Information security is not a matter of ticking off a single standard, but of layers. For government, BIO and ENSIA form the baseline, and as a sector becomes more sensitive or critical, stricter frameworks stack on top: NIS2 for essential and important organisations, and sector-specific standards such as DORA for the financial markets and NEN 7510 for healthcare. In this article we explain that layering — and why you can use the higher layers not only as an obligation, but also as an ambition to protect your organisation ever better. We focus on (semi-)government, but because the threat landscape touches every sector, this layered way of thinking applies more widely.
No two organisations are alike, and no two pieces of data are equally sensitive. That is why a single universal standard does not work. Information security is built as a series of layers: a baseline that applies to everyone, with stricter requirements on top as the impact of an incident grows. The more critical your service and the more sensitive your data, the higher you need to stand on that ladder.
This layering is not a bureaucratic pile-up, but a logical ordering. It helps you determine what is appropriate for your organisation — and prevents you from doing too little, or losing yourself in requirements that do not apply to you at all.
The layering also runs not only upward but alongside you: information security shares the field with privacy (the GDPR) and, more recently, with AI governance (the AI Act). These are not rungs on the same ladder, but neighbouring dimensions you consider together — we wrote a separate article about that.
For Dutch government, everything starts with the BIO, the Baseline Information Security for Government: the shared standard — based on the international standards ISO 27001 and 27002 — that determines which measures you must have in place. ENSIA is the accompanying accountability method: one annual cycle in which you demonstrate that you actually take those measures. In short: the BIO says what you arrange, ENSIA arranges how you account for it.
Every government organisation shares this baseline. It revolves around risk management — a deliberate assessment of what is critical and which protection fits — and not around a blind checklist. Those who have this layer in order have a solid foundation to build on.
Above the baseline sits NIS2, implemented in the Netherlands through the Cybersecurity Act. NIS2 targets essential and important organisations — and many public bodies fall under it: municipalities, water authorities, and organisations in energy, water, healthcare and digital infrastructure. For them this is not an optional layer, but an obligation.
NIS2 raises the bar above the baseline: a duty of care with concrete risk measures, an obligation to report incidents, attention to your entire supply chain, and — new to many — direct responsibility for board members. Where the BIO gets the house in order, NIS2 demands demonstrable resilience and management involvement right up to the top.
On top of the baseline and NIS2 sit sector-specific layers: frameworks that apply only to those working in a particular, extra-sensitive sector. For the financial markets that is DORA — the Digital Operational Resilience Act, in force since early 2025 — with strict requirements for ICT risk management, mandatory incident reporting, periodic resilience testing and tight management of ICT suppliers. For healthcare it is NEN 7510, the standard (again built on ISO 27001 and 27002) with which care providers protect patients' sensitive data.
Neither DORA nor NEN 7510 applies to a municipality or water authority — they bind financial entities and care providers respectively. But together they reveal a pattern: the more sensitive the sector, the higher and more specific the bar. And that is precisely what makes them useful as a reference.
Here lies the heart of this story. Those layers are not merely a stack of duties to tick off; together they form a maturity ladder. And you are allowed to look up.
For a government organisation, DORA and NEN 7510 are not a legal obligation — but you can borrow their rigour as an ambition. A periodic resilience test, tighter supplier management, a sharper incident procedure: all practices from a higher layer that you can voluntarily adopt to protect yourself better. This turns a stricter framework from a burden into a development direction — a way to climb one rung higher, at your own pace and in the places that matter.
But why would you want to go beyond the minimum obligation? First, because the threat is real and growing rather than shrinking: the threat landscape — ransomware, supply-chain attacks, state actors — is continuously monitored by the IBD (for municipalities) and the NCSC (nationally). And beyond that, not for the tick, but for what lies beneath it. An organisation that genuinely has its information security in order wins the trust of citizens and chain partners, stands firmer when an incident does happen, and remains a reliable link for everyone who depends on it. Compliance is then not a goal, but the proof of something more valuable: that you take seriously the data and the services people rely on. That is the real reason to want to climb a rung higher.
For government, this layering is largely enforceable: BIO, ENSIA and NIS2 are not optional advice. In the commercial world it is different. Apart from a few sector layers (such as DORA), there is often no legal obligation, and a company makes its own risk trade-off. And that is precisely where the danger lies: too few directors realise that not having your information security in order is itself a business risk — for continuity, reputation, liability and customer trust.
For the threat is not selective: ransomware and supply-chain attacks do not care whether you are a municipality or an SME. The difference lies in the driver — for government the obligation, in business the conscious choice. And it is exactly at that intersection that our value sits: combining the compliance discipline of the public sector with the risk-and-value thinking of the commercial world. The same ladder, two starting points.
The most common mistake is treating each layer as a separate checklist. ENSIA then becomes a race against the clock at year-end, and NIS2 a separate project hanging alongside the rest — while the strength lies precisely in the coherence. A second pitfall is fragmentation: security that sits only with the CISO or IT, while the risks, and under NIS2 also the responsibility, are spread across the whole organisation and right up to the board.
And a third: skipping the baseline in the rush to comply with a higher layer. Without a solid BIO foundation, every layer above it is a shell without substance.
Treat information security as a continuous process and as one coherent whole, not as separate obligations. First make sure the baseline genuinely stands. Then determine which layer applies to you as an obligation — for most government organisations that is NIS2 — and focus there. Assign responsibility to the process owners and the board, not only to IT.
And deliberately look up: choose one or two practices from a higher layer to take on as an ambition. Better a handful of measures that genuinely work and can be demonstrated than a thick document nobody reads. Want to know where you stand? Run your baseline and your NIS2 obligations through a checklist — then you see in black and white where the gaps are before you look up.
Understanding information security in layers helps you do what fits: not too little, not too much, and with a clear direction to grow into. It is precisely at that intersection of information security, compliance and public frameworks that we work as DWDA.
Want to know which layer your organisation stands on, and where your biggest gains lie? Take our free maturity scan and receive an immediate report with concrete next steps. Prefer to spar about BIO, ENSIA, NIS2 or an ambition towards DORA level? With our starter vouchers we deliver a first analysis for a fixed price, without long-term commitment. Feel free to get in touch and we will look together at where you stand and where you want to go.