Full Report
TikTok on Friday officially announced that it formed a joint venture that will allow the hugely popular video-sharing application to continue operating in the U.S. The new venture, named TikTok USDS Joint Venture LLC, has been established in compliance with the Executive Order signed by U.S. President Donald Trump in September 2025, the platform said. The new deal will see TikTok's Chinese
Analysis Summary
# Regulation/Compliance: Executive Order Mandating Divestiture/Restructuring of Foreign-Owned Technology Platforms (September 2025 EO)
## Overview
This requirement stems from a U.S. Executive Order targeting technology applications (like TikTok) owned by foreign entities, citing national security concerns related to potential data access or influence by a foreign government (specifically related to ByteDance/China). Compliance is achieved through the mandated restructuring of the U.S. operations into a majority-American owned joint venture (TikTok USDS Joint Venture LLC) along with extensive data and algorithmic safeguards.
## Key Details
- Issuing Authority: U.S. President Donald Trump (Executive Branch)
- Effective Date: The EO was signed in **September 2025**. The compliance deadline derived from the order was **January 23, 2026**.
- Jurisdiction: United States (U.S.) operations of the specified application/platform.
- Status: **In Effect** (Compliance achieved by the stated deadline).
## Requirements
### Mandatory Requirements
1. **Divestiture/Restructuring:** The operations must transition to a joint venture (TikTok USDS Joint Venture LLC) where there is **majority American ownership** (ByteDance retaining only 19.9% stake).
2. **Data Protection:** Implement **comprehensive data protections** for U.S. user data, utilizing a secure U.S. cloud environment (specifically Oracle's secure U.S. cloud).
3. **Algorithm Security:** The content recommendation algorithm for U.S. users must be **secured and updated** specifically for U.S. users, utilizing Oracle's cloud infrastructure.
4. **Content Moderation & Trust:** Operate under robust **trust and safety policies** and content moderation overseen by the independent U.S. entity.
5. **Auditing and Certification:** The independent entity must operate a comprehensive data privacy and cybersecurity program subject to **audits and certifications by third-party cybersecurity experts**.
6. **Scope of Compliance:** Safeguards must extend to related platforms and websites operating in the U.S. (e.g., CapCut, Lemon8).
### Recommended Practices
1. **Transparency Reporting:** Provide **continuous accountability** through transparency reporting mechanisms established by the joint venture.
2. **Adherence to Major Standards:** Align the implemented cybersecurity program with established industry frameworks (NIST CSF, NIST 800-53, ISO 27001).
## Affected Organizations
- Industries: Social Media, Video Sharing Platforms, Technology Services with substantial U.S. user bases controlled by foreign entities.
- Organization Size: Large platforms with significant national user engagement (TikTok has over 200 million American users mentioned).
- Geographic Scope: U.S. operations and U.S. user data.
## Compliance Timeline
- **April 2024 (Prior Leg.):** Legislation passed mandating service availability under American ownership or alternative entity.
- **September 2025:** President Trump signed the Executive Order, triggering a 120-day enforcement delay period.
- **January 23, 2026:** **Final deadline** for the contemplated divestiture/restructuring to be completed, avoiding enforcement of the national security law.
## Implementation Guidance
### Assessment Phase
- **Ownership Review:** Conduct an immediate assessment of current ownership structure relative to the majority American ownership requirement.
- **Data Mapping:** Identify all U.S. user data storage locations and processing flows to confirm segregation/relocation to the required U.S. secure environment.
### Implementation Phase
- **Contractual Finalization:** Execute the joint venture agreement and stake transfer to meet the majority American ownership threshold.
- **Infrastructure Migration:** Migrate or secure user data and recommendation algorithms onto the specified secure U.S. cloud environment (Oracle).
- **Policy Formalization:** Document trust, safety, and moderation policies clearly separated from the former parent entity.
### Validation Phase
- **Third-Party Audits:** Engage independent third-party cybersecurity experts to audit the new data protection, algorithmic security, and overall compliance program.
- **Certification Confirmation:** Obtain formal certification confirming adherence to required standards (NIST, ISO, CISA).
## Technical Requirements
- **Data Location:** U.S. user data must reside and be processed within **Oracle's secure U.S. cloud environment**.
- **Algorithm Security:** The recommendation algorithm must be secured and updated within the specified cloud infrastructure.
## Penalties & Enforcement
- Fines: Not explicitly detailed in the summary, but the underlying law previously led to a *brief ban* when enforcement was due previously.
- Other Consequences: Enforcement of the national security law (which the EO paused), which likely implies operational prohibition or forced divestiture if the new structure fails. A prior implementation resulted in a *federal ban* being enacted.
- Enforcement: Oversight bodies likely monitor the joint venture activities and audit reports required by the EO structure.
## Related Standards
- **NIST Cybersecurity Framework (CSF):** Required standard for the JV's cybersecurity program.
- **NIST Special Publication 800-53 (800-53):** Required standard for security and privacy controls.
- **ISO/IEC 27001:** Required international standard for Information Security Management Systems (ISMS).
- **CISA Security Requirements for Restricted Transactions:** Specific government requirements that must be adhered to.
## Resources
- Official Documentation: TikTok's official announcement regarding the JV (Referenced in the article).
- Guidance Documents: Specific requirements outlined in the September 2025 Executive Order and subsequent implementing regulations (not detailed here).
- Tools: Cybersecurity auditing tools necessary for achieving NIST/ISO compliance validation.
## Practical Recommendations
1. **Verify Majority Control:** Ensure all legal documentation confirms majority American control (voting rights, operational control) over the new JV entity.
2. **Restrict Data Flow:** Establish technical and contractual firewalls preventing access or influence over U.S. user data and algorithms by non-U.S. parent company stakeholders (ByteDance 19.9% stake).
3. **Proactive Auditing:** Schedule initial and recurring audits against NIST 800-53 and ISO 27001 *before* statutory deadlines to address potential gaps immediately.
4. **CISA Alignment:** Review the structure specifically against CISA requirements for Restricted Transactions to ensure adherence to unique governmental mandates.