BIO 2.0 and risk-based approach
In 2019, the Dutch government introduced the first version of the Government Information Security Baseline (BIO), which aims at uniform information security across government organisations. The current version, BIO 2.0, due by the end of 2024, introduces a risk-based approach in line with the latest ISO 27001 and ISO 27002:2022 standards.
In parallel, the European NIS Directive is being updated to NIS2, with an updated view of risks and broader sectoral coverage. These new regulations, to be introduced in the Netherlands by the end of 2024, align the duties of care with the ISO standards through an effective Plan/Do/Check/Act cycle for risk management.
Applicable to different sectors
Unlike BIO, which focuses primarily on protecting the Dutch (central) government and its information, NIS2 applies to a broader group of organisations with a risk-based approach.
NIS2 focuses on expanding and refining the regulatory framework for securing digital systems and networks in essential and key sectors. ‘Essential organisations’ are often large-scale, complex and have a major impact on society. Think of those in energy, transport, banking, healthcare or public services. On the other hand, the ‘important organisations’ may be smaller but are just as crucial. Think digital providers, postal and courier services, waste management, food, chemicals, research and manufacturing.
From compliance-based to risk-based
The shift from a ‘compliance-based approach’ to a ‘risk-based approach’ requires organisations to analyse their own risks and take action accordingly. The difference between the two approaches lies mainly in the intended end goal: ‘compliance’ focuses on following rules, while risk management aims to identify the risks that may affect an organisation and define a specific response for each risk. You can read more about this in our white paper: From a compliance-based approach to a risk-based approach.
Inclusion of suppliers
Another important aspect of NIS2 is that suppliers are now included in the security domain. ‘The chain is only as strong as its weakest link’ certainly applies in this age of digitalisation and connectedness. Because everything is so intertwined, suppliers providing services and products to key organisations must also comply with NIS2 requirements. This means that responsibility for risk management lies not only within organisations, but also between them.
NIS2 ensures that not only key and important organisations, but also their suppliers, have to work together on stringent security measures. This highlights how important a joint approach is to strengthen cyber security in the Netherlands and Europe.
Conclusion
Although NIS2 and BIO come from different corners, the cooperation between European and Dutch regulations is crucial to protect our digital infrastructures. By effectively implementing both regulations, we are putting in place a robust defence against the cyber threats of today and tomorrow. Protecting our digital world is a complex but achievable task if we understand the nuances of these regulations and take their implementation seriously. Together, we are working towards a more secure and resilient digital future.