5 Things In-House Counsel Must Know Before DOJ’s Bulk Transfer Rule Enforcement Begins

Orrick, Herrington & Sutcliffe LLP

The 90-Day Grace Period Is Ending. Are You Ready?

The Department of Justice’s (DOJ) 90-day grace period for compliance with the Data Security Program (DSP) ends on July 8, 2025, and enforcement is expected to begin. This regulatory regime was created for national security reasons. It restricts or prohibits cross-border data transfer with “countries of concern” and “covered persons” (described below). In practice, any business transferring data across borders to countries of concern (i.e., China (including Hong Kong and Macau), Russia, Iran, Cuba, North Korea and Venezuela) should be aware of the DSP’s requirements and prepare to comply.

1. The Grace Period Clock Expires on July 8 and Civil Enforcement is Next

The window for leniency is closing. The DOJ has made it clear that enforcement of the DSP will begin in earnest after the 90-day grace period. Companies must be able to show tangible, good-faith steps toward compliance to avoid penalties. Here’s what you need to know about the transition from grace period to enforcement:

  • DOJ’s Implementation & Enforcement Policy: Between April 8 and July 8, 2025, the DOJ’s National Security Division (NSD) has not prioritized civil enforcement against entities making good-faith efforts to comply, such as by developing an accurate understanding of their data inventory and cross-border data flows.
  • As of July 8: NSD is expected to pursue penalties, up to ~$370,000 per violation, plus potential criminal exposure (including imprisonment) for willful violations.
  • Companies should be prepared to demonstrate compliance or face significant consequences.
  • The rule requires U.S. companies’ contracts to include onward transfer restrictions and compliance language where applicable.
  • Organizations handling covered data in restricted transactions will need to implement CISA security controls across relevant systems and processes.
  • Regulators will look for evidence of compliance training and documentation of efforts.

2. Know Your Data and Your Counterparties: Who and What is Covered?

Understanding the scope of the rule is critical. Not all data and not all foreign counterparties are treated equally under the DSP. In-house counsel must be able to identify whether their companies have covered data and which business partners or vendors may trigger compliance obligations. Key definitions and diligence steps include:

  • Covered Data: The rule targets “bulk sensitive personal data” (six categories: human genomic, biometric, precise geolocation, health, financial, and personal identifiers) and government-related data. Companies should assess whether they maintain data in these categories and, if so, whether third parties can access that data.
  • Countries of Concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela.
  • Covered Persons: Entities or individuals organized, based, or resident in countries of concern, or entities 50% or more owned by such parties or by countries of concern, are “covered persons.” The DOJ will maintain a public list, but persons meeting the criteria are covered whether or not publicly designated as such, and companies must also conduct their own diligence. The DOJ has yet to publish a list of covered persons.
  • Due Diligence: The DOJ expects companies to use risk-based compliance approaches, leveraging existing anti-money laundering and know your customer, sanctions, and privacy workflows to screen counterparties and understand data flows.

3. Three Transaction Buckets: Prohibited, Restricted, Exempt

The DSP sorts data transactions into three main categories, each with its own set of requirements and restrictions. Understanding which bucket your transaction falls into is essential for compliance and risk management:

  • Prohibited:
    • The rule prohibits certain data brokerage transactions with countries of concern or covered persons.
    • “Data brokerage” is very broad and includes, for example, any “sale of data, licensing of access to data or similar commercial transaction.”
    • Transactions involving the transfer of bulk human ‘omic data, such as large-scale genomic datasets, are also prohibited.
  • Restricted:
    • The rule permits restricted transactions only if the required safeguards are in place.
    • Vendor, cloud, employment, and investment agreements are subject to CISA security controls and require a written DSP compliance program.
  • Exempt:
    • Certain types of data are exempt from the rule, including financial-services data flows, personal communications, intra-company administrative data transfers for routine business operations, and deidentified clinical trial data shared with the Food and Drug Administration.

4. The CISA Security Requirements are the Baseline for Restricted Transactions

The CISA security controls set a new minimum standard for organizations handling covered data in restricted transactions. Meeting the DSP’s security requirements is not optional. Companies should evaluate their current security measures and comply with the security standards now. The core elements include:

  • Data minimization and masking to reduce unnecessary exposure of sensitive information.
  • Encryption and privacy-enhancing technologies (PETs) to protect data at rest and in transit.
  • Robust access controls, including role-based access, to limit data access to authorized personnel only.
  • Organizational and system-level requirements, such as written security policies, regular risk assessments, incident response planning and the implementation of security measures across the organization’s systems and processes to ensure effective governance and oversight.
  • Annual independent audits to assess and validate compliance with security requirements.

5. Documentation is Your Defense: Build the DSP Compliance File Now

When enforcement begins, documentation will be a key factor in demonstrating compliance. Regulators are expected to look for clear, organized records of compliance efforts, policies, and certifications. Key documentation requirements under the rule include:

  • A written Data Compliance Program is required by October 6, 2025, for any companies engaging in restricted transactions, with board review recommended for timely implementation.
  • Companies must maintain compliance records for at least ten years.
  • An officer or responsible executive is required to certify compliance on an annual basis.

What’s Next?

Compliance with the DSP will be an ongoing process. The regulatory landscape is expected to evolve, and staying informed is essential. In the coming months, companies should be aware of:

  • DOJ updates to FAQs, expansions of the Covered Persons List and clarifications regarding overlap with the Committee on Foreign Investment in the United States (CFIUS).
  • Developments in state law requirements (such as California Consumer Privacy Act geolocation rules).
  • The importance of ongoing communication with regulators and external counsel to remain current with changes.

See our prior articles for details about the new program here and here.


Anna Diaz Gessner (Summer Associate) contributed to this article.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Orrick, Herrington & Sutcliffe LLP
