New Executive Order Creates Roadmap of Heightened CFIUS Scrutiny for Cross-Border M&A | Insights

President Joe Biden signed an Executive Order (E.O.) on Sept. 15, 2022, clarifying and elaborating key U.S. industries and business sectors that should expect heightened regulatory scrutiny from the Committee on Foreign Investment in the United States (CFIUS). Section 721(f) of the Defense Production Act of 1950 (50 U.S.C. App. 2170(f)), as amended by the Foreign Investment Risk Review Modernization Act (FIRRMA), sets forth a number of national security factors that guide the CFIUS review process.

The new E.O. – the first one issued since CFIUS was established in 1975 – provides definitive guidance to CFIUS so that the review of cross-border investments and acquisitions remains responsive to evolving national security risks, including by expanding on the factors identified in Section 721. In particular, the E.O. outlines five specific sets of factors that CFIUS is now directed to consider when reviewing transactions.

Resilience of Critical U.S. Supply Chains

First, CFIUS is directed to consider how a transaction will affect the resilience of critical U.S. supply chains that may have national security implications, including those outside of the defense industrial base. Foreign investment that shifts ownership, rights or control to a foreign person in certain manufacturing capabilities, services, critical mineral resources or technologies that are fundamental to national security may make the United States vulnerable to future supply disruptions of critical goods and services. These considerations include the degree of diversification through alternative suppliers across the supply chain, including suppliers located in allied or partner countries, supply relationships with the U.S. government and the concentration of ownership or control by the foreign person in a given supply chain.

Potential Impacts

CFIUS has long considered the vulnerabilities presented by an investment transaction on the supply and resiliency of the defense industrial base. U.S. government contractors involved in cross-border mergers and acquisitions (M&A) were frequent targets for CFIUS reviews when taking investment from or being acquired by a foreign person.

Supply chain shortages over the last three years in a variety of sectors ranging from public health (e.g., COVID-19 prevention and response materials) to micro-electronics (e.g., semiconductors) to energy (e.g., rare earth minerals) have widened the national security aperture.

CFIUS is expected to exercise greater scrutiny of foreign investments that touch on industries central to U.S. domestic capacity – whether or not the U.S. business is involved in the defense industrial base. To the extent a foreign investment or acquisition would shift control of critical goods and services – for example, where the U.S. business is a single qualified source for a U.S. government contract or provides an essential input or resource for a critical domestic manufacturing capacity – CFIUS is more likely to take interest.

U.S. Technological Leadership

Second, CFIUS is directed to consider the effect on U.S. technological leadership in areas affecting U.S. national security, including microelectronics, artificial intelligence (AI), biotechnology and biomanufacturing, quantum computing, advanced clean energy (such as battery storage and hydrogen), climate adaptation technologies, critical materials (such as lithium and rare earth elements) and elements of the agriculture industrial base that have implications for food security.

Potential Impacts

Retaining technological leadership is embedded in a range of statutory and regulatory regimes, including FIRRMA and U.S. export control laws. While the E.O. in no way presents an exhaustive list, it does place discrete industries on notice that foreign investments in these areas will likely be met with greater regulatory scrutiny.

Notably, the industries identified in the E.O. are a more definitive elaboration of broader topics that were previously the focus of FIRRMA – namely critical infrastructure and critical technology companies. In this regard, the recent biotechnology and biomanufacturing E.O. issued by President Biden,1 which among other things, aims to spur government actions that will anticipate threats and vulnerabilities in this sector and mitigate related risks. Cross-border transactions involved in this industry sector should expect heightened scrutiny, as biotechnology is now considered critical technology subject to increased U.S. Department of Defense (DOD) investment and federal government analysis.   

Finally, CFIUS is tasked with considering whether a covered transaction could reasonably result in future advancements and applications in technology that could undermine national security. In other words, CFIUS will be interested not only in the existing U.S. business that is the subject of a transaction but also how that same U.S. business’s technology may be used in the future, including the plans and product road maps for early-stage technology companies. This is another example of CFIUS’s more recent position that economic security is national security.

Aggregate Investment Trends of Repeat Foreign Investors

Third, CFIUS is directed to examine investment trends that may have consequences on U.S. national security. Certain investments by the same foreign person in a sector or technology may appear to pose a limited threat when viewed in isolation, but when viewed in the context of previous transactions, it may become apparent that such investments can facilitate sensitive technology transfer in key industries or otherwise harm national security by having the foreign investor amass a significant market share in the specific industry sector.

Potential Impacts

For repeat foreign investors, the E.O. serves as a clarion call that CFIUS will consider the totality of an investment pattern, including incremental and add-on investments. While there may be a comparatively low threat associated with a foreign company or country acquiring a single firm in a sector, the E.O. notes that there may be a much higher threat associated with a foreign company or country acquiring multiple firms within the sector.

To respond to such threats, the E.O. directs CFIUS to consider the risks arising from a covered transaction in the context of multiple acquisitions or investments in a single sector or in related sectors by the same foreign investor.

Cybersecurity Risk

Fourth, CFIUS will closely monitor cybersecurity risks that threaten to impair national security. Investments by foreign persons with the capability and intent to conduct cyber intrusions or other malicious cyber-enabled activity may pose a risk to national security. The E.O. directs CFIUS to consider whether a covered transaction may provide a foreign person (or their relevant third-party ties) with access to conduct such activities in addition to the cybersecurity posture, practices, capabilities and access of all parties to the transaction that could allow a foreign person (or their relevant third-party ties) to manifest such activities.

Potential Impacts

The U.S. government’s focus on cyber threats and vulnerabilities is well-established and long-standing. This prong of the E.O. merely memorializes several areas of emphasis that CFIUS practitioners have come to expect. CFIUS will closely review the cybersecurity posture, practices and capabilities of both the foreign buyer and the U.S. target.

Moreover, CFIUS will continue to pay special attention to third-party connections of the foreign buyer, which has several dimensions, including the relationship between a foreign buyer and foreign governments and potential threats posed by third-party cyber-related connections, including elements incorporated into the information and communications technology (ICTS) supply chain and the location where data is stored and processed.

Risks to U.S. Persons’ Sensitive Data

Fifth, the E.O. calls out the continued national security risks associated with U.S. persons’ sensitive data.

Potential Impacts

National security vulnerabilities stemming from data exploitation have been on CFIUS’s radar since long before they were codified in FIRRMA. The E.O. makes explicit the U.S. government’s focus on how advances in technology, combined with access to large data sets, increasingly enable the re‑identification or de-anonymization of what once was considered unidentifiable data. The E.O. states that CFIUS shall consider whether a covered transaction involves a U.S. business with access to U.S. persons’ sensitive data and whether the foreign investor has, or the parties to whom the foreign investor has ties, have sought or have the ability to exploit such information to the detriment of national security, including through the use of commercial or other means.

Concluding Thoughts

The E.O. does not change the legal or regulatory requirements for transaction parties in the context of CFIUS, but it does provide a roadmap for companies evaluating whether to make a voluntary CFIUS filing, including the likelihood that a non-notified transaction will be subject to a post-closing inquiry from CFIUS. The E.O. codifies recent CFIUS practice and concerns with supply chains, big data, critical technologies and cybersecurity, and provides insight into the types of transactions and industry sectors that are currently the focus of CFIUS and the Biden Administration. As CFIUS acts by consensus and ultimately requires a political sign-off from the heads of department of the agencies represented on CFIUS, the E.O. suggests which transactions will be subject to increased scrutiny and likely increased mitigation.

In light of the E.O. directives, the following trends are expected:

  1. an uptick in the volume of voluntary filings as companies in affected industries that were on the fence about making filings now have presidential guidance to factor into the equation
  2. repeat foreign investors in the U.S. economy will reconsider the impact of low-risk investments or acquisitions in the context of aggregate investments or acquisitions over time
  3. a continual re-evaluation of national security vulnerabilities as the Office of Science and Technology Policy (OSTP), in consultation with other members of CFIUS, is tasked with periodically updating technology sectors that are fundamental to United States technology leadership in relevant areas of national security.

If you have any questions about this alert or seek assistance formulating a CFIUS strategy, reach out to the authors or another member of Holland & Knight’s CFIUS and Industrial Security Team. Our attorneys have the knowledge and experience to conduct the necessary due diligence to identify covered transactions, prepare the necessary CFIUS risk assessments to equip business leaders with tools to evaluate regulatory risk and help navigate the evolving CFIUS landscape.


1Executive Order on Advancing Biotechnology and Biomanufacturing Innovation for a Sustainable, Safe, and Secure American Bioeconomy” (Sept. 12, 2022).

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.