From Cyfun Basic to Essential, from Tier 1 to Tier 4: Scaling Data Classification & DLP in O365 for NIS2 Compliance
From Risk-Aware to Resilient: How One MSP Secured Its Future
When a mid-sized Managed Service Provider (MSP) onboarded its first DORA-regulated clients, its security practices were structured but basic. Policies existed—data was labeled manually, and DLP was limited to high-risk roles. They operated at Tier 2, where security was guided by risk awareness, but not deeply embedded in operations.
Then came a turning point: a client incident where sensitive configuration data was accidentally shared via email, triggering an audit. The MSP realized that policy on paper wasn’t enough—controls had to be automated, enforced, and monitored across every department.
Over the next 18 months, they transformed:
- Sales began using CRM-only data sharing, blocking external emails with sensitive quotes.
- Finance auto-labeled every payroll and invoice with encryption and forced MFA access.
- Support teams integrated secure, in-application ticket workflows—no more copy/paste, no more PDFs flying around.
- Compliance and legal routed contracts via secure portals with built-in approval trails.
Using Microsoft 365’s DLP, auto-labeling, and Power Automate for approvals, and aligning with NIST CSF 2.0, the MSP reached Tier 4: a state where data security is continuous, contextual, and enforced without exceptions.
Today, they’re not just compliant—they’re trusted. Regulators see defensible controls. Clients sleep better. And the MSP? They’re winning bigger deals than ever—because security is no longer a checkbox. It’s a competitive advantage.
What caused the magic…
As European companies operationalize NIS2, data classification and protection using Microsoft 365 (O365) tools such as Purview Information Protection, DLP policies, and Sensitivity Labels are often initiated at a basic level but lack full maturity.
In this article we explore how organizations can grow from Cyfun Basic to Cyfun Essential maturity, moving from CSF Tier 2 to Tier 4, by aligning with NIST CSF 2.0 and following a phase-wise roadmap focused on data classification and DLP within the O365 ecosystem.
Baseline: Where Cyfun Basic Meets NIS2 Minimums
At Cyfun Basic level, companies:
- Use manual labeling or ad hoc Sensitivity Labels.
- Lack a consistent information classification policy.
- May have reactive DLP policies, often disconnected from actual risk or legal obligations.
- Don’t leverage threat analytics or usage patterns to refine policies.
Although this stage meets minimal NIS2 obligations (such as basic risk treatment and asset identification), it lacks control coverage and traceability.
Phase-wise Roadmap: Maturing from Basic to Essential
Let’s explore how the organization evolves through Tiers 2–4, gradually expanding both NIS2 control coverage and NIST CSF maturity.
Tier 2 – Risk-Informed (Structured Governance & Policy)
🔹 NIS2 Enhancements:
- Implement a formal Data Classification Policy mapped to business risk and regulatory needs.
- Assign data owners responsible for labelling strategy and control enforcement.
🔹 O365 Tools Used:
- Create published Sensitivity Labels and auto-labeling rules in Microsoft Purview.
- Establish baseline DLP policies for M365 apps (email, OneDrive, Teams).
🔹 Cyfun/CSF Functions Activated:
- Govern: Establish classification taxonomy and policy governance.
- Identify: Understand where sensitive data lives.
- Protect: Begin enforcing basic protection policies.
🔹 Outcome:
- Organization now reacts to risk, not just incidents.
- Visibility improves across structured and unstructured content.
From scattered efforts to structured discipline, the organization’s journey reflects a critical shift—from reacting to chaos to anticipating risk. With Microsoft Purview and foundational Cyfun and CSF functions in place, what began as “labeling files” has matured into a dynamic, governed ecosystem.
The leap from Cyfun Basic to Cyfun Essential, and from CSF Tier 2 to Tier 4, wasn’t just about tools or checklists—it was about cultivating awareness, control, and readiness. The story is no longer about chasing incidents; it’s about owning the narrative of risk.
Tier 3 – Repeatable (Operationalized and Auditable)
🔹 NIS2 Enhancements:
- Embed classification and DLP into onboarding processes, training, and awareness.
- Align enforcement with contractual, GDPR, and sectoral mandates (e.g., for finance or health).
🔹 O365 Tools Used:
- Expand to contextual DLP (location, device, risk score).
- Configure incident response workflows using Defender for Cloud Apps.
- Monitor label usage and policy overrides using Microsoft Compliance Center.
🔹 CSF Functions Activated:
- Protect: Scalable enforcement across cloud and on-premise data.
- Respond: Incident workflows and alerting tied to risk posture.
- Detect: Audit logs and behavioral analytics linked to data misuse.
🔹 Outcome:
- The system is now documented, measurable, and enforceable across teams.
- Demonstrates due diligence under NIS2 Articles 21 and 23.
At Tier 3, the organization doesn’t just have a security program—it lives it. Classification and protection aren’t abstract policies; they’re embedded in how people onboard, how systems respond, and how compliance is proven.
With contextual DLP and automated incident workflows humming beneath the surface, the once-fragmented efforts now form a synchronized rhythm of defense and detection. Microsoft 365 tools become not just enablers, but sentinels of accountability.
This is the moment the organization steps into operational maturity—where every action is traceable, every deviation is caught, and due diligence isn’t claimed, it’s demonstrated.
Tier 4 – Adaptive (Context-Aware and Learning)
🔹 NIS2 Enhancements:
- Data classification aligns with threat intelligence, supply chain risk, and time sensitivity.
- Classifications dynamically evolve based on business context and legal updates.
🔹 O365 Tools Used:
- Enable machine learning-based auto-classification.
- Correlate with Insider Risk Management and Microsoft Priva for personal data flows.
- Integrate external systems (SIEM/XDR) for real-time DLP extension.
🔹 CSF Functions Activated:
- Recover: Integrate classification into ransomware response and restoration priority.
- Govern: Continuously refine governance based on learning loops.
- Identify: Predictive mapping of data flows and future risks.
🔹 Outcome:
- The DLP/classification system is self-correcting, threat-aware, and part of enterprise risk modeling.
- Empowers leadership, regulators, and auditors with full oversight.
Tier 4 marks the transition from control to intelligence. Here, the system doesn’t just follow rules—it learns, adapts, and anticipates. Classification evolves in real time, shaped by shifting threats, regulatory changes, and operational demands.
With machine learning, Insider Risk Management, and SIEM integrations working in concert, the organization achieves a kind of situational awareness once reserved for the elite. It’s no longer about reacting to what happened, but preparing for what’s next.
Data protection becomes a living system—strategic, predictive, and deeply embedded in enterprise risk. At this level, security isn’t just a function—it’s a competitive advantage.
The Real Threat Isn’t Hackers—It’s Overwhelmed Humans
Multitasking is a myth.
No one truly focuses on two things at once. Instead, the brain switches—and in those moments of switch, judgment falters. Even strong DLP controls rely on human behavior not bypassing the system.
Employees don’t set out to break the rules.
But when urgency meets fatigue, the path of least resistance wins.
That’s why Tier 4 maturity is not about stricter policies—it’s about making the right action the easiest one.
Automated labels. Policy-enforced workflows. Guardrails that don’t ask for permission—they just act.
Because protection shouldn’t depend on memory. It should depend on design.
Let's turn theory into practice
Tracking Maturity: Profiles, Tiers & C2M2
To track and validate progress:
- Use CSF 2.0 Profiles to define your current and target maturity state.
- Regularly assess your Tier alignment using NIST’s Implementation Tiers (from Partial to Adaptive).
- Leverage C2M2 or sector-specific maturity models (e.g., ENISA’s maturity framework) to benchmark coverage.
A Cyfun Essential company would typically:
- Score Tier 3 or 4 on CSF maturity.
- Show demonstrable risk-based policy execution, monitoring, and adjustment.
- Be able to link data protection to business continuity and critical service delivery under NIS2 Articles 21–24.
Conclusion: Maturity Is a Journey
Many NIS2 organizations underestimate the complexity of data classification and DLP, especially within sprawling Microsoft environments. But by following a phased, CSF-driven roadmap, companies can:
- Begin with clear policies,
- Expand to operational integration,
- And evolve into a resilient, adaptive system.
This journey—from Cyfun Basic to Cyfun Essential—doesn’t just check compliance boxes. It builds a defensible, agile cybersecurity posture.
You are not alone, the industry gives support
Link: https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp
Microsoft Tech Community – DLP Blog and Case Studies
Link: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/bg-p/SecurityandCompliance
Microsoft Purview Compliance Portal – Insider Risk & DLP Integration
Link: https://compliance.microsoft.com
NIST CSF 2.0 Support for O365 Data Classification & DLP Maturity
The NIST Cybersecurity Framework 2.0 provides the strategic and technical structure to move from a foundational setup to an adaptive, proactive posture. Its six core Functions—Govern, Identify, Protect, Detect, Respond, Recover—allow organizations to incrementally mature their capabilities through tiered implementation.
Each Tier reflects not just increasing technical sophistication but also integration into business decision-making and risk management.
| Tier | Description | Key Features for O365 DLP/Data Classification |
| --- | --- | --- |
| Tier 1 (Partial) | Ad hoc, informal | Manual labeling, inconsistent DLP; minimal governance |
| Tier 2 (Risk-Informed) | Policy-backed, siloed risk awareness | Sensitivity labels, basic DLP per department |
| Tier 3 (Repeatable) | Standardized and enforced org-wide | Auto-labeling, policy exceptions monitored, governance involvement |
| Tier 4 (Adaptive) | Continuous improvement, threat-informed | Self-adjusting rules, ML-driven classification, user behavior analytics, policy auditing |
NIS2 Mandate: No Exceptions for Foundational Controls
NIS2 Articles 21–23 clearly mandate that essential and important entities must ensure proportional, risk-based security controls are implemented and monitored.
That includes:
- Ongoing risk assessment and asset classification (CSF: Identify, Govern).
- Confidentiality, integrity, and availability controls for sensitive information (CSF: Protect).
- Incident response workflows, including data leakage (CSF: Respond).
Therefore: exceptions to basic DLP and classification are not acceptable at the governance level.
Email, shared documents, and chats containing sensitive content must be governed by enforceable, monitored policies—especially for management, finance, and legal functions.
Tier 4 Evaluation: Adaptive O365 DLP for High-Risk Users
At Tier 4, we move to context-aware, enforced classification and restriction policies. Let’s assess how this can be applied in Microsoft 365.
Mandatory Policy Example:
All outgoing emails from Finance & Executive Management must default to:
- Sensitivity label: Confidential – Internal Only
- DLP enforcement: Block external send or require justification
- Justification audit: Logged and reviewed monthly by GRC function
Microsoft Purview supports:
- Scoped DLP policies: Targeted at users/groups with Finance/Management roles.
- Auto-labeling via AI classifiers: Can identify terms like “budget,” “invoice,” “strategic plan,” and apply labels without user input.
- Blocking & Override with Audit: You can require justification with manager override (4-eyes principle) and log every action.
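The mandatory Finance & Executive Management policy above, expressed as an added Security & Compliance PowerShell example (not code from the article or from Microsoft's documentation). It assumes the placeholder groups `finance@contoso.example` and `execs@contoso.example`, the GRC mailbox `grc@contoso.example`, and an already published sensitivity label named "Confidential – Internal Only".

```powershell
# Added example: scoped Purview DLP policy for the mandatory Finance/Executive policy.
# Assumptions (placeholders, not from the article): group and mailbox addresses
# below, and a published label "Confidential – Internal Only".
# Requires the ExchangeOnlineManagement module and a compliance admin role.

Connect-IPPSSession   # Security & Compliance PowerShell session

# Policy scope: only mail sent by members of the Finance and Executive groups.
New-DlpCompliancePolicy -Name "Finance-Exec Confidential Mail" `
    -Comment "No external send of Confidential - Internal Only mail without justification" `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf "finance@contoso.example","execs@contoso.example" `
    -Mode TestWithNotifications   # start in test mode; switch to Enable after review

# Condition: the item carries the sensitivity label "Confidential – Internal Only".
$labelCondition = @{
    operator = "And"
    groups   = @(
        @{
            operator = "Or"
            name     = "ConfidentialLabel"
            labels   = @(
                @{ name = "Confidential – Internal Only"; type = "Sensitivity" }
            )
        }
    )
}

# Rule: block when any recipient is outside the organisation, allow an override
# only with a written justification, and send the GRC mailbox an incident report
# so every justification is logged for the monthly review.
New-DlpComplianceRule -Name "Block external send - Confidential Internal Only" `
    -Policy "Finance-Exec Confidential Mail" `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser "LastModifier" `
    -NotifyPolicyTipCustomText "Labeled Confidential - Internal Only: external send requires a justification." `
    -NotifyAllowOverride "WithJustification" `
    -GenerateIncidentReport "grc@contoso.example" `
    -IncidentReportContent "Title","Severity","RulesMatched","DocumentAuthor" `
    -ReportSeverityLevel High
```

The manager approval step (4-eyes) is not part of this rule; the rule captures the justification, and the Power Automate escalation described in the next section adds the second approver.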
Implementing 4-Eyes Approval Workflow (Tier 4)
Microsoft 365 allows integration of approval workflows using Power Automate, Microsoft Defender for Cloud Apps, and Compliance Center policies.
Example: “Confidential Mail Escalation” 4-Eyes Workflow
- Trigger:
  - An email from the CFO or Finance Manager contains content labeled Confidential – Internal Only but is addressed externally.
- Automation:
  - Power Automate blocks the send and sends an approval request to a second approver (e.g., GRC, Legal, or a designated peer).
  - The approver sees the email metadata (not content), intent, and justification.
- Decision:
  - If approved: the mail is released with an audit tag.
  - If denied: the sender is alerted, and the logged incident is flagged in the Microsoft 365 Audit Log.
- Audit Trail:
  - Reviewed weekly by the CISO and included in GRC metrics.
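An added example (not from the article) of the periodic review that the "Justification audit" item and the weekly "Audit Trail" step above both call for: it pulls DLP rule matches and user overrides for the scoped policy from the unified audit log. It assumes a policy named "Finance-Exec Confidential Mail" and the AuditData field names of the Office 365 Management Activity API DLP schema (ExchangeMetaData, PolicyDetails, ExceptionInfo), which you should confirm against a sample event from your own tenant.

```powershell
# Added example: monthly GRC / weekly CISO review of DLP matches and overrides.
# Assumptions: the policy name below is the one you deployed; AuditData property
# names follow the Management Activity API DLP schema (verify on a real event).

Connect-IPPSSession

$policyName = "Finance-Exec Confidential Mail"
$end   = Get-Date
$start = $end.AddDays(-30)   # use -7 for the weekly CISO cut

# DlpRuleMatch = rule fired (block or policy tip);
# DlpRuleUndo  = user override or false-positive report.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ComplianceDLPExchange `
    -Operations DlpRuleMatch,DlpRuleUndo `
    -ResultSize 5000

$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # keep only events produced by our scoped policy
    if (-not ($d.PolicyDetails.PolicyName -contains $policyName)) { continue }
    [pscustomobject]@{
        Time          = $e.CreationDate
        Sender        = $d.ExchangeMetaData.From
        Recipients    = ($d.ExchangeMetaData.To -join ";")
        Subject       = $d.ExchangeMetaData.Subject
        Operation     = $e.Operations
        # present only on override events (DlpRuleUndo)
        Justification = $d.ExceptionInfo.Justification
    }
}

# Overrides without a written justification are the first items to chase.
$report |
    Where-Object { $_.Operation -eq "DlpRuleUndo" -and [string]::IsNullOrWhiteSpace($_.Justification) } |
    Format-Table Time, Sender, Recipients, Subject -AutoSize

# Full export for the GRC metrics pack.
$report | Export-Csv -Path ".\dlp-finance-exec-review.csv" -NoTypeInformation
```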
Cyfun v2 and CSF 2.0 Function Mapping at Tier 4
| CSF Function | Application in Tier 4 O365 DLP |
| --- | --- |
| Govern | Mandatory data protection policies scoped by role, enforced by technology. |
| Identify | Classification of data flows, behavioral risk scoring for high-impact users. |
| Protect | Auto-labeling, scoped DLP, encryption, restrictions by role/context. |
| Detect | Alerts on anomalies, override attempts, shadow IT data transfer. |
| Respond | Escalation workflows, 4-eyes review, incident tickets generated. |
| Recover | Classification aligned to restore priority, forensic trails in data breaches. |
Key Takeaways
- CSF 2.0 Tier 4 enables risk-aware, policy-enforced, role-based DLP through O365.
- No exceptions for C-Level, Finance, or Legal when handling sensitive data—this is a NIS2 baseline requirement.
- 4-eyes control is achievable with Power Automate, Microsoft Purview DLP, and scoped Sensitivity Labels.
- Auditability and adaptability form the cornerstone of Cyfun Essential-level maturity—allowing teams to continuously refine controls while ensuring regulatory alignment.
Who Is the Boss: the CEO, the CISO, or the User?
In a boardroom moment we’ve all witnessed—an urgent email, a sensitive file, a quick decision—someone asks: “Can I just send this?” But at Tier 4 maturity, that question no longer belongs to the user. The era of discretionary data sharing is over. The true boss of data governance isn’t the CEO, the CISO, or even the end user—it’s the policy.
Here, every action is guided by adaptive logic, zero-trust enforcement, and a cross-departmental principle: sensitive data stays where it belongs—in the right app, under the right controls, visible only to the right eyes. Let’s explore how each business function enforces this, not through persuasion, but through precision.
Tier 4 Maturity: Proactive, Adaptive, Policy-Enforced Data Governance
At Tier 4 of the NIST CSF 2.0 maturity model, organizations demonstrate:
- Fully automated and adaptive controls, driven by risk signals.
- Zero exception tolerance for sensitive/GDPR/confidential data leakage.
- Integration of DLP + in-app controls, scoped per function and risk zone.
- Audit-ready, policy-embedded workflows across departments.
Let’s evaluate each function’s enforcement model below.
Common Principle Across All Departments
“Sensitive data must only be shared within the business application environment using in-app controls + M365 DLP.”
| Enforced via | Description |
| --- | --- |
| Sensitivity Labels | Auto-applied based on content, metadata, user role (e.g. “Confidential – Internal Use Only”) |
| Purview DLP Policies | Block or restrict sharing via Exchange, SharePoint, Teams, OneDrive, with context-based rules |
| In-application data governance | Only allow data exchange within structured apps (CRM, ticketing, ERP) |
| ML Classifiers | Detect GDPR, personal data, financial keywords dynamically |
| Audit + 4-eyes override | Any override request triggers manager or compliance approval |
Departmental Enforcement Examples at Tier 4
“It’s not just IT’s job anymore.”
At Tier 4 maturity, data protection is no longer a siloed initiative—it’s an enterprise-wide discipline. Every department becomes a strategic player, aligning daily processes, tools, and collaboration patterns with the core principle:
“Sensitive data must only be shared within the business application environment using in-app controls + M365 DLP.”
This isn’t a one-size-fits-all edict—it’s a tailored ecosystem where Sales, Marketing, Finance, and Operations each apply the principle with precision, using the tools that make sense for their context.
Like instruments in a digital orchestra, each function plays its part:
- Sales enforces CRM-bound deal handling, turning quotes into confidential assets.
- Marketing protects identity-rich campaigns with pseudonymized pipelines and alert-driven oversight.
- Finance locks down payroll and forecasts using auto-labeling, encryption, and airtight access paths.
- Operations (even helpdesks and ticketing tools) ensure personal data in support cases never leaves the system unchecked.
All of this is made possible through a powerful stack:
- Sensitivity Labels that know what to protect.
- Purview DLP that enforces policy where people work.
- In-app governance that respects business workflows.
- ML classifiers that keep up with risk.
- Audit + approval flows that balance security with agility.
What emerges isn’t just compliance—it’s a culture. One where every function, every workflow, and every decision aligns with a single truth: data deserves governance, everywhere it flows.
Let’s now explore how each department operationalizes this principle, turning policy into practice.
1. Sales
Tooling: Dynamics 365 / Salesforce, Outlook, Teams
Risk: Sharing customer quotes, IDs, contracts, or discovery notes externally.
Tier 4 Controls:
- All opportunities and quotes stored and shared only via CRM internal notes or secure SharePoint folders.
- Emails with customer identifiers auto-labeled “Confidential – Internal Use Only”.
- DLP policy blocks external send; requires override with manager approval if justified.
- Sales decks or demos containing pricing/PII cannot be uploaded to public file shares (e.g. OneDrive links externally disabled).
- External documents must be shared using expiration-bound M365 Share Links with “view-only” and watermark restrictions.
2. Marketing
Tooling: SharePoint, Adobe Cloud, Mailchimp, LinkedIn Campaign Manager
Risk: Exposing email lists, campaign segments, A/B test data with identifiable info.
Tier 4 Controls:
- Data export from CRM to third-party tools is only allowed via internal API with tokenized identity fields (pseudonymization).
- DLP policies in M365 monitor and alert on file uploads with high-risk patterns to unsanctioned destinations.
- Campaign briefs mentioning strategic targets or product roadmaps are auto-labeled “Internal Confidential”.
- External collaboration requires sponsor-based access provisioning with default “read-only” mode.
- M365 DLP monitors uploads to LinkedIn Ads, Mailchimp, and flags high-risk payloads.
3. Finance
Tooling: Dynamics NAV, Excel Online, Outlook, SharePoint
Risk: Data breach of payroll, invoices, financial forecasts.
Tier 4 Controls:
- All financial files are auto-classified based on template recognition (e.g. IBAN, VAT ID, salary tables).
- Excel files opened outside the Finance SharePoint group are encrypted with MIP and cannot be sent externally.
- DLP policies block external mail carrying financial labels unless 4-eyes approval is granted via Power Automate.
- Internal collaboration uses Teams with conditional access policies restricting copy/paste and file download.
- Quarterly reports cannot be shared via email—must be pulled from secure SharePoint with MFA.
4. Operations (Helpdesk/Support Tools)
Tooling: Jira Service Management, Freshdesk, ServiceNow
Risk: Support ticket leakage with user PII or security-related metadata.
Tier 4 Controls:
- Support agents access tickets only within the ticketing platform, protected by role-based access.
- No ticket export or copy/paste to external channels is permitted (browser restrictions enforced via Intune and Defender for Endpoint).
- M365 DLP policies monitor Teams/Outlook for ticket IDs, error logs, and customer names to enforce labeling and prevent sending.
- External collaborators (e.g. subcontractors) only access tickets via limited, monitored guest accounts.
- Automated redaction tools strip personal info from system logs before external sharing.
5. Compliance & Legal
Tooling: OneNote, Outlook, SharePoint, eDiscovery, Priva
Risk: Exposure of regulatory assessments, contract clauses, legal positions.
Tier 4 Controls:
- Legal memos and compliance assessments are stored in restricted libraries with auto-labeling and encryption.
- Emails sent with attachments from these folders are blocked by DLP if sent to external domains.
- Document access requires 2FA, and download is disabled by default.
- Contracts are routed via Adobe Sign or MS365 eSignatures, tracked and stored with a classification label.
- Use of Microsoft Priva to track personal data use, retention, and policy violations.
Summary: Tier 4 Cyfun 2.0 and CSF 2.0 Coverage
| CSF Function | Implementation |
| --- | --- |
| Govern | No exceptions to policy; enforced by system rules and controls |
| Identify | Automatic tagging and classification per role, channel, and content |
| Protect | Conditional access, encryption, restricted sharing by DLP and in-app guardrails |
| Detect | Real-time monitoring of violations and data movement |
| Respond | Alerting, ticket creation, 4-eyes override workflows |
| Recover | Recovery priorities tied to data sensitivity and regulatory importance |
Final Note: NIS2 Compliance Leaves No Gaps
Under NIS2 Article 21(2)(e) and Article 23(1):
Entities must ensure the security of systems and facilities handling personal or critical data, with traceable, risk-based access control and data usage monitoring.
At Tier 4, departments cannot rely on user discretion or manual policy checks. Instead, technical enforcement, centralized policy governance, and adaptive classification must converge to provide continuous, resilient protection.
Conclusion: From Obligation to Opportunity
Uplifting DLP isn’t just about ticking boxes—it’s about reclaiming control in a world flooded with data, risk, and complexity. As organizations rise from Cyfun Basic to Cyfun Essential, from Tier 2 to Tier 4, they don’t just comply—they lead.
By embedding data protection into every workflow, every role, and every decision, we move from reactive firefighting to proactive resilience.
And in doing so, we prove that compliance isn’t the finish line—it’s the foundation for trust, agility, and long-term digital confidence.
Final Thought: A Non-Negotiable Upgrade
The September 2025 update to Cyfun, aligned with NIS2 and CSF 2.0, isn’t just another framework release—it’s a milestone. A necessary leap forward for every organization navigating the realities of digital trust, regulatory scrutiny, and operational risk.
Why? Because NIS2 no longer leaves room for interpretation. It demands enforceable, measurable controls. And Cyfun 2025 delivers the blueprint—translating those mandates into practical, technology-backed action.
If you’re serious about resilience, ready to shift from reactive to adaptive security, and aiming to turn compliance into a competitive edge, this upgrade is not optional.
It’s unmissable.
Copyright Danny Zeegers NIS2.news 19 07 2025