Last updated: April 16, 2026
Titus Data Classification Suite is an enterprise classification tool by Fortra that lets users of Outlook, Word, Excel, PowerPoint and SAP GUI apply labels to email and documents at creation. Each label travels along as metadata and is read by DLP, CASB and MFT. Primarily for CISOs and security leads at Dutch organisations with 1,000 to 10,000 FTE under NIS2, ISO 27001, BIO or DORA. Creator-driven, not discovery-driven.
What: a plug-in in Outlook, Office and SAP GUI that lets the user pick a sensitivity label when sending or saving, with an ML-assisted suggestion.
Who for: organisations with 1,000 to 10,000 FTE under NIS2 article 21, ISO 27001 Annex A 8.2/8.3, BIO classification or DORA article 6.
Where: on the workstation of every knowledge worker who produces documents or email. Labels in OOXML metadata and SMTP headers, readable by Microsoft Purview, Digital Guardian, Forcepoint, Netskope and Clearswift.
When: after a data breach, ahead of a NIS2 audit, during ISO (re)certification, at an M&A moment, or when implementing DORA.
Cost indication: per user per year. Concrete figures depend on volume and support tier and are issued by Korper ICT.
Lead time: 30-day POC, then 3 to 6 months for the full rollout.
Titus is a desktop and server product that lets knowledge workers apply a label to every document and every email they create. The category is called creator-driven classification. An ML model looks at the content, the recipients and the context, and proposes a label. The user accepts the suggestion, adjusts it, or escalates to a stricter level. The chosen label is written into the file as metadata: a custom property in OOXML for Office documents, and an X-header or visible footer block for email.
The product line was built by Titus Inc. in Ottawa, acquired by HelpSystems in 2019, and now sits inside Fortra. In the Netherlands Titus is delivered and supported as part of the Fortra portfolio. Licensing runs through Korper ICT; implementation and configuration run through Neo Security.
The product delivers three things that loose scripts or basic Office macros do not. First, a centrally managed classification schema that users cannot bypass and that is rolled out via group policy. Second, machine-readable labels in a stable metadata format that every downstream DLP understands. Third, an audit log of every classification action, including the gap between ML suggestion and final user choice, readable by Splunk, Sentinel and any other SIEM.
Titus is not a DLP. It does not block outbound traffic and it does not encrypt files. It produces the label on which your DLP, CASB and MFT act. That makes Titus the front stage of a chain that continues with Boldon James for discovery, Clearswift for gateway inspection, and Vera for persistent rights management.
Primary audience: CISOs, security leads and enterprise architects at Dutch organisations with 1,000 to 10,000 FTE. Those organisations usually have a Microsoft 365 tenant, an existing DLP in production, and a compliance programme governed by NIS2, ISO 27001, BIO or DORA. They face the question of how to demonstrably show the difference between public and confidential the moment the Autoriteit Persoonsgegevens or an ISO auditor asks.
Secondary audience: compliance officers and data protection officers at semi-public bodies (healthcare, municipalities, executive agencies) that need to prove BIO, ENSIA and GDPR accountability at once. For them, Titus is the enforcement layer on the classification duty written into the BIO: departmental confidential and state secret are no longer just organisational agreements, they become machine-readable values on every document.
Titus fits three types of organisations less well. Small SMEs under 100 FTE face administrative overhead that outweighs the return. Organisations that do not yet run a DLP in production lack the enforcement layer, so the labels have no technical effect. Organisations with fully unstructured work flows where documents mostly circulate via ad-hoc tools (chat, external shares, personal clouds) offer a user experience too fragmented to anchor a creator-driven model. In those cases a different order makes sense: first discovery via Boldon James, then Titus on the creation side.
Sectors where Titus shows up most in the Netherlands: financial services under DORA, healthcare institutions handling special categories of personal data, central government and executive agencies under the BIO, industrial organisations with intellectual property, and semi-public bodies with an ENSIA accountability duty. The common thread: they produce confidential information in Office and must demonstrably capture that sensitivity at creation.
Titus runs on the knowledge worker's workstation and on a central policy server. The workstation plug-in appears as a ribbon button in Outlook, Word, Excel and PowerPoint, with a visible label bar at the top of the document. For SAP users a separate GUI plug-in imposes labels on transaction data before and at export. For files outside Office there is the Titus Desktop Classifier, operated through a right-click menu in Windows Explorer. Mobile users label via Outlook for iOS and Android, with a reduced attribute set via the mobile client.
The policy server runs on Windows Server with SQL Server as backend. Schema definitions, ML models and audit logs are managed centrally. Distribution to workstations runs through Microsoft Endpoint Manager, SCCM, or a comparable MDM solution. A high-availability setup consists of two policy servers behind a load balancer, geographically separated, sharing a SQL AlwaysOn cluster.
Integration points Neo Security configures most often in Dutch environments: Microsoft Purview for label synchronisation and enforcement, Digital Guardian or Forcepoint as DLP with policy triggers on Titus labels, Splunk or Microsoft Sentinel for audit log ingestion, Active Directory for identity context in the ML suggestions, and GoAnywhere MFT for regulated file exchange where the label decides which route a file takes. At email gateway level, Clearswift MIMEsweeper reads the label and applies content rules that without that label would never fire.
The platform reads and writes standard metadata fields: custom properties in OOXML, X-TITUS-Metadata headers in SMTP, and a footer block with visible classification at the bottom of every outbound email. That visibility is not a cosmetic choice. ISO 27001 Annex A 8.3 explicitly requires that classification is visible and machine-readable for the recipient. Without a visible marking, a certification audit does not pass.
Concrete trigger events. After a data breach where the Autoriteit Persoonsgegevens asks for a report: you must be able to show after the fact which categories of data were hit and which protection measures based on classification were active. Ahead of a NIS2 audit where you have to demonstrate article 21 (risk management measures) and article 23 (notification within 24 hours): without a label on your data, you do not know within 24 hours what exactly has leaked, and the notification to the CSIRT stalls on incompleteness.
During ISO 27001 certification or surveillance audit, where Annex A 8.2 (information classification) and A 8.3 (labelling of information) are explicit controls. During a merger, acquisition or joint venture where data from two organisations must stay together but must not mix, and where the receiving party must be able to show which schema applies to which dataset. During BIO testing by ENSIA for co-governments and executive agencies. During DORA implementation for financial entities, where article 6 has required classification of ICT assets and data explicitly since 17 January 2025.
Organic triggers beyond direct regulation: you see the DLP false positive ratio rising because the rules keep running on regex and location while users learn to move data around. You see complaints from the business that email is blocked incorrectly. You notice your Microsoft Purview rollout has stalled on the enforcement side without solid label discipline on the creation side. You get questions from a regulator about which specific files contain personal data, and you can only answer that question with a full rescan of your file system instead of a query on labels.
Advisories from national and European authorities reinforce the need. The Nationaal Cyber Security Centrum regularly publishes advisories naming classification as part of baseline hygiene. ENISA describes classification as one of seven foundations under NIS2 implementation. Both align with what Annex A 8.2 has been asking for years.
Honest answer first: many Dutch organisations pick Microsoft Purview Information Protection, and for some environments that is the right call. We are not going to make the difference look rosier than it is. Purview is included in the E5 licence you probably already consume, integrates natively with the rest of the Microsoft stack, and requires no separate server infrastructure.
Even so, customers we support pick Titus in specific scenarios. Four reasons recur.
Schema flexibility. Purview works with a hierarchy of sensitivity labels and sub-labels. That is enough for a simple model, but gets tight for schemas with multiple orthogonal attributes: sensitivity, compartment, retention, destination. Titus supports multi-dimensional attributes and free tags per label, which fits BIO classification with compartments and ministry-specific enforcement rules better. No three-dimensional schema rebuilt to fit a two-dimensional tool, just a schema that reflects your actual governance model.
Coverage beyond Microsoft 365. Purview covers Office and Windows well; SAP GUI, desktop files outside Office, and legacy applications it covers poorly or not at all. For organisations with a significant SAP footprint or many non-Office files, Titus is the only serious option that covers Office and SAP with the same schema and the same metadata.
User interface and adoption. Purview labels appear through the built-in Office sensitivity bar, which works technically but often gets dismissed by users. Titus forces the labelling moment explicitly with a modal or a mandatory choice before sending. Adoption is higher, with less downward drift to the lowest label. The trade-off is added friction; that is a deliberate choice.
Co-existence. Titus and Purview are not either/or. The two write to the same metadata fields and can synchronise. A common hybrid: Titus for creation, schema governance and SAP; Purview for encryption, rights management, and the E5 enforcement chain. That pulls the strong sides out of both without locking you into one ecosystem.
Alternatives outside Purview that also come up: Secureworks Classifier, Bluefin Classifier, and open-source variants based on Apache Tika with custom metadata. None of those three has a serviceable vendor structure in the Netherlands with Dutch-speaking engineers and a SAP plug-in. That is why Titus is most common at Dutch enterprise customers outside the pure Microsoft-only line.
The architecture in prose. A Dutch customer with 5,000 FTE runs Titus on two policy servers on Windows Server 2022, geographically split between a data centre in Amsterdam and a fallback in Eindhoven. Behind them sits a SQL Server 2019 AlwaysOn cluster that hosts schema definitions, audit logs and ML training data. The workstation component is rolled out to 5,000 endpoints in waves of 500 via Microsoft Endpoint Manager, with the pilot group running a feedback loop with administrators for the first two weeks to adjust the schema.
The ML suggestions are fed by a locally trained model running on the policy server, not in the cloud. That is an explicit choice by Dutch customers that demand data sovereignty. Model accuracy starts at 70 to 80 percent after one week of training on historical data and grows to 90 to 95 percent after three months of production use, depending on the diversity of document types. The gaps between suggestion and user choice are logged and used for retraining.
Integration with the environment. Labels flow through a synchronisation connector to Microsoft Purview, where the E5 rights management layer applies encryption to confidential and secret. Labels travel as an X-header on outbound mail through Exchange to the email gateway, where Clearswift MIMEsweeper reacts to the label and performs deep content inspection on attachments. Labels flow through the audit log connector to Microsoft Sentinel, where a workbook shows real-time label distribution and deviations to the SOC. For regulated file exchange with external parties, GoAnywhere MFT reads the label and picks a route based on destination.
Failure modes we see in practice. A too-complex schema where users stop navigating after four weeks: an organisation that starts with seven levels and eleven categories ends up flatlining on internal after a month. Remedy: maximum four levels at start, expanding based on production data. A second failure mode is DLP policy that reacts too hard to new labels, breaking legitimate workflows, teaching users to label everything as internal, and causing the business to pull the rollout. Remedy: first monitor mode for 4 to 6 weeks, then phased escalation to blocking. A third failure mode is uneven coverage: Titus runs on Outlook and Office but not on SharePoint or file shares, leaving half the data out of reach. Remedy: combine Titus on the creation side with Boldon James on the discovery side for the existing backlog.
A fourth failure mode deserves separate attention. When the ML model runs in the cloud while the customer requires data sovereignty, a contractual and GDPR risk arises that breaks down at audit. At Dutch customers we run the model locally on the policy server by default; cloud scoring is only introduced after an explicit DPIA and approval.
The lead time of a typical rollout. Weeks 1 to 4: POC on 50 to 200 pilot users, schema fine-tuning, initial integration with DLP in monitor mode. Months 2 to 3: rollout in waves of 500 users, audit log connector to SIEM, Purview synchronisation activated. Months 4 to 6: DLP moves from monitor to enforcement, SAP GUI plug-in for the SAP user group, external MFT integration for regulated file exchange. The next step in the chain after Titus is almost always Boldon James, because for every newly labelled email you have a comparable volume of unlabelled historical data on file shares and SharePoint that needs discovery.
For the underlying question of why this matters at all, see the full regulatory deep dive. For a broader portfolio overview with Boldon James, Clearswift and Vera, see the solutions page. For a first conversation or a POC request, the contact page is the starting point.
Titus places a label bar in the ribbon of Outlook, Word, Excel and PowerPoint. Before you send an email or save a document, Titus asks for a sensitivity label. A machine learning model proposes a suggestion based on content, recipients and context. You accept, adjust or escalate. The chosen label is written into the metadata of the file or message.
Titus supports any hierarchical schema with additional sub-labels and free attributes. Four levels are typical: public, internal, confidential and secret, supplemented with categories such as personal data, financial, or customer data. For Dutch central government a BIO classification with departmental confidential and state secret is common. The schema is managed centrally and rolled out via group policy.
Titus writes labels into the same metadata fields that Purview uses and synchronises with Purview sensitivity labels through a connector or shared schema. You can use Titus on the creation side and Purview on the enforcement side for encryption and access control. Many customers pick that combination to deliver a richer labelling experience without dropping the Purview investment.
Yes. Titus ships with a dedicated SAP GUI plug-in that imposes classification on regulated SAP transaction data, and a desktop classifier for files outside Office. There is support for macOS Office and for Outlook on iOS and Android via the mobile client. The backend is platform-agnostic and reads and writes labels as X-headers on email and as custom properties in OOXML.
Almost certainly yes. Titus labels sit in standard metadata fields read by Microsoft Purview, Digital Guardian, Symantec DLP, Forcepoint, Netskope, Zscaler and Clearswift. During the POC we validate that your specific DLP version interprets the labels correctly and that the policy fires at label level in practice. That is a configuration exercise, not an integration problem.
Three mechanisms work together. First, the ML model proposes a label based on content, so downgrading is an explicit action. Second, Titus logs the gap between suggestion and choice. Third, a DLP rule checks after sending whether the label is consistent with known patterns such as BSN or IBAN. Escalation happens on deviation thresholds, not per individual case.
A 30-day POC on your own production data, followed by a full rollout of 3 to 6 months. Lead time depends on the number of connected platforms, schema complexity and integration with Purview, DLP and MFT. A pilot group of 50 to 200 users runs within two weeks, with concrete adoption figures for the steering committee inside the POC window.
Titus only labels new or edited documents at creation. For the backlog of unlabelled files on file servers, SharePoint and OneDrive, you deploy Boldon James Classifier. It scans, recognises 300+ data types and labels automatically. The two products share the same schema and metadata structure, so a mixed rollout creates no duplicate work for administrators or users.
Regulatory sources: GDPR 2016/679, NIS2 2022/2555, ISO/IEC 27001:2022.