The requirements affect data transfers by US companies to foreign individuals or entities that are directly or indirectly associated with a "country of concern". This includes:

• foreign companies that have their registered office or are established under the law of such a country,
• companies that are majority-owned by a “country of concern” or another covered person by 50 % or more,
• individuals whose main residence is in one of these countries,
• employees or contractors of such companies or governments.

In addition, the National Security Division ("NSD") can classify other persons - including US citizens - as "designated covered persons" if they meet certain control criteria. These persons are then included an official "covered persons list" which will be published.

Important: As part of their compliance program, US companies are obliged to check whether partners fall under the above categories.

Typical processes affected are

• data brokerage
• contracts with service providers or suppliers
• employment or investment contracts where data access is possible
• transfers of large volumes of data, for example on genetics, health, location or financial data

Important: It is sufficient that data access is theoretically possible - actual access is not necessary.

From certain data volumes ("bulk"), the following data is protected by the requirements:

Regardless of the data volume, the Final Rule also covers so-called "government-related data":

• Precise location data of sensitive US government facilities, such as military bases or operational locations of security-related authorities
• personal data linked to current or recently departed government employees, military personnel or intelligence personnel.

Important: Anonymized, pseudonymized, encrypted, de-identified or aggregated data is also covered if it exceeds the specified quantity thresholds. The decisive factor is not the form of processing, but rather the risk that such data can be used for re-identification - for example through traceability or cross-comparisons - and evaluated in a security-relevant manner.

There are a number of generally prohibited data transfers ("prohibited transactions") (with individual exceptions), e.g.:

• Commercially trading data with countries of concern or entities / individuals associated with them
• sharing large amounts of genetic data
• transactions that are aimed to circumvent the requirements or that are considered "straw man" constructs.

There are also certain "restricted transactions". These are only permitted if certain security standards are met. “Restricted transactions” include contracts with service providers or suppliers, employment or investment contracts with critical countries.

If the US companies subject to the Bulk Data Rule do not meet the required security standards (implementation of CISA guidelines on IT security, verifiable risk assessment and logging of data transfers), their ”restricted transactions” are also deemed to be prohibited.

There are two notable instances where this may be the case:

1. If a US company sells data to foreign third parties (e.g. via data brokers), these third parties must contractually guarantee that no data will be passed on to "countries of concern".
2. It is prohibited to violate the Bulk Data Rule provisions by circumventing them - for example, by using foreign third parties or governments as "proxies" for prohibited actors.

International data flows therefore remain permitted in principle - but companies must be vigilant to avoid unintentional breaches or liability risks.

Even if your company is based exclusively in the EU, you may be affected - for example by:

• Processing data as part of a group of companies with a US establishment
• contracts with US partners or customers
• use of service providers with headquarters in or connections to "countries of concern".

We would recommend taking the following steps:

1. Analyze data flows: What US data do you process? Who has access?
2. Assess risks: Are there direct or indirect points of contact with “countries of concern” or "covered persons"?
3. Check and adapt contracts: Do additional safeguards need to be built into contracts (e.g. to prevent data transfers to other countries)?
4. Establish a compliance program: Implement security requirements, document processes, prepare regular audits.
5. Prepare for new reporting obligations: From October 2025, new requirements for the retention, reporting and auditing of data flows will apply to the US companies directly affected. You should be able to support your affected partners in the US.

The Bulk Data Rule came into force on April 8, 2025. Since then, the basic restrictions on certain international data transactions apply - particularly with regard to access by countries of concern or covered persons.

However, the US Department of Justice (DOJ) provides for a transition period until July 8, 2025: During this period, civil enforcement actions will be waived if a company can prove that it is working on implementing suitable compliance measures.

Some key obligations for restricted transactions - in particular, regarding due diligence, documentation, auditing and reporting - will not come into force until October 5, 2025. US companies therefore have a limited preparation window to adapt processes, contracts and internal responsibilities to the new requirements. During this time, companies are likely to approach their partners abroad.