EO 14117 for Technology Companies: Data Localization and Access Controls for Restricted Categories

How technology companies must implement data localization, access controls, and vendor restrictions under Executive Order 14117.

Regulation

Executive Order 14117

Max Penalty

Criminal and civil penalties under IEEPA

Enforcing Authority

Department of Justice (DOJ)

Official Source

www.justice.gov

Executive Summary

  • Executive Order 14117 mandates data localization and access controls for technology companies.
  • Compliance is required for all organizations handling restricted categories of data in the U.S.
  • Non-compliance can result in severe penalties under the IEEPA.
  • A comprehensive compliance program should include risk assessments, data mapping, and stakeholder engagement.
  • Regular audits and documentation are essential for demonstrating compliance with EO 14117.

Executive Order 14117 for Technology Companies: Data Localization and Access Controls for Restricted Categories (2026)

Executive Order 14117 introduces significant data localization and access control requirements for technology companies operating within the United States. This regulation aims to enhance national security by restricting access to sensitive data and ensuring that certain categories of data remain within U.S. borders. Organizations must navigate the complexities of compliance to avoid severe penalties.

Regulation: Executive Order 14117
Max Penalty: Criminal and civil penalties under IEEPA
Enforcing Authority: Department of Justice (DOJ)
Official Source: White House

What Is Executive Order 14117?

Executive Order 14117, issued in 2022, establishes a framework for data localization and access controls specifically targeting technology companies. The order is designed to mitigate risks associated with foreign adversaries accessing sensitive data that could threaten national security. It mandates that organizations implement robust data management practices, particularly for restricted categories of data, which include personal information, critical infrastructure data, and other sensitive information deemed vital to national interests.

The order reflects a growing trend in the U.S. to prioritize data sovereignty, aligning with similar international regulations such as the Personal Information Protection Law (PIPL) in China and the General Data Protection Regulation (GDPR) in the European Union. Compliance with EO 14117 is essential for technology companies that handle sensitive data, as failure to adhere to its provisions can lead to significant legal and financial repercussions.

Who Must Comply

All technology companies operating in the United States that handle restricted categories of data are subject to the provisions of Executive Order 14117. This includes organizations involved in data processing, storage, and transmission, regardless of their size or the nature of their operations. Companies that provide cloud services, data analytics, or any technology solutions that involve personal or sensitive data are particularly impacted.

Additionally, foreign entities that engage with U.S. data or have operations within the U.S. must also comply with the order. This broad scope ensures that any organization that interacts with sensitive data must implement the necessary safeguards to protect that information from unauthorized access or misuse.

Core Compliance Requirements

Data localization mandates. Organizations must ensure that restricted categories of data are stored and processed within the United States. This requirement is critical for maintaining control over sensitive information and preventing unauthorized access by foreign entities.

Access controls. Companies are required to implement stringent access controls to limit who can access restricted data. This includes establishing user authentication protocols, role-based access controls, and regular audits to ensure compliance with access policies.

Data minimization principles. Organizations should adhere to data minimization principles, collecting only the data necessary for their operations. This practice not only reduces the risk of data breaches but also aligns with best practices under GDPR and other privacy frameworks.

Incident response protocols. Companies must develop and maintain incident response protocols to address potential data breaches or unauthorized access incidents. These protocols should include procedures for reporting incidents to the Department of Justice and other relevant authorities.

Regular compliance assessments. Organizations are required to conduct regular assessments of their data management practices to ensure ongoing compliance with EO 14117. This includes evaluating data storage practices, access controls, and incident response capabilities.

Penalties and Enforcement

The enforcement of Executive Order 14117 falls under the jurisdiction of the Department of Justice (DOJ). Non-compliance with the order can result in severe penalties, including both criminal and civil sanctions under the International Emergency Economic Powers Act (IEEPA). Organizations found in violation may face substantial fines, restrictions on their operations, or even criminal charges against responsible individuals.

The DOJ has indicated that it will actively monitor compliance and investigate potential violations. Companies should be aware that enforcement actions may include audits, investigations, and potential legal proceedings, making it crucial to establish a robust compliance framework to mitigate risks.

Building a Defensible Compliance Program

To effectively comply with Executive Order 14117, organizations should develop a comprehensive compliance program. The following steps outline a structured approach to building a defensible compliance program:

  1. Assess current data practices — evaluate existing data management practices against EO 14117 requirements.

  2. Identify restricted categories of data — categorize data based on sensitivity and compliance obligations.

  3. Implement data localization measures — ensure that restricted data is stored and processed within U.S. borders.

  4. Establish access control mechanisms — develop user authentication and role-based access policies.

  5. Create incident response protocols — design procedures for responding to data breaches and unauthorized access.

  6. Conduct regular compliance training — provide ongoing training for employees on data protection and compliance requirements.

  7. Perform regular audits — schedule periodic assessments to evaluate compliance with EO 14117.

  8. Engage legal counsel — consult with legal experts to ensure that compliance measures align with evolving regulations.

Practical Implementation Priorities

Risk assessment and management. Organizations should prioritize conducting a thorough risk assessment to identify vulnerabilities in their data management practices. This assessment will inform the development of targeted strategies to mitigate risks associated with restricted data.

Data mapping and inventory. Maintaining an accurate inventory of data assets is essential for compliance. Organizations should map out where restricted data is stored, processed, and transmitted to ensure that all data localization requirements are met.

Stakeholder engagement. Engaging stakeholders across the organization is crucial for fostering a culture of compliance. This includes collaborating with IT, legal, and operational teams to ensure that compliance measures are integrated into daily operations.

Documentation and record-keeping. Organizations must maintain comprehensive documentation of their compliance efforts, including policies, procedures, and training records. This documentation will be vital in demonstrating compliance during audits or investigations.

Run a Free Privacy Scan

Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against Executive Order 14117 requirements within minutes.

Run your free scan or speak with a privacy expert to discuss your compliance obligations under Executive Order 14117 and build a prioritized remediation plan.

Regulatory Crosswalk

Organizations subject to this regulation often operate under these overlapping frameworks: PIPL data localization, GDPR Chapter V, NIST CSF. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.

Evaluate your compliance posture now

BD Emerson's automated scanner audits your public-facing properties against your applicable regulations in minutes, not weeks.