Last updated: April 16, 2026
Data classification is the systematic labelling of files, emails and documents based on sensitivity, so your security systems know what they are protecting. Without a label your DLP works on regex and location. With a label every downstream system knows which policy applies, from access control to encryption to outbound traffic. That is the difference between guessing and governing.
What it does. Classification gives every file and every email a machine-readable label at the moment of creation or through content discovery. That label travels with the file as metadata and is read by DLP, CASB, MFT, encryption and SIEM.
The Fortra chain. Four products form one line of defence: Titus for classification at creation in Outlook, Office and SAP GUI, Boldon James for discovery and automatic classification of existing data, Clearswift for deep content inspection on email and web, and Vera for persistent rights management on documents that leave your organisation.
Regulatory base. GDPR Article 5(2), NIS2 Article 21, ISO 27001 Annex A 8.2, BIO, DORA Article 6. Five frameworks, one shared technical foundation.
How you start. A 30-day POC on your own production data, not on a demo tenant. Concrete figures on adoption, DLP impact and schema fit within a month. A full rollout in 4 to 6 months after that.
Classification is the act of giving every file, every email and every document a sensitivity label. Four levels are typical: public, internal, confidential, secret. The label is not pasted as text in the document, it is stored as metadata in the file format itself. A custom property in OOXML for Office, an X-header on SMTP, an attribute on SAP transaction records. The location is standardised, which is why every downstream tool reads the field without a bespoke connector.
The label itself is semantically empty until you tie it to policy. A label tells a DLP that this file is confidential; the DLP rule then decides whether that means no USB, no external mail, or encryption at rest. Classification is therefore the semantic layer underneath technical enforcement. No marketing language, just machine-readable labels that every downstream control in your stack can interpret.
The gain sits on three axes: consistency, because one schema applies across the whole organisation; auditability, because every classification action sits in a log a regulator can inspect; and interoperability, because every modern security tool understands the same metadata fields.
Primary audience: CISOs, security leads, compliance officers and enterprise architects at Dutch organisations between 500 and 10,000 FTE. They run a Microsoft 365 tenant, they have a DLP in production, and they face a regulatory context that demands evidence. In the Netherlands that context is rarely one law, it is a stack: GDPR on top of ISO 27001 on top of NIS2 for essential and important entities, with BIO for public-sector bodies and DORA for financial entities.
The trigger looks different per sector. Financial firms under DORA have had to classify ICT assets and data explicitly since 17 January 2025. Healthcare organisations process special categories of personal data and must be able to satisfy the GDPR accountability duty toward the Dutch Data Protection Authority. Public sector and executive agencies fall under the BIO and ENSIA audit. Industrial organisations protect intellectual property against targeted exfiltration. In all four cases the underlying question is the same: prove what you hold and prove how you protect it.
Less suitable for organisations under 100 FTE without a dedicated security function, for environments without an existing DLP (no enforcement layer means labels without technical effect), and for work processes that run entirely in personal chat and cloud tools outside IT control. The creator-driven flow does not work there. In those cases discovery is the first step and classification at creation the second.
Classification sits in three places inside your infrastructure: at creation, at rest, and in transit. At creation Titus adds a label bar to Outlook, Word, Excel, PowerPoint and SAP GUI. The user picks the label, an ML suggestion helps, the label lands as metadata in the file. At rest Boldon James scans your file shares, SharePoint sites, OneDrive and endpoints for unlabeled files, recognises 300+ data types and labels automatically. In transit Clearswift reads the labels on outbound email and web traffic and applies content inspection based on what is actually in the message.
Downstream, standard security tooling acts on the same fields. Microsoft Purview, Digital Guardian, Forcepoint, Symantec DLP, Netskope and Zscaler read metadata and filter on label. Microsoft Sentinel and Splunk ingest the classification audit log into the SIEM and produce workbooks for anomalies and trends. GoAnywhere MFT routes file exchange based on the label inside the file. Vera adds an encryption layer on top of the document that also works outside your network and lets you revoke access at any moment, regardless of where the file has travelled.
The policy server and audit log run on-premises or in a Dutch data centre, depending on data sovereignty requirements. Schema definitions, ML models and logs stay inside the jurisdiction that your GDPR legal basis demands.
Three concrete trigger events recur in Dutch projects. After a data breach where the Dutch Data Protection Authority opens a file and you have to prove which categories of data were affected. In the run-up to a NIS2 audit, where Article 21 mandates risk-management measures and Article 23 imposes a 24-hour reporting duty. During an ISO 27001 certification or surveillance audit, where Annex A 8.2 (information classification) and A 8.3 (labelling of information) are explicit controls a certified auditor tests.
Triggers outside direct regulation also apply. You see the DLP false-positive ratio climbing while real leaks slip through. You notice your Microsoft Purview rollout has stalled on the enforcement side because there is no solid label discipline at the creation side. A supervisor asks which files contain personal data and you can only answer with a full rescan instead of a query on labels. A merger or divestment forces data separation that is not provable without labels.
Sector-specific: DORA implementation at banks, insurers, investment firms and ICT third parties. BIO assessment by ENSIA at public-sector bodies. Periodic TISAX assessments across the automotive supply chain. The Dutch National Cyber Security Centre and ENISA both name classification as the foundation under modern information security.
Fair question. A DLP can operate in three modes: pattern matching on content, rules on location, or filters on metadata. The first two are the alternatives to classification. Both fall over on unstructured data.
Pattern matching (regex on BSN, IBAN, credit card numbers) works for structured data in databases. It fails on unstructured data where the same numbers appear in context: an internal memo with one example BSN triggers the same alert as an export of ten thousand records. The result is a sea of false positives, and security teams widen the rules until the DLP effectively catches nothing. Classification solves this by anchoring context at the source.
Location policy (everything on this drive is sensitive) works as long as nobody moves anything. In practice that is exactly what happens: staff copy to OneDrive, to a shared drive, to a USB for a meeting. The moment the file moves, the protection disappears. Labels travel as metadata, so the protection follows the file regardless of location.
Full-disk encryption stops unauthorised access but not authorised exfiltration: the employee with legitimate access still shares the content. Vera adds a layer here by revoking rights at document level, even after the document has left your organisation. But even that only works if you know which documents need that layer, and you only know that through classification.
The editorial line on data classification is published by Neo Security based on implementations at Dutch organisations under NIS2, ISO 27001, BIO, GDPR and DORA.
Four products, one line of defence. Each link does one thing well and hands the label to the next.
Creator-driven classification in Outlook, Word, Excel, PowerPoint and SAP GUI. ML suggestions, centrally managed schema, labels as OOXML metadata.
2. DiscoverDiscovery and automatic classification of existing data on file shares, SharePoint and endpoints. 300+ data types, shared schema with Titus.
3. InspectDeep content inspection on email and web traffic. Reads the label, analyses the attachment, applies real-time content rules without hard blocking.
4. LockPersistent encryption and rights management. The document stays encrypted after sending, access can be revoked at any moment.
Five frameworks require you to know which data you process and how sensitive it is. Classification makes that demonstrable.
Data classification is the systematic labelling of files, emails and documents based on sensitivity. Every piece of data gets a machine-readable label, such as public, internal, confidential or secret, stored as metadata in the file itself. Your DLP, encryption and access control read that label and apply the correct policy automatically. Without a label, those systems operate on guesswork.
GDPR Article 5(2) (the accountability principle) requires organisations to demonstrate which personal data they process and how they protect it. Classification is the most systematic way to meet that obligation. Equivalent requirements sit in NIS2 Article 21, ISO 27001 Annex A 8.2, the Dutch BIO classification duty and DORA Article 6. Classification is not a standalone choice, it is the technical base under multiple frameworks at once.
Both are enterprise classification platforms from Fortra. Titus focuses on classification at creation: a user picks a label in Outlook, Word, Excel, PowerPoint or SAP GUI, supported by ML suggestions. Boldon James focuses on discovery: it scans existing data on file shares, SharePoint and endpoints, recognises 300+ data types and labels unlabeled files automatically. Titus covers new production, Boldon James clears the historical backlog.
A Proof of Concept takes 30 days and runs on your own production data. After the POC you have concrete figures on adoption, label consistency and DLP impact. A full enterprise rollout takes 4 to 6 months, depending on the number of platforms, the complexity of your schema and the integrations you want with DLP, MFT and SIEM. Pilot groups of 50 to 200 users are live within two weeks.
Yes. Labels are stored as metadata inside the file itself, not in an external database. Any DLP that can read metadata (Microsoft Purview, Digital Guardian, Symantec DLP, Forcepoint, Netskope) filters on those labels. Titus plus DLP operates on real classification instead of regex, which cuts false positives sharply and keeps DLP policy sets manageable for the security team.
Fortra licenses per user per year for Titus and Boldon James, per mailbox or per gateway for Clearswift and per protected file for Vera. Concrete Dutch pricing depends on volume and support tier and is quoted by your Fortra partner after a short intake. The POC is free of charge for qualifying organisations and produces a substantiated 3-year TCO within 30 days.
In the Netherlands implementation runs through Neo Security as the technical delivery party with Dutch-speaking engineers. Schema design, policy server installation, DLP integration, SIEM onboarding and user training sit inside scope. License contracting runs through the Fortra partner structure. First-line support and incident handling are delivered by the same team that ran the implementation, so there is no handover between project team and operations.
A 60-minute technical intake, not a sales call. We map your current DLP stack, regulatory scope, data storage and user counts. Within two working days afterwards you have an architecture sketch with a proposed POC approach on your own production data. The 30-day POC produces the concrete numbers you need internally for budgeting and steering committee sign-off.
Further reading: why data classification, solutions overview, about the implementers, contact.