What is BBN (BIO Security Levels)?
BBN stands for Beveiligingsniveaus BIO (BIO Security Levels), part of the BIO (Baseline Informatiebeveiliging Overheid — Dutch government information security baseline). The BBN model helps government organisations determine how stringent security measures must be, depending on the impact of an incident on the availability, integrity and confidentiality of information.
🔢 The three BBN levels
The BIO distinguishes three security levels, based on risk and impact:
| BBN level | Description | Examples |
|---|---|---|
| BBN1 – Basic | Low risk, limited damage from an incident | Public websites, non-sensitive information |
| BBN2 – Substantial | Medium risk, serious damage possible | Personal data, financial data |
| BBN3 – Critical | High risk, severe societal or legal damage | Security services, critical infrastructure |
🧠 How do you determine the right BBN level?
The choice of BBN level depends on a risk analysis and is usually based on:
- Legal requirements (such as the AVG or Wpg)
- Consequences of data loss or system failure
- Importance of the information to the organisation or to society
The BIO links each BBN level to a specific set of measures, calibrated to the level of protection required.
🔐 Example application
Suppose you work at a municipality:
- An internal news article = BBN1
- A citizen portal with DigiD access = BBN2
- A crisis management system for disaster response = BBN3
🔎 Many government organisations determine the BBN level per system, process or information type.
🔄 Relationship to other frameworks
| Standard / framework | Relationship to BBN |
|---|---|
| BIO | BBN is part of the BIO risk-driven approach |
| ISO 27001 | Provides an ISMS framework but does not itself define a BBN structure |
| CSIR | Applies BBN to industrial objects (e.g. locks, pumping stations) in combination with IEC 62443 |
📌 In summary
BBN is the classification model within the BIO that government bodies use to determine the security level required for their systems and data. It supports risk-driven, proportionate security measures based on impact and context.