BIO (Baseline Informatiebeveiliging Overheid) is the Dutch government’s baseline standard for information security, applicable to all levels of the public sector — from municipalities to ministries. It sets requirements for protecting systems and information and serves as the framework for managing and auditing cybersecurity within Dutch government organizations.
Background and structure of BIO
In effect since 2019, the BIO unified the previous sector baselines (such as BIG, BIR, and BIWA) into one consistent approach to government information security.
The BIO is built on the international ISO/IEC 27001 and 27002 standards, supplemented with Dutch-specific requirements. It defines three baseline security levels (BBN 1, 2, and 3), chosen according to the risk and sensitivity of the information being handled.
Its structure includes:
- Control measures across policy, organizational, physical, and technical domains;
- Risk-based decision-making: security controls are based on risk analysis;
- Accountability and audits to demonstrate compliance.
Why is BIO important?
BIO is mandatory for Dutch public organizations and highly relevant for private companies delivering services to the government. The framework:
- Ensures consistent protection of public-sector information;
- Supports legal compliance (e.g., GDPR, Public Access Law);
- Enhances cyber resilience and transparency.
Vendors offering hosting, software, or advisory services to public institutions are often required to meet BIO standards.
BIO and RiskStudio
RiskStudio helps organizations assess their suppliers’ alignment with the BIO standard. Through automated scans and risk profiling, the platform identifies whether suppliers meet BIO-related requirements — such as encryption, logging, or network controls. You can group suppliers around critical assets and demonstrate compliance per BIO control. With RiskStudio, the BIO becomes a practical tool for managing digital risks across your supply chain — actionable, measurable, and auditable.