Compliance & Governance
Standardizing Without Sluggishness
A reference chapter only has value when teams can immediately use it to plan, design, and deliver.
With Compliance & Governance, it's all about demonstrability: translating standards into ownership, planning, and verification.
This keeps this chapter from being mere theory, and instead serves as a practical compass for consistent execution.
Immediate measures (15 minutes)
Why this matters
The core of Compliance & Governance is risk reduction in practice. Technical context supports the measure selection, but implementation and assurance are central.
NIS2 Obligations to Technical Measures
NIS2 (Directive (EU) 2022/2555) describes in Article 21 the risk management measures that entities classified as "essential" and "important" must take. Below is the translation into concrete technical implementations.
| NIS2 Obligation | What it means | Technical implementation | See |
|---|---|---|---|
| Risk management measures (Art. 21.2a) | Risk analysis and information system security policy | Threat modeling, asset inventory, vulnerability scanning, risk matrix | Reference 01, Reference 02, Network 15 |
| Incident handling (Art. 21.2b) | Detection, analysis, containment, and response to incidents | SIEM, EDR, incident response plan, forensic capability, escalation procedures | Reference 03, Network 02, Network 09, Cloud 10 |
| Business continuity (Art. 21.2c) | Backup management, disaster recovery, crisis management | Backup strategy (3-2-1), DR plan, RPO/RTO definitions, restore tests | Network 09, Cloud 09, Cloud 10 |
| Supply chain security (Art. 21.2d) | Security requirements for direct suppliers and service providers | Supplier assessments, SLAs with security requirements, supply chain scanning | Cloud 06, Cloud 12, Cloud 13 |
| Security in acquisition and development (Art. 21.2e) | Security in procurement, development, and maintenance of systems | SSDLC, code review, SAST/DAST, dependency scanning, hardening baselines | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 05, Cloud 06, Cloud 12 |
| Effectiveness assessment (Art. 21.2f) | Testing and auditing of cybersecurity measures | Penetration tests, vulnerability assessments, red teaming, hardening audits | Reference 01, Reference 05, Cloud 10 |
| Cyber hygiene and training (Art. 21.2g) | Basic practices for cyber hygiene and awareness training | Password policy, MFA rollout, phishing awareness, security onboarding | Network 01, Network 07, Web 10 |
| Cryptography policy (Art. 21.2h) | Policy and procedures for the use of cryptography and encryption | TLS 1.2+, encryption at rest, key management, certificate management, hashing | Web 13, Cloud 13, Network 05, Network 07, Network 08 |
| Access control and asset management (Art. 21.2i) | Security policy for personnel access, asset management | RBAC, least privilege, privileged access management, service account hardening | Web 10, Web 14, Web 16, Network 03, Network 04, Cloud 02, Cloud 03, Cloud 04 |
| Multi-factor authentication (Art. 21.2j) | MFA or continuous authentication where appropriate | FIDO2/WebAuthn, TOTP, conditional access policies, adaptive MFA | Web 10, Web 16, Network 01, Cloud 02, Cloud 03, Cloud 04 |
| Vulnerability notifications (Art. 23) | Reporting significant incidents within 24/72 hours | Early warning (24h), incident notification (72h), interim report (1 month) | Reference 03 |
| Coordinated vulnerability disclosure (Art. 12) | Process for receiving and handling vulnerability reports | security.txt, responsible disclosure policy, vulnerability intake process | Web 11, Web 14 |
NIS2 Reporting Deadlines
| Deadline | Action | Reference |
|---|---|---|
| Within 24 hours | Early warning to CSIRT/competent authority | Reference 03 |
| Within 72 hours | Full incident notification with severity and impact assessment | Reference 03 |
| Within 1 month | Final report with root cause, measures taken, cross-border impact | Reference 03 |
NIS2 Classification: Essential vs. Important
| Category | Sectors | Difference |
|---|---|---|
| Essential | Energy, transport, banking, healthcare, drinking water, digital infrastructure, ICT service provision B2B, space, government | Proactive supervision, higher fines (max 10M or 2% turnover) |
| Important | Postal/courier services, waste management, chemicals, food, manufacturing, digital services, research | Reactive supervision, lower fines (max 7M or 1.4% turnover) |
GDPR Technical Measures
The GDPR (General Data Protection Regulation) requires "appropriate technical and organizational measures" but does not specify exactly which ones. The table below translates the relevant articles into concrete technical implementations.
| GDPR Article | Obligation | Technical implementation | See |
|---|---|---|---|
| Art. 5(1)(f) | Integrity and confidentiality | Encryption, access control, logging, network segmentation | Web 13, Network 15, Network 07, Cloud 13 |
| Art. 25(1) | Privacy by design | Minimal data collection, pseudonymization, encryption in transit and at rest, data flow analysis | Web 13, Cloud 13, Web 12, Web 14 |
| Art. 25(2) | Privacy by default | Default minimal processing, no unnecessary data exposure via APIs, opt-in instead of opt-out | Web 14, Web 12, Web 07 |
| Art. 28 | Processor requirements | Security requirements in data processing agreements, audit rights, sub-processor controls | Cloud 02, Cloud 03, Cloud 04, Cloud 06 |
| Art. 32(1)(a) | Pseudonymization and encryption | TLS, disk encryption, database encryption, column-level encryption, key management | Web 13, Cloud 13, Network 07 |
| Art. 32(1)(b) | Confidentiality, integrity, availability, resilience | Access control, input validation, network segmentation, redundancy, DDoS protection | Web 10, Web 12, Network 15, Network 04, Cloud 02, Cloud 03, Cloud 04 |
| Art. 32(1)(c) | Recovery after incidents | Backup, disaster recovery, incident response, restore tests | Network 09, Cloud 09, Reference 03 |
| Art. 32(1)(d) | Regular assessment and evaluation | Pentesting, vulnerability scanning, audit logging, security reviews | Reference 01, Cloud 10, Network 02 |
| Art. 33(1) | Data breach notification to DPA (72 hours) | Detection and alerting, incident response process, logging, breach assessment | Reference 03, Cloud 10, Network 02 |
| Art. 34 | Data breach notification to data subjects | Communication procedure, severity assessment, contact details of data subjects | Reference 03 |
| Art. 35 | DPIA (Data Protection Impact Assessment) | Threat modeling, risk analysis based on technical architecture, data flow mapping | Reference 01, Reference 02 |
GDPR Fine Categories
| Category | Maximum fine | Examples |
|---|---|---|
| Category 1 (Art. 83(4)) | 10 million euros or 2% global turnover | Violation of Art. 25 (privacy by design), Art. 32 (security measures) |
| Category 2 (Art. 83(5)) | 20 million euros or 4% global turnover | Violation of Art. 5 (processing principles), Art. 6 (lawfulness) |
ISO 27001:2022 Annex A – Securitymaatregelen.nl Mapping
ISO 27001:2022 reorganized the Annex A controls from 114 controls in 14 domains to 93 controls in 4 categories. The focus below is on the technical controls (category A.8, 34 controls) and a selection of organizational controls (A.5) that are directly relevant.
A.5 Organizational controls (selection)
| ISO 27001 Control | Description | Technical translation | See |
|---|---|---|---|
| A.5.7 | Threat intelligence | Threat intelligence collection and processing, IOC feeds, ATT&CK mapping | Reference 01 |
| A.5.10 | Acceptable use of information | Acceptable use policy, DLP, content filtering | Network 10, Network 15 |
| A.5.15 | Access control | RBAC, least privilege, periodic access reviews | Web 10, Network 04, Cloud 02, Cloud 03, Cloud 04 |
| A.5.16 | Identity management | Identity lifecycle, provisioning/deprovisioning, SSO | Web 16, Network 04, Cloud 03 |
| A.5.17 | Authentication information | Password policy, MFA, credential management | Web 10, Network 07, Cloud 13 |
| A.5.23 | Information security for cloud | Cloud security posture management, shared responsibility | Cloud 01, Cloud 02, Cloud 03, Cloud 04, Cloud 05, Cloud 06, Cloud 07, Cloud 08, Cloud 09, Cloud 10, Cloud 11, Cloud 12, Cloud 13 |
| A.5.24 | Incident management planning | Incident response plan, runbooks, escalation matrix | Reference 03 |
| A.5.25 | Assessment of and decision on incidents | Incident classification, impact assessment, triage | Reference 03 |
| A.5.26 | Response to incidents | Containment, eradication, recovery procedures | Reference 03 |
| A.5.27 | Learning from incidents | Post-incident review, lessons learned, control updates | Reference 03 |
| A.5.28 | Collection of evidence | Forensic procedures, chain of custody, log preservation | Reference 03, Cloud 10 |
| A.5.29 | Information security during disruption | BCP, failover procedures, prioritization of security measures | Network 09, Cloud 09 |
| A.5.30 | ICT readiness for business continuity | DR plan, backup verification, failover testing | Network 09, Cloud 09, Cloud 10 |
A.8 Technological controls
| ISO 27001 Control | Description | See |
|---|---|---|
| A.8.1 | User endpoint devices | Network 12 (Windows), Network 11 (Linux) |
| A.8.2 | Privileged access rights | Network 03, Network 04, Cloud 02, Cloud 03, Cloud 04 |
| A.8.3 | Information access restriction | Web 10, Web 14, Network 04 |
| A.8.4 | Access to source code | Cloud 06, Cloud 12 |
| A.8.5 | Secure authentication | Web 10, Web 16, Network 01, Network 05 |
| A.8.6 | Capacity management | Cloud 02, Cloud 03, Cloud 04, Cloud 07 |
| A.8.7 | Protection against malware | Network 02, Network 12 |
| A.8.8 | Management of technical vulnerabilities | Reference 01, Reference 02, Network 03 |
| A.8.9 | Configuration management | Reference 05, Cloud 12, Network 11, Network 12 |
| A.8.10 | Information deletion | Cloud 13, Network 07 |
| A.8.11 | Data masking | Web 12, Web 14, Cloud 13 |
| A.8.12 | Data leakage prevention | Network 10, Network 15, Cloud 08 |
| A.8.13 | Information backup | Network 09, Cloud 09 |
| A.8.14 | Redundancy of information processing facilities | Cloud 02, Cloud 03, Cloud 04, Cloud 11 |
| A.8.15 | Logging | Cloud 10, Network 02, Network 09 |
| A.8.16 | Monitoring activities | Cloud 10, Network 02, Network 09 |
| A.8.17 | Clock synchronization | Cloud 10, Network 02 |
| A.8.18 | Use of privileged utility programs | Network 03, Network 12, Network 02 |
| A.8.19 | Installation of software on operational systems | Network 02, Network 12, Cloud 05 |
| A.8.20 | Network security | Network 15, Network 10 |
| A.8.21 | Security of network services | Network 15, Network 13, Web 13 |
| A.8.22 | Segregation of networks | Network 15, Cloud 08 |
| A.8.23 | Web filtering | Network 10, Network 15 |
| A.8.24 | Use of cryptography | Web 13, Cloud 13, Network 07 |
| A.8.25 | Secure development lifecycle | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 06, Cloud 12 |
| A.8.26 | Application security requirements | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Web 12, Web 14 |
| A.8.27 | Secure system architecture and principles | Network 15, Cloud 08, Reference 02 |
| A.8.28 | Secure coding | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 12 |
| A.8.29 | Security testing in development and acceptance | Reference 01, Cloud 06, Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16 |
| A.8.30 | Outsourced development | Cloud 06, Cloud 12 |
| A.8.31 | Separation of development, test, and production environments | Cloud 06, Cloud 02, Cloud 03, Cloud 04 |
| A.8.32 | Change management | Cloud 12, Cloud 06 |
| A.8.33 | Test information | Cloud 06, Web 14 |
| A.8.34 | Protection of information systems during audit testing | Reference 01, Cloud 10 |
BIO (Baseline Information Security for Government)
The BIO is based on ISO 27001/27002 and is mandatory for all Dutch government organizations (central government, municipalities, provinces, water boards). The BIO adds specific government measures on top of the ISO foundation, with extra attention to information classification and stricter requirements for higher classification levels.
The BIO has three baseline security levels (BBN): - BBN1 – baseline for all government information - BBN2 – for confidential information (most government systems) - BBN3 – for state secret classified information
| BIO Control | Subject | Explanation | See |
|---|---|---|---|
| BIO 6.1.1 | Network segmentation | Separation of networks based on classification level | Network 15 |
| BIO 9.1.2 | Access to networks and network services | Controlled access, authentication at network level | Network 01, Network 15 |
| BIO 9.2.3 | Management of privileged access rights | Minimal privileges, separate admin accounts, PAM | Network 03, Network 04, Cloud 02, Cloud 03, Cloud 04 |
| BIO 9.4.1 | Information access restriction | Need-to-know, RBAC, object-level authorization | Web 10, Web 14 |
| BIO 9.4.2 | Secure log-on procedures | Strong authentication, MFA, brute force protection | Web 10, Web 16, Network 01 |
| BIO 10.1.1 | Policy on the use of cryptography | Approved algorithms, key management, TLS configuration | Web 13, Cloud 13, Network 07 |
| BIO 10.1.2 | Key management | Key rotation, secure storage, certificate lifecycle | Cloud 13, Network 08 |
| BIO 12.2.1 | Protection against malware | Endpoint protection, AMSI, AppLocker/WDAC | Network 02, Network 12 |
| BIO 12.4.1 | Event logging | Audit logging, central log management, tamper-proof storage | Cloud 10, Network 02 |
| BIO 12.4.3 | Administrator and operator log files | Privileged session logging, command logging | Network 02, Network 03, Cloud 10 |
| BIO 12.6.1 | Management of technical vulnerabilities | Vulnerability scanning, patch management, hardening | Reference 01, Reference 02, Reference 05 |
| BIO 13.1.1 | Network controls | Firewall management, IDS/IPS, network monitoring | Network 15, Network 10 |
| BIO 13.1.3 | Segregation in networks | VLANs, microsegmentation, zero trust networking | Network 15, Cloud 08 |
| BIO 14.1.2 | Securing application services on public networks | HTTPS, API security, WAF | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Web 13, Web 14 |
| BIO 14.2.1 | Secure development policy | Secure SDLC, code review, SAST/DAST | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 06 |
| BIO 14.2.5 | Secure systems engineering principles | Defense in depth, least privilege, fail secure | Network 15, Reference 02 |
| BIO 16.1.2 | Reporting information security events | Incident reporting, mandatory notification, communication procedure | Reference 03, Cloud 10 |
| BIO 18.2.3 | Technical compliance review | Technical audits, penetration tests, compliance scans | Reference 05 |
CIS Controls v8
The CIS Controls are organized into three Implementation Groups (IGs) based on organization size and risk. IG1 (56 safeguards) is the minimum for every organization. IG2 (74 additional) for organizations with IT staff. IG3 (23 additional) for organizations with dedicated security teams.
| CIS Control | Name | Brief description | See |
|---|---|---|---|
| CIS 1 | Inventory and Control of Enterprise Assets | Active and passive asset discovery, CMDB | Network 04, Cloud 01 |
| CIS 2 | Inventory and Control of Software Assets | Software inventory, allowlisting, removal of unauthorized software | Network 02, Network 12, Cloud 05 |
| CIS 3 | Data Protection | Classification, encryption, DLP, data-level access control | Network 07, Cloud 13, Web 13, Network 05 |
| CIS 4 | Secure Configuration of Enterprise Assets and Software | Hardening baselines, CIS Benchmarks, configuration drift detection | Reference 05, Network 11, Network 12, Network 14 |
| CIS 5 | Account Management | Account lifecycle, disabled accounts, minimal privileges | Network 04, Web 10, Cloud 02, Cloud 03, Cloud 04, Network 03 |
| CIS 6 | Access Control Management | RBAC, least privilege, access reviews, privileged access | Web 10, Web 14, Web 16, Network 03, Network 04 |
| CIS 7 | Continuous Vulnerability Management | Vulnerability scanning, patch prioritization, remediation tracking | Reference 01, Reference 02, Network 03 |
| CIS 8 | Audit Log Management | Central log management, log retention, tamper-proof storage, SIEM | Cloud 10, Network 02, Network 09 |
| CIS 9 | Email and Web Browser Protections | Email filtering, browser hardening, URL filtering, anti-phishing | Network 01, Network 13, Web 11, Web 09 |
| CIS 10 | Malware Defenses | Anti-malware, EDR, script execution control, sandboxing | Network 02, Network 12 |
| CIS 11 | Data Recovery | Backup strategy, offline backups, restore tests, DR planning | Network 09, Cloud 09 |
| CIS 12 | Network Infrastructure Management | Firewall management, network segmentation, secure network architecture | Network 15, Network 10, Network 06 |
| CIS 13 | Network Monitoring and Defense | IDS/IPS, network traffic analysis, egress filtering, DNS monitoring | Network 02, Network 10, Network 15, Cloud 10 |
| CIS 14 | Security Awareness and Skills Training | Phishing awareness, secure coding training, role-based training | Network 01 |
| CIS 15 | Service Provider Management | Supplier assessment, cloud security review, SLA monitoring | Cloud 01, Cloud 02, Cloud 03, Cloud 04, Cloud 06 |
| CIS 16 | Application Software Security | Secure SDLC, SAST/DAST, dependency scanning, WAF | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 06, Cloud 12, Network 14 |
| CIS 17 | Incident Response Management | IR plan, runbooks, tabletop exercises, lessons learned | Reference 03 |
| CIS 18 | Penetration Testing | Internal and external pentests, red teaming, remediation verification | Reference 01 |
Cross-reference: Framework Overlap
The table below shows which NIS2 obligations directly correspond with controls from other frameworks. Use this table to demonstrate that a single measure addresses multiple compliance requirements simultaneously.
| NIS2 Obligation | ISO 27001 | CIS v8 | GDPR | BIO |
|---|---|---|---|---|
| Art. 21.2a – Risk management | A.5.7, A.8.8 | CIS 7 | Art. 35 | BIO 12.6.1 |
| Art. 21.2b – Incident handling | A.5.24-A.5.28 | CIS 17 | Art. 33, 34 | BIO 16.1.2 |
| Art. 21.2c – Business continuity | A.5.29, A.5.30, A.8.13 | CIS 11 | Art. 32.1c | BIO 12.3.1 |
| Art. 21.2d – Supply chain | A.5.19-A.5.22 | CIS 15 | Art. 28 | BIO 15.1.1 |
| Art. 21.2e – Development | A.8.25-A.8.31 | CIS 16 | Art. 25 | BIO 14.2.1 |
| Art. 21.2f – Effectiveness assessment | A.8.34 | CIS 18 | Art. 32.1d | BIO 18.2.3 |
| Art. 21.2g – Cyber hygiene | A.6.3 | CIS 14 | – | BIO 7.2.2 |
| Art. 21.2h – Cryptography | A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1 |
| Art. 21.2i – Access control | A.5.15, A.8.2, A.8.3 | CIS 5, 6 | Art. 32.1b | BIO 9.2.3 |
| Art. 21.2j – MFA | A.8.5 | CIS 6 | Art. 32.1b | BIO 9.4.2 |
Summary
The overlap between these frameworks is significant. An organization that systematically works through the Securitymaatregelen.nl chapters addresses the vast majority of NIS2, GDPR, ISO 27001, BIO, and CIS Controls simultaneously. The tables in this chapter provide the traceability that auditors expect.
The most important gaps are not in the technology but in governance: policy documentation, risk analyses, management review, and formal incident response procedures. These fall outside the scope of this handbook but are required for certification and compliance audits. Specifically:
- ISO 27001 certification requires a formal ISMS (Information Security Management System) with policy documents, risk register, Statement of Applicability, and internal audits.
- NIS2 compliance requires demonstrable executive oversight, a formal incident response process, and periodic effectiveness assessments.
- GDPR compliance requires a processing register, DPIAs for high-risk processing, and a Data Protection Officer for certain organizations.
Practical advice: use the mapping in this chapter to show auditors which technical measures you have taken and where they are documented. Combine this with Reference 06 (Compliance Mapping Matrix) for a complete overview per chapter.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Incident Response — when things go wrong
- Compliance — following rules without losing your mind
- Least Privilege — give people only what they need
- Patch management — the most boring thing that can save your life
- Backups — the most boring topic that can save your life
You need an account to access the knowledge base. Log in or register.
Related security measures
These articles provide additional context and depth:
