DOJ’s Bulk Data Transfer Rule: Why Identity Visibility is Now a Compliance Requirement

On April 8, 2025, the U.S. Department of Justice (DOJ) implemented a bulk data transfer rule under Executive Order 14117, aimed at preventing unauthorized access to sensitive data by individuals from six specified countries: China, Cuba, Iran, North Korea, Russia, and Venezuela. The rule categorizes transactions as either prohibited or restricted, with stringent compliance requirements involving cybersecurity standards, auditing, and reporting, particularly for data like biometric, health, financial, and genomic information. Enforcement began on July 8, 2025, and by October 2025, organizations are required to establish a Data Security Program that includes comprehensive identity and access management. Companies like Veza provide solutions to help multinational enterprises navigate these regulations by offering tools for identity visibility, governance, and compliance proof. The rule reflects a broader global trend towards stricter data sovereignty and identity governance, emphasizing that understanding who can access data is crucial for regulatory compliance and operational resilience. This regulatory shift highlights the importance of identity visibility not only as a security measure but as a critical component in maintaining regulatory and operational standards across global business environments.