DLP (Data Loss Prevention) is the set of controls that detect, monitor and block the unauthorised exit of sensitive information from an organisation. It covers both accidental leaks (an employee attaches the confidential pricing workbook to the wrong email) and intentional exfiltration (an attacker with internal access, or a disgruntled employee walking out with the client database). In 2026 the market splits three ways: classic DLP suites (Symantec, Forcepoint, Trellix), DLP built into cloud productivity suites (Microsoft Purview, Google Workspace DLP) and the newer DSPM (Data Security Posture Management) category aimed at multi-cloud estates.
This guide explains what DLP specifically is, the four types by control point (endpoint, network, email, cloud), how to deploy it step by step, how it fits NIS2, DORA, GDPR and ISO 27001, the seven mistakes seen most often in real deployments and which metrics show whether the programme works or is just ticking boxes.
What DLP is
A DLP system is a stack of controls that identifies sensitive data, observes how it moves and applies policies that block, alert on or encrypt an unauthorised exit. It answers three questions:
- What data do we have to protect? Identification and classification: PII, financial data, intellectual property, trade secrets, credentials, cryptographic keys.
- By which channels could it leave? Email, USB, printers, cloud storage (Dropbox, Google Drive, personal OneDrive), messaging apps, web upload, generative AI.
- What do we do when someone tries to take it out? Block, alert, encrypt, log, require a justification.
What it delivers operationally:
- Visibility. A real map of what sensitive data exists, where it lives and who touches it.
- Fewer accidental leaks. Most incidents are not sophisticated attackers but distracted employees.
- Traceability for audits and incidents. Detailed logs of how data moved.
- Documentable compliance. NIS2, DORA, GDPR and ISO 27001 demand controls over sensitive data; DLP is one way to materialise them.
- Internal deterrence. Knowing a control exists reduces the temptation.
What DLP does not do:
- It doesn't stop an attacker with time and privileges. Someone who has been inside for months and knows the controls will find a path around them: a channel the sensors don't cover, or data packaged so that no pattern matches.
- It generates many false positives in the first phase. Without tuning it drowns the team and ends up ignored.
- It has a high operational cost. A DLP that nobody operates is decoration.
The four types by control point
Endpoint DLP
An agent installed on every device. It monitors copying to USB, screenshots, drag-and-drop into cloud apps and printing. It usually integrates with the EDR or runs as a standalone agent.
Typical cases: blocking copies to unencrypted USB media, watermarking sensitive documents, requiring a justification before a classified file is uploaded to an external domain.
Products: Microsoft Purview Endpoint DLP, Forcepoint, Trellix, CrowdStrike Falcon Data Protection.
Network DLP
Sensors on the corporate network that inspect outbound traffic looking for sensitive data. Detection works by signatures, regex patterns (Spanish DNI, IBAN, card number), exact data match (keyed hashes of the real database, so the sensor never holds the plaintext) and machine learning trained on classified documents. Pattern hits should be validated against the format's checksum (DNI control letter, IBAN mod-97, Luhn for card numbers): a bare regex alone fires on order numbers, ticket references and fragments of other identifiers.
Modern caveat: with TLS 1.3 widespread and Encrypted Client Hello (ECH) on the way, network inspection without an endpoint component loses most of its visibility. TLS 1.3 already encrypts the server certificate and ECH hides the SNI, so a passive sensor sees little beyond destination IPs and traffic volume. The trend is to move the control to the endpoint, or to a gateway that performs authorised TLS termination, with the trust and privacy implications that brings.
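As an added example (not code from the original article), the detection techniques from the paragraph above, and the "regex only" mistake discussed later in the guide, side by side in Python: regex candidates for Spanish DNI, IBAN and card numbers are validated against their checksums (control letter, ISO 13616 mod-97, Luhn) so that order numbers and partial IBAN fragments do not become incidents, and an exact-data-match index is built from keyed hashes of a customer list. The sample lines, the customer list and the HMAC key are constructed for the demo; alerts carry only the masked value.

```python
"""Checksum-validated pattern detectors plus an exact-data-match (EDM) index.
Added example, not code from the original article. The sample lines, the
customer list and the HMAC key below are constructed for the demo."""
import hashlib
import hmac
import re

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"   # official control letters, index = number mod 23
DNI_RE = re.compile(r"\b(\d{8})[ -]?([A-Za-z])\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

EDM_KEY = b"demo-key-rotate-in-production"          # constructed for the demo
CUSTOMER_EMAILS = ["maria.perez@example.com", "juan.garcia@example.com"]   # constructed "real database"
SAMPLE_LINES = [                                    # constructed outbound traffic excerpts
    "Customer 12345678Z asked for a copy of the invoice",
    "Ticket ref 12345678A is not a DNI: wrong control letter",
    "Refund to ES91 2100 0418 4502 0005 1332 please",
    "Typo in IBAN ES91 2100 0418 4502 0005 1333",
    "Card on file 4111 1111 1111 1111 exp 12/28",
    "Order 1234567890123456 shipped today",
    "Forwarding list to maria.perez@example.com and bob@example.org",
]


def valid_dni(number: str, letter: str) -> bool:
    return DNI_LETTERS[int(number) % 23] == letter.upper()


def valid_iban(iban: str) -> bool:
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isalnum()):
        return False
    rearranged = s[4:] + s[:4]                      # ISO 13616: country+check digits go last
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1   # A=10 ... Z=35


def luhn_ok(pan: str) -> bool:
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan) if c.isdigit()):
        if i % 2:                                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Never put the full value in the alert: last four characters only."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def build_edm_index(records, key: bytes) -> set:
    """Keyed hashes of the real records: the sensor carries the index, never the plaintext.
    A keyed hash slows offline guessing of low-entropy values; it does not make it impossible."""
    return {hmac.new(key, r.strip().lower().encode(), hashlib.sha256).digest() for r in records}


def scan(lines, edm_index, key: bytes):
    """Returns (findings, rejected): validated hits versus regex hits that failed their checksum."""
    findings, rejected = [], []
    for n, line in enumerate(lines, 1):
        for m in DNI_RE.finditer(line):
            (findings if valid_dni(m[1], m[2]) else rejected).append((n, "DNI", mask(m[0])))
        for m in IBAN_RE.finditer(line):
            (findings if valid_iban(m[0]) else rejected).append((n, "IBAN", mask(m[0])))
        for m in CARD_RE.finditer(line):
            (findings if luhn_ok(m[0]) else rejected).append((n, "CARD", mask(m[0])))
        for tok in re.split(r"[\s,;]+", line):          # exact match against the indexed records
            if hmac.new(key, tok.lower().encode(), hashlib.sha256).digest() in edm_index:
                findings.append((n, "EDM", mask(tok)))
    return findings, rejected


if __name__ == "__main__":
    found, noise = scan(SAMPLE_LINES, build_edm_index(CUSTOMER_EMAILS, EDM_KEY), EDM_KEY)
    for n, kind, value in found:
        print(f"line {n}: {kind:4} {value}")
    print(f"{len(noise)} regex hits discarded by checksum validation")
```

On the constructed lines the bare regexes produce nine candidates; checksum validation keeps four (one DNI, one IBAN, one card, one EDM hit) and discards five, including two 16-digit fragments of the IBANs that the card regex picked up and an order number. Machine-learning classification of documents, the fourth technique named above, needs a labelled corpus and is outside what a self-contained snippet can show.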
Email DLP
A historical subcategory with its own weight because email remains the main leak vector. It integrates into Microsoft 365 (Exchange Online Protection + Purview) or Google Workspace, into corporate SMTP servers, or into email gateways (Proofpoint, Mimecast).
Typical cases: blocking sends to external domains with classified attachments, automatic encryption of emails with sensitive content, sandbox scanning of suspicious attachments.
Cloud DLP / DSPM
The fastest-growing category. It inspects S3 buckets, Azure Blob Storage, Google Cloud Storage, SharePoint, Salesforce, ServiceNow, Jira and Confluence looking for sensitive data stored where it shouldn't be. The DSPM (Data Security Posture Management) label extends the problem to multi-cloud and third-party SaaS environments, where no single agent covers everything.
Products: Microsoft Purview, Varonis, Wiz, Cyera, Sentra, Symmetry Systems.
How to deploy DLP step by step
A serious deployment always goes through these phases.
1. Define what to protect
Before anything else, a data classification policy: public, internal, confidential, restricted, with clear criteria for each level (financial data, PII, intellectual property, trade secrets, credentials). The document is approved by the CISO and the management committee.
Without this, the DLP doesn't know what to look for, and the result is generic template rules that don't work.
2. Discover existing data
Discovery across every possible location: file shares, SharePoint, OneDrive, Google Drive, Dropbox Business, S3, Azure, databases, client devices. The result is a real map of where sensitive data lives, not where it is assumed to live.
This is the phase that surprises most. Folders with complete databases turn up in personal OneDrive accounts, Excel sheets with credit card numbers in shared mailboxes, code repositories with cloud secrets.
3. Design policies
Concrete rules per data type and channel: "Spanish DNIs can't leave by email to external domains", "files labelled confidential can't be copied to USB without a justification", "corporate GitHub repos can't contain cloud secrets". Each policy has an action (block, alert, justify, encrypt) and documented exceptions.
4. Deploy in monitor mode first
Policies are activated in alert-only mode for 4-8 weeks. The team reviews the volume of incidents, adjusts thresholds, refines patterns and talks to the affected business areas. Without this phase the DLP breaks legitimate processes and generates the internal political opposition that ends up disabling it.
5. Activate with blocking
After calibration, critical policies switch to blocking mode. The affected user receives a clear message about why the action was blocked and how to justify it if it is legitimate. The false positive rate at this point should be below 5% for the system to be sustainable.
6. Continuous operation
Periodic review of incidents, pattern adjustment, training for repeat offenders, monthly reporting to the CISO and the committee. Policies evolve with the organisation: new cloud services, new SaaS applications, new categories of critical data.
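The phases above as one added Python example, not code from the original article: policies expressed as data with an action and documented exceptions (phase 3), a monitor-only plan in which every rule only alerts (phase 4), and a calibration gate that moves a critical policy to blocking only once its triaged false-positive rate is under the article's 5% target (phase 5). The policy names, labels, channels, the triage verdicts and the 20-sample minimum are constructed assumptions; the user-facing message that accompanies each decision is the part most real deployments forget.

```python
"""DLP policies as data, a monitor-first rollout and the calibration gate that
decides which critical policies move to blocking. Added example, not code from
the original article: policy names, labels, channels, triage verdicts and the
min_samples floor are constructed; the 5% threshold is the article's target."""
from dataclasses import dataclass

MONITOR, ENFORCE = "monitor", "enforce"


@dataclass(frozen=True)
class Policy:
    name: str
    labels: frozenset      # classification labels the rule applies to
    channels: frozenset    # egress channels: email, usb, web_upload, genai
    action: str            # block | justify | encrypt | alert
    exceptions: frozenset = frozenset()   # documented allowed destinations
    critical: bool = False               # eligible for blocking after calibration


@dataclass(frozen=True)
class Event:
    user: str
    label: str
    channel: str
    destination: str       # external domain, device id or URL host
    justification: str = ""


@dataclass(frozen=True)
class Decision:
    policy: str
    action: str
    message: str           # what the user sees: why, and what to do about it


POLICIES = [
    Policy("dni-egress-email", frozenset({"confidential", "restricted"}), frozenset({"email"}),
           "block", exceptions=frozenset({"gestoria-partner.example"}), critical=True),
    Policy("confidential-usb", frozenset({"confidential", "restricted"}), frozenset({"usb"}),
           "justify", critical=True),
    Policy("restricted-genai", frozenset({"restricted"}), frozenset({"genai"}), "block", critical=True),
    Policy("any-cloud-upload", frozenset({"internal", "confidential", "restricted"}),
           frozenset({"web_upload"}), "alert"),
]

# Triage verdicts collected during the monitor-only weeks (constructed): (policy, verdict)
TRIAGE = ([("dni-egress-email", "true_positive")] * 39 + [("dni-egress-email", "false_positive")]
          + [("restricted-genai", "true_positive")] * 19 + [("restricted-genai", "false_positive")] * 6
          + [("confidential-usb", "true_positive")] * 29 + [("confidential-usb", "false_positive")])


def false_positive_rate(triage, policy):
    verdicts = [v for name, v in triage if name == policy]
    if not verdicts:
        return None
    return sum(v == "false_positive" for v in verdicts) / len(verdicts)


def enforcement_plan(policies, triage, threshold=0.05, min_samples=20):
    """Critical policies move to blocking only with enough triaged alerts and a
    false-positive rate under the threshold; everything else stays in monitor mode."""
    plan = {}
    for p in policies:
        rate = false_positive_rate(triage, p.name)
        n = sum(1 for name, _ in triage if name == p.name)
        ready = p.critical and rate is not None and n >= min_samples and rate < threshold
        plan[p.name] = ENFORCE if ready else MONITOR
    return plan


def evaluate(event, policies, plan):
    """One Decision per matching policy; an empty list means no policy applies."""
    decisions = []
    for p in policies:
        if event.label not in p.labels or event.channel not in p.channels:
            continue
        if event.destination in p.exceptions:
            decisions.append(Decision(p.name, "allow", f"{event.destination} is a documented exception"))
        elif plan.get(p.name, MONITOR) == MONITOR:
            decisions.append(Decision(p.name, "alert", f"[monitor] would {p.action}; logged for calibration only"))
        elif p.action == "justify":
            if event.justification.strip():
                decisions.append(Decision(p.name, "allow", f"allowed with recorded justification: {event.justification}"))
            else:
                decisions.append(Decision(p.name, "justify",
                                          f"{event.label} data to {event.channel} needs a business justification first"))
        else:
            decisions.append(Decision(p.name, p.action,
                                      f"{p.action}: {event.label} data cannot leave via {event.channel} to "
                                      f"{event.destination} (policy {p.name}); request an exception if legitimate"))
    return decisions


if __name__ == "__main__":
    plan = enforcement_plan(POLICIES, TRIAGE)
    for name, mode in plan.items():
        rate = false_positive_rate(TRIAGE, name)
        print(f"{name:18} fp={'n/a' if rate is None else f'{rate:.1%}':>6} -> {mode}")
    for ev in [Event("ana", "confidential", "email", "gmail.com"),
               Event("luis", "restricted", "genai", "chat.openai.com"),
               Event("luis", "confidential", "usb", "usb-serial-0001")]:
        for d in evaluate(ev, POLICIES, plan):
            print(f"{ev.user}: {d.policy} -> {d.action} ({d.message})")
```

With the constructed triage, the email rule (2.5% false positives over 40 alerts) and the USB rule (3.3% over 30) pass the gate and start blocking or demanding a justification, while the generative-AI rule (24%) stays in monitor mode until its pattern is refined, and the cloud-upload rule, which has no triaged samples yet, is not allowed to block at all.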
Compliance fit
A serious DLP programme provides direct evidence for several frameworks.
NIS2 (article 21)
Requires technical and organisational cybersecurity risk-management measures, among them asset management, incident handling and access control. DLP contributes on three fronts: data classification, exfiltration detection and evidence for post-incident forensic analysis.
DORA (article 9)
Digital operational resilience for the financial sector. Article 9 covers protection and prevention measures for ICT systems; DLP is a common control in banks, insurers and payment institutions, especially for client data (PII), market information and transaction data.
GDPR (articles 5, 32)
Principles of integrity and confidentiality (article 5) and security of processing (article 32). GDPR doesn't name DLP, but the AEPD views its deployment positively in large organisations and has cited the absence of leak prevention controls as an aggravating factor in recent sanctions.
ISO 27001:2022
Relevant controls:
- 5.10 Acceptable use of information and other associated assets.
- 5.12 Classification of information.
- 5.13 Labelling of information.
- 5.14 Information transfer.
- 8.10 Information deletion.
- 8.11 Data masking.
- 8.12 Data leakage prevention. A control introduced in the 2022 version, requiring data leakage prevention measures on systems, networks and any other devices that process, store or transmit sensitive information.
DLP provides direct evidence for 8.12 and supports the rest of the list.
PCI DSS v4.0
For environments processing card data, requirement 3 (protect stored account data) and requirement 4 (protect cardholder data with strong cryptography during transmission over open, public networks) depend on knowing where PANs actually live. DLP-style discovery is how organisations find card numbers in email, tickets, repositories and backups outside the cardholder data environment, and v4.0 requires the entity to confirm its PCI DSS scope at least once every 12 months.
ENS Royal Decree 311/2022
Measures op.exp.7 (incident management), mp.info.2 (classification of information), mp.si (information media: marking, custody and transport) and mp.com (communications protection). DLP fits directly.
Typical mistakes in real deployments
What turns up in audits and consulting projects with clients that have bought a DLP but operate it poorly.
Buying before classifying. The client deploys Forcepoint or Microsoft Purview without having defined which data is critical. The system starts with template policies that generate thousands of false positives and nobody tunes them. Sunk cost, no value.
Trusting only regex patterns. Detection that only covers generic formats (DNI, IBAN, card number) misses the real intellectual property (source code, strategic plans, contracts) and, without checksum validation, fires on anything that looks like a number. Exact data match and machine learning on classified documents are essential.
Blocking mode from day one. Policies block before calibration, users lose days of productivity, the business area forces a general deactivation. The programme dies within weeks.
Ignoring non-corporate cloud. The corporate DLP covers Microsoft 365 and file shares but not the personal Dropbox account an employee forwards documents to so they can "work from home". Endpoint DLP or a CASB is the answer.
Not including generative AI. Employees paste confidential information into ChatGPT, Claude, Gemini or cloud copilots with no policy in place. Modern DLP platforms have specific detection for this case, but the organisation has to switch it on.
Alerts nobody reviews. The SIEM receives DLP events, nobody looks at them, and breaches are detected months later by third parties. The programme only works if there is a team with time allocated for triage and investigation.
No user training. The block appears without explanation and users perceive the system as IT obstruction. There should be an awareness programme explaining what is being protected and why.
Metrics that show whether it works
A mature DLP programme reports:
- Inventory coverage. Percentage of endpoints with an active agent, percentage of cloud services covered.
- Volume of incidents per category. Monthly trend, not just a total.
- False positive rate. Realistic target below 5% on critical policies.
- Mean triage time. How long the team takes to review and resolve an alert.
- Legitimate justification rate. Percentage of alerts the user justifies and that are accepted on review.
- Repeat offenders. Users triggering policies more than N times per month; this points to pending training or to malicious intent.
- Channel coverage. Email, USB, cloud, web, IM, generative AI, each with an active policy or a documented reason why not.
Without these metrics the programme only "exists" on paper.
Frequently asked questions
Is DLP mandatory under NIS2?
NIS2 doesn't name DLP. It demands risk-management measures that, in mid-sized and large companies, are hard to make defensible without a leak prevention control. For essential or important entities handling critical data, its absence is hard to justify in an audit.
Difference between DLP and DSPM?
Classic DLP focuses on data in motion (what is trying to leave). DSPM (Data Security Posture Management) focuses on static posture (where sensitive data is, who has access to it, whether buckets are correctly configured). In 2026 serious providers offer both integrated; conceptually they are complementary.
Does Microsoft Purview work for everything?
It covers Microsoft 365 and Windows endpoints well; macOS coverage is narrower. For multi-cloud (AWS, GCP) or third-party SaaS (Salesforce, ServiceNow) it needs additional integrations or complementing with a CASB and a DSPM. For mostly-Microsoft companies it is a reasonable entry point.
Is monitoring employee email with DLP legal?
In Spain and the EU, yes, with conditions. The employee must be informed in writing in advance (internal protocol, communicated policy, contract), the purpose must be legitimate and proportionate, manifestly private communications can't be inspected, and the resulting data is subject to GDPR. In Spain article 87 of the LOPDGDD (Ley Orgánica 3/2018) requires the employer to set usage criteria for digital devices with the participation of employee representatives; at European level Bărbulescu v. Romania (ECtHR Grand Chamber, 2017) set the standard for monitoring employee communications, while López Ribalda v. Spain (ECtHR 2019) concerned video surveillance. Without adequate prior information the evidence obtained may be inadmissible in court and the AEPD sanctions.
What about generative AI in DLP?
It is the 2024-2026 frontier. Employees paste confidential information into ChatGPT, Claude or Gemini with no policy in place. Microsoft Purview, Forcepoint and Symantec have specific detection. The realistic policy is to categorise allowed uses by role, require enterprise versions covered by a DPA instead of free accounts, and block bulk copy/paste into unauthorised interfaces.
Are DLP and EDR the same?
No. EDR detects and responds to threats on the endpoint (malware, anomalous behaviour). DLP prevents data leaks. They overlap partly because both live on the endpoint and many vendors integrate the two functions, but they are distinct disciplines with distinct metrics.
How long does a serious DLP deployment take?
For a mid-sized company of 500-1000 employees: 6-12 months from policy definition to stable operation. Compressing it below that guarantees uncontrolled false positives and internal rejection. The discovery and classification phase is the one most often underestimated.
Related resources
- NIS2 in Spain: how to comply: the framework that most drives DLP-type control formalisation in affected companies.
- DORA compliance: demands ICT controls in financial services supporting DLP deployment.
- ISO 27001 explained: the 2022 version introduces control 8.12 Data Leakage Prevention.
- What is a CISO: the role typically leading DLP implementation and operation.
- What is ransomware: scenario where exfiltration prevention (part of modern double extortion) has direct impact.
- What is an EDR: complementary control sharing the endpoint agent but covering different threats.
DLP deployment and audit at Secra
At Secra we work on the client side in three typical DLP situations: pre-purchase analysis (which provider fits the existing Microsoft or multi-cloud stack, which regulatory framework controls each one covers), validation of existing deployment (audit of real coverage, policy, false positives, metrics) and programme design when the company starts from scratch (classification, discovery, technical policy, operation plan). The usual deliverable is a risk map by data category with concrete priorities. If your organisation is starting with NIS2, DORA or ISO 27001:2022 and needs defensible DLP fit before audit, get in touch via contact or check our GRC consulting services.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.