Key Takeaways
- FIRRMA expanded CFIUS jurisdiction beyond control transactions to cover non-controlling investments in TID US businesses: those that produce critical technology, own critical infrastructure, or collect sensitive personal data of US citizens.
- Mandatory declarations are required for foreign government-backed acquirers of any interest in TID US businesses and for critical technology transactions where the acquirer obtains substantive rights. Failure to file when mandatory triggers civil penalties.
- National Security Agreements impose perpetual post-close obligations on the acquirer and the US business. NSA compliance costs are real and must be modeled into the transaction economics and integration plan.
- Investors from Australia, Canada, New Zealand, and the United Kingdom qualify as excepted foreign investors and are exempt from the expanded TID US business non-control investment rules, though control transactions remain subject to CFIUS review.
Cross-border M&A transactions that involve acquisition of a US business by a foreign person require careful analysis of CFIUS jurisdiction before the parties sign a letter of intent or a purchase agreement. CFIUS, the Committee on Foreign Investment in the United States, is an interagency committee with authority to review covered transactions for national security implications and to recommend or impose conditions that mitigate those risks - or to recommend that the President block the deal entirely. The committee's jurisdiction expanded substantially with the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which extended coverage beyond traditional control acquisitions to encompass non-controlling investments in a defined category of sensitive US businesses and certain real estate transactions near sensitive US government sites.
This sub-article is part of the Cross-Border M&A: A Legal Guide. It addresses the full scope of CFIUS review as it applies to foreign acquisitions of US businesses: the statutory and regulatory framework, the categories of covered transactions, the mandatory filing triggers, the procedural steps from declaration through investigation, the mitigation architecture, excepted foreign states, critical technology and infrastructure categorization, real estate jurisdiction, filing fees, pre-close operating covenants, and the treatment of CFIUS risk in M&A purchase agreements. For the parallel withholding and tax analysis applicable to cross-border deals involving US real property, see the companion article on FIRPTA withholding for foreign sellers.
Acquisition Stars represents buyers and sellers in cross-border M&A transactions, including transactions requiring CFIUS filings and NSA negotiations. The framework below describes CFIUS review as a general matter based on the statutory framework and publicly available regulatory guidance. Nothing in this article constitutes legal advice for any specific transaction; each situation requires individualized analysis.
CFIUS History and the FIRRMA Reform of 2018
CFIUS was established by executive order in 1975 and given statutory authority by the Exon-Florio Amendment to the Defense Production Act in 1988. For its first three decades of operation, CFIUS review focused almost exclusively on transactions in which a foreign person sought to acquire control of a US business, with control defined broadly to include any means through which a foreign person could determine, direct, or decide important matters affecting the management or operations of the US business. The committee reviewed transactions voluntarily submitted by the parties and also retained authority to self-initiate review of transactions that were not voluntarily filed when CFIUS determined that the transaction presented national security concerns.
The Foreign Investment Risk Review Modernization Act of 2018, signed into law as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, represented the most significant expansion of CFIUS authority since Exon-Florio. FIRRMA made three categories of structural changes. First, it expanded the definition of covered transactions beyond control acquisitions to include non-controlling investments in TID US businesses - those involved in critical technology, critical infrastructure, or sensitive personal data - when the investment affords the foreign investor any of a defined set of governance rights. Second, it created a mandatory filing regime for specified categories of transactions, replacing the purely voluntary filing system that had existed previously. Third, it extended CFIUS jurisdiction to cover certain real estate transactions near sensitive US government facilities, even when no US business is involved in the transaction.
The implementing regulations for FIRRMA were finalized in January 2020 and have been updated on several occasions since. The current regulatory framework is codified at 31 C.F.R. Parts 800 and 802. Part 800 covers covered transactions and TID US business investments; Part 802 covers covered real estate transactions. Cross-border M&A counsel must ensure they are working from the current version of the regulations, as amendments have been made to the excepted foreign state list, the mandatory filing trigger definitions, and various procedural requirements since the initial 2020 implementation.
Covered Transactions: Control and Non-Control Investments in TID US Businesses
CFIUS jurisdiction requires a covered transaction. Under the current regulatory framework, there are three primary categories of covered transactions involving US businesses. The first, and historically most common, is any transaction in which a foreign person acquires control of a US business. Control is defined to include any means, whether or not legally enforceable, through which a foreign person directly or indirectly can determine, direct, or decide important matters affecting the management, operations, or financial position of a US business. Control includes but is not limited to ownership of a majority of voting interests. Even minority ownership can constitute control if accompanied by governance rights - veto rights, board appointment rights, or approval rights over key decisions - that give the foreign investor effective decision-making authority.
The second category, created by FIRRMA, covers non-controlling investments in TID US businesses when the investment affords the foreign investor any of the following: access to material nonpublic technical information in the possession of the TID US business; membership or observer rights on the board of directors or equivalent governing body, or the right to nominate a person to such a position; or involvement in substantive decisionmaking regarding the use, development, acquisition, or release of sensitive personal data of US citizens, critical technology, or critical infrastructure. This category extends CFIUS jurisdiction to investments that would previously have been outside the committee's reach - minority stakes, venture investments, and debt with governance rights - when those investments involve a TID US business.
The third category covers changes in the rights held by a foreign investor that cause the investment to move from a non-covered position into a covered one - for example, a foreign investor who already holds a non-controlling minority stake in a TID US business and who then receives board observer rights through a subsequent governance arrangement has entered a covered investment even though the equity percentage has not changed. Counsel must therefore review not only the current transaction but also any prior investments by the foreign acquirer in the same US business and any governance rights held by affiliates of the acquirer.
Mandatory Filing Triggers: The 25% Foreign Government Test and Critical Technology
FIRRMA created a mandatory declaration requirement for two categories of covered transactions. Unlike voluntary filings, which the parties may choose to submit to obtain CFIUS clearance certainty, mandatory declarations must be submitted at least 30 days before closing or the parties face civil penalties.
The first mandatory trigger applies when a foreign government, or an entity in which a foreign government holds a 25% or greater voting interest at any tier of the ownership chain, is acquiring any interest - including non-controlling interests - in a TID US business. The 25% threshold is measured looking through the ownership chain: if a foreign government holds 25% or more of a fund, and that fund is acquiring any interest in a TID US business, the mandatory declaration requirement is triggered regardless of how small the fund's direct investment is. The breadth of this trigger reflects the congressional judgment that foreign government involvement in TID US businesses warrants automatic committee review even for small investments.
The second mandatory trigger applies to covered transactions involving US critical technology businesses when the transaction would result in a foreign person holding any of the following: membership or observer rights on the governing body; the right to nominate a person to the governing body; substantive decision-making rights over critical technology; or access to material nonpublic technical information. Critical technology for this purpose is defined broadly and includes items controlled under the Export Administration Regulations, the International Traffic in Arms Regulations, the Atomic Energy Act, the Nuclear Non-Proliferation Act, and certain other regulatory frameworks. Whether a specific technology qualifies requires careful analysis of the export control classification and any applicable agency determinations.
The civil penalty for failure to submit a mandatory declaration when required can reach the value of the transaction itself - a penalty that dwarfs the compliance cost of preparing and filing the declaration. Even parties who believe their transaction is exempted from mandatory filing should conduct a careful written jurisdiction analysis and retain that analysis in their files in the event of a future CFIUS inquiry.
Declaration vs. Notice: Choosing the Right Filing Vehicle
Parties with a covered transaction that does not trigger the mandatory declaration requirement must decide whether to file a short-form declaration, a full-form notice, or to proceed without filing. Proceeding without filing is an option for voluntary transactions, but it does not eliminate CFIUS jurisdiction: the committee retains authority to self-initiate review of any covered transaction at any time, including after closing, and a transaction that closes without a filing and is subsequently reviewed by CFIUS does not benefit from safe-harbor protections.
The declaration is a summary submission limited to five pages (plus attachments of required party information). It initiates a 30-day review clock. During those 30 days, CFIUS may take one of four actions: clear the transaction (providing safe harbor); request that the parties file a full notice; inform the parties that it is unable to conclude action on the declaration (which does not provide clearance or safe harbor); or take no action. If CFIUS requests a full notice, the timeline resets and the notice review process begins. If CFIUS takes no action, the parties technically may proceed to close, but without safe harbor, meaning future CFIUS review remains possible. The practical utility of the declaration pathway depends on the transaction's national security footprint: low-risk transactions from non-sensitive acquirers in non-TID businesses may resolve quickly through the declaration process, while transactions with meaningful national security considerations typically require a full notice.
The notice is a comprehensive submission that includes detailed information about the parties' ownership structures and ultimate beneficial owners, a description of the US business including its operations, revenues, and customer base, a description of the transaction structure and the rights being acquired, and an analysis of the national security considerations and any proposed mitigation measures. The notice is certified by a senior officer of each party. Preparing an accurate and complete notice requires significant coordination between M&A counsel, the US business's operations team, and often outside national security specialists. For cross-border transactions with material CFIUS considerations, notice preparation should begin during the due diligence phase, in parallel with preparation of the transaction documents, not as an afterthought after signing.
The Review Timeline: 30-Day Declaration, 45-Day Review, and 45-Day Investigation
The CFIUS review process operates on statutory timelines that the parties must plan around in structuring the transaction schedule. Understanding these timelines at the letter-of-intent stage allows the parties to set realistic closing expectations and to build appropriate CFIUS-related conditions precedent into the purchase agreement.
A declaration initiates a 30-calendar-day review period that begins when CFIUS accepts the declaration as complete. CFIUS will not accept an incomplete declaration, and the clock does not start until the committee confirms completeness. Submitting a well-prepared declaration well before the planned closing date is important because CFIUS has up to 10 business days to determine whether the declaration is complete after submission, and the parties need sufficient time before closing for CFIUS to act on the declaration and for any requested follow-on notice to be filed and reviewed.
A notice initiates a 45-calendar-day initial review period. At the end of the initial review period, CFIUS may clear the transaction or open a formal investigation. If an investigation is opened, a further 45-calendar-day investigation period begins. Investigations are required in specified circumstances, including when the transaction involves a foreign government-controlled acquirer, when the acquisition would result in foreign control of critical infrastructure or critical technology businesses, and when the initial review reveals unresolved national security concerns that require further analysis. If CFIUS is unable to complete its investigation within the 45-day investigation period, it may request that the parties withdraw and refile the notice, effectively restarting the clock. Involuntary withdrawal-and-refile sequences can extend the total CFIUS timeline by months.
The combined maximum statutory timeline for a notice - 45-day review plus 45-day investigation - is 90 days. In practice, transactions involving national security mitigation negotiations can take substantially longer, particularly when NSA terms must be negotiated between the parties and CFIUS member agencies before clearance can be issued. Cross-border purchase agreements should generally set a CFIUS condition deadline that is at least 90 to 120 days after notice filing, with a mechanism for the parties to extend that deadline by mutual agreement.
National Security Agreements: Structure, Negotiation, and Compliance Obligations
When CFIUS determines that a covered transaction presents national security risks that are mitigable but not tolerable without mitigation, the committee negotiates a National Security Agreement with the parties as a condition of clearance. An NSA is a legally binding agreement between the foreign acquirer, the US business being acquired, and the US government - typically represented by the lead CFIUS member agencies most directly responsible for the relevant national security concern, which may include the Department of Defense, the Department of Energy, or the appropriate industry regulator.
The specific obligations in an NSA are negotiated based on the particular national security concerns identified during the CFIUS review. While each NSA is tailored to the specific transaction and risk profile, several categories of obligations appear consistently. Personnel obligations typically require that certain positions at the US business be held by US citizens or persons with specific security clearances, and that foreign nationals from specified countries of concern be prohibited from accessing sensitive facilities, systems, or information. Physical security obligations require implementation of access controls, visitor logs, and security procedures for facilities that handle sensitive technology or government-classified work. Information security obligations require adoption and maintenance of cybersecurity standards consistent with US government requirements, often incorporating standards from NIST or specific agency guidance. Notification obligations require the acquirer to inform CFIUS member agencies of material changes in the US business's operations, ownership structure, or business direction.
Audit and monitoring provisions in NSAs give CFIUS member agencies the right to audit the US business's compliance with the NSA obligations, often on an annual basis and on special examination request. The US business typically must designate a security officer or security committee responsible for overseeing NSA compliance and serving as the primary contact for government monitors. Government technology transfer restrictions prohibit the transfer of specified technology, systems, or information to foreign persons or to specific countries without prior government consent. These restrictions can affect the US business's ability to work with offshore affiliates of the acquirer and must be analyzed carefully as part of the integration planning.
The NSA is perpetual in the sense that it survives the M&A closing indefinitely and remains binding on the US business and its successive owners. A future acquirer of the US business in a later M&A transaction must either assume the NSA obligations or negotiate an amendment with CFIUS as part of that subsequent transaction. The perpetual nature of NSA obligations means they have real economic value implications for the US business's future transferability and must be disclosed as part of due diligence in any subsequent sale.
Mitigation Measures Beyond NSAs: Proxy Arrangements and Structural Separation
In addition to NSAs, which are the most common form of CFIUS mitigation for cleared transactions, CFIUS can require or accept more substantial structural mitigation in transactions that present more significant national security concerns.
A proxy agreement is a structural mitigation that interposes a layer of US persons between the foreign acquirer and the operations and governance of the US business. Under a proxy arrangement, voting rights, governance rights, and operational control of the US business are held not by the foreign acquirer directly but by a proxy board composed of US citizens with appropriate security clearances and approved by CFIUS. The proxy board exercises the shareholder and board-level functions of the US business, and the foreign acquirer's relationship to the US business is reduced to a financial interest without operational control. Proxy arrangements are demanding: the proxy board must have genuine governance authority and the foreign acquirer cannot exercise control through side arrangements or influence. They are used when the foreign acquirer's nationality or government connections make direct ownership of the US business's governance untenable for national security purposes, but the economic investment can be retained.
A Special Security Agreement (SSA) is a mitigation instrument used specifically when the US business holds or is seeking US government facility security clearances (FCLs). Under an SSA, the US business establishes a board-level Government Security Committee (GSC) composed of US citizens approved by the Defense Counterintelligence and Security Agency (DCSA), and the GSC holds all security-related authorities for the business's classified work programs, shielding those programs from foreign acquirer access while permitting the foreign ownership structure to remain in place. An SSA is less complete an isolation than a proxy but allows the US business to continue holding and performing on classified government contracts while under foreign ownership.
Carve-out or divestiture mitigation requires the US business to divest or separate a specific division, program, contract, or technology before closing, eliminating the national security concern by removing it from the perimeter of what the foreign acquirer is actually acquiring. This approach is used when only a portion of the US business's operations raises national security concerns and the rest of the business can be acquired without restriction. The carve-out must be completed before the CFIUS clearance condition is satisfied, and the structure of the carve-out - asset sale, spin-off, or licensing arrangement - must address the mechanics of separating the sensitive component cleanly from the rest of the business.
Divestiture Orders and Presidential Blocking: The Ultimate Sanction
When CFIUS concludes that a covered transaction poses national security risks that cannot be mitigated through any available mitigation measure, the committee refers the transaction to the President of the United States with a recommendation that the President act. The President has statutory authority under FIRRMA to take three categories of action: prohibit a transaction that has not yet closed, require divestiture of an interest in a US business that has already been acquired, or require the acquirer to take other remedial action.
Presidential action is rare relative to the total volume of CFIUS filings. CFIUS resolves the large majority of transactions either through clearance without mitigation or through negotiated NSA or SSA agreements. Referral to the President occurs only when CFIUS unanimously agrees that no mitigation is sufficient and that the President should act - a high threshold that reflects the committee's preference for negotiated resolution over presidential intervention. When presidential action does occur, it is typically in transactions involving critical infrastructure, advanced technology with direct military or intelligence applications, or acquirers with direct foreign government control and a record of intelligence-related concern.
The practical significance of presidential blocking authority for M&A parties is that it must be treated as a real risk for any transaction where the national security considerations are material and the mitigation path is uncertain. A purchase agreement that is conditioned on CFIUS clearance without a meaningful walk-away provision if CFIUS refers the matter to the President may leave the parties without a clean exit if presidential action becomes a possibility. Reverse termination fee provisions in cross-border purchase agreements typically address the consequences of CFIUS failure to clear, including whether and to what extent the acquirer bears the risk of presidential blocking.
Excepted Foreign States: Australia, Canada, New Zealand, and the United Kingdom
FIRRMA created a category of excepted foreign states whose investors receive more favorable treatment under the CFIUS regulatory framework. The current excepted foreign states are Australia, Canada, New Zealand, and the United Kingdom. The designation reflects the close national security and intelligence-sharing relationships between these countries and the United States, as well as the presence of functional foreign investment screening regimes in each country that are considered equivalent in relevant respects to the US CFIUS process.
An investor who qualifies as an excepted foreign investor - an entity organized under the laws of an excepted foreign state, with its principal place of business in an excepted foreign state, and without a controlling interest held by a non-excepted foreign person - is exempt from the expanded TID US business non-control investment rules. This means that an excepted foreign investor can make a minority investment in a TID US business that affords it board observation rights, access to material nonpublic technical information, or substantive decision-making involvement without triggering CFIUS jurisdiction for that non-control investment. The excepted foreign investor exemption eliminates a significant category of CFIUS filing obligation for investors from these four countries.
However, excepted foreign investors remain fully subject to CFIUS jurisdiction when they seek to acquire control of any US business, including TID US businesses. The exemption applies only to the expanded non-control investment category introduced by FIRRMA, not to the traditional control acquisition jurisdiction that predates FIRRMA. A UK private equity firm acquiring a controlling interest in a US critical technology company must complete a CFIUS filing just as any other foreign acquirer would. The excepted status simply means that pre-FIRRMA-scope transactions involving UK, Australian, Canadian, or New Zealand investors proceed under the traditional control-only framework rather than the expanded TID investment framework.
Investors who believe they may qualify as excepted foreign investors must conduct a careful analysis of their ownership structure, including looking through any fund structure or holding company chain to identify whether any non-excepted foreign person holds a controlling interest at any level. The excepted foreign investor status is determined at the time of the transaction and must be certified in any CFIUS filing. For cross-border transactions involving investors from the excepted foreign states, this analysis should be part of the initial jurisdiction assessment conducted before signing. See the Cross-Border M&A Legal Guide for additional context on the full scope of US regulatory review applicable to foreign acquisitions.
Critical Technology, Critical Infrastructure, and Sensitive Personal Data: Defining TID US Businesses
The TID US business category is the central organizing concept of the FIRRMA-expanded CFIUS framework. A US business that falls within any of the three TID categories is subject to the expanded CFIUS jurisdiction applicable to non-control investments, mandatory filing triggers, and the full weight of the committee's national security review authority.
Critical technology is the broadest and most rapidly evolving of the three categories. It includes items subject to export controls under the Export Administration Regulations (EAR), including items on the Commerce Control List and the Emerging and Foundational Technology controls being developed by the Bureau of Industry and Security; items controlled under the International Traffic in Arms Regulations (ITAR) administered by the Department of State; nuclear material and technology controlled under the Atomic Energy Act and related statutes; select agents and toxins controlled by the Centers for Disease Control and the Animal and Plant Health Inspection Service; and specifically designed or modified goods for military use that are subject to additional export controls. A US company that designs, manufactures, produces, tests, fabricates, or develops any item within these control categories is a critical technology US business for CFIUS purposes.
Critical infrastructure covers a defined list of systems and assets that are vital to national security, public health or safety, or economic security. The CFIUS regulations enumerate specific covered sectors: telecommunications networks, internet exchange points, satellite payloads and ground stations, oil and natural gas facilities, maritime ports, public water systems, financial market utilities, aviation and rail networks, and electric generation and transmission facilities above certain capacity thresholds. Ownership, operation, manufacture, supply, or servicing of any covered critical infrastructure makes the US business a TID US business.
Sensitive personal data of US citizens is the third TID category and is defined with reference to several data types: identifiable data related to health or medical records; financial data including credit, bank account, or tax return information; geolocation data; biometric identifiers; government identification data; records of communications; data linked to national security clearance holders or government employees; and data from specific categories of businesses (consumer financial services, health and wellness, government contractors) that collect the data as part of their core operations. A US business is a TID US business if it maintains or collects sensitive personal data on more than one million individuals, or if it has a demonstrated business objective to collect data on more than one million individuals.
Pre-Signing Covenants, Interim Operating Restrictions, and CFIUS Representations in Purchase Agreements
CFIUS review imposes obligations not only through the filing process itself but also through the obligations that well-drafted cross-border purchase agreements impose on the parties during the period between signing and closing while CFIUS review is pending.
Interim operating covenants in cross-border M&A purchase agreements typically require the US business to operate in the ordinary course of business between signing and closing, without making acquisitions, entering new lines of business, divesting assets, or taking other extraordinary actions that could affect the national security analysis or the CFIUS review. These covenants serve the CFIUS process by ensuring that the business the committee reviews is the same business that closes, avoiding the need to update the CFIUS filing for material changes. Counsel must also include affirmative covenants requiring the parties to cooperate in preparing and filing the CFIUS declaration or notice, to respond promptly to CFIUS requests for additional information (RFIs), and not to take actions that would prejudice the CFIUS review or give the committee grounds to request additional investigation.
Representations in cross-border purchase agreements address CFIUS-specific facts: whether the US business is a TID US business, whether any prior CFIUS agreements or NSAs are in place, whether the US business holds facility security clearances, whether any foreign person currently holds governance rights in the US business, and whether the acquirer's ownership structure meets the requirements for excepted foreign investor status if applicable. These representations are typically made as of signing and are brought down to closing, meaning that any change in facts between signing and closing that would affect the accuracy of the CFIUS representations must be disclosed and may require a new or supplemental CFIUS filing.
The allocation of CFIUS risk between buyer and seller in the purchase agreement is a substantive negotiating point. Sellers typically negotiate for the buyer to bear the risk of CFIUS failure - by accepting a reverse termination fee obligation if the deal fails due to CFIUS non-clearance rather than a termination right for the seller that returns the parties to the pre-signing status quo. Buyers typically negotiate for caps on their CFIUS mitigation obligations - refusing to accept NSA terms that would impose costs or operational restrictions beyond what was modeled in the deal economics. The interaction between CFIUS risk allocation and deal economics requires coordination between M&A counsel and national security specialists. For an overview of how cross-border deal structure affects this analysis, see the deal structure guide.
Filing Fees, State Antitrust Overlays, and Practical Preparation Checklist
CFIUS filing fees, authorized by FIRRMA and implemented beginning in fiscal year 2020, apply to notice filings on a tiered schedule based on transaction value. The current schedule runs from no fee for transactions valued below $500,000, through $750 for transactions at $500,000 to $5 million, $7,500 for transactions at $5 million to $50 million, $75,000 for transactions at $50 million to $250 million, $150,000 for transactions at $250 million to $750 million, and $300,000 for transactions at $750 million or above. Fees are paid jointly by the parties and are non-refundable once the notice is accepted. Declaration filings are not subject to fees. Parties considering whether to file a declaration or a notice for a voluntary filing should factor the fee differential into their analysis, though the more important considerations remain the national security profile of the transaction and the degree of clearance certainty each filing vehicle provides.
State antitrust review may overlay CFIUS review for transactions that affect markets in particular states. Several states have enacted their own foreign investment review or competition review statutes that may apply independently of or in addition to the federal CFIUS process. State antitrust review is conducted by state attorneys general under state antitrust statutes, and in some states there are specific filing obligations for transactions above certain size thresholds. The interaction between state and federal review is generally parallel rather than sequential, but parties must ensure that state filing deadlines are calendared alongside CFIUS and HSR timelines to avoid missing state review obligations.
A practical CFIUS preparation checklist for cross-border M&A counsel includes: an early-stage jurisdiction analysis identifying whether the transaction is a covered transaction and, if so, which category of covered transaction; identification of mandatory filing obligations and the deadline for submission; an assessment of the TID US business status of the target; a review of the acquirer's ownership structure for foreign government involvement at or above the 25% threshold; a determination of whether the acquirer qualifies as an excepted foreign investor; identification of any prior CFIUS agreements, NSAs, SSAs, or government security commitments that apply to the US business; development of a national security analysis addressing the likely CFIUS concerns and potential mitigation arguments; preparation of the filing (declaration or notice) in parallel with transaction document preparation; and coordination of the filing timeline with the purchase agreement's closing condition framework. For transactions involving the acquisition of US businesses in regulated sectors, CFIUS review is one component of a broader regulatory clearance analysis that may include Hart-Scott-Rodino (HSR) antitrust review, Federal Communications Commission approvals, Federal Energy Regulatory Commission approvals, or other sector-specific regulatory consents. The M&A transaction services overview addresses how Acquisition Stars coordinates multi-regulatory clearance for complex cross-border transactions.
Frequently Asked Questions
What transactions trigger a mandatory CFIUS filing rather than a voluntary one?
A mandatory CFIUS filing is required in two primary categories. First, if a foreign government, or an entity in which a foreign government holds a 25% or greater voting interest (directly or indirectly), is acquiring any interest in a TID US business (a business that produces, designs, tests, manufactures, fabricates, or develops critical technology; owns, operates, manufactures, supplies, or services critical infrastructure; or maintains or collects sensitive personal data of US citizens), a mandatory declaration is required. Second, any covered transaction involving a US critical technology company triggers a mandatory declaration when the foreign acquirer will hold any of a defined list of rights, including board seats, observer rights, approval rights over material decisions, or access to material nonpublic technical information. Failure to submit a mandatory declaration when required exposes the parties to civil penalties of up to the value of the transaction. A party is not absolved of the mandatory filing obligation simply by closing without submitting - CFIUS retains jurisdiction over transactions that were required to file but did not.
What is the difference between a CFIUS declaration and a CFIUS notice?
A CFIUS declaration is a short-form submission, limited to no more than five pages, that summarizes the transaction, the parties, and the relevant national security considerations. The declaration initiates a 30-day review period during which CFIUS may clear the transaction, request that the parties file a full notice, or take no action. If CFIUS takes no action on a declaration, the parties have safe-harbor protection against future CFIUS review only if the declaration was complete and accurate and no material change has occurred. A CFIUS notice is a long-form submission that includes comprehensive information about the parties, the transaction structure, the US business, and the national security landscape. Notices initiate a 45-day initial review period, which may be extended by a 45-day investigation period if the committee cannot complete its review within the initial period. Parties may file a full notice voluntarily even when a declaration would suffice, typically when the transaction raises national security considerations that benefit from a full and documented CFIUS review to achieve clearance certainty.
What are the five categories of excepted foreign states and why do they matter?
CFIUS regulations identify a category of 'excepted foreign states' whose investors are eligible for certain exemptions from the broader TID US business investment restrictions. As of the current regulatory framework, the excepted foreign states are Australia, Canada, New Zealand, and the United Kingdom. These four countries are treated as excepted because their national security relationships with the United States, intelligence-sharing frameworks, and investment screening regimes meet the standards established by CFIUS regulations. Investors who qualify as 'excepted foreign investors' under the regulations because they are organized in, and meet principal place of business and ownership or control requirements linked to, an excepted foreign state are not subject to the expanded TID US business jurisdiction that applies to all other foreign investors. They remain subject to CFIUS jurisdiction for control transactions involving any US business, including TID US businesses, but the non-controlling TID investment rules that apply to other foreign investors do not apply to them. The excepted foreign investor status is not automatic and depends on meeting all applicable ownership thresholds and certification requirements.
What is a National Security Agreement and how does it affect M&A closing?
A National Security Agreement (NSA) is a legally binding agreement between the foreign acquirer, the US business, and the US government (represented by CFIUS member agencies) that imposes ongoing obligations on the parties as a condition of CFIUS clearance. NSAs are negotiated when CFIUS determines that the transaction poses national security risks that can be mitigated through structural or operational commitments, but that do not require blocking the transaction outright. The specific content of an NSA depends on the national security concerns identified during the CFIUS review. Common NSA provisions include obligations to maintain the US business's US persons workforce and limit foreign national access to sensitive facilities or technology; obligations to appoint a security officer or security committee with defined responsibilities; requirements to implement information security protocols consistent with US government standards; notification obligations when certain changes in ownership, control, or operations occur; audit rights allowing CFIUS member agencies to inspect the business's compliance with NSA obligations; and obligations not to transfer covered technology to certain countries or persons without prior government consent. Closing cannot occur until the NSA is executed. An NSA is a perpetual obligation that survives the closing indefinitely and creates ongoing compliance costs and limitations that the acquirer must factor into the transaction valuation.
Can a presidential divestiture order unwind a completed transaction?
Yes. The President of the United States has statutory authority under FIRRMA to block or unwind a covered transaction that the President determines poses a threat to national security, and this authority applies to transactions that have already closed. If CFIUS reviews a transaction and determines that no mitigation measures are sufficient to address the national security risk, it refers the matter to the President, who may then issue an order prohibiting the transaction, requiring divestiture of the acquired interest, or requiring other remedial action. Presidential divestiture orders are relatively uncommon and have historically been reserved for transactions involving critical assets with significant foreign government involvement, but the authority is real and has been exercised. Transactions that close without completing a CFIUS filing when one was required, or that are referred to the President after a completed CFIUS review, are subject to this authority. The practical consequence for M&A parties is that a completed deal is not truly final until CFIUS review is resolved, and parties should not assume that closing eliminates CFIUS exposure for transactions that were filed voluntarily or that have material national security dimensions that could have supported a mandatory filing.
How does CFIUS treat real estate transactions near sensitive US government facilities?
CFIUS has extended jurisdiction over certain real estate transactions that do not involve acquisition of a US business, specifically targeting purchases, leases, or concessions of real property by foreign persons that are in close proximity to US military installations, government facilities, or other sensitive sites identified in the CFIUS regulations. The FIRRMA regulations define three geographic categories of coverage: property within one mile of certain identified military installations; property within 100 miles of certain other identified installations; and property located in certain counties or other geographic areas regardless of distance. A transaction that is solely a real estate transaction and does not involve a US business may nonetheless be a covered transaction subject to CFIUS jurisdiction if the property falls within a covered geographic zone. The regulations identify the covered installations by reference to a list maintained by CFIUS, and parties to real estate transactions in markets near military bases, intelligence facilities, or ports of entry should conduct CFIUS jurisdiction analysis before signing. The filing procedures for covered real estate transactions parallel those for covered investments - declaration or notice - and the same timeline and mitigation framework applies.
What are CFIUS filing fees and when do they apply?
Congress authorized CFIUS to collect filing fees from parties submitting notices beginning in fiscal year 2020. Fees apply only to notices, not to declarations. The fee schedule is tiered based on the transaction value. As of the current schedule, transactions valued below $500,000 are not subject to fees. Transactions valued at $500,000 or more but less than $5 million are subject to a $750 fee. Transactions valued at $5 million to less than $50 million are subject to a $7,500 fee. Transactions valued at $50 million to less than $250 million are subject to a $75,000 fee. Transactions valued at $250 million to less than $750 million are subject to a $150,000 fee. Transactions valued at $750 million or more are subject to a $300,000 fee. Fees are paid by the parties jointly, with joint and several liability. The fee schedule is set by regulation and subject to change. Parties planning cross-border transactions should confirm the current fee schedule at the time of filing. Filing fees are separate from and in addition to any legal and advisory costs associated with preparing and submitting the CFIUS filing.
What representations and warranties in an M&A purchase agreement address CFIUS risk?
Purchase agreements in cross-border M&A transactions typically include a set of representations and covenants specifically addressing CFIUS jurisdiction and compliance obligations. On the target side, representations typically address whether the target is a TID US business (covering critical technology production, critical infrastructure ownership, and sensitive personal data collection), whether the target's business involves any US government contracts that carry security clearances or foreign ownership restrictions, and whether the target has any prior CFIUS agreements or government security commitments already in place. On the acquirer side, representations typically address the acquirer's ownership structure and whether any foreign government holds a 25% or greater interest, the acquirer's principal place of business and place of organization for purposes of determining whether it qualifies as an excepted foreign investor, and the accuracy of the representations made in the CFIUS filing. Covenants in the purchase agreement address the parties' obligation to cooperate in preparing and submitting the CFIUS filing, the timing obligations, interim operating restrictions pending CFIUS clearance, and the allocation of risk if CFIUS imposes mitigation conditions or if the President blocks the transaction. A well-drafted cross-border purchase agreement treats CFIUS clearance as a closing condition and addresses the consequences - including termination rights and reverse termination fees - if clearance is not obtained.
Evaluate a Cross-Border Transaction with CFIUS Exposure
Acquisition Stars works with buyers and sellers in cross-border M&A transactions, including transactions requiring CFIUS filings, NSA negotiations, and proxy or SSA arrangements. Submit your transaction details for an initial assessment.