Information Security in 2026: from BIO and NIS2 to AI Governance

In 2026, information security is no longer a separate box next to day-to-day service delivery, but its backbone. BIO, NIS2 and the AI Act now land on the same desk, and anyone who keeps treating them in isolation loses time, money and control. We help governments and SMEs forge these three tracks into one workable story.

Why 2026 is a turning point

Over recent years the frameworks have stacked up: the Dutch BIO as a baseline for government, NIS2 as a European duty of care with management accountability, and the AI Act reining in high-risk AI applications. On their own these are three impressive documents. Together they form a maze, especially for organisations that still run their security as projects rather than as structure.

The turning point is not yet another standard, but the expectation behind them. Regulators, supply-chain partners and citizens now assume that information security is demonstrably under control. Demonstrably is the key word: not just policy on paper, but working measures you can actually show.

BIO 2.0: the baseline as a starting point

The renewed BIO aligns more closely with the international ISO 27001 approach and shifts the emphasis from tick-box lists to risk management. That is good news, because it makes the BIO usable as a foundation under all your other obligations. If your risk analysis, controls and accountability are in order, you also stand far more solidly under NIS2 and the AI Act.

In practice we see many municipalities, water authorities and public-sector bodies still treating their BIO implementation mainly as an annual self-assessment exercise: a yearly spike towards the report. The gain lies in reversing that, so the self-assessment becomes the logical conclusion of a process that runs all year round.

NIS2: from the server room to the boardroom

The biggest change NIS2 brings is not technical but governance-related. The directive places responsibility explicitly with senior management, with personal liability and an obligation to report incidents within tight deadlines. Information security has thereby become a standing agenda item for the executive board, not just for the CISO.

For many organisations this means supply-chain dependency must come sharply into focus. Which suppliers are critical? What happens if they fail or are hacked? NIS2 forces you to answer those questions in advance, rather than during a crisis. A sound supplier assessment and a well-rehearsed incident process are half the battle here.

The AI Act: governance that already affects you

In 2026, AI is no longer an experiment; it sits in chatbots, fraud detection, image recognition and decision support. The AI Act classifies applications by risk, and government in particular quickly ends up in the higher categories: anything touching rights, public services or enforcement weighs heavily.

AI governance has thus become an extension of information security. You need to know which models you use, what data they were trained on, how you safeguard explainability and human oversight, and how you prevent bias and data leaks. We advise including AI applications in the same risk register as your other systems, so that governance is not a separate silo but part of the whole.

One policy, three tracks

The biggest pitfall is letting BIO, NIS2 and the AI Act be picked up by three different teams, each with its own timeline and vocabulary. That leads to duplicate work, contradictory documents and a board that can no longer see the wood for the trees. The three frameworks share the same core: know your risks, take appropriate measures, and be able to prove it.

We bring those tracks together into a single information security policy with one risk register, one set of controls and one accountability rhythm. That not only saves work, it also makes your story credible to regulators and management. Best Value thinking helps here: don't try to do everything at once, but prioritise what covers the most risk for the least effort.

Do it yourself, or together?

Would you rather start with a baseline measurement? A short information security scan shows where you stand against BIO, NIS2 and the AI Act, and which steps deliver the most value. For SMEs and public organisations, vouchers and subsidies are also regularly available to make those first steps affordable.

Want to talk through how to turn these three tracks into one workable policy? Feel free to get in touch. We're happy to think along for an hour, no obligation and no jargon, simply about what makes the difference in your situation.