Business & Legal
Foley Hoag, Live

CFIUS Year in Review: What to Expect from the Committee on Foreign Investment in the United States in Light of Recent Biden Administration Actions

Key Takeaways:

  • CFIUS reviewed a record number of transactions in 2021 according to its most recent annual report – and shows no signs of slowing down.
  • High technology (including quantum computing), life sciences, and green energy technology will continue to be key areas of interest to CFIUS, as will critical technologies.
  • A larger percentage of declarations are being cleared by CFIUS and the percentage of notices cleared with mitigation measures remains low and steady.
  • Non-notified/non-declared transactions will be under heightened scrutiny by CFIUS as it devotes resources to identifying such transactions through a variety of channels.
  • CFIUS has emphasized that it will increase enforcement including for non-notified/non-declared transactions where a filing was mandatory, along with non-compliance with CFIUS mitigation terms, and inaccuracies in CFIUS reporting.


On September 15, 2022, President Biden issued an Executive Order (the Order) instructing the Committee on Foreign Investment in the United States (CFIUS) to consider certain national security risk factors when reviewing covered transactions.

The Order was released a month after CFIUS published the Annual Report to Congress for Calendar Year 2021 on August 2, 2022. That Annual Report was the first to analyze CFIUS’s activities after a full calendar year under the expanded jurisdiction granted by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA).

The Order and the Annual Report followed a busy year of foreign investment. In 2021, foreign direct investors spent $333.6 billion to acquire, establish, or expand U.S. businesses, more than double the amount in 2020. Taken together, the two releases demonstrate a continuation of trends seen over the past few years. CFIUS continues to ramp up its activities, especially with respect to transactions in the life sciences, high technology (for example, software, quantum computing, and semiconductors), and green energy sectors. CFIUS has also shown progress in streamlining its review process and the percentage of declarations (short-form filings) cleared has increased while the percentage of notices (full-form filings) cleared with mitigation has remained steady. In addition, the number of “non-notified” transactions – that is, transactions that are reported to CFIUS by other agencies or third parties, not the transaction participants – continues to grow, and to draw increased scrutiny.

The recent release of the first-ever CFIUS Enforcement and Penalty Guidelines (“Enforcement Guidelines”), published on October 22, 2022 by the Department of Treasury as the Chair of CFIUS, additionally signals CFIUS’ growing emphasis on enforcement of non-compliance. The Enforcement Guidelines describe three categories of conduct that may constitute violations subject to penalties: non-notified/non-declared transactions that meet the criteria for a mandatory filing, non-compliance with CFIUS mitigation terms, and inaccuracies in CFIUS reporting. In addition, the Enforcement Guidelines outline the process CFIUS generally follows in imposing penalties in such circumstances. Although the Enforcement Guidelines are not legally binding, they provide important visibility into CFIUS’s enforcement approach.

I.    Executive Order 14083 

The Order ties CFIUS’ actions to the administration’s national security priorities – preserving U.S. technological leadership, protecting Americans’ sensitive data, and enhancing U.S. supply chain resilience – and seeks to ensure that CFIUS’ work continues to meet evolving security risks.

The Order directs CFIUS to consider five, specific national security risks when reviewing covered transactions. In each case, the Order instructs CFIUS to consider risks posed not just by the involved foreign person, but also by the foreign person’s third-party ties. The Order does not change CFIUS’ review process or expand its jurisdiction.

         1.   Effect on Critical U.S. Supply Chains

The Defense Production Act of 1950 (DPA) requires CFIUS to consider a covered transaction’s effect on supply chain security. The Order elaborates on this requirement and directs CFIUS to consider risks to manufacturing capabilities, services, critical mineral resources, or technologies that are fundamental to national security in the following sectors:

  • quantum computing;
  • biotechnology and biomanufacturing;
  • advanced clean energy (such as battery storage and hydrogen);
  • climate adaptation technologies;
  • microelectronics;
  • artificial intelligence;
  • critical materials (such as lithium and rare earth elements);
  • elements of the agriculture industrial base that have implications for food security; and
  • additional sectors set forth in Section 3(b) or 4(a) of the Executive Order 14017 of February 24, 2021 (America’s Supply Chains).

The Order also directs CFIUS to consider the impact of the transaction on the supply chains serving the U.S. government in these sectors, by considering:

  • the availability of a domestic supply chain;
  • the number and variety of suppliers across the supply chain, including in allied countries;
  • whether the U.S. business serves the U.S. government or the defense or energy industrial base; and
  • the degree of involvement of the foreign person in the U.S.’ supply chain, including the concentration of the foreign persons’ ownership or control in a given supply chain.

   2.   Effect on U.S. Technological Leadership

The Order provides further guidance on the DPA requirement that CFIUS consider the transaction’s potential effects on the U.S.’ international technological leadership in areas affecting national security. The Order instructs CFIUS to consider whether the covered transaction involves the manufacturing capabilities, services, critical mineral resources, or technologies that are “fundamental to U.S. technological leadership and therefore national security,” including those technologies listed above.

The Order also directs CFIUS to consider the risks posed by the foreign investor and its third-party ties and whether the covered transaction would facilitate future advancements in technology that could threaten national security. It additionally requires the White House Office of Science and Technology Policy (OSTP) to periodically publish a list of technology sectors that are fundamental to U.S. technology leadership in areas relevant to national security. OSTP has not yet indicated when it plans to release such a list.

       3.   Cumulative Investment Impact

The Order further directs CFIUS to consider the aggregate impact posed by incremental investments or acquisitions in a sector, technology, or business, particularly in those sectors related to manufacturing capabilities, services, critical mineral resources or technologies. Under this approach, a transaction that poses minimal risk in isolation could draw CFIUS scrutiny in the broader context of industry and investor trends. To aid in this analysis, the Order authorizes CFIUS to request relevant reports from the Department of Commerce’s International Trade Administration on trends in a particular industry or activities by particular foreign persons.

       4.   Cybersecurity Risks

Consistent with the President’s focus on cybersecurity risks, the Order directs CFIUS to consider “direct or indirect” access to data systems that could be exploited in cyberattacks, including those that target:

  • critical energy infrastructure, including smart grids;
  • stored data or data systems storing sensitive data; and
  • United States elections, critical infrastructure, the defense industrial base, or other national security priorities set forth in the Executive Order 14028 on Improving the Nation’s Cybersecurity.

The Order also clarifies that CFIUS should consider the “cybersecurity posture, practices, capabilities and access” of the foreign person and the United States business involved.

       5.   Risks to U.S. Persons’ Sensitive Data

Finally, the Order directs CFIUS to consider whether the covered transaction involves a U.S. business that (i) has access to a U.S. person’s sensitive data that could be exploited to identify the individual in a manner that threatens national security or that (ii) has access to data on U.S. sub-populations that could be used to target individuals or groups in a manner that threatens national security. A U.S. person’s sensitive data includes data on a U.S. person’s health, digital identity, or other biological data and any data that could be identifiable or de-anonymized. This factor reinforces a longstanding area of CFIUS focus on risks involving access to sensitive personal information (for instance, in social media, health data, and dating apps).

II.    Annual Report to Congress for Calendar Year 2021

A month before the Order was released, CFIUS published its Annual Report, which analyzed CFIUS’ activities in its first full calendar year under the expanded jurisdiction granted by FIRRMA.

       1.   By the Numbers

CFIUS reviewed a record number of transactions in 2021, including 164 declarations (up from 126 in 2020) and 272 notices (up from 187 in 2020), for a total of 436 filings. It also considered 135 non-notified/non-declared transactions (up from 117 in 2020), requesting filings for 8 such transactions.

A.    Declarations. Of the 164 total declarations, CFIUS cleared 120 (representing 73%, up from 64% in 2020), rejected 2 (one of which was withdrawn and the other of which was refiled), determined that it was unable to conclude action for 12, and requested that the parties file a written notice for the remaining 30. It took CFIUS an average of 5 to 6 days out of a required maximum of 10 days to accept a submitted declaration and 30 days to take action, including issuing any requests for withdrawal and refiling.

B.    Notices. CFIUS conducted an initial “review” (a maximum of 45 days) for 272 notices. It conducted a subsequent “investigation” (a maximum of 45 days) for 130 of the 272, then invoked a further 15-day extension for 3 such notices. CFIUS imposed mitigation measures and concluded all further action on 26 of the 272 notices (just under 10%). Seventy-four notices were withdrawn. Of these 74 notices, 9 were withdrawn and abandoned for failure to reach mutually acceptable mitigation terms and 2 were withdrawn and abandoned for economic reasons. The remaining 63 were later refiled by the parties (52 in 2021 and 11 in 2022). This number of cases represents a substantial increase from 2020, in which only 21 notices were withdrawn and refiled. No noticed transactions were rejected and no presidential decisions were issued. With the exception of the notices that were withdrawn, none of the notices that were accepted in 2021 were rejected by CFIUS in that year. By implication, CFIUS had no unresolved national security concerns about these transactions.

C.    Non-notified Transactions. There were 135 transactions identified through the non-notified/non-declared process in 2021, 8 of which prompted a request from CFIUS for the parties to submit a filing. These figures represent an increase in the number of non-notified/non-declared transactions identified by CFIUS (up from 117 in 2020), although fewer of the transactions ultimately resulted in a request to file (down from 17). CFIUS identified these transactions through interagency referrals, tips from the public, media reports, commercial databases, and congressional notifications. CFIUS states that it will continue to bolster processes for identifying non-notified transactions, including by expanding dedicated staffing, raising interagency attention to the issue, and increasing public awareness of the tip mailbox.

       2.   Key Countries

The declaration process continues to be increasingly utilized, with 164 declarations submitted in 2021, up 30% from 126 in 2020. Investors from U.S.-allied countries are using the process most frequently, with declarations by investors from Canada, Germany, South Korea, Singapore and Japan topping the list. Canada and Japan, followed by Singapore, South Korea, and the United Kingdom are also among the most frequent home countries of investors submitting notices; however, they trail behind China.

The number of notices involving investors from China more than doubled in 2021, from 17 in 2020 to 44 in 2021. This increase may reflect a desire to proactively mitigate CFIUS risk on the part of Chinese investors given the tense geopolitical environment vis-a-vis U.S.-China relations. The rise may simultaneously capture a shift by Chinese investors towards less sensitive targets; despite the high number of notices, CFIUS reviewed only 10 Chinese acquisitions of U.S. critical technology in 2021, fewer than six other countries.

       3.   Top Sectors

By industry sector, the greatest number of filings involved transactions relating to electronic power generation, transmission and distribution (39 filings), software publishers (38 filings), and computer systems design and related services (27 filings).

Additional filings pertained to transactions involving:

  • scientific research and design services;
  • telecommunications;
  • semiconductor and other electronic component manufacturing;
  • data processing, hosting and related services;
  • management of companies and enterprises;
  • insurance carriers, agencies, brokerages and other insurance-related activities; and
  • aerospace product and parts manufacturing.

Out of the 436 covered transactions, CFIUS reviewed 184 that involved acquisitions of U.S. critical technology companies in 2021.

III.    CFIUS Enforcement and Penalty Guidelines

The Enforcement Guidelines describe three key categories of conduct that may constitute violations subject to penalties:

  • failure to timely submit a mandatory declaration or notice;
  • non-compliance with CFIUS mitigation terms; and
  • material misstatements, omissions or false certifications in information provided to CFIUS, including during informal consultations or in response to requests for information.

The Enforcement Guidelines indicate that CFIUS engages in a fact-based analysis to determine appropriate penalties, including by considering the following factors:

  • accountability and future compliance of the violator, including through self-disclosure;
  • harm to U.S. national security;
  • negligence, awareness and intent of the violator;
  • timing and frequency of the violation;
  • response and remediation efforts of the violator; and
  • sophistication and record of compliance of the violator.

The Enforcement Guidelines lay out the process by which CFIUS seeks to impose penalties. First, CFIUS sends a notice of penalty to parties in non-compliance. Within 15 days of receipt of a notice, the recipient(s) may submit a petition for reconsideration to CFIUS, which the CFIUS Staff Chairperson then has 15 additional days to consider. If no petition for reconsideration is timely received, CFIUS typically will issue notice of a final penalty determination. Penalties can range up to the greater of $250,000 or the value of the transaction for failure to file and for non-compliance with mitigation terms and up to $250,000 per violation for providing materially inaccurate information to CFIUS.

IV.    Looking Ahead

  • With the number of reviewed transactions hitting a high in 2021 and CFIUS hiring to expand its capacity, CFIUS is likely to be increasingly active in the coming years.
  • Bolstered by the Order’s emphasis on sectors like quantum computing, biotechnology and green energy, CFIUS is likely to continue to focus heightened attention on transactions in these areas. CFIUS is also likely to continue to prioritize protecting U.S. critical technologies, which include items on the U.S. Munitions List and the Commerce Control List (including certain emerging and foundational technologies), as well as nuclear-related items and select agents and toxins  – cautioning in the Annual Report that foreign governments are “extremely likely to use a range of collection methods” in acquiring such technologies.
  • Transactions from China more than doubled in 2021, rising to 44 transactions, but most reviewed transactions will likely continue to involve foreign investors from allied countries, such as Canada, the United Kingdom, Germany, South Korea, Singapore and Japan, which pose less of a national security risk and are more likely to be approved by CFIUS without mitigation.
  • Assessing the security risks of a covered transaction will require a more holistic analysis of the investment. Transactions that appear to pose no threat in isolation, but that may represent a larger trend towards increasing control of a company or sector by such foreign investors, will continue to attract CFIUS’ attention. Transactions should be considered in their broader industry context and diligence should be done on the third-party ties of foreign investors.
  • We expect that a large percentage of declarations will continue to be cleared and that mitigation measures will be imposed in only a fraction of notified transactions.
  • CFIUS will likely increase enforcement activity, especially in regard to parties that fail to submit mandatory filings. Since there is no statute of limitations for CFIUS to exert jurisdiction over a transaction, failure to file as appropriate will increasingly result in unnecessary risk of a penalty and potentially to the transaction itself.
  • More broadly, CFIUS will continue to play an important role in implementing the President’s national security strategy. The National Security Strategy issued on October 12, 2022 prioritizes continued investments in technologies under CFIUS’ ambit, such as semiconductors and advanced computing, clean energy technologies, cybersecurity, and biotechnologies and biomanufacturing, among others. It also focuses on competition with China as America’s “most consequential geopolitical challenge.” To protect these investments from international exploitation, the Strategy states that the administration is “modernizing and strengthening” investment screening mechanisms.

As CFIUS’s increased activity shows no signs of abating, U.S. businesses and foreign investors should keep CFIUS in mind when contemplating cross-border transactions. Companies with questions about how CFIUS could impact proposed transactions should contact a member of Foley Hoag’s International Trade & National Security practice.

To review our Bloomberg piece “CFIUS Builds on 2022 Activity, Promising More Investor Oversight” published January 6, 2023, please click here.


This article was originally published by Foley Hoag.






Upcoming Events


Related Articles