Cornerstone

Why data classification: what regulation requires and what your auditor will ask

Last updated: April 16, 2026

Data classification is the systematic labelling of files, email and documents based on sensitivity, and is required by GDPR articles 5(2) and 32, NIS2 articles 21 and 23, ISO 27001:2022 Annex A 8.2 and A 8.3, the Dutch BIO classification obligation and DORA article 6, for organisations with a processing register, a certification, a critical function or a financial licence, so that your auditor sees demonstrable enforcement instead of a policy document on paper.

Summary for readers in a hurry

GDPR: article 5(2) (accountability), article 30 (record of processing), article 32 (appropriate technical measures), article 33 (notification within 72 hours), article 83(5) (fines up to €20 million or 4% of worldwide annual turnover).

NIS2: article 21 (ten specific risk management topics), article 23 (early warning within 24 hours, formal report within 72 hours), article 32 (supervision and enforcement powers). Applies to essential and important entities.

ISO 27001:2022: Annex A 8.2 (information classification), A 8.3 (labelling), linked to A 8.10 (information deletion) and A 8.12 (data leakage prevention).

BIO: classification obligation (departmentally confidential, state secret confidential, secret and top secret) for central government, municipalities and public bodies, tested through ENSIA. BIO 2.0 is in the pipeline.

DORA: article 6 (ICT risk management framework) with classification obligation for ICT assets and data. In force since 17 January 2025 for financial entities.

The core: without classification your auditor sees a policy document. With classification your auditor sees demonstrable enforcement.

The core

What is the core of the obligation?

No European or Dutch regulation literally prescribes a data classification tool. Every relevant regulation does, however, prescribe that you secure appropriately, control demonstrably and report in time. Appropriate presumes you know sensitivity. Demonstrable presumes that evidence is machine-verifiable. In time presumes that at the moment of an incident you immediately know which data was affected. That triad translates to classification as a verifiable base layer.

The obligation is therefore indirect but inescapable. An organisation without classification leans on manual inventories that are outdated on day one, on policy no one can test, and on DLP rules running on regex instead of meaning. Three forms of evidence that evaporate under pressure from a supervisor.

The chain regulators actually test in 2026: scheme, application, enforcement, reporting. A classification scheme approved by leadership and security governance. Application on production data, visible in metadata of files and email. Enforcement through DLP, MFT, encryption and access control acting at label level. Reporting from SIEM or compliance dashboard that an auditor understands without further explanation. Miss one link and the rest is cosmetic.

Source: ENISA publications on NIS2 implementation

Scope

Who does which regulation apply to?

Dutch organisations in 2026 almost always fall under more than one regime at the same time. GDPR applies to anyone processing personal data. NIS2 adds a further layer for essential and important entities. BIO applies to government and public-sector bodies. DORA applies to financial services. ISO 27001 is not a statutory obligation but is imposed contractually by customers, supply chain partners and insurers.

Regime | Who | Testing moment
GDPR | Anyone processing personal data, public and private, from 1 FTE upward. | DPA supervisory check, DPIA, breach notification.
NIS2 essential | Large entities in energy, transport, banking, health, drinking water, digital infrastructure. | Proactive supervision, annual reporting, incident notification.
NIS2 important | Medium-sized entities in postal services, waste, food, digital providers, research. | Reactive supervision, incident-driven review.
BIO | Central government, municipalities, provinces, water authorities, public bodies and chain partners. | ENSIA self-assessment, internal audit department, horizontal supervision.
DORA | Banks, insurers, payment institutions, investment firms, pension funds, crypto service providers, critical ICT third parties. | ICT risk management framework, TIBER tests, third-party register.
ISO 27001 | Organisations certified or contractually required to be. | Certification audit and annual surveillance audit.

A medium-sized Dutch healthcare provider in 2026 typically falls under GDPR, NIS2 essential and ISO 27001. A municipality falls under GDPR, BIO, ENSIA and, in certain services, NIS2. An insurer falls under GDPR, DORA, NIS2 and ISO 27001. Stacked regimes are the norm, not the exception. Classification is the only control layer that serves all five at once.

Source: wetten.overheid.nl and NCSC advisories

Where

Where in your organisation does classification touch compliance?

Classification is not a standalone tool in a corner of the security stack. It touches every place where data is created, stored, shared or routed out. Six places return every time.

Email. The largest exfiltration channel in almost every organisation. Without a label on outbound email your gateway operates on keywords and attachment extensions. With labels, Clearswift at the gateway reads which categories are leaving and which rules must trigger.

File shares and SharePoint. This is where the historical backlog sits. Terabytes of unlabelled files that compound year after year. Discovery and auto-labelling through Boldon James serve this layer.

SaaS applications. Microsoft 365, Google Workspace, Salesforce, ServiceNow, Workday. Labels carried along via Purview or native fields enable CASB policy based on meaning. Without labels your CASB sees only data traffic.

Endpoints. The laptops and workstations where documents are created. Titus or a comparable creator-driven tool places the labelling moment there, in Outlook and Office, before the file leaves the workstation.

SAP and ERP. Transaction data leaves SAP through exports, reports and integrations. Without classification at SAP level, financial and HR data leaks through legitimate channels at the edges of the system.

Third-party connections. MFT routes to accountants, insurers, vendors, auditors. Classification determines which route is allowed. A confidential file does not belong on a standard HTTPS upload; it belongs on an encrypted MFT route with receipt confirmation. Vera adds persistent rights management on top for data that leaves the organisation.

Source: IBM Cost of a Data Breach Report on the channels through which data leaks.

When

When does this surface?

Classification rarely appears on the boardroom table because someone volunteers to put it there. Six moments when it becomes unavoidable.

Post-incident. After a breach, ransomware attack or accidental external send, the question arises which data was affected. Without classification that becomes a forensic project of weeks. With classification it is a query of minutes.

NIS2 audit. The Dutch implementation of NIS2 through the successor to the Wbni is in force in 2026. Supervisors test against articles 21 and 23. The first question is almost always how you assess risk per asset. Without classification that conversation stalls in the first twenty minutes.

ISO recertification. A recertification every three years, with surveillance audits in between. Annex A 8.2 and A 8.3 are explicit checklist items. Auditors ask for evidence at metadata level, not at policy level.

DPIA. A Data Protection Impact Assessment forces you to map categories of personal data and risks. Without classification the DPIA rests on estimates, which the Dutch DPA immediately treats as weak evidence during a supervisory check.

M&A. In an acquisition or merger the buyer wants to know which data categories transfer. In a joint venture, data must be shared without mingling. Classification is the only mechanism that delivers this machine-readably within the due-diligence window.

BIO check through ENSIA. Dutch municipalities and public bodies complete the ENSIA cycle annually. Classification is an explicit test point. The internal audit department validates it on a sample basis.

DORA readiness audit. Since 17 January 2025 DNB and AFM test DORA implementation. Article 6 is in the first battery of questions. Classification of ICT assets and data is explicitly part of it.

Why

Why classification and not just policy on paper?

Almost every Dutch organisation has an information security policy. Almost every organisation has a classification paragraph in that policy. That is good for the letter, insufficient for the spirit. A policy that is not machine-enforceable is a statement of intent.

Three concrete differences an auditor sees in 2026. First: a policy document states that confidential data is stored encrypted. A classification scheme with metadata shows which files are labelled confidential and which encryption rules act on those labels. Second: a policy describes that personal data is shared only through secure channels. Classification linked to MFT determines per file which route is allowed, and logs deviations. Third: a policy mentions periodic review of data locations. Classification continuously produces the dataset for that review.

No paper policy, just demonstrable enforcement. That is the difference between an audit with findings and an audit with a certificate. The Dutch DPA, DNB, AFM and certification bodies work evidence-based without exception in 2026. Evidence is machine-readable or it does not count.

Regulatory deep-dive

GDPR in detail

The General Data Protection Regulation came into force in May 2018 and remains the heaviest sanction regime on Dutch soil in 2026. Five provisions are relevant for classification.

Article 5(2) (accountability). The controller is responsible for and must be able to demonstrate compliance with the principles of paragraph 1. Being able to demonstrate is not a policy paragraph; it is machine-readable evidence. A classification scheme consistently applied to production data is the only evidence that fulfils the accountability obligation at scale.

Article 30 (records of processing activities). Every controller keeps a record with categories of personal data, purposes, recipients and retention periods. Without classification that record leans on periodic interviews with departments. That information is stale on day one. With classification the record derives directly from metadata in the underlying systems.

Article 32 (security of processing). Appropriate technical and organisational measures, having regard to the state of the art, costs and the nature of the risks. The word appropriate assumes a risk assessment per category of data. Without classification that assessment lacks the input it needs.

Article 33 (notification of a breach). A breach must be reported within 72 hours to the Dutch DPA. The notification includes the nature of the breach, categories and approximate numbers of affected persons, and likely consequences. Without classification the category question costs weeks, while you have 72 hours.

Article 83(5) (fines). Up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. The Autoriteit Persoonsgegevens issues fines for article-32 breaches, in which the absence of classification recurs as a significant factor. The European Data Protection Board has published guidelines on this which member-state supervisors follow.

Source: Regulation (EU) 2016/679, EUR-Lex

Regulatory deep-dive

NIS2 in detail

The Network and Information Security Directive 2 replaces the original NIS directive from 2016. European member states had to transpose NIS2 into national law by 17 October 2024. The Netherlands implements it through the successor to the Wbni. Three provisions are crucial for classification.

Article 21 (risk management measures). Essential and important entities take appropriate and proportionate technical, operational and organisational measures. Paragraph 2 lists ten specific topics, including policies on risk analysis, incident handling, business continuity, supply chain security, security in network and information systems, and policies on the use of cryptography. Classification is the precondition that ties all these topics together: you cannot analyse risks without classified assets, and you cannot roll out a cryptography policy without distinguishing between what must be protected and what need not.

Article 23 (reporting obligations). In case of a significant incident a staged notification obligation applies. Within 24 hours an early warning to the CSIRT or the competent authority. Within 72 hours an incident notification with an initial assessment, including severity and impact. Within one month a final report. Without classification you cannot give an impact assessment in 24 hours because you do not know which categories of data are affected.

Article 32 (supervision and enforcement). National supervisors receive powers for proactive supervision of essential entities and reactive supervision of important entities. Administrative fines can reach €10 million or 2% of worldwide annual turnover for essential entities, and €7 million or 1.4% for important entities. Directors can be held personally liable.

The scope is substantially expanded compared to NIS1. No longer just traditional critical infrastructure, but also digital providers, post, waste, food supply chain and government fall within scope. A medium-sized Dutch organisation in these sectors is almost certainly in scope.

Source: Directive (EU) 2022/2555, EUR-Lex

Regulatory deep-dive

ISO 27001:2022 in detail

ISO/IEC 27001 is not a law but is de facto contractually required in the Netherlands for vendors to government, healthcare and the financial sector. The 2022 version contains 93 controls in Annex A, grouped into four categories: organisational, people, physical and technological. Four controls touch classification directly.

A.8.2 Information classification. Information must be classified according to the security needs of the organisation, on the basis of confidentiality, integrity, availability and relevant requirements of interested parties. The control requires a scheme, a policy and consistent application. In 2026 auditors accept no flat policy document; they ask for samples on metadata.

A.8.3 Labelling of information. An appropriate set of procedures for information labelling must be developed and implemented in accordance with the classification scheme. Labelling is the visible and machine-readable translation of classification. An OOXML property or an SMTP header counts as a label; a sentence in the meeting minutes does not.

A.8.10 Information deletion. Information that is no longer needed must be deleted. Without classification you cannot determine which information falls under which retention period and when deletion must occur. A.8.10 is therefore a derivative of A.8.2.

A.8.12 Data leakage prevention. Preventive measures against leakage of sensitive information. The control implicitly refers to DLP. DLP without labels works on patterns. DLP with labels works on meaning. A.8.12 is therefore a derivative of A.8.3.

A certification body (for instance BSI, DNV, KIWA or Lloyd's Register) tests against these four controls in conjunction as standard in 2026. It is not enough to tick them off separately; auditors explicitly ask about the chain from scheme to labelling to retention to leakage prevention.

Source: ISO/IEC 27001:2022, iso.org

Regulatory deep-dive

BIO and ENSIA in detail

The Baseline Informatiebeveiliging Overheid (Government Information Security Baseline) has been the Dutch standards framework for central government, municipalities, provinces, water authorities and public bodies since 2020. BIO is based on ISO 27002 and adds government-specific measures on top. For classification, the state classification obligation is the core.

State secret and departmentally confidential classification. The Netherlands has four state secret levels: departmentally confidential, state secret confidential, state secret secret and state secret top secret. Each level has its own processing and retention requirements. BIO requires that classification is applied visibly and machine-readably to documents and digital files. Without an enforcement tool on endpoints and email that requirement falls apart at the first send outside the department.

Commercial classification alongside state secret. Many public bodies operate a hybrid scheme: state secret levels for central government documents, commercial levels (internal, confidential, strictly confidential) for client files and chain collaboration. A good classification tool supports both schemes in parallel in one metadata structure.

ENSIA accountability cycle. ENSIA (Eenduidige Normatiek Single Information Audit) is the annual accountability system through which Dutch municipalities demonstrate compliance with BIO, SUWI, BRP, BAG and other frameworks. ENSIA combines self-assessment, peer review and IT audit into one executive declaration to the municipal council. Classification is a fixed part of the self-assessment. The internal audit department or external IT auditor validates it on a sample basis.

BIO 2.0. The successor is in development and expected around 2026 to 2027. The core remains, but alignment with NIS2 and the revised ISO 27001:2022 becomes explicit. Classification continues unchanged as an explicit requirement; the enforcement expectation becomes stricter.

Source: BIO on digitaleoverheid.nl

Regulatory deep-dive

DORA in detail

The Digital Operational Resilience Act is a European regulation with direct effect in every member state since 17 January 2025. DORA targets the digital operational resilience of the financial sector and works directly into the operations of banks, insurers, investment firms, pension funds, payment institutions and critical ICT third-party providers to that sector.

Article 6 (ICT risk management framework). Financial entities establish a complete and documented ICT risk management framework, reviewed and updated at least annually. The framework comprises strategies, policies, procedures, ICT protocols and tools necessary to protect ICT assets. Paragraph 8 explicitly requires an inventory of ICT assets and their classification. Classification is not an optional elaboration; it is in the regulation itself.

Article 7 (ICT systems, protocols and tools). Systems and tools must provide reliability, safety and capacity appropriate to the nature and sensitivity of the data. Without classification the yardstick against which appropriateness is tested is missing.

Article 8 (identification). Entities identify all sources of ICT risk, in particular the exposure to and interdependencies with other financial entities. The identification links directly to classification of data and assets.

Article 9 (protection and prevention). Policy for confidentiality, integrity and availability of data, including classification. The regulation names classification here explicitly as a mandatory component of the protection policy.

EBA guidelines. The European Banking Authority and ESMA publish regulatory technical standards in 2025 and 2026 that concretise the DORA provisions. For classification this means: a documented scheme, a risk assessment per asset class, and an audit trail of scheme changes. DNB and AFM follow these standards in their supervision.

For critical ICT service providers to the financial sector (cloud, SaaS, data centre services) DORA applies through contractual flow-down. A cloud provider that cannot demonstrate DORA-compliant ICT risk management loses the financial client.

Source: Regulation (EU) 2022/2554, EUR-Lex

Audit preparation

What your auditor will actually ask in 2026

Six questions that return in every NIS2, ISO, BIO or DORA audit in 2026. For each question a sample answer without classification (red flag) and with classification (green flag).

1. Show me the categories of personal data your HR department processes, including retention period. Without: a record of processing from 2024, with a note that an update is planned. With: a dashboard from the classification tool with a live overview of HR files per category, linked to retention policy.

2. Show me the list of confidential documents that left your organisation in the past month. Without: an export log from your mail gateway based on keywords, with an uncertain conclusion. With: a query on metadata in the gateway log, filtering on label confidential, with exact sender, recipient and filename.

3. How do you ensure labels travel to SharePoint, OneDrive and an external recipient? Without: a policy paragraph on persistent metadata. With: a live sample on three files, showing OOXML properties remain intact after all movements, and an audit log of synchronisation with Purview.

4. Show me the DLP rule that triggers on classification label and the incidents that followed in the past 90 days. Without: a DLP rule set on regex patterns and a false-positive report. With: a rule with explicit condition label equals confidential, and a SIEM report of blocked transactions, allowed exceptions and escalations to the security officer.

5. Describe your procedure upon discovery of misclassification on a set of files. Without: a policy memo on periodic review. With: a workflow in the classification tool, with reclassification rights for data owners, an audit trail of changes, and weekly reporting to governance.

6. Simulate: you discover a breach on server X now. How much time until you have a first impact estimate? Without: multiple days for a manual inventory of what sat on the server. With: minutes, through a query on labels in the discovery platform linked to the affected server.
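Questions 2 to 4 above, and the A.8.3 point that an OOXML property or an SMTP header counts as a label, can be checked mechanically. The Python below is an added example, not code from this page or from any vendor product it names: it builds a minimal OOXML package in memory with a constructed docProps/custom.xml property, reads the label back the way an auditor samples metadata, and evaluates the rule "label equals confidential and route is not MFT, then block" over constructed gateway transactions. The property name Classification, the four-level scheme and the route names are assumptions.

```python
"""Check OOXML classification labels and evaluate a label-based outbound rule.
Added example: the package bytes, property name, label scheme and route names
are constructed assumptions, not code from any vendor product on this page."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
LABEL_PROPERTY = "Classification"   # assumed name of the custom property
# Four-level scheme from the FAQ; tuple order is the sensitivity order.
LEVELS = ("public", "internal", "confidential", "secret")


def make_labelled_docx(label: Optional[str]) -> bytes:
    """Construct a minimal OOXML zip carrying a custom property (constructed
    sample; only docProps/custom.xml matters for the label check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if label is not None:
            zf.writestr(
                "docProps/custom.xml",
                f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">'
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" '
                f'pid="2" name="{LABEL_PROPERTY}"><vt:lpwstr>{label}</vt:lpwstr>'
                "</property></Properties>",
            )
    return buf.getvalue()


def read_label(docx_bytes: bytes) -> Optional[str]:
    """Return the normalised label from docProps/custom.xml, or None when the
    file is unlabelled. This is the metadata-level evidence an auditor samples."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        if prop.get("name") == LABEL_PROPERTY:
            value = prop.find(f"{{{VT_NS}}}lpwstr")
            if value is not None and value.text:
                return value.text.strip().lower()
    return None


def evaluate_outbound(sender: str, recipient: str, filename: str,
                      docx_bytes: bytes, route: str) -> dict:
    """Rule: label confidential or higher on a non-MFT route -> block.
    Unlabelled or unknown labels are never silently allowed; they go to review."""
    label = read_label(docx_bytes)
    if label not in LEVELS:
        decision = "review"
    elif LEVELS.index(label) >= LEVELS.index("confidential") and route != "mft":
        decision = "block"
    else:
        decision = "allow"
    return {"sender": sender, "recipient": recipient, "filename": filename,
            "label": label, "route": route, "decision": decision}


def sample_gateway_log() -> list:
    """Constructed outbound transactions, recorded the way a gateway log would."""
    return [
        evaluate_outbound("hr@example.org", "acct@example.net", "salaries.docx",
                          make_labelled_docx("Confidential"), "https"),
        evaluate_outbound("hr@example.org", "acct@example.net", "salaries.docx",
                          make_labelled_docx("Confidential"), "mft"),
        evaluate_outbound("pr@example.org", "press@example.com", "release.docx",
                          make_labelled_docx("Public"), "https"),
        evaluate_outbound("rnd@example.org", "vendor@example.net", "draft.docx",
                          make_labelled_docx(None), "https"),
    ]


def query(records: list, label: str, decision: str) -> list:
    """Questions 2 and 4: which confidential files left, and which were blocked,
    with sender, recipient and filename per record."""
    return [r for r in records if r["label"] == label and r["decision"] == decision]
```

Running `query(sample_gateway_log(), "confidential", "allow")` yields the one confidential file that left over the MFT route; the same file on the HTTPS route is the blocked record, and the unlabelled draft lands in review rather than being allowed by default.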

Red answers produce findings. Green answers produce certificates and approving declarations. The difference is not in rhetoric, it is in the chain from scheme to application to enforcement to reporting. That chain is what Neo Security builds at Dutch organisations, demonstrably and step by step.

FAQ

Frequently asked questions on compliance

Is data classification literally required under GDPR?

The word classification does not appear in GDPR. Article 5(2) (accountability) and article 32 (appropriate technical measures) make it de facto mandatory. You must demonstrate which categories of personal data you process and that your security measures match the risks. You cannot demonstrate that without a classification scheme. Virtually every DPIA and every supervisory check by the Dutch DPA relies on that logic.

What does NIS2 article 21 specifically require about classification?

Article 21 requires appropriate technical and organisational measures to manage risks to network and information systems. Paragraph 2 explicitly lists policies for risk management, incident handling and asset security. Without classification you cannot assess risk per asset or prioritise during incidents. Article 23 additionally requires an early warning within 24 hours, which only works if you immediately know which data was affected.

What is the difference between BIO classification and ISO 27001 classification?

BIO classification uses a fixed state scheme: departmentally confidential, state secret confidential, secret and top secret. It is a closed vocabulary. Classification under ISO 27001 A.8.2 is an open control: you choose the scheme yourself, provided it is appropriate and consistently applied. In practice Dutch public bodies combine both: BIO classification as the base, augmented with commercial labels for external collaboration.

Does DORA apply to us if we are not a bank?

Probably yes if you are a financial entity. DORA has applied since 17 January 2025 to banks, insurers, payment service providers, investment firms, UCITS managers, pension funds, crypto-asset service providers and critical ICT third-party providers to that sector. If you supply SaaS or hosting to a financial party, DORA reaches you indirectly through contractual flow-down and your client's ICT third-party register.

How deep does our classification scheme need to be to pass an ISO audit?

Four levels are enough: public, internal, confidential and secret. The auditor does not look at the number of levels but at consistency and demonstrable application. More levels increase the risk of downward drift. What the auditor does want to see: a scheme document, an approved policy, evidence of organisation-wide application via metadata in files, and an audit trail of label changes. Depth is in the evidence, not in the scheme.

What happens if we report an incident without knowing which data was affected?

The notification obligation under NIS2 article 23 and GDPR article 33 forces a first report within 24 and 72 hours respectively. If the data context is missing, you report incompletely. Supervisors treat incomplete notifications as a failure to meet the duty of care. For GDPR incidents the Dutch DPA then looks at your appropriate-measures evidence, which loops directly back to classification. The notification phase becomes an accountability phase.

Does the whole organisation need to classify at the same time?

No. A phased approach is standard practice and defensible toward auditors, provided you set the policy organisation-wide from day one. Start with one department or one data flow with clear risk: HR, finance, R&D or customer contracts. Expand in waves. Document scope per phase. The auditor assesses whether the end state is realistic and whether you do not present the interim phase as permanent.

How do we demonstrate that classification is applied in practice?

Three layers of evidence. One: metadata in files and email, sampled from your production systems. Two: audit logs from Titus or Boldon James showing label history and deviations between suggestion and choice. Three: DLP or SIEM reporting that shows policy rules actually triggering at label level. A policy document alone is not enough. The auditor asks for the chain from label to policy action.

What is the difference between GDPR article 32 and NIS2 article 21?

GDPR article 32 targets personal data and requires appropriate technical and organisational measures against confidentiality and integrity risks. NIS2 article 21 targets network and information systems more broadly and requires a cybersecurity policy with ten specific topics. The two overlap around asset and risk management. Classification is the foundation in both, but the scope differs: GDPR follows the data, NIS2 follows the system.

What concrete fines have been issued for lack of classification?

The Dutch DPA rarely phrases fines as 'no classification'. In practice fines fall under GDPR article 32 for insufficient security, where the absence of a classification scheme weighs as significant evidence. Amounts run to several million euro. Under NIS2, essential entities can receive fines up to €10 million or 2% of worldwide annual turnover, whichever is higher.

Regulatory sources: GDPR 2016/679, NIS2 2022/2555, DORA 2022/2554, ISO/IEC 27001:2022, BIO.

Talk to an engineer

A regulatory deep-dive is step one. Step two is a technical intake on your own architecture. A scope outline within two working days. A POC on your production data within 30 days.