Foreign Investment Review: How Cfius Affects Your Deal

CFIUS can review covered transactions that could result in foreign control of a US business, certain non-controlling investments in businesses involved in critical technology, critical infrastructure, or sensitive personal data, and certain real estate transactions near sensitive government or military sites.

The jurisdiction has several pillars. The traditional core is the covered control transaction, any deal that could give a foreign person control of a US business, regardless of industry. FIRRMA added two important categories: certain non-controlling but more-than-passive investments in "TID" US businesses, those involved in critical technology, critical infrastructure, or sensitive personal data, and certain covered real estate transactions. Covered real estate analysis may apply to certain purchases, leases, or concessions of property near specified military installations, airports, maritime ports, or other sensitive US government sites, and it should account for the updated Part 802 military-installation list, which expanded CFIUS real-estate jurisdiction around numerous additional sites.

The type of target often determines the exposure. CFIUS and US national security review reaches not only control acquisitions but certain minority investments and real estate near sensitive sites.

Most CFIUS filings are voluntary, made to obtain clearance and a safe harbor, but certain transactions, particularly some involving critical technology or substantial foreign-government ownership, require a mandatory filing, and when one applies the parties generally must file at least 30 days before completing the transaction.

The filing decision is strategic and sometimes required. Historically, CFIUS filings have been voluntary, because clearance provides a safe harbor that reduces the risk CFIUS later reopens the same deal absent false statements, omissions, or material changes. FIRRMA introduced mandatory filing requirements for defined categories. Mandatory filing analysis usually focuses on whether the target is a TID US business, whether critical-technology export-control rules are triggered, and whether a foreign government holds a substantial interest in the investor or transaction. When a mandatory filing applies, the parties generally must submit a declaration or notice at least 30 days before closing, so the filing analysis should occur before signing or before the closing schedule is fixed.

Determining the filing obligation early shapes the deal. A foreign investor acquiring a TID US business may need FIRRMA compliance analysis before signing, not only before closing.

A declaration generally receives a 30-day assessment, a full notice triggers a 45-day review after acceptance, and an investigation, if opened, runs roughly another 45 days, with limited extensions, so a CFIUS-affected deal should plan for weeks to months of review depending on the path.

The two filing types differ in speed and certainty. A declaration is shorter and may produce a faster response, but CFIUS may clear the transaction, request a full notice, initiate its own review, or state that it cannot conclude action based on the declaration alone, in which case the parties may still need to file a full notice. A full written notice starts a 45-day review after acceptance, and CFIUS may open a 45-day investigation if national-security concerns require deeper analysis. Extraordinary circumstances allow a limited extension. Because these timeframes stack, parties should map the likely path early and build it into the deal's outside date and conditions.

The path chosen drives the schedule. Compliance and regulatory affairs work helps parties choose between a declaration and a notice and plan around the resulting timeline.

When CFIUS identifies national-security risks, it often resolves them through mitigation agreements, conditions the parties must accept to proceed, and only in unresolved cases recommends that the President block a new deal or order divestment of a completed one.

Mitigation is the common middle path. Rather than blocking a deal, CFIUS frequently negotiates measures to neutralize the risk, such as limits on access to sensitive technology or data, security protocols, governance restrictions, or ongoing monitoring and compliance obligations. The parties must agree to these conditions to obtain clearance, and the conditions can carry long-term obligations enforced over the life of the investment. Outright blocks are rare and reserved for risks that cannot be mitigated, where CFIUS may refer the matter to the President, who can prohibit a pending deal or order an investor to divest a completed one. The prospect of mitigation or, in extreme cases, divestment is why parties weigh CFIUS risk before committing.

Mitigation terms can bind the business for years. Due diligence and regulatory affairs review helps parties anticipate and negotiate the mitigation conditions CFIUS may require.

CFIUS can identify and review transactions that were never filed, called non-notified transactions, and can impose penalties for failing to make a mandatory filing or for violating a mitigation agreement, so skipping a required review does not make the risk go away.

The absence of a filing does not end the exposure. CFIUS has expanded its tools to request information about non-notified transactions and to monitor mitigation compliance, and it can open a review of a completed deal even years later, potentially leading to mitigation or, in serious cases, divestment. It can also impose civil penalties, up to $5 million or the transaction value for a missed mandatory filing, and penalties for breaching a mitigation agreement. This enforcement capacity is why parties cannot simply avoid review by not filing: an unreviewed deal in a sensitive sector carries lasting uncertainty. Voluntary filing, where prudent, exists partly to remove this lingering risk through a safe harbor.

The risk of later review persists after closing. Cross-border and international transactions carry CFIUS exposure that can surface long after a deal closes if no filing was made.

The deals carrying the most national-security scrutiny involve critical technologies, critical infrastructure, sensitive personal data, defense-related businesses, or foreign-government-controlled investors, especially from countries viewed as higher risk, where CFIUS is most likely to examine the transaction closely.

Certain features draw heightened attention. Targets in critical technology, semiconductors, AI, biotech, advanced manufacturing, or those holding large amounts of sensitive personal data, are prime candidates for close review, as are critical-infrastructure and defense-adjacent businesses. The identity of the investor matters too: substantial foreign-government ownership or control, and investors from countries seen as posing greater risk, increase scrutiny and the chance of mandatory filing or mitigation. Real estate near sensitive sites is similarly sensitive. Recognizing these high-scrutiny features early lets parties plan for a filing, build in timing, and structure the deal to address concerns before they become obstacles.

Identifying high-scrutiny features early is decisive. CFIUS and US national security review concentrates on critical technology, sensitive data, infrastructure, and government-linked investors.

Export controls and sanctions intersect with CFIUS because the same critical technology that triggers CFIUS review is often subject to export-control rules, and the same parties and countries that raise CFIUS concerns may be restricted under sanctions, so a single deal can require parallel analysis under all three.

The regimes overlap by design. A US target's critical technology may be controlled under export-control rules, which can make a CFIUS mandatory filing more likely and independently restrict how technology is shared with a foreign investor. Sanctions can prohibit dealing with certain parties or in certain regions, affecting whether a deal can proceed at all. Because these rules operate separately from CFIUS but apply to the same transactions, parties often must clear CFIUS while also confirming export-control and sanctions compliance. Treating them together, rather than sequentially, avoids a situation where a CFIUS-cleared deal still cannot close because of an export or sanctions problem.

The regimes must be analyzed together. Transactions involving controlled technology or restricted parties may require parallel export control law and economic sanctions review alongside CFIUS analysis.

The outbound investment program is not CFIUS review; it is a separate Treasury-administered regime that restricts or requires notification for certain US-person investments into covered technologies in countries of concern, pointing the opposite direction from CFIUS's screening of inbound foreign investment.

This is a distinct, newer regime. Where CFIUS screens inbound foreign investment in US businesses, the outbound rules, effective January 2, 2025, address certain US-person investments involving covered persons in countries of concern, currently China, Hong Kong, and Macau, in specified semiconductors and microelectronics, quantum information technologies, and artificial-intelligence activities. Depending on the transaction, the program can require notification or prohibit the investment outright. Because it is newer and continues to develop, its scope and requirements should be checked carefully for any qualifying outbound deal. For investors active in both directions, both regimes may need to be considered, each with its own rules and administrators.

The two regimes serve opposite purposes. Foreign direct investment planning now considers both inbound CFIUS review and the separate outbound restrictions, depending on the deal's direction.

Foreign investment review is the US government's national-security screening of foreign investment in American businesses, technology, and real estate, conducted principally by CFIUS, the Committee on Foreign Investment in the United States. CFIUS examines whether a transaction giving a foreign person control of, or certain access to, a US business or sensitive real estate poses national-security risks. It can clear the deal, clear it with mitigation conditions, or recommend the President block or unwind it. The framework was modernized by FIRRMA, which expanded review to certain non-controlling investments and real estate. Its focus is national security, not the commercial merits, and it can reach deals across many industries.

It depends on the foreign investor, the US target, and what the target does. Most filings are voluntary, made to obtain clearance and the certainty of a safe harbor, but some require a mandatory filing, particularly certain investments in critical-technology businesses and certain deals involving substantial foreign-government ownership. When a mandatory filing applies, the parties generally must file at least 30 days before closing. A deal may also be reviewable if it gives a foreign person control of a US business, a more-than-passive stake in a business involved in critical technology, infrastructure, or sensitive data, or certain real estate near sensitive sites. Because the rules are detailed and a missed mandatory filing can bring penalties, the filing question should be analyzed early.

It depends on the filing type and whether concerns arise. A declaration generally receives a 30-day assessment, a faster route that may or may not produce a final clearance. A full written notice triggers a 45-day review after acceptance, and CFIUS may open a 45-day investigation if national-security concerns require deeper analysis, with a limited extension possible in extraordinary circumstances. If CFIUS refers a matter to the President, a further short decision window applies. Because these timeframes can stack, a CFIUS-affected deal should plan for weeks to months of review and build that timeline into the closing schedule and outside date.

A missed mandatory filing can carry civil penalties up to $5 million or the value of the transaction, whichever is greater, and material misstatements or omissions in CFIUS submissions can trigger significant penalties as well. Beyond monetary penalties, an unfiled deal remains exposed: CFIUS can identify and review non-notified transactions even years after closing, potentially requiring mitigation or, in serious cases, divestment. Violating a mitigation agreement can also bring penalties. This combination of monetary penalties and lasting exposure is a major reason parties often file voluntarily even when not strictly required, because clearance provides a safe harbor that removes the uncertainty.

CFIUS has a range of outcomes. It can clear a transaction; clear it subject to mitigation measures, conditions the parties must accept to address national-security risks, such as limits on data or technology access, security requirements, or ongoing monitoring; or, if risks cannot be resolved, refer the matter to the President, who can suspend or prohibit a pending deal or order divestment of a completed one. CFIUS can also review transactions that were never filed and pursue penalties for a missed mandatory filing or a violated mitigation agreement. Most reviewed deals are ultimately cleared, often with conditions, but the process can affect timing and structure.

No. The outbound investment program is a separate Treasury-administered regime, not part of CFIUS. While CFIUS screens inbound foreign investment into US businesses, the outbound rules, effective January 2, 2025, restrict or require notification for certain US-person investments into covered technologies, specified semiconductors and microelectronics, quantum information technologies, and artificial intelligence, involving covered persons in countries of concern, currently China, Hong Kong, and Macau. The two regimes point in opposite directions and have different rules. An investor active in both inbound and outbound deals may need to consider both, but they should not be confused, because one reviews investment coming in and the other restricts investment going out.