Provinces, municipalities and water boards BIO 2.0 is coming and so is the NIS2/CBW!

From BIO 1.04 to BIO 2.0

Since 1 January 2019, the government has had the Baseline Information Security Government (BIO), which adds government-specific requirements on top of ISO27001:2017. Since 2022 there has been a new version of the ISO27001 standard, in which the control measures in Annex A in particular have been updated. The new BIO 2.0 is aligned with this revised standard. BIO 2.0 is expected to be published during 2025.

Tip: on the website bio-overheid.nl, the BIO 2.0 handbook is already available for download.

NIS2 and the BIO 2.0

In the new NIS2, which is transposed into the Cybersecurity Act (CBW) in the Netherlands, government bodies (ministries, provinces, municipalities and water boards) have been designated as essential organisations. In addition, the BIO is designated as a specific measure for government bodies. This gives the BIO a legal basis and thus makes compliance an obligation. Essential organisations will be proactively assessed by inspectorates for compliance with this law. For government bodies, this will be the Rijksinspectie Digitale Infrastructuur (RDI).

According to the latest reports, the Cybersecurity Act (CBW) will be published in Q2 2025, just before the summer period. From then on, it will be a legal requirement for governments to comply with the Cybersecurity Act and hence with the BIO. There is no transition period.

Zero measurement audit in governments

Based on the new BIO 2.0, DigiTrust offers a specific BIO 2.0 baseline audit for governments. After the audit, the DigiTrust auditor delivers a clear report that shows, per BIO topic, where your organisation already complies and where it does not yet. You can use this report for your accountability to the Rijksinspectie Digitale Infrastructuur (RDI), but also as the basis for your own improvement plan.

Different baseline measurements for your organisation

Type of audit                                                         Days
1. ISO27001:2022 baseline measurement                                 3
2. BIO 2.0 baseline measurement (additional BIO requirements only)    2
3. Combination baseline measurement                                   4

Please note: in your ENSIA report on DigiD and Suwinet, a Registered EDP Auditor (RE) assesses whether the specific control measures for these systems are effective. All other BIO control measures are assessed and determined on the basis of a self-declaration. In other words, you have no impartial and objective evidence covering the entire BIO, nor of whether you have a working ISMS. The NIS2/CBW, however, requires that you can demonstrate this. DigiTrust's audit allows you to account for it.

Suppliers BIO 2.0 'in control statement'

As an organisation, you are responsible for identifying and mitigating the risks to your organisation. Organisations subject to the Cybersecurity Act (CBW) must identify their dependencies on direct (relevant) suppliers and service providers. It is therefore important to make proper arrangements, keep track of the risks and, where necessary, reduce them to a 'tolerable' level.

In doing so, the BIO explicitly requires that relevant suppliers also comply with the BIO. It is therefore important that you can demonstrate this.

To assess your suppliers' compliance with the BIO, DigiTrust offers a specific audit: the BIO In Control Declaration (BIO-ICV). During this 2-day audit, we assess whether your supplier actually complies with BIO 2.0. We assume that your supplier is already ISO27001 certified under accreditation.

BIO 2.0: take action

It is crucial for your organisation and your critical suppliers to know where you stand on BIO 2.0 compliance. That way you can still take measures before the RDI is at your doorstep.

Please contact us so we can schedule you in time.

088-2245600
