
The remaining requirements of the Data Security Program (DSP) Rule became effective today, October 6, 2025.  The DSP Rule prohibits or restricts access to U.S. sensitive personal data (and other covered data).  The Rule may apply to any company that collects, stores or processes specified volumes of sensitive personal data of U.S. residents. 

Under newly effective sections of the DSP Rule, due diligence and audit requirements apply to restricted transactions, annual reports are required regarding restricted transactions, and reports must be filed on rejected prohibited transactions.  In addition, the U.S. Department of Justice, National Security Division (DOJ NSD) issued a September 24 update to its Frequently Asked Questions (FAQs) about the Rule.  The FAQs clarify the scope, compliance obligations, and interaction with other national security frameworks.

As indicated in our last advisory on the subject, many provisions of the DSP Rule (28 CFR 202) took effect on April 11, 2025.  On July 8, the DOJ NSD ended a period of targeted enforcement focused on willful violations.  The DOJ NSD is now fully enforcing the DSP Rule, including the newly effective provisions. 

Effective October 6, 2025 under the DSP Rule:

  • Companies engaging in any restricted transactions must develop and implement a data compliance program.
  • Companies that engage in any restricted transactions must conduct an audit that complies with the DSP Rule.
  • Companies that engage in restricted transactions involving cloud-computing services, and that have 25% or more ownership by a country of concern or covered person, must file an annual report with the DOJ NSD.
  • Companies that reject a transaction because it is prohibited under the DSP Rule must file a report with the DOJ NSD within 14 days of rejecting the transaction.

 

For companies that collect, store or process sensitive personal data of U.S. residents, it is important to:

  • Establish a data compliance program and conduct audits if engaged in any restricted transactions.
  • Ensure that reports are filed with the DOJ NSD if required under the newly effective DSP Rule requirements.
  • Know your company data and assess risks related to company data and transactions.
  • Remediate agreements by including contractual language with vendors, employees, and investors requiring compliance with the DSP Rule and restricting onward transfer of data.
  • Perform due diligence on counterparties, including by checking individuals and entities against the DOJ’s Covered Persons List.
  • Implement governance & training to ensure personnel fully understand company and individual obligations under the DSP Rule.

Enforcement Outlook

Non-compliance with the DSP Rule can result in civil enforcement by the DOJ NSD, as well as criminal penalties for willful violations or attempts to evade the Rule.  Companies should anticipate increased NSD scrutiny and possible information requests in Q4 2025.

How We Can Help

The CommLaw Group assists clients with DSP compliance assessments, contractual remediation, due diligence and reporting requirements. We also offer a comprehensive DSP Compliance Guide, available for purchase, which includes model contract language, risk assessment templates, and step-by-step implementation checklists to accelerate your compliance efforts.

Contact:
Brian Alexander – bal@commlawgroup.com