ISMS Copilot for Dutch government suppliers
Meet the BIO/BIO2 baseline, pass DigiD assessments and satisfy Dutch NIS 2 (Cbw) before you bid on a government contract.
Selling to Dutch government: the BIO baseline you must meet
- Implement BIO and the forthcoming BIO2 baseline controls — the mandatory information security baseline across all Dutch government layers
- Map your existing NEN-EN-ISO/IEC 27001 and 27002 controls to BIO government-specific additions
- Apply the correct government classification and protection levels (basis, vertrouwelijk, geheim contexts)
- Prepare for DigiD security assessments if you operate a service connected to DigiD
- Meet NIS 2 obligations through the BIO2 duty of care under the Cybersecurity Act (Cbw)
- Produce municipality- and province-specific documentation where requirements differ from central government
Built for the supplier in a Dutch public-sector procurement
BIO2 control implementation guidance aligned to the government baseline, not generic ISO 27001
DigiD assessment preparation and evidence gathering for the annual security audit
NIS 2 compliance routed through BIO2 as the Dutch implementation pathway under the Cbw
AVG and Autoriteit Persoonsgegevens (AP) alignment for personal data in government systems
Dutch-language support with native terminology (maatregelen, VvT, BIO)
Data flow kept inside the EU by default — AWS Amsterdam storage, Mistral inference on Swedish infrastructure, no US-headquartered provider in the path
Selling to Dutch government: the BIO baseline
A vendor selling to a Dutch government body does not get to pick a security framework — the buyer dictates it. The Baseline Informatiebeveiliging Overheid (BIO) is the mandatory information security baseline for all Dutch government layers (central government, municipalities, provinces and water authorities), and it cascades onto their suppliers contractually. BIO is built explicitly on NEN-EN-ISO/IEC 27001 and 27002 with government-specific baseline controls added on top, so an ISO 27001 programme is a strong foundation but not sufficient on its own. BIO2 will be folded into the Dutch Cybersecurity Act (Cbw) as a NIS 2 duty of care, meaning the baseline and the directive converge into one obligation. If your service touches DigiD, you also face an annual DigiD security assessment. ISMS Copilot maps your ISO controls to the BIO additions, prepares DigiD evidence, and handles the Cbw duty of care in one workspace.
Frequently Asked Questions
Is BIO mandatory for suppliers, or only for government itself?
BIO is mandatory for all Dutch government organisations, and it cascades onto their suppliers through procurement contracts. If you provide IT services or solutions to Dutch central government, a municipality, a province or a water authority, you will be required to demonstrate BIO conformity as a condition of the contract.
We are already ISO 27001 certified — is that enough for BIO?
It is a strong foundation but not sufficient. BIO is explicitly based on NEN-EN-ISO/IEC 27001 and 27002 but adds government-specific baseline controls. ISMS Copilot maps your existing Annex A controls to the BIO additions so you implement only the delta rather than starting over.
How do DigiD assessments and Dutch NIS 2 fit in?
If your service connects to DigiD you face a recurring DigiD security assessment with its own evidence requirements. Separately, BIO2 is being incorporated into the Cybersecurity Act (Cbw) as a NIS 2 duty of care, so the baseline and the directive converge. The Copilot prepares DigiD assessment evidence and the Cbw duty-of-care documentation alongside BIO.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.
