/

Regulation & Framework

/

Baseline Information Security for Government 2 (BIO2)

EXPERTISE

Baseline Information Security for Government 2 (BIO2)

The information-security baseline for Dutch government — the successor to the BIO, aligned to ISO 27001/27002 and more strongly risk-based.

What it is — and why it matters.

BIO2.0 (Baseline Informatiebeveiliging Overheid) is the common information-security framework for Dutch government bodies — central government, municipalities, provinces, and water authorities. The updated 2.0 version aligns more closely with the latest ISO 27001/27002 and takes a more explicitly risk-based approach than its predecessor. For public-sector organisations — and the suppliers that serve them — meeting the BIO is effectively mandatory.

Who this affects.

Dutch government organisations (Rijk, gemeenten, provincies, waterschappen) and the suppliers and service providers that work with them.

What's involved

  • Risk-based selection of controls aligned to ISO 27002

  • Governance and management accountability for information security

  • Implementation of organisational and technical controls

  • ENSIA self-assessment and audit reporting (where applicable)

  • Continuous improvement

How we help.

  • Scoping & gap analysis | Where you stand against the BIO baseline today.

  • Risk-based control selection | The controls appropriate to your risk profile.

  • Control implementation | Organisational controls implemented; technical ones orchestrated.

  • ENSIA reporting support | Help with the self-assessment and audit reporting.

  • Aligned to ISO 27001 | Run together so you don't do the work twice.

  • Ongoing maintenance | Kept current as your managed office.

Compliance

Within your managed office.

BIO2.0 sits under Compliance and overlaps heavily with ISO 27001 — we run them together so a single management system satisfies both. It connects to Governance and Risk as part of your wider program.

Within your managed office.

BIO2.0 sits under Compliance and overlaps heavily with ISO 27001 — we run them together so a single management system satisfies both. It connects to Governance and Risk as part of your wider program.

CTRL Disrupt

Your Managed Security & Risk Office.
Based in the Netherlands.

EXPERTISE

ISO 27001

NIS2

BIO2.0

EU AI Act

AI Security & Compliance

Marshalllaan 2
2625 GZ Delft
The Netherlands

© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.