On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, Implementation and Enforcement Policy, and FAQs for its Data Security Program (DSP), finalized pursuant to Executive Order 14117 and the 28 C.F.R. Part 202. The DSP is primarily designed to prevent certain cross-border data flows and transactions. Individuals and companies subject to the DSP are required to comply with new security requirements, reporting and recordkeeping duties, and due diligence rules.
The recently issued guidance makes evident NSD’s intent to make the DSP an enforcement priority for this administration. Access to Americans’ bulk sensitive or personal data or U.S. government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. The DSP is currently subject to a 90-day initial enforcement period, which is a limited enforcement window to give individuals and companies additional time to bring their transactions and processes into compliance with the DSP. After July 8, 2025, NSD will implement full enforcement of the DSP.