1. Cfius Compliance Frameworks and National Security Review Standards
CFIUS is an interagency committee chaired by the Treasury Secretary reviewing foreign investments in U.S. .usinesses for national security risk under DPA Section 721 (50 U.S.C. § 4565) and FIRRMA. The 2018 FIRRMA expansion brought non-controlling investments in TID U.S. .usinesses dealing in critical technology, infrastructure, or sensitive data within CFIUS jurisdiction. Reviews follow 31 CFR Parts 800 and 802, moving from filing through review, possible investigation, and clearance, mitigation, or Presidential action.
| Process | Filing Type | Statutory Authority | Result |
|---|---|---|---|
| Declaration | Short-form, 5 pages | FIRRMA / 31 CFR § 800.401 | 30-day review and disposition |
| Joint Voluntary Notice | Long-form | DPA § 721 / 31 CFR § 800.501 | 45-day initial review |
| Investigation | Post-review escalation | DPA § 721(b) | 45 more days for mitigation |
| Presidential Action | Last resort | DPA § 721(d) | Block, divest, or approve |
What Triggers Cfius Review of a Transaction?
CFIUS reviews "covered transactions" where a foreign person could acquire control of a U.S. .usiness, plus FIRRMA "covered investments" giving foreign access, board rights, or substantive decision-making in TID businesses. Real estate near sensitive sites, military installations, or ports also falls under CFIUS authority through Part 802. Effective foreign investment compliance analyzes each deal element to determine review obligations.
How Does Firrma Expand Cfius Jurisdiction?
FIRRMA expanded CFIUS reach from traditional control transactions to non-controlling investments giving foreign parties material non-public technical information, board observer rights, or substantive TID business decisions. The legislation introduced mandatory declarations for specified TID and foreign-government transactions, with civil penalties for non-compliance. Mergers and acquisitions practice screens every cross-border deal against the FIRRMA covered investment framework.
2. Foreign Investments, Mandatory Filings, and Ownership Restrictions
Mandatory CFIUS filings apply to two categories under 31 CFR § 800.401: TID transactions involving critical technology subject to export licensing, and transactions where a foreign government holds substantial interest in the acquirer. Voluntary notices remain available for other covered transactions, with parties often filing for pre-clearance. Failure to file when required carries civil penalties up to the transaction value.
When Are Mandatory Cfius Filings Required?
Mandatory filings apply to (1) TID U.S. .usiness transactions involving critical technology subject to U.S. .xport controls and (2) transactions where a foreign government holds 49 percent or greater interest in the foreign investor. Filing deadlines run 30 days before closing, with parties bearing the burden of timely identification. Foreign investment law screening at letter-of-intent stage identifies mandatory triggers before deal momentum overtakes review.
What Foreign Ownership Restrictions Apply?
Beyond CFIUS, sector restrictions apply in defense (facility security clearances), communications (FCC Section 310 foreign ownership limits), banking (Bank Holding Company Act), maritime, and aviation. Some defense contractors operate under Special Security or Proxy Agreements limiting foreign access to classified information. International acquisition practice navigates the interplay between CFIUS, sector regulators, and foreign direct investment rules across jurisdictions.
3. Critical Technology, Data Security, and Regulatory Risk Management
Critical technology covers the U.S. Munitions List, Commerce Control List items controlled for specified reasons, select agents and toxins, nuclear equipment, and emerging and foundational technologies designated by Commerce. Critical infrastructure includes 28 subsectors under 31 CFR Part 800 Appendix A, from energy to telecommunications. Sensitive personal data covers identifiable data of one million or more individuals collected by certain businesses, plus genetic and other specially protected categories.
Which Critical Technologies Trigger Cfius Scrutiny?
Critical technology categories include USML defense articles, dual-use CCL items controlled for national security, nuclear items under 10 CFR Part 110, select agents and toxins, and emerging technologies including AI, semiconductors, biotech, quantum, and advanced manufacturing under recent BIS rules. Industrial technology protection review catalogs each technology against current export control and CFIUS rules, since classifications change as Commerce updates lists.
How Are Data Security and Export Control Risks Reviewed?
CFIUS evaluates whether foreign investors could access sensitive personal data, genetic information, or critical data systems, with heightened scrutiny when the acquirer's home jurisdiction has adversarial data-sharing relationships. Parallel compliance under ITAR and EAR governs technology transfer pre-closing, post-closing access, and operations. Export control law integrates with CFIUS analysis on classification, technology transfer, and licensing.
4. Cfius Investigations, Mitigation Agreements, and Enforcement Proceedings
CFIUS proceedings move from declaration or notice through initial review, optional 45-day investigation, and potential Presidential referral if concerns cannot be resolved through mitigation. Mitigation agreements impose conditions from board governance and information access limits to facility security, divestiture, and ongoing monitoring. Recent enforcement has included civil penalties for material misstatements, mitigation breaches, and failure to file.
How Does the Cfius Review and Investigation Process Work?
Initial review begins after CFIUS accepts the filing, with 30-day declaration review or 45-day notice review on calendar days. CFIUS may clear, request a notice, initiate a 45-day investigation, or recommend Presidential action. The 2018 Broadcom-Qualcomm Presidential block demonstrated authority to block deals pre-agreement, with merger clearance managing parallel antitrust and CFIUS review.
How Do Cfius Mitigation Agreements Work?
Mitigation agreements bind parties to conditions designed to address national security concerns, often including U.S. .oard members, secure facilities, IT separation, restricted information flows, and third-party monitors. Breach can trigger civil penalties up to $250,000 per violation per day under current regulations, with willful violations carrying further consequences. M&A litigation handles disputes over mitigation compliance, divestiture orders, and post-closing CFIUS actions.
19 May, 2026
