CFIUS Mandatory Declarations for TID Businesses: When You Must File and What Happens Next

The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) fundamentally restructured the voluntary nature of the CFIUS process that had existed since 1975. Before FIRRMA, all filings with CFIUS were voluntary: parties could choose whether to notify the committee, with the understanding that an unreviewed deal remained subject to presidential review indefinitely. FIRRMA changed that framework by creating, for the first time, mandatory pre-closing filing obligations for specific categories of transactions. If those obligations are triggered and the parties close without filing, the violation is complete at the moment of closing, regardless of any subsequent remediation.

The mandatory declaration regime is narrower than CFIUS's overall jurisdiction. Not every covered transaction requires a mandatory filing. The obligation applies to two specific factual patterns: transactions where a foreign government holds or will hold a substantial interest in the acquirer, and transactions where the target is a critical technology business whose technology is export-controlled. Both triggers are designed to capture the categories of investment most likely to present direct national security risks without requiring the committee to screen every cross-border deal.

This sub-article is part of the CFIUS Review in M&A: National Security Clearance for Cross-Border and Foreign-Backed Transactions guide. It covers both mandatory filing triggers in detail; how TID business status is determined across the three independent definitions of critical technology, critical infrastructure, and sensitive personal data; the distinction between covered investments and control transactions for mandatory declaration purposes; excepted investor status and how it eliminates the obligation; declaration content and supporting documentation requirements; the 30-day review clock and its three possible outcomes; retroactive enforcement of non-notified transactions; and civil penalty exposure for failure to file.

Acquisition Stars advises foreign acquirers, domestic targets, and investment fund sponsors on CFIUS jurisdiction, mandatory filing analysis, and declaration and notice preparation. Nothing in this article constitutes legal advice for any specific transaction.

Why Mandatory Filings Matter More Than Voluntary Ones

Voluntary CFIUS filings are a risk management decision: parties weigh the cost and delay of review against the benefit of obtaining a no-action letter or clearance that forecloses future presidential intervention. The calculus for mandatory filings is different. There is no cost-benefit analysis. The obligation exists by statute, and failure to satisfy it is a per se violation regardless of the national security outcome of the underlying transaction.

The practical consequence of this distinction is that mandatory filing analysis must occur before signing, not as an afterthought during due diligence. If a transaction triggers a mandatory declaration obligation, the parties cannot close without first submitting the declaration and waiting for CFIUS to act. Closing without filing exposes both the acquirer and the U.S. business to civil monetary penalties, and CFIUS has the authority to refer transactions to the President for divestiture or other remedial action even after closing. An acquirer who closes in violation of the mandatory obligation owns the U.S. business subject to that enforcement risk indefinitely.

Mandatory declarations also establish a different negotiating posture with CFIUS than voluntary filings. Because the parties are required to be before the committee, they cannot use the threat of withdrawing the filing to manage the review timeline or to signal dissatisfaction with the process. The committee controls the clock and the outcome. Understanding what the committee will ask for in a mandatory declaration proceeding, what documentation it expects, and what the three possible outcomes mean for deal certainty is therefore essential to structuring the transaction timeline.

For deal counsel advising on transactions involving foreign acquirers or foreign-backed funds, mandatory filing analysis should be a threshold item in the legal due diligence checklist alongside antitrust HSR analysis. The questions are distinct but the structure is similar: jurisdiction is either present or absent, the filing obligation is either triggered or not, and the consequences of getting the analysis wrong are proportional to the size and sensitivity of the transaction.

The First Trigger: Foreign Government Substantial Interest

The first mandatory declaration trigger applies when a transaction results in a foreign government or a person controlled by or acting on behalf of a foreign government holding a substantial interest in any TID business. This trigger does not require that the foreign government itself be the direct acquirer. It applies whenever a foreign government holds 25% or more of the voting interest in the acquirer entity, whether that entity is a corporation, fund, joint venture, or other vehicle.

The 25% threshold is measured at the level of the foreign government's voting interest in the acquirer, not the acquirer's resulting interest in the TID business. An investment fund with a 30% limited partner interest held by a foreign sovereign wealth fund will trigger the mandatory declaration when that fund acquires any covered investment in a TID business, even if the fund's total stake in the target is a minority position. The look-through analysis traces the foreign government's interest through each holding layer.

For investment funds, CFIUS applies an aggregation rule. A single foreign government whose direct or indirect interest in the fund equals or exceeds 49% of the total interest in the fund triggers the substantial interest test at the acquirer level. Multiple foreign governments whose combined interest reaches 49% also satisfy the threshold. The regulations treat a foreign government holding 49% of a fund as having a substantial interest in the fund even if no single government holds 25% alone, because the collective governmental presence at that level is deemed to represent the kind of influence that raises national security concerns.

The practical implication for fund sponsors is that investor due diligence before closing a cross-border acquisition must include a review of the LP base for foreign governmental investors. This means not just identifying sovereign wealth funds but also looking at state pension funds, public universities controlled by foreign governments, and other entities where government control may not be obvious from the name. Missing a governmental LP in the ownership chain and closing without the required declaration creates liability for the fund and its managing partners.

The Second Trigger: U.S. Critical Technology Export Controls

The second mandatory declaration trigger applies to covered investments and control transactions in U.S. critical technology businesses when the investment or transaction involves certain specified industries and the critical technology at issue is subject to U.S. export controls. The regulations identify the industry sectors covered by this trigger by reference to North American Industry Classification System (NAICS) codes in 31 C.F.R. Part 800, Appendix B.

The NAICS code list in Appendix B covers a defined set of industries where critical technology use is concentrated, including aerospace product and parts manufacturing, computer and electronic product manufacturing, navigational and measuring instruments, electromedical equipment, semiconductor and other electronic component manufacturing, military armored vehicle manufacturing, defense aircraft, defense missile guidance, and others. A U.S. business whose primary NAICS code falls within a listed sector and that produces, designs, tests, manufactures, or integrates critical technology is subject to the mandatory declaration when a covered transaction occurs.

Critical technology for purposes of this trigger includes items controlled under the Export Administration Regulations (EAR) as Export Control Classification Numbers (ECCNs) in certain categories, items on the U.S. Munitions List (USML) under the International Traffic in Arms Regulations (ITAR), items subject to Department of Energy nuclear-related export authorizations, select agents and toxins controlled by the Centers for Disease Control and Prevention, and emerging and foundational technologies controlled under export regulations adopted pursuant to the Export Controls Act of 2018.

The key analytical question for this trigger is not simply whether the target is in a listed NAICS sector but whether the target actually produces, designs, tests, manufactures, or integrates a controlled item. A business in the semiconductor sector that only distributes finished commercial products without any design or manufacturing activity may not trigger the mandatory declaration even if its NAICS code appears in Appendix B. The analysis requires both a sector assessment and a product-by-product export control classification review conducted by counsel with ITAR and EAR expertise.

Identifying a TID Business: Critical Technology

A U.S. business is a TID business under the critical technology definition if it produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies. The definition does not require that the business's primary purpose be the development of controlled technology. A company whose core product is a commercial software platform but that also produces an item subject to an ECCN in a sensitive category may qualify as a critical technology TID business based on that product line alone.

The scope of items that qualify as critical technology under CFIUS regulations is broader than what most technology company counsel routinely assess. USML items include defense articles controlled under the 21 USML categories, ranging from firearms to satellite systems to nuclear weapons components. ECCN items subject to mandatory declaration include those in the 3xxx (electronics), 4xxx (computers), 5xxx (telecommunications and information security), 6xxx (sensors and lasers), 7xxx (navigation and avionics), and 9xxx (aerospace and propulsion) categories when they are controlled for national security (NS), anti-terrorism (AT), or regional stability (RS) reasons and require a license for export to certain destinations.

Emerging and foundational technologies designated by the Department of Commerce pursuant to the Export Controls Act are also included in the critical technology definition. These designations have covered areas including certain artificial intelligence and machine learning technologies, advanced computing and semiconductors, quantum information science, biotechnology, and advanced manufacturing technologies. The emerging technology designation process is ongoing, which means the critical technology prong of TID status can expand over time as new control designations are issued.

For counsel conducting TID analysis on a target, the critical technology assessment requires obtaining the company's product list, reviewing export control classifications for each product, and confirming with the company's export compliance team whether any products have been classified under controlled ECCNs or USML categories. A target that has never engaged export counsel and lacks formal export classifications should be treated with caution: the absence of a classification does not mean the products are EAR99. An internal analysis of the product against current control list criteria is necessary before concluding the critical technology prong is not met.

Identifying a TID Business: Critical Infrastructure

The critical infrastructure prong of TID business status is defined by reference to Appendix A to 31 C.F.R. Part 800, which lists 28 specific subsectors within the broader critical infrastructure category. A U.S. business that owns, operates, manufactures, supplies, or services critical infrastructure in one of those subsectors qualifies as a TID business under this prong, and covered transactions in that business may trigger mandatory declaration obligations if the foreign government substantial interest trigger is also present.

The Appendix A list is specific, not general. It does not cover all infrastructure that might be considered critical in a national security context; it covers the particular subsectors Congress and Treasury determined present the most acute risks. The list includes internet exchange points; submarine cable landing stations; satellite telecommunications facilities providing U.S. domestic service; interstate natural gas pipelines; liquefied natural gas facilities; oil pipelines carrying crude oil to refineries; liquefied petroleum gas facilities; electric transmission organizations; generation facilities providing at least 100 megawatts of capacity to the bulk power system; public water systems serving at least 3,300 persons; financial market utilities designated by the Financial Stability Oversight Council; securities exchanges; clearing agencies; insured depository institutions; bank holding companies; foreign bank branches operating in the U.S.; certain insurance companies with systemic importance designations; rail carriers; public airports; and maritime port facilities.

Also on the list are facilities involved in the production of covered chemical agents, stealth aircraft components, certain nuclear materials including reactors and enrichment facilities, and high-power microwave systems. The breadth of the Appendix A list reflects the interconnected nature of modern infrastructure and the wide range of assets that, if compromised, could harm national security or public safety.

For transactions involving businesses in regulated industries, TID analysis under the critical infrastructure prong should be completed concurrently with sector regulatory analysis. A business subject to FERC, NERC, FCC, OCC, or FAA oversight is often in an Appendix A sector. The overlap between sector regulatory review and CFIUS TID analysis is significant enough that counsel managing multi-agency regulatory clearance for a cross-border deal should coordinate the analyses from the outset rather than treating them as independent workstreams.

Identifying a TID Business: Sensitive Personal Data

A U.S. business qualifies as a TID business under the sensitive personal data prong if it maintains or collects identifiable data in specified categories on more than one million individuals, targets or tailors its products or services to sensitive U.S. government personnel or contractors with access to classified information, or has a demonstrated business objective to maintain or collect such data on more than one million individuals even if it has not yet reached that volume threshold.

The regulated data categories cover financial data including consumer reporting data and non-public account information; insurance application and claims data; health and wellness data beyond general wellness information, including genetic data and mental health records; biometric enrollment data including fingerprints, voiceprints, iris scans, and facial recognition data; precise geolocation data derived from devices or applications; data about users' government identification numbers, passport numbers, or financial account credentials; and content of electronic communications. A business that maintains data in any one of these categories at the applicable volume threshold meets the sensitive personal data TID definition regardless of its industry sector.

The government-targeting criterion applies independently of volume. A business that offers products or services targeted specifically at members of the U.S. military, intelligence community contractors, or employees with security clearances qualifies as a TID business under this criterion even if it serves fewer than one million individuals. The regulation treats government-targeted data collection as presenting a distinct risk profile because the data enables potential adversaries to identify and potentially exploit or blackmail individuals with access to classified information.

Many technology and healthcare businesses encounter the sensitive personal data prong without recognizing it during routine M&A diligence. A fitness and health application, a telemedicine platform, a financial services aggregator, a consumer genetics service, or a location-based advertising platform may maintain data on more than one million individuals in categories that bring it within the TID definition. Counsel should include a data inventory review as part of standard TID analysis for any target that processes consumer or employee data at scale.

Covered Investment vs Control Transaction Analysis

CFIUS jurisdiction reaches two distinct categories of transactions: control transactions, which are transactions through which a foreign person acquires control of a U.S. business, and covered investments, which are a narrower subset of non-controlling investments in TID businesses that nonetheless provide certain access rights or information rights to the foreign person. The mandatory declaration obligation applies to both categories when the applicable trigger is met, but the analysis for each differs in important ways.

A control transaction exists whenever a foreign person acquires the ability to determine, direct, or decide important matters affecting a U.S. business. Control is not defined solely by voting percentage; it can arise through board representation rights, veto rights over material business decisions, approval rights over capital expenditures or significant contracts, or exclusive licensing arrangements that effectively transfer control over core assets. The regulations define control broadly to capture contractual arrangements that accomplish through governance rights what a majority equity stake would accomplish through voting.

Covered investments are non-controlling investments in TID businesses that afford the foreign person access to material nonpublic technical information, board membership or observer rights, or involvement in substantive decisionmaking about the use, development, acquisition, or release of critical technology, critical infrastructure, or sensitive personal data. The covered investment definition is targeted at minority investments that, while not conferring legal control, provide a foreign person with visibility into the TID business's sensitive operations, technology, or data.

For transactions structured as minority investments without board rights or information rights beyond what is customary for passive investors, the covered investment analysis may conclude that the transaction does not meet the definition, even in a TID business. The threshold question is whether the specific rights negotiated in the transaction documents create the kind of access to material nonpublic information or decisionmaking involvement that the regulations target. Standard financial information rights, drag-along and tag-along rights, anti-dilution protections, and pro-rata participation rights generally do not by themselves constitute covered investment triggers.

Excepted Investor Status and Exclusions

Excepted investor status is the most significant structural exclusion from the mandatory declaration obligation for covered investments in TID businesses. An excepted investor is a foreign person from an excepted foreign state who meets additional eligibility conditions set out in the regulations. CFIUS has designated four countries as excepted foreign states: Australia, Canada, New Zealand, and the United Kingdom. These countries were selected based on their defense cooperation relationships with the United States and the compatibility of their foreign investment review regimes with CFIUS standards.

To qualify as an excepted investor, a foreign national must be a national of an excepted foreign state and must not also be a national of a non-excepted foreign state. A foreign entity must be organized under the laws of an excepted foreign state, have its principal place of business in an excepted foreign state, and not be controlled by a non-excepted foreign person. An entity fails the excepted investor test if a non-excepted foreign person holds 10% or more of its voting interest, or if two or more non-excepted foreign persons collectively hold 25% or more. This look-through analysis mirrors the foreign government substantial interest calculation and must be applied to the full ownership structure of the investor.

Excepted investor status eliminates the mandatory declaration obligation only for covered investments in TID businesses. It does not affect CFIUS jurisdiction over control transactions by foreign persons from excepted states, which remain subject to CFIUS review under the general jurisdiction for control transactions. An Australian company acquiring a controlling interest in a U.S. TID business is not required to file a mandatory declaration but may still be subject to CFIUS review if the transaction raises national security concerns, and a voluntary filing may be appropriate.

Excepted investor status can also be lost after the transaction closes. If the excepted investor's ownership structure changes so that a non-excepted foreign person acquires 10% or more of the investor's voting interest, or if the investor redomiciles to a non-excepted state, the investor is no longer excepted. Changes of this kind in the post-closing period do not by themselves create a new CFIUS filing obligation, but they affect the analysis of subsequent transactions in which the investor participates.

Declaration Content and Supporting Documentation

A mandatory declaration must be submitted through the CFIUS e-filing system using the declaration form prescribed by the committee. The declaration is substantially shorter than a full notice but must include specific categories of information about the parties, the transaction structure, and the TID business's activities. Incomplete or materially inaccurate declarations are not accepted, and the 30-day review clock does not begin until CFIUS confirms acceptance of a complete declaration.

The declaration must identify all parties to the transaction, including the ultimate beneficial owners of the acquirer through each layer of the ownership structure. For investment fund acquirers, this requires disclosing all general partners, managing members, and any limited partners holding 5% or more of the fund's economic interest or voting interest. The identification requirement for ultimate beneficial owners extends to all entities in the ownership chain, not just the direct acquirer, and must address the nationality and control of each entity disclosed.

The declaration must describe the U.S. business and its TID activities with sufficient specificity to allow CFIUS to evaluate the national security implications. For critical technology TID businesses, this means identifying the specific USML categories or ECCN classifications applicable to the controlled items the business produces. For critical infrastructure TID businesses, it means identifying the specific Appendix A subsector and describing the nature and scale of the infrastructure assets. For sensitive personal data TID businesses, it means identifying the data categories maintained and the approximate volume of individual records.

Supporting documentation typically submitted with a declaration includes organizational charts showing the ownership structure of the acquirer and the TID business, the definitive transaction agreement, any ancillary agreements that affect governance or information rights, export control classifications for products of a critical technology TID business, and a description of any existing foreign ownership, control, or influence (FOCI) mitigation arrangements affecting the TID business. CFIUS may request additional documentation after accepting the declaration as it conducts its 30-day review.

The 30-Day Declaration Review Clock and Outcomes

The mandatory declaration review period is 30 calendar days from the date CFIUS accepts a declaration as complete. This is a shorter window than the 45-day initial review period for full notices, and it reflects the more limited scope of information included in a declaration. The clock runs regardless of weekends and federal holidays, and CFIUS does not toll the clock for periods when the parties are providing supplemental responses to committee requests, which means responsive communication with CFIUS staff during the review period is operationally important.

At the end of the 30-day period, CFIUS can take one of three actions. First, it can issue a no-action letter stating that the committee has completed its review and has not identified a basis for recommending any action. A no-action letter does not constitute clearance in the same sense as a clearance issued after a full notice, but it satisfies the mandatory filing obligation and allows the transaction to proceed without further CFIUS action absent material misrepresentation in the declaration. Second, CFIUS can issue a formal clearance, which has the same legal effect as clearance after a notice and bars future review absent misrepresentation.

Third, and most consequentially, CFIUS can request that the parties file a full notice. When CFIUS makes this request, the mandatory declaration obligation is satisfied by the declaration itself, but the parties must now submit a notice and undergo the full review process if they wish to obtain clearance. The notice triggers a new 45-day initial review period, which may be extended into a 45-day investigation period and further extended in exceptional circumstances. The decision to request a notice rather than resolve the matter at the declaration stage signals that CFIUS has identified national security concerns that warrant deeper analysis.

From a deal timeline perspective, the possibility of a notice request means that mandatory declaration cases cannot be reliably scheduled to close within 30 days of CFIUS acceptance. Parties should build into the merger agreement a CFIUS condition that remains open through the full notice process if a notice request is received, and the long-stop date should accommodate the possibility of a 45-day review plus a 45-day investigation plus any time required to negotiate and implement mitigation conditions.

Non-Notified Transactions and Retroactive Enforcement

CFIUS has broad authority to investigate transactions that were not voluntarily submitted and to take action on those transactions even after they close. This authority, sometimes called the non-notified transaction review program, applies to any covered transaction regardless of when it closed and regardless of whether a mandatory filing obligation existed. For transactions that triggered a mandatory declaration obligation, the failure to file before closing means the transaction is both a non-notified transaction and a per se violation of the mandatory filing requirement.

CFIUS identifies non-notified transactions through a variety of channels. The committee monitors public filings including SEC disclosure filings, press releases, and regulatory submissions. Other federal agencies including the Department of Defense, the Department of Energy, the Department of State, and the intelligence community refer transactions to CFIUS when they become aware of foreign investment in sensitive sectors. The committee also receives tips and referrals from competitors, employees, and others with knowledge of specific transactions.

When CFIUS identifies a potentially covered non-notified transaction, it may issue a unilateral initiation letter notifying the parties that the committee is reviewing the transaction. At that point, the parties are in a reactive posture: they must provide information to CFIUS on the committee's timeline, and the committee applies the same review standards it would apply to a voluntarily submitted notice but without the procedural predictability that the notice process provides. The committee may ultimately clear the transaction, impose mitigation conditions, or recommend presidential action requiring divestiture.

For mandatory declaration violations specifically, CFIUS's unilateral initiation of review also triggers the penalty analysis described in the following section. The combination of a violation penalty and a substantive national security review means that parties who close in violation of the mandatory obligation face both the direct financial exposure of the penalty and the deal-certainty risk of a retroactive national security review that could require them to undo the transaction.

Penalties for Failure to File a Mandatory Declaration

Section 721(h) of the Defense Production Act, as amended by FIRRMA, authorizes CFIUS to impose civil monetary penalties on any person who fails to comply with a mandatory filing obligation. The statute sets the maximum penalty at the greater of $250,000 or the value of the transaction. This means that for any transaction of meaningful size, the penalty exposure equals the full deal consideration rather than a fixed statutory cap. A $50 million acquisition that should have been preceded by a mandatory declaration and was not creates up to $50 million in penalty exposure.

CFIUS has issued penalty notices and imposed penalties for mandatory declaration violations in a growing number of cases since the FIRRMA-era mandatory filing rules took effect in 2020. The committee's enforcement posture reflects the priority it places on mandatory compliance: unlike the voluntary filing regime where failure to file is not itself a violation, the mandatory declaration framework treats non-compliance as a substantive regulatory failure, not a procedural oversight.

The penalty determination process allows the respondent to submit a written response to CFIUS's penalty notice and to request a meeting with committee staff. Mitigating factors considered by CFIUS include whether the parties self-identified the violation and voluntarily approached the committee before CFIUS initiated its own review, whether the parties cooperated fully with the committee's subsequent investigation, the national security impact of the transaction, the size and sophistication of the parties, and the nature of any remedial action taken. Self-disclosure before CFIUS discovers a violation independently has been a meaningful mitigating factor in the committee's enforcement practice.

Beyond monetary penalties, CFIUS has authority to take or recommend additional action for mandatory declaration violations. The committee can require the parties to submit a full notice even if it was not requested during the declaration review, can impose mitigation conditions as a condition of continuing to allow the foreign person to hold the acquired interest, and can recommend to the President that the transaction be unwound. The combination of penalty exposure and potential divestiture requirement means that the consequence of a mandatory filing violation can exceed the value of the transaction itself when remediation costs, legal fees, and business disruption are included.

Frequently Asked Questions