GLOBAL COMPLIANCE April 4, 2026

The DLP Compliance Gap No Regulation Has Solved — Yet

HIPAA, DORA, HKMA CFI 2.0, MAS TRM, APRA CPS 234, נב"ת 364, NHS DSPT — seven major regulations across five continents. One blind spot they all share.


DLP started with email. Then cloud. Then endpoints. Every wave of regulation followed the same pattern: a new threat emerges, regulators respond, vendors comply, CISOs check the box.

But there is one vector that every regulation — across every country — has consistently ignored: the data visible on the screen. Not data in transit. Not data at rest. Data that is right there, readable by anyone with eyes or a phone camera.

This is the DLP compliance gap. And in 2026, it sits at the intersection of seven major regulatory frameworks worldwide.

The DLP Evolution Nobody Finished

Each generation of regulation addressed the previous generation of threat. The screen threat is happening now — the regulations haven't caught up yet.

Email DLP — 2005

First wave. Regulators mandate controls on outbound email after high-profile data leaks. Vendors build keyword scanning, content inspection, policy enforcement at the mail gateway.

Cloud DLP — 2012

Second wave. Cloud adoption outpaces email controls. Regulators extend requirements to SaaS, IaaS uploads, and cloud storage. CASB tools emerge. The perimeter moves to identity.

Endpoint DLP — 2016

Third wave. USB drives, local printing, unmanaged devices. Regulators mandate endpoint agents. Data classification at the device level becomes standard. Every major DLP vendor ships an endpoint module.

Screen DLP — ???

The threat is live. Employees photograph screens. Shoulder surfers harvest credentials. AI tools capture screen content. The regulation hasn't been written yet — but the incidents are already happening.

7 Regulations. One Blind Spot.

Here is how each major framework approaches workstation and data protection — and where each one stops.

🇺🇸 United States — HIPAA + GLBA

What it covers: HIPAA Physical Safeguards require workstation use policies and automatic screen locks for any workstation accessing ePHI. The automatic logoff requirement under §164.312(a)(2)(iii) mandates logoff after inactivity; under the 2026 updates it is fully mandatory, with the former "addressable" carve-out eliminated. The GLBA Safeguards Rule's workstation provision extends similar endpoint protections to financial institutions handling customer financial data. Together, these two frameworks give the US the most detailed workstation security requirements for ePHI of any jurisdiction.

THE GAP

Neither HIPAA nor GLBA addresses what happens when a nurse photographs a patient screen, or when a banker's colleague glances at account data over their shoulder. HIPAA's physical-safeguard screen requirement stops at the software boundary. The threat doesn't. There is no HIPAA provision for "detect phone camera pointed at clinical workstation" — because in 2003, that threat didn't exist.

🇪🇺 European Union — DORA

What it covers: DORA (Digital Operational Resilience Act), in force since January 2025, requires all EU financial entities to implement comprehensive ICT risk management, continuous monitoring, and full audit trails for every security event. Its workstation controls apply to all 22,000 financial entities across the EU. DORA's ICT risk management framework for endpoints is among the most rigorous in the world, requiring continuous threat monitoring, penetration testing, and documented resilience capabilities. Screen security for financial entities falls under DORA's broader endpoint and access management controls. Its audit trail requirements mandate that every security-relevant event be logged and attributable.

THE GAP

DORA's audit trail requirement is rigorous — but only for digital events. Physical screen exposure leaves zero logs. When a DORA examiner asks "show me your logs for this incident," visual exfiltration events simply don't exist in the record. You cannot audit what you cannot detect. And no technology in DORA's scope today detects a phone camera held up to a trading desk.

🇮🇱 Israel — נב"ת 364

What it covers: The Bank of Israel's directive 364, effective May 18, 2026, replaces three previous directives and creates a unified framework covering IT risk, cyber protection, incident management, and third-party risk for all Israeli banking institutions. The workstation security provisions of נב"ת 364 mandate strict controls on workstation access and session management, and require documented security policies and technical enforcement at the endpoint level.

THE GAP

נב"ת 364 mandates automatic workstation locking after inactivity — but it governs only the lock, not what happened to the data on screen before the lock triggered. An employee who photographs a screen before walking away leaves no audit trail whatsoever. Visual protection is entirely absent from the directive's scope.

🇭🇰 Hong Kong — HKMA CFI 2.0

What it covers: The HKMA's Cybersecurity Fortification Initiative 2.0, operational since January 2021, is the primary cyber resilience framework for Hong Kong's banking sector. Its endpoint security requirements cover access controls, device management, and intelligence-led simulation testing (iCAST). Workstation controls were significantly strengthened in CFI 2.0, which added IoT security requirements and enhanced monitoring. Hong Kong's forthcoming Critical Infrastructure Cybersecurity Law, expected in 2026, will extend these requirements to operators of critical infrastructure — including financial institutions and major entertainment and gaming operators — and is expected to add mandatory incident reporting and control attestation requirements.

THE GAP

CFI 2.0 explicitly strengthened access security and IoT controls — but the HKMA Cyber Resilience Assessment Framework (C-RAF) has no visual threat category. Casino floors, trading desks, and back-office environments in Hong Kong have some of the highest concentrations of sensitive screen data anywhere in the world. None of it is covered by a framework addressing visual exfiltration. The gap is particularly acute in Hong Kong's high-footfall financial environments.

🇸🇬 Singapore — MAS TRM

What it covers: The Monetary Authority of Singapore's Technology Risk Management Guidelines require financial institutions to implement robust endpoint security, access controls, and continuous monitoring. Screen security falls under the guidelines' broader endpoint and access management requirements. Their workstation provisions cover device hardening, patch management, and access control enforcement. Singapore's financial sector is among the most tightly regulated in Asia, and screen DLP requirements for Singapore financial institutions are expected to evolve as the MAS updates its digital risk guidance.

THE GAP

MAS TRM focuses on system integrity and data-in-motion protection. Visual protection at the endpoint is not addressed. Screen-level visual exposure — particularly in Singapore's dense, open-plan trading and banking environments — falls outside any current requirement. The MAS has not yet defined a control category for physical-visual exfiltration.

🇦🇺 Australia — APRA CPS 234

What it covers: APRA's CPS 234 (Information Security) requires Australian banks, insurers, and superannuation funds to maintain information security capabilities proportional to threats. Workstation controls are included within the broader control framework requirement. The regulation mandates documented control frameworks, annual testing, and board-level accountability for information security outcomes. Screen-level data protection requirements for Australian financial institutions are embedded within CPS 234's risk-proportionate approach.

THE GAP

CPS 234 requires organizations to test their controls — but you cannot test what you haven't defined. Visual exfiltration is an untested surface in every Australian financial institution's CPS 234 control framework. No APRA-regulated entity currently includes visual screen exfiltration in its threat model, because no regulation has directed them to — and no vendor has given them a tool to address it.

🇬🇧 United Kingdom — NHS DSPT + Cyber Resilience Bill

What it covers: The NHS Data Security and Protection Toolkit requires NHS organizations to implement workstation security controls protecting patient data. Screen lock requirements are explicitly included — organizations must demonstrate that workstations auto-lock and that policies govern screen exposure. Its workstation protection provisions apply to all NHS trusts, CCGs, and contracted suppliers. The forthcoming UK Cyber Resilience Bill (2026) will extend mandatory cyber controls to a broader range of critical infrastructure operators, likely including minimum endpoint security standards.

THE GAP

NHS environments are the highest-risk clinical screen exposure scenario in the world: workstations in open wards, shared nursing stations, and clinical rooms display patient records continuously. The DSPT's clinical workstation requirement stops at screen lock policy — there is no provision requiring detection of phone cameras near clinical workstations, shoulder surfing, or real-time visual threat response. The gap between DSPT policy and technical enforcement is the widest of any framework reviewed here. UK financial services face the same structural gap in screen DLP under FCA/PRA guidance.

The Common Thread

Every one of these frameworks shares three characteristics:

  • They were written to address the threats of five years ago
  • They all require audit logs — but only for digital events
  • They all have a workstation security section that stops at the software boundary

None of them has a word about what happens when someone holds a phone up to a screen.

This isn't an oversight. In 2020, when most of these frameworks were last substantially updated, AI-powered camera detection that could run on a laptop in real time didn't exist. The threat was theoretical. The technology to address it wasn't ready. The regulators moved on.

The technology is ready now. The threat is real now.

Why AI Makes This Urgent in 2026

The screen DLP gap was always there. AI made it dangerous.

In 2023, a Morgan Stanley survey found that 57% of financial services employees were using personal AI tools at work. Each one of those interactions is a potential screen photography event — data captured on screen, uploaded to an external model.

The threat model regulators wrote in 2020–2022 did not include "employee photographs CRM screen and feeds client data to ChatGPT." That threat is real today. It happens every day in every industry covered by every framework on this list.

The next wave of regulations will address it. DORA's 2026 review cycle has already flagged AI-assisted exfiltration as an emerging risk category. NHS DSPT guidance is expected to include AI tool usage controls in the next annual update. The MAS has published consultation papers on AI risk that include data exfiltration via AI interfaces.

Organizations that adopt screen DLP now will be compliant before the requirement lands — and more importantly, protected before the incident occurs.

What Regulators Will Ask Next

When any of these regulators audits your organization, the first question is always the same: "Show me your logs."

Digital DLP logs every email, every USB transfer, every cloud upload. That audit trail exists because the detection technology existed first.

Screen events? Zero logs. Not because no one cared — because until recently, no technology could detect them.

A complete compliance posture under any of these seven frameworks means every threat vector is auditable. That includes the one no regulation has named yet. The organizations that will pass the next round of audits are the ones building the audit trail now — before the examiner asks to see it.

ScreenStop is the first Screen DLP platform — built on computer vision AI to detect phone cameras, shoulder surfing, and unattended screens in real time. It produces audit-ready logs for every visual security event, processed entirely on-device.

Frequently Asked Questions

What is the screen DLP compliance gap?

Every major DLP regulation protects data in transit, at rest, and on endpoints. None explicitly address data visible on a physical screen — vulnerable to phone cameras, shoulder surfing, or unattended workstations. This is the screen DLP gap. It exists across HIPAA, DORA, HKMA CFI 2.0, MAS TRM, APRA CPS 234, נב"ת 364, and the NHS DSPT — seven major frameworks, one shared blind spot.

Does DORA require screen DLP?

DORA requires comprehensive ICT risk management and full audit trails for EU financial entities. It does not explicitly mandate visual screen protection — creating an audit gap for physical-visual exfiltration events. When a DORA examiner asks for logs of a suspected data incident, screen-based exfiltration produces zero entries in any current SIEM or DLP system. DORA's 2026 review cycle has flagged AI-assisted exfiltration as an emerging risk category to watch.

Does HIPAA require screen locks and visual protection?

HIPAA Physical Safeguards require workstation use policies and automatic screen locks for ePHI workstations under §164.312(a)(2)(iii) and §164.310(b). The 2026 Security Rule update makes these fully mandatory. However, HIPAA does not address phone camera threats or AI-powered visual exfiltration — the threat vectors screen DLP covers. A screen lock addresses the unattended workstation. It does nothing for the session that is open and actively being photographed.

What is HKMA CFI 2.0 and how does it relate to screen security?

HKMA CFI 2.0 is Hong Kong banking's primary cyber resilience framework, operational since January 2021. It covers endpoint security, access controls, and intelligence-led penetration testing (iCAST). It does not address the physical-visual threat vector — a significant gap in Hong Kong's casino, trading, and banking environments where sensitive screen data is concentrated in high-traffic spaces. Hong Kong's forthcoming Critical Infrastructure Cybersecurity Law is expected in 2026 but has not yet defined visual exfiltration controls.

Which regulation will first address screen DLP explicitly?

No major regulation explicitly mandates screen DLP yet. DORA's 2026 review cycle, the UK Cyber Resilience Bill, and updated NHS DSPT guidance are the most likely candidates to first reference AI-powered visual exfiltration controls. Organizations that adopt screen DLP now will already have the control in place — and the audit trail to prove it — before any examiner asks to see it.

One blind spot. Seven frameworks. One solution.

ScreenStop closes the screen DLP gap with real-time computer vision detection and audit-ready logs — on every endpoint, under every framework.
