
From ABDO to ABRO: Why January 2026 Marks a Turning Point for Government Suppliers

January 2026

The introduction of ABRO 2026

On November 21, 2025, the Council of Ministers approved a measure that will affect many Dutch companies in the coming years: the introduction of ABRO 2026.¹ For suppliers working with sensitive government information, something fundamental is changing. From January 1, 2026, uniform requirements apply to every contract that affects national security, regardless of whether it comes from a ministry, agency, or the police.²

The timing is no coincidence. Espionage by state actors, sabotage operations in Europe, and cyberattacks on critical infrastructure mean the cabinet can no longer wait.³ But here's the real risk: companies that are not ABRO-compliant will simply not be invited to tenders. In other words: no certificate, no conversation, no chance to prove yourself. For organizations that are (partially) dependent on government contracts, this is a strategic problem.

One System, One Supervisor

The shift from ABDO to ABRO reflects a broader recognition: national security doesn't stop at the gates of Defense. Other government organizations also work daily with information, systems, and infrastructure of strategic importance.

ABRO 2026 is a further development of ABDO 2019, but with crucial adjustments.⁴ The scope has been expanded to the entire national government and police. Security requirements have been established based on current legislation, technological developments, and the current threat landscape. An extensive chapter has been added specifically for cloud security. Moreover, there is now one central supervisor: the National Bureau for Industrial Security (NBIV), a collaboration between AIVD and MIVD.⁵

The implementation is phased. In 2026 and 2027, the core ministries, their services, agencies, and the police will start. For existing Defense contracts under ABDO, the old requirements remain in effect for the duration of the contract.⁶ The cabinet has announced that autonomous administrative bodies, provinces, municipalities, water boards, and vital sectors will follow in later phases.⁷

What We're Already Seeing

In our practice, we regularly guide scale-ups and technology companies entering the defense or government market for the first time. The pattern is recognizable: enthusiasm about a promising tender, followed by the discovery that compliance processes take months and cost tens of thousands of euros. Costs that were almost never included in the original business case.

One concrete example: a technology company submitted a project proposal worth over one million euros without accounting for compliance investments. Had no one warned them, this project would have become loss-making before the first deliverable. This is not an exception. It's what happens when organizations approach the government market as if it were a regular B2B client.

With ABRO, this risk only increases. The requirements are stricter, the scope broader, and the NBIV will scrutinize more critically than many companies are accustomed to. Those who think compliance is something for the procurement department underestimate what's at stake.

What Does This Mean for Your Organization?

For companies already working under ABDO legislation, ABRO offers both continuity and new obligations. The familiar division into four categories of Interests to Be Protected (TBB 1 through 4) remains, but the concrete requirements per level have been tightened.⁸ Organizations have two years to fully comply with the new standard.⁹ That sounds comfortable, but the reality is that a thorough ABRO process, including threat analysis, security framework, and implementation, easily takes six to twelve months. Those wanting to compete for an ABRO tender in Q3 2026 must start now.

For companies not yet covered by ABDO but with ambitions toward government contracts, the message is even more urgent: without preparation, you'll be sidelined. The NBIV assesses whether a contractor meets the requirements before an ABRO Certificate is issued. Without that certificate, no contract.¹⁰

The impact extends beyond direct suppliers. Sub-suppliers and subcontractors in the chain may also face ABRO requirements. Supply chain transparency thus becomes not just a nice-to-have, but a hard condition. One weak link in the chain can jeopardize an ABRO certificate.

Three Steps That Make the Difference

The difference between companies that smoothly navigate the transition and companies that miss opportunities lies in preparation. Three steps are crucial.

First: map out which Interests to Be Protected are relevant within the organization. This inventory determines which security measures are proportionate and prevents you from investing in measures that aren't necessary or fall short where it matters.

Second: conduct a threat analysis that specifically examines the risks the organization faces due to involvement in the government chain. State actors increasingly target suppliers as gateways to sensitive information. This is not a theoretical risk: we see in practice that companies become targets as soon as their name appears in a defense-related context.

Third: develop a Security Risk Framework that translates identified risks into concrete ABRO-compliant measures.

The problem with figuring it out yourself: the ABRO documentation is extensive, interpretation requires experience, and the NBIV is strict. Those who discover halfway through the process that their chosen approach doesn't align with what the NBIV expects start over, with all the delays and costs that entails.

Using the Transition as a Competitive Advantage

Proximities guides organizations through this entire process, from initial inventory to obtaining an ABRO Certificate. We have extensive experience with ABDO processes and direct knowledge of the working methods of MIVD and AIVD. That's why we know not only which steps are necessary, but also which pitfalls organizations consistently overlook. That coordinating role, from "we want to do business with the government" to "we are compliant," is precisely where we make the difference.

January 2026 is approaching. Companies that start preparing now can use the transition as a competitive advantage: they'll be ready when competitors are still struggling with their first NBIV conversation. Companies that wait risk not only missed tenders but also reputational damage when it becomes clear they cannot meet the requirements.

Sources

¹ Rijksoverheid.nl, ‘Nieuwe beveiligingseisen voor overheidsopdrachten met risico's voor de nationale veiligheid’, 28 november 2025.

² Staatscourant 2025, nr. 39538, Kaderbesluit ABRO Rijksdienst, 3 december 2025.

³ AIVD.nl, ‘Nieuwe vereisten voor nationale veiligheid bij overheidsopdrachten’, 28 november 2025.

⁴ Staatscourant 2025, nr. 42214, ABRO-voorschrift.

⁵ Rijksoverheid.nl/ABRO.

⁶ Staatscourant 2025, nr. 42214.

⁷ Rijksoverheid.nl, ‘Beveiligingseisen bij overheidsopdrachten (ABRO)’.

⁸ ABRO 2026 voorschrift, artikel Te Beschermen Belangen.

⁹ Kaderbesluit ABRO Rijksdienst, artikel 12.

¹⁰ Rijksoverheid.nl/ABRO, Q&A ABRO.
