CFIUS and FIRRMA: Foreign Investment Review in Cross-Border M&A

“CFIUS isn’t theoretical. FIRRMA gave it teeth that reach far beyond defense contractors — into technology, infrastructure, healthcare data, even venture-scale investments. Cross-border M&A that ignores CFIUS is M&A that can be unwound after the fact.”

Key Takeaways

• CFIUS reviews foreign-buyer acquisitions of US businesses for national-security implications.
• FIRRMA (2018) substantially expanded CFIUS’s jurisdiction beyond traditional defense-focused review.
• FIRRMA brought critical technology, critical infrastructure, and sensitive personal data (TID businesses) into expanded review.
• Some transactions involving TID businesses and certain foreign-government investors require mandatory CFIUS filings.
• Voluntary filings are common for higher-risk deals where parties want regulatory certainty.
• CFIUS review can run 30-90 days through full investigation; complex deals can take longer.
• CFIUS can clear, mitigate, block, or require unwinding of transactions found to raise national-security concerns.
• Cross-border M&A planning should include CFIUS analysis at the LOI stage, not after the deal is signed.

What CFIUS Is and What It Does

CFIUS — the Committee on Foreign Investment in the United States — is an interagency committee chaired by the US Treasury Department, with members from State, Defense, Commerce, Homeland Security, Justice, Energy, USTR, and other agencies depending on the transaction. Its authority comes from Section 721 of the Defense Production Act of 1950, as amended (most importantly by FIRRMA in 2018).

CFIUS’s job is to review certain transactions involving foreign investment in US businesses to assess whether they raise national-security concerns. If a transaction is found to raise such concerns, CFIUS can negotiate mitigation measures with the parties, recommend the President block or unwind the transaction, or require the parties to abandon it. The President has authority to suspend or prohibit transactions that threaten US national security.

Historically, CFIUS focused on what most people would intuitively recognize as national-security territory: defense contractors, sensitive infrastructure, dual-use technologies. FIRRMA significantly broadened that scope, capturing categories like critical technology, critical infrastructure, and sensitive personal data — often abbreviated as TID businesses (Technology, Infrastructure, Data). This expansion has pulled in many deals that previously would have been outside CFIUS jurisdiction altogether.

The practical implication is straightforward: any cross-border deal with a US target needs CFIUS analysis at the front end. Not every deal triggers filings, and not every deal raises real concerns — but the analysis itself is no longer optional in serious cross-border M&A. Skipping it creates risk that can surface long after closing.

What FIRRMA Changed

FIRRMA — the Foreign Investment Risk Review Modernization Act of 2018 — substantially modernized and expanded CFIUS’s jurisdiction. Understanding the key changes is essential to understanding the current CFIUS landscape:

Expanded transaction types. Pre-FIRRMA, CFIUS jurisdiction focused on transactions where a foreign person could acquire ‘control’ of a US business. FIRRMA expanded this to include certain non-controlling investments in TID businesses, certain real estate transactions, and any change in foreign rights that could result in control or access to material non-public technical information.

TID businesses defined. FIRRMA created the concept of TID businesses (Technology, Infrastructure, Data) — US businesses involved in critical technologies (subject to export controls or related restrictions), critical infrastructure (subject to specific functional categories), or maintaining sensitive personal data of US citizens. Deals involving TID businesses get heightened scrutiny.

Mandatory filings. Pre-FIRRMA, almost all CFIUS filings were voluntary. FIRRMA created categories of mandatory filings, including certain foreign-government-controlled investments in TID businesses and certain investments in companies producing critical technologies. Failure to make a mandatory filing carries civil penalties.

Real estate jurisdiction. FIRRMA gave CFIUS jurisdiction over certain real estate transactions involving foreign persons — particularly real estate near military bases or other sensitive US government locations.

Filing fees and resources. FIRRMA authorized CFIUS to collect filing fees on voluntary notices and expanded the staffing and resources of the committee. This made CFIUS a more capable and active reviewer than the historically resource-constrained pre-FIRRMA committee.

Together these changes mean modern CFIUS reaches far broader than the pre-2018 version. A cross-border deal team operating on pre-FIRRMA assumptions is operating on outdated understanding — and may miss real filing obligations or review risks.

Which Deals Trigger Mandatory CFIUS Filings

FIRRMA-era CFIUS distinguishes between mandatory filings (required by regulation) and voluntary filings (made by the parties to obtain CFIUS clearance and finality). Understanding which deals fall into mandatory territory is essential:

Foreign-Government-Controlled Investments in TID Businesses

Mandatory filings are generally required for certain covered transactions where a foreign person in which a foreign government has a substantial interest acquires a substantial interest in a US TID business. The thresholds and definitions are technical and CFIUS-counsel territory, but the principle is clear: foreign-government-linked capital meeting a US TID business triggers heightened obligations.

Investments in Critical Technology Companies

Certain transactions involving US businesses that produce, design, test, manufacture, fabricate, or develop critical technologies (with definitions tied to export-control regulations) can trigger mandatory filing requirements when the foreign investor would receive certain rights or access. Critical technologies cover a substantial portfolio of dual-use, emerging, and foundational categories.

Civil Penalties for Non-Filing

Failing to make a required mandatory filing can result in significant civil penalties — historically up to the value of the transaction. CFIUS has actively enforced filing obligations, and ‘we didn’t know’ is not a defense. Cross-border deal teams must affirmatively analyze whether mandatory filing applies.

Technical Analysis Required

Whether a specific transaction triggers a mandatory filing involves a detailed technical analysis: precise definitions of foreign person, foreign-government investor, TID business, covered transaction, and applicable thresholds. This is CFIUS-counsel work, not something to assess from a summary. The point of awareness here is to know when to engage that counsel.

Voluntary Filings: When Parties Choose to File

Beyond mandatory filings, parties can voluntarily submit transactions to CFIUS review. Voluntary filings have always been the primary form of CFIUS engagement and remain common in significant cross-border M&A. The decision to file voluntarily — even when not legally required — turns on several considerations.

Voluntary filings provide regulatory certainty. A successful CFIUS clearance (whether by a no-action letter following a voluntary notice or short-form ‘declaration’) gives the parties a ‘safe harbor’ — CFIUS generally cannot later force review of the transaction absent specified circumstances. This finality is valuable. Without a voluntary filing, CFIUS retains authority to review the transaction at any time, indefinitely.

Voluntary filings can de-risk financing and integration. Lenders, equity co-investors, and corporate partners often want CFIUS clearance — or at least a clear assessment that one isn’t needed — before committing to a transaction. Voluntary filing is the cleanest path to documented clearance.

Voluntary filings have real costs. Filing fees on voluntary notices can be substantial (tied to deal value), the process takes time (often 30-45 days for the initial review, 45 more for a full investigation if launched), and the disclosure to CFIUS involves substantial detail about the parties, the transaction, and the business. Parties weigh these costs against the certainty and risk-mitigation benefits.

Many cross-border deals don’t need to file at all. For transactions clearly outside CFIUS jurisdiction (no foreign person, no covered US business, no covered transaction structure), voluntary filing serves no purpose. The analysis of whether filing is worthwhile is itself a substantive CFIUS-counsel question — but the framework is: mandatory filings are required, voluntary filings are strategic choices for transactions that could be reviewed and where the parties want finality.

The CFIUS Review Process and Timelines

When a CFIUS filing is made — whether mandatory or voluntary — the review process follows a defined timeline that deal teams need to plan around.

Short-form declaration vs. full notice. FIRRMA introduced a short-form ‘declaration’ option (typically 5 pages) that parties can use instead of a full notice (substantially longer). After a declaration, CFIUS has 30 days to clear the transaction, request a full notice, initiate a review, or take no action (which leaves CFIUS authority preserved). Declarations are typically used for lower-risk transactions where parties want a faster, lighter-touch path.

Full notice and review period. A full CFIUS notice triggers a 45-day initial review period. If CFIUS doesn’t clear the transaction in that period, it can launch a 45-day investigation. After investigation, CFIUS clears, negotiates a mitigation agreement, or refers the matter to the President. The total review-plus-investigation period is up to 90 days, though pre-filing consultations and tolling agreements can extend the effective timeline meaningfully.

Mitigation agreements. If CFIUS identifies national-security concerns that can be addressed without blocking the transaction, it can negotiate a mitigation agreement with the parties — imposing specific conditions like governance structures, access restrictions, security plans, divestiture of certain assets, or ongoing reporting. Mitigation lets deals proceed that would otherwise be blocked but adds compliance obligations.

Presidential action. If CFIUS determines a transaction poses unmitigable national-security concerns, it refers the matter to the President, who has 15 days to decide whether to block or unwind. Presidential blocks are rare but real — and have happened often enough that parties take the prospect seriously.

Tolling and pre-filing. In practice, parties often engage CFIUS pre-filing through informal consultation to identify issues early. Tolling agreements can pause statutory clocks. The ‘official’ timeline is the floor, not the ceiling, and complex transactions routinely run longer than the headline numbers.

Practical Implications for Buyers

For foreign buyers (or buyers with foreign capital) acquiring US businesses, CFIUS is part of the deal-structuring conversation from the start. Key practical implications:

CFIUS analysis at LOI stage. The first question is whether the target is a TID business, whether the buyer is a foreign person, and whether the transaction structure triggers covered-transaction status. This analysis should happen at the LOI stage, not after a definitive agreement is signed.

Filing or no-filing decision. With the analysis done, the buyer (with counsel) decides whether a mandatory filing applies, whether a voluntary filing is strategically warranted, or whether the deal sits clearly outside CFIUS reach. Each path has different timeline implications.

Deal documents reflect CFIUS. Where filings are contemplated, the definitive agreement typically includes CFIUS-related conditions: closing conditioned on CFIUS clearance, allocation of CFIUS-related risk between parties, definitions of acceptable mitigation, walk-away rights if CFIUS imposes unacceptable conditions. These provisions are heavily negotiated in cross-border M&A.

Capital partner disclosure. Buyers often have foreign capital sources (LPs in funds, co-investors, lenders) whose identity affects CFIUS analysis. Foreign-government-linked LPs in a US fund can create CFIUS issues even when the GP and most of the capital are US. Understanding the full capital stack’s foreign exposure is part of the analysis.

Integration planning. Even after CFIUS clearance, mitigation agreements (where required) impose ongoing obligations. Buyers integrate these into their post-close operating plans — particularly for security, technology access, and governance.

Practical Implications for Sellers

For US sellers receiving interest from foreign buyers, CFIUS is equally important — and many sellers underestimate how it can affect deal certainty, timeline, and price.

Buyer qualification includes CFIUS risk. A foreign buyer that comes with a high CFIUS profile (state-linked capital, target in critical-technology space) introduces real deal risk: extended timelines, possible mitigation requirements, possible block, or a deal that closes but is later unwound. Sellers should understand this risk early.

Timeline impact. CFIUS review takes time — minimum 30 days for a declaration outcome, often 75-90 days through full review. In competitive processes, longer-to-close foreign buyers may need to compete on price to offset their timeline disadvantage against US buyers who can close faster.

Reverse termination rights. Cross-border M&A frequently includes reverse termination fees or other constructs that compensate the seller if the deal fails on CFIUS grounds. These need to be negotiated meaningfully — a deal that fails after months of process with no compensation hurts the seller substantially.

Confidentiality of CFIUS process. CFIUS filings are confidential, but the existence of a filing and the deal it covers can become public through other channels. Sellers running confidential processes need to plan for the disclosure dynamics.

Bid-multiple impact. In a competitive process, foreign buyers facing CFIUS risk sometimes have to bid more aggressively to win — which can benefit a seller running a process across both domestic and foreign buyers. The CFIUS premium is real.

Getting CFIUS Right

Putting it together, here’s the practical playbook for cross-border M&A teams on CFIUS:

Engage CFIUS counsel early. The analysis is technical, the categories are precise, and the stakes are high. Specialist CFIUS counsel — typically at major law firms with active CFIUS practices — is the right resource. Not your generalist deal lawyer.

Do the analysis at LOI stage. Identify whether the target is a TID business, whether the buyer is foreign, whether the transaction is covered, and whether mandatory filing applies. This shapes everything that follows.

Decide on the filing path. Mandatory filings are required. Voluntary filings are strategic — weigh the certainty benefit against time and cost. Some deals legitimately need no filing at all.

Build CFIUS into the deal documents. Conditions, risk allocation, mitigation framework, walk-away rights, reverse termination fees. These are heavily negotiated provisions in cross-border M&A and they matter enormously.

Plan for the timeline. CFIUS adds 30-90 days minimum to deal timelines and often more. Build that into the schedule and the financing arrangements.

Plan for mitigation. If a mitigation agreement is likely, anticipate its operational impact. Some mitigation terms are minor; others impose significant ongoing obligations on the buyer.

The broader point: CFIUS is a normal, manageable part of well-run cross-border M&A — when teams take it seriously, engage qualified counsel, and plan for it from the start. Deals that ignore CFIUS or treat it casually are deals that run into preventable problems, sometimes long after closing. The cost of doing CFIUS right is small relative to the cost of getting it wrong.

Conclusion

Frequently Asked Questions

What is CFIUS?

CFIUS — the Committee on Foreign Investment in the United States — is the interagency body that reviews acquisitions of US businesses by foreign persons for national-security concerns. Chaired by the US Treasury Department with members from State, Defense, Commerce, Homeland Security, and other agencies.

What did FIRRMA change about CFIUS?

FIRRMA (Foreign Investment Risk Review Modernization Act of 2018) substantially expanded CFIUS’s jurisdiction — particularly over non-controlling investments in TID businesses (technology, infrastructure, sensitive data), real estate near sensitive US sites, and certain foreign-government-linked investments. It also created mandatory filing categories backed by civil penalties.

What is a TID business?

TID = Technology, Infrastructure, Data. A TID business is a US business involved in critical technologies (subject to export controls and related restrictions), critical infrastructure (per specific functional categories), or maintaining sensitive personal data of US citizens. TID businesses get heightened CFIUS scrutiny under FIRRMA.

When is a CFIUS filing mandatory?

Mandatory filings are generally required for certain transactions involving foreign-government-controlled investments in TID businesses and for certain transactions involving US critical-technology businesses where the foreign investor would receive specified rights or access. The technical analysis requires qualified CFIUS counsel.

Should I make a voluntary CFIUS filing?

Voluntary filings give parties regulatory certainty — a CFIUS clearance provides safe harbor against later review of the transaction. They cost time and filing fees but provide finality. Whether voluntary filing is worthwhile depends on the deal’s risk profile, financing partners’ requirements, and the parties’ need for certainty. Counsel will advise.

How long does CFIUS review take?

A short-form declaration triggers a 30-day CFIUS response window. A full notice triggers a 45-day initial review, potentially followed by a 45-day investigation if not cleared — up to 90 days total. Pre-filing consultations and tolling agreements can extend the effective timeline meaningfully. Plan for 60-120 days minimum on most CFIUS-filed deals.

Can CFIUS block my deal?

Yes. If CFIUS determines a transaction poses unmitigable national-security concerns, it refers the matter to the President, who has 15 days to decide whether to block or require unwinding. Presidential blocks are rare but real. More commonly, CFIUS negotiates mitigation agreements that let the deal proceed with conditions.

What is a mitigation agreement?

A mitigation agreement is a deal CFIUS negotiates with the parties when national-security concerns can be addressed without blocking the transaction. Mitigation can include governance structures, access restrictions, security plans, divestiture of specific assets, or ongoing reporting requirements. Mitigation lets deals proceed but adds compliance obligations.

What happens if I don’t file when I should have?

Failing to make a required mandatory filing can result in significant civil penalties — historically up to the value of the transaction. CFIUS has actively enforced filing obligations. ‘We didn’t know’ is not a defense. Cross-border deal teams must affirmatively analyze whether mandatory filing applies.

When should I bring CFIUS counsel into a cross-border deal?

At LOI stage. The analysis of whether the target is a TID business, whether the buyer is foreign, whether the structure is a covered transaction, and whether mandatory filing applies should happen before the definitive agreement is drafted. CFIUS issues identified late can derail a deal or force costly restructuring.