The Dutch House of Representatives has voted. The clock is ticking.

There are moments when something that long felt distant suddenly becomes real. The vote on the Dutch ‘Cyberbeveiligingswet’ (Cbw) in the House of Representatives is one such moment. Not because anything drastic changed that day, but because the room to wait and see has shrunk considerably since.

For public sector organisations, this is exactly as urgent as it sounds.

Where do we stand now?

The Dutch House of Representatives (Tweede Kamer) has adopted the Cbw, the Dutch implementation of the European NIS2 Directive. The Dutch Senate (Eerste Kamer) still needs to consider the bill, but the direction is set. The government aims to bring the act into force in the second quarter of 2026, together with the ‘Wet weerbaarheid kritieke entiteiten’ (Critical Entities Resilience Act, Wwke) and the accompanying secondary legislation.

For the public sector, this means one thing in practice: BIO2 (Baseline Information Security Government) will become the mandatory standard. Not as an ambition, but as a legal requirement backed by supervision.

Why this time is different

When the original BIO was introduced, there was still time. Time to adjust, time to make plans, time to deal with it later. That luxury no longer exists in the same way.

BIO2 was officially adopted on 24 September 2025. For provinces, water authorities and central government, it already applies as binding self-regulation. For municipalities, BIO v1.04 remains the formal standard for now, but that will change once the Cbw enters into force. And that date is approaching fast.

What is also different is that BIO2 requires a different way of working. The familiar BBN levels, where you could reason from a fixed set of controls, are gone. In their place is a risk-based approach. That may sound abstract, but the practical consequences are very real. You can no longer get by with a ticked-off checklist. You need to be able to explain why you made the choices you made, which risks you accept, and who bears executive responsibility for them. That last point is precisely where many organisations struggle.

The real problem is not technical

Ask any CISO at a municipality or province how information security is going, and the answer is rarely “we do nothing.” There are policy documents, there is an ISMS, and audits are conducted. Most organisations have a reasonable technical foundation.

The problem lies one level higher.

BIO2 requires that information security is demonstrably part of executive governance. That the board knows which risks are at play, that incidents are reported and escalated, and that there is a structure in which continuous improvement does not depend on the efforts of one driven employee.

At that governance level, the gap is largest in many organisations. Not because executives are unwilling, but because information security has for too long been treated as something for the IT department. BIO2 corrects this, but it requires preparation.

What you can do now

No list of twelve action points. Just three honest questions to start with:

  • Does your board know what BIO2 requires of them (and not just of the CISO)?

  • Can you demonstrate today how your risks are assessed and who decides on them?

  • Is there a realistic path from where you are now to what the law will require?

If the answer to any of these questions is “not really,” then this is the moment to change that.

The Cbw is not yet in force. But the direction is clear, the date is approaching, and the requirements are defined. Those who take this as a signal to get serious now gain something valuable: time to do it properly.

Want to know where your organisation should start? On 18 June from 12:00 to 13:00 we’re hosting the webinar ‘The Cybersecurity Act is coming, now what?’. In one hour, we’ll walk you through what NIS2 and the Dutch Cybersecurity Act mean in practice, how to apply BIO 2.0 pragmatically, and what is changing in terms of governance, board accountability and awareness.

You’ll leave with clear insights and practical first steps you can take immediately. Register via this link.
