On April 8, 2025, the U.S. Department of Justice (DOJ) finalized its bulk data transfer rule, implementing Executive Order 14117. After a 90-day grace period, enforcement began on July 8, 2025. The rule is designed to prevent access to U.S. sensitive personal and government-related data by “covered persons” in six countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela
At first glance, this may seem like a geopolitical issue, but for multinational enterprises, it’s a compliance and access governance challenge. The rule is not only about what data you hold, it’s about who can access it, from where, and under what conditions.
What the Rule Requires
The DOJ’s final rule distinguishes between prohibited and restricted transactions:
- Prohibited transactions: Certain data brokerage activities, especially those involving biospecimen or genomic data, are completely banned.
- Restricted transactions: Many employment, vendor, or corporate group agreements involving access to bulk data are restricted. These require compliance with Cybersecurity and Infrastructure Security Agency (CISA) standards, auditing, and reporting obligations.
Data categories in scope include biometric identifiers, personal health and financial data, human genomic data, geolocation, and other sensitive classes.
To qualify as “bulk,” thresholds include:
- 1,000 U.S. persons for biometric data
- 10,000 U.S. persons for health or financial data
- 100 U.S. persons for genomic data
By October 2025, organizations must implement a formal Data Security Program (DSP) – including cybersecurity controls, audit trails, and DOJ reporting requirements.
The Identity Challenge
This is not just about encryption or choosing the right cloud region. The challenge lies in identity and access:
- Who are the users in countries of concern?
- What effective permissions do they hold across SaaS apps, cloud services, and data systems?
- Are there inherited or indirect access paths that expose U.S. data?
Without comprehensive visibility, enterprises can’t prove compliance, defend exemptions, or enforce access boundaries. As DOJ officials noted, the intent is to “make getting that data a lot harder.”
Violations carry steep consequences: civil fines up to double the value of the transaction, or criminal penalties up to $1M per willful violation and/or 20 years’ imprisonment
How Veza Helps
This is where Veza plays a critical role. Veza delivers identity visibility and governance across SaaS apps, data platforms, and cloud infrastructure — giving organizations the tools to comply with the DOJ rule:
- Map Access Across Borders: See who can take what actions on sensitive U.S. data, including effective permissions across global environments.
- Geo-Specific Controls: Restrict or monitor access by identities in countries of concern, without breaking core business processes.
- Support Exemption Requests: For enterprises applying under the corporate group transaction exemption, Veza provides the evidence trail needed to justify access.
- Automate Compliance Proof: Generate continuous, auditable reports that show regulators and auditors exactly how access is governed.
Large vs. Small Enterprises
Large organizations are likely to pursue exemptions, citing the operational need for global collaboration. Their challenge is proving necessity, and Veza helps deliver the proof.
Small and mid-sized businesses (SMBs) may not have the same resources and may need to restrict access outright. For them, Veza enables least-privilege enforcement without derailing daily operations.
The Bigger Picture
The DOJ rule underscores a global trend: identity is now the compliance perimeter. From GDPR in Europe to China’s data sovereignty laws, governments are drawing hard lines around who can access sensitive datasets.
For multinational organizations, identity visibility is no longer a nice-to-have for security teams; it’s a business requirement for regulatory compliance, cross-border operations, and operational resilience. Investors and boards are echoing the same concerns. In a recent KKR webinar, executives emphasized that data responsibility and cybersecurity are no longer just IT issues; they’re reputational risks, regulatory priorities, and material factors that impact company value. That aligns directly with what the DOJ’s rule is driving: enterprises must demonstrate control of sensitive data, not just to regulators, but to stakeholders and shareholders alike.
Takeaway: The DOJ bulk data transfer rule makes one thing clear: you cannot comply if you don’t know who can access your data. Veza helps organizations enforce access boundaries, support exemption requests, and reduce risk across multinational environments.
Cutting Through the Noise
It’s easy to look at the DOJ’s bulk data transfer rule and dismiss it as just another geopolitical move. In reality, it has a real operational impact on multinational organizations. A few truths stand out:
- While it feels like a “don’t send data to China” rule, it applies to six countries of concern: China, Russia, Iran, Cuba, North Korea, and Venezuela. China may be the big headline, but the scope is broader.
- The framework echoes the same logic the government tried with TikTok — only this time it’s structured to survive in court by being transaction- and data-driven.
- The rule doesn’t eliminate data brokerage; it regulates it. Certain sales are banned outright, but most fall into the “restricted” category, where companies must prove compliance.
- Compliance isn’t just about where data lives — it’s about who can access it. Employees, contractors, and service accounts in covered countries all come into scope.
- Large enterprises will likely pursue exemptions under the “corporate group transactions” allowance to maintain business continuity. Smaller companies may have no choice but to restrict access directly.
- At the end of the day, compliance comes down to identity visibility. You can’t enforce boundaries or prove exemptions if you don’t know exactly who can access your sensitive data.
That’s why identity visibility isn’t just a security advantage — it’s now a regulatory requirement. Organizations that get ahead of this curve won’t just stay compliant; they’ll simplify audits, streamline governance, and cut risk across the board. If you’re looking for where to start, the resources below are a solid roadmap.
Call to Action
To dig deeper into how organizations can prepare for regulations like the DOJ’s bulk data transfer rule, explore these Veza resources:
- Veza’s State of Access Report— uncover data-driven insights into identity risk trends across industries.
- Veza: The Next-Gen Identity Governance & Administration Platform — learn how Veza modernizes IGA for compliance and cross-border access governance.
- Veza Access Intelligence Datasheet — see how Veza delivers identity visibility, enforcement, and continuous compliance proof.
With these tools, you can turn regulatory mandates into opportunities to strengthen security, streamline compliance, and reduce risk.
