United States of America: National Security Division released Implementation and Enforcement Policy of Data Security Program established by Executive Order 14117

On 11 April 2025, the National Security Division (NSD) released its Implementation and Enforcement Policy for the Data Security Program (DSP), established by Executive Order 14117 to prevent foreign adversaries from accessing US government-related and sensitive personal data. The DSP imposes prohibitions and restrictions on data transactions that pose national security risks, including data brokerage, employment agreements, and investment agreements, among others. The DSP's main provisions took effect on 8 April 2025 and certain obligations will become enforceable starting 6 October 2025. The NSD specified that it will exercise enforcement discretion, focusing on outreach and compliance support rather than civil penalties, provided entities demonstrate good-faith efforts to comply until 8 July 2025. The NSD retains the authority to take action against wilful or egregious violations during this period. Companies are encouraged to assess their data handling, review vendor relationships, and adopt necessary safeguards. NSD will not review formal license or advisory opinion requests during the 90-day enforcement grace period. After 8 July 2025, full compliance is expected, and enforcement will proceed accordingly.