Security requirements for government contracts (ABRO)
Are you an entrepreneur and do you carry out assignments for the central government or the police in the Netherlands? And does your assignment pose risks to national security, such as cyberattacks, data breaches, espionage, or sabotage? If so, additional security requirements apply.
These are the General Security Requirements for Central Government Contracts (Algemene beveiligingseisen voor Rijksoverheidsopdrachten, ABRO). You may only start the assignment once you have met the ABRO requirements and received a positive ABRO declaration from the National Industrial Security Agency (Nationaal Bureau Industrieveiligheid, NBIV).
When do the security requirements apply?
The ABRO requirements apply if you carry out an assignment that poses risks to national security. Your client (the central government or the police) must first determine whether there are any potential risks.
Examples of risks to national security:
- Your client shares sensitive information with you, such as state secrets, confidential documents, personal data, or travel details of employees.
- You work at a special location such as a data centre or a security operations centre. This applies, for example, to IT suppliers, cleaners, or painters.
- You work on computer systems that process sensitive information. For example, if you supply software or IT services.
- You work in or on special buildings, such as a detention centre, airport, or weapons storage facility.
Which businesses are subject to the security requirements?
Businesses that may be subject to the ABRO requirements in the case of a government contract include, for example:
- ICT companies (cloud providers, software developers, suppliers of ICT equipment, telecoms providers)
- service providers (cleaners, painters, security firms, audit firms, consultancy firms, transport companies, travel agencies, training centres, translation agencies, catering companies)
- construction contractors (architectural firms, construction companies, technical installation firms)
- companies working with radar, crypto, weapon systems, personal data, data centres, and communication equipment
What are the security requirements for a government contract?
If there is a risk to national security, your client will determine the security level for your contract and which security requirements apply. The higher the security level, the stricter the security requirements. The security requirements cover:
- Management and organisation: These security requirements apply at all times. For example, you must provide an overview of the company structure and the individuals with influence within the company. The requirements for management and organisation are set out in Chapter 1 of the ABRO (in Dutch).
- Staff: These security requirements apply at all times. For example, your staff must hold a Certificate of no objection (Verklaring van geen bezwaar, VGB) or a Certificate of conduct (Verklaring omtrent het gedrag, VOG). Staff are subject to a duty of confidentiality or must undergo training. The requirements for staff are set out in Chapter 2 of the ABRO (in Dutch).
- Physical security: These security requirements depend on the assignment and the location, and relate, for example, to access and the security of buildings and transport. The requirements for physical security are set out in Chapter 3 of the ABRO (in Dutch).
- Cyber security: These security requirements depend on the assignment and the location, and relate to the security of ICT assets and data security. The requirements for cyber security are set out in Chapter 4 of the ABRO (in Dutch).
- Cloud solutions: These security requirements depend on the assignment and the location, and relate to the security of information (for example, key management and exit strategy). The requirements for cloud solutions are set out in Chapter 5 of the ABRO (in Dutch).
The National Industrial Security Agency (NBIV) inspects whether your company meets the ABRO requirements. If it does, you will receive a positive ABRO declaration from the NBIV and you can start the assignment. Compliance with the security requirements will also be monitored throughout the duration of the assignment.