Our advice is informed by decades of experience working alongside the leading industry players in energy, life sciences, technology, financial services, private capital and more.
If you plan to bid for a Dutch Ministry of Defense (MoD) contract, the General Security Requirements for Defense Contracts (Algemene Beveiligingseisen voor Defensieopdrachten 2019; ABDO 2019) is not boilerplate. It is a binding, risk‑based security regime governing how your organization protects information, material, facilities, people, and digital systems throughout an MoD engagement and sets out practical steps you may take to prepare yourself for ABDO 2019 compliance.
This blog gives a brief overview of what ABDO 2019 entails, highlights the key requirements (organizational, personnel, physical, and cyber security), explains the screening and authorization process.
This blog intends to present an introductory overview to companies and bid teams of the relevant requirements, helping them assess readiness early and structure preparations for inspection by the Dutch Defense Intelligence and Security Service’s Industrial Security Office (DISS/ISO).
What ABDO 2019 covers and why it matters
ABDO 2019 sets the general security requirements contractors must meet to safeguard Interests to be Protected (IBP), e.g. sensitive information, material, goods, and buildings related to defense work.
IBPs are categorized from IBP 1 (most stringent) to IBP 4, and, where applicable, marked with national classification levels (NLD TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED). Measures scale with IBP category and classification.
When a contract requires a contractor to receive or generate an IBP, it becomes a ‘Special Contract’, triggering strict security obligations. The contractor must apply the ABDO 2019 security measures to the IBP’s production, handling, processing, storage, and destruction. ABDO obligations also apply to any subcontractors or suppliers who access, process, store, or generate IBP.
Non‑compliance is a breach of contract and can lead to suspension or withdrawal of authorization, contract termination, withdrawal of personnel clearances, and possible criminal exposure where State interests are compromised. It may also constitute a ground for exclusion in in future tenders.
Key ABDO 2019 Requirements
ABDO requirements include the following key requirements.
Security plan: Security starts at the top. Your highest executive body must endorse a comprehensive security policy and a contract‑specific security plan approved by DISS/ISO. You should run periodic self‑inspections, and notify DISS/ISO of material changes. The plan converts ABDO requirements into procedures across organizational, personnel, physical, and cyber domains and is annually validated through self‑inspection. Material security policy changes require approval.
Security and Cyber Officers: You must appoint a qualified Security Officer (SO) and a Cyber Security Officer (Cyber SO). The SO and a Cyber SO, which must be Dutch nationals, employed by your company, screened to the highest classification in scope, with direct and independent access to your board. They lead implementation, training, incident reporting, subcontractor authorizations, registers, and change management, and liaise with DISS/ISO. The Cyber SO oversees cyber activities and security, strict requirements apply to e.g. mobile devices and teleworking, handling digital information, access rights, password management and authentication, network security and suppliers.
Personnel security: Only people with a valid Certificate of No Objection (CNO) or Certificate of Good Conduct (CGC) may access classified IBP. These persons must be designated in a List of Confidential Positions.
Security awareness program: You must implement a measurable awareness program. This program should include duty‑of‑secrecy acknowledgements, periodic training, and briefings for high‑risk travel. Public communications, social media, and imagery are restricted and require approval.
Physical security: A layered OCER approach (Organizational, Constructional, Electronic, Response) is required for access, management, intrusion detection, storage, transport, and response, calibrated to IBP level.
Supply‑chain control: You must ensure that subcontractors comply with ABDO requirements or foreign equivalents. The outsourcing of any activity that touches IBP (domestic or foreign) requires prior DISS/ISO permission. Companies must centralize IBP work where possible.
Incident readiness: You must maintain an incident response procedure, log access and examination of IBP for prescribed periods, classify and report incidents to DISS/ISO on tight timelines, protect evidence, implement lessons learned and enforce a “Clear desk/clear screen”. The security plan may need to be amended after incidents or threat changes.
Record‑keeping: You must maintain log access and examination of the IBP, preserve incident records, and maintain registers for visitors and of the Confidential Positions Lists.
Change of control notifications: You must notify DISS/ISO without delay of proposed changes in ownership, shareholding, control, executive appointments (notably non‑Dutch nationals), structure, locations, mergers, divestments, strategic partnerships, and business activities. DISS/ISO can suspend or withdraw authorization if risks cannot be mitigated. Notification must occur pre-closing. Authorization from DISS/ISO applies in addition to possible investment screening notifications.
The Screening and Authorization Process
ABDO authorization is granted per contract, not as a general facility licence. It is a condition for receiving IBP at any stage. Three phases can be distinguished: orientation, negotiation/quote and award and execution.
Orientation: In the orientation stage, MoD decides whether a contract is classified, sets the IBP category/classification, and indicates the applicable ABDO level.
Negotiation/quote: If bidders must access IBP to prepare an offer, DISS/ISO can issue conditional authorization following inspection. If IBP is needed on company premises, DISS/ISO assesses your security organization, physical measures, and digital controls. When IBP is viewed only on a MoD site, conditional authorization may rely on CGCs, CNOs and/or NDAs.
Award and execution: Before awarding a contract involving IBP to a contractor, DISS/ISO conducts a full inspection and if approved issues a Security Clearance to a selected contractor, and security clearances to the relevant personnel.
For foreign appointments, a so-called Facility Security Clearance Certificate issued by a foreign authority may be used to attest capability up to a level. DISS/ISO permissions and coordination with the relevant foreign authority are required for FSCs.
Oversight continues throughout execution of the contract. This may include advisory visits, inspections, audits, and incident investigations. Upon the end of the contract, the relevant authorizations lapse and the IBP should be returned or destroyed.
Practical Preparations
In order to prepare yourself for ABDO 2019 compliance, there are various steps you may take. Some of these steps may be wise to implement irrespective of whether you intend to bid for MoD contracts that are subject to ABDO 2019.
Security and awareness: Implement a comprehensive security plan using the DISS/ISO template, run awareness training, schedule annual self-inspections, rehearse incident handling and update the security plan with lessons learned.
Gap‑assessment: Based on the expected IBP-level of the Special Contract, use the Chapters 1-4, Appendix 5 and Appendix 7 of ABDO 2019 to identify potential gaps between your organization and the ABDO 2019.
SO and Cyber SO and Personnel Security: Nominate the SO and Cyber SO. Identify roles that may require CNOs/CGCs.
Strengthen physical security: Implement layered measures, including the formalization of visitor and transport processes to meet ABDO standards.
Modernize cyber security: Secure information systems that may handle IBP. Including the application of access control, strengthened authentication, logging, patching, backups, and DISS/ISO‑approved cryptography.
Secure the supply chain: Prepare envisaged subcontractors and service providers and embed ABDO terms and obtain permissions for domestic and foreign outsourcing in accordance with Appendix 8 of ABDO 2019.
Closing remarks
ABDO 2019 is not merely a checklist, but a broad operating model for safeguarding State interests across complex supply chains. Organizations that invest early in governance, personnel vetting, layered physical controls, and robust cyber security reduce operational risk, shorten authorization timelines, build trust with the MoD and significantly increase their chances to be awarded with the winning bid in calls for tenders. If defense opportunities are on your horizon, then consider ABDO 2019 readiness and compliance before a tender opportunity arises.
