CFIUS Review - When Foreign Buyers Trigger National Security Scrutiny in Cross-Border M&A
Learn how CFIUS national security review affects foreign acquisitions of U.S. businesses and strategies for navigating the review process successfully
You’ve found your perfect buyer. A well-capitalized strategic acquirer offering premium valuation, excellent cultural fit, and a compelling vision for your company’s future. There’s just one complication: they’re headquartered in Singapore, Munich, or Toronto. Suddenly, a four-letter acronym enters the conversation that can add months to your timeline, impose ongoing operational restrictions, or kill the deal entirely: CFIUS.
Executive Summary
The Committee on Foreign Investment in the United States (CFIUS) reviews transactions involving foreign acquirers of U.S. businesses for national security implications. For business owners in the $2 million to $20 million revenue range, CFIUS national security review has evolved from an obscure regulatory process affecting only defense contractors into a significant consideration for any cross-border transaction.
Recent legislative changes have dramatically expanded CFIUS jurisdiction, making review mandatory for certain transaction types while increasing scrutiny across technology, data, and critical infrastructure sectors. The practical implications are substantial: review processes that can add 45 to 120 days to transaction timelines depending on filing type and review complexity, mitigation conditions that impose ongoing compliance obligations, and the risk of deals being blocked or unwound when national security concerns cannot be resolved.
Based on Treasury Department annual reports, most filed transactions receive clearance often with no conditions or with manageable mitigation requirements. But this statistic doesn’t capture deals not pursued due to anticipated CFIUS challenges or buyers who withdrew before filing. The key is understanding when and how CFIUS scrutiny applies, structuring transactions appropriately from the outset, and managing the review process strategically rather than reactively.
This article examines CFIUS review triggers including the factors that determine whether voluntary or mandatory filing applies, identifies the industry categories and transaction characteristics that attract heightened scrutiny, and provides frameworks for managing CFIUS processes. Understanding these dynamics before engaging with foreign buyers allows you to structure transactions appropriately, set realistic timeline expectations, and avoid the devastating scenario of a deal collapsing months into the process due to regulatory intervention.
Introduction
Cross-border M&A activity has become increasingly common in the lower middle market. Foreign strategic buyers often bring compelling advantages: access to international markets, complementary capabilities, and sometimes premium valuations driven by currency differentials or strategic imperatives that domestic buyers cannot match. For business owners seeking maximum value realization, excluding foreign acquirers from consideration can mean leaving significant money on the table.
But the regulatory landscape governing foreign acquisitions of U.S. businesses has shifted dramatically over the past decade. What was once a relatively narrow review process focused primarily on defense and intelligence-related acquisitions has expanded into a broad examination of transactions across numerous industry sectors. The Foreign Investment Risk Review Modernization Act (FIRRMA), enacted in 2018 as part of the John S. McCain National Defense Authorization Act and fully implemented in 2020, fundamentally transformed CFIUS jurisdiction and review processes by extending authority to cover certain non-controlling investments and real estate transactions near sensitive facilities.
For business owners contemplating exits, understanding CFIUS national security review has become needed due diligence. Not because every transaction involving a foreign buyer will face challenges, but because the consequences of failing to anticipate CFIUS issues can be severe. Deals have been unwound years after closing. Buyers have been forced to divest acquired businesses at fire-sale prices. Transaction timelines have extended by six months or more while parties navigate unexpected review processes.
The good news is that proper preparation significantly improves outcomes. The key is understanding when and how CFIUS scrutiny applies, structuring transactions appropriately from the outset, and managing the review process strategically rather than reactively.
Understanding CFIUS Jurisdiction and Authority
CFIUS is an interagency committee chaired by the Treasury Department that reviews transactions involving foreign investment in U.S. businesses to identify and address national security concerns. The committee includes representatives from the Departments of Defense, State, Commerce, Homeland Security, and Energy, among others, reflecting the broad scope of national security considerations that inform review decisions.
The committee’s authority extends to any transaction that could result in foreign control of a U.S. business, as well as certain non-controlling investments in businesses involved with critical technologies, critical infrastructure (as defined under 31 CFR 800.248), or sensitive personal data. This jurisdictional scope means that CFIUS national security review can apply to traditional acquisitions, minority investments, joint ventures, and even certain real estate transactions near sensitive government facilities.
Understanding whether your transaction falls within CFIUS jurisdiction requires analyzing several factors. While buyers from allied countries generally face less scrutiny, buyer-specific characteristics including government relationships, prior CFIUS interactions, and transaction history significantly influence review intensity. The nature of your business operations, the technologies you develop or use, and the data you collect and maintain all influence CFIUS interest in the transaction.
Mandatory vs. Voluntary Filing Requirements
CFIUS filings fall into two categories with dramatically different implications for transaction planning.
Mandatory filings apply to specific transaction types and carry legal obligations to notify CFIUS before closing. Failure to file when mandatory filing applies can result in civil penalties of up to the transaction value under 31 CFR 800.901. Mandatory filing requirements currently apply to transactions where a foreign government has a substantial interest in the acquirer and the target U.S. business is involved with critical technologies, critical infrastructure, or sensitive personal data. Certain investments involving critical technologies that require export licenses for the investor’s home country trigger mandatory filing obligations.
Voluntary filings apply to most other transactions within CFIUS jurisdiction. While not legally required, voluntary filing provides transaction certainty through formal CFIUS clearance for the specific transaction reviewed. Without filing, transactions remain subject to potential CFIUS review, particularly if they later gain attention for national security reasons. The committee has authority to review and potentially unwind transactions years after closing if concerns emerge.
For most lower middle market transactions, filing is technically voluntary but practically needed when national security considerations are plausible. The cost of obtaining CFIUS clearance is modest relative to transaction values, and the certainty provided protects both parties from post-closing regulatory risk.
Industry Categories Attracting Heightened Scrutiny
While CFIUS national security review can apply across industry sectors, certain business categories face elevated scrutiny that significantly affects transaction feasibility and process complexity.
Defense and Government Contracting
Businesses with defense contracts, security clearances, or involvement in government programs face the most intensive CFIUS review. Even relatively modest defense-related revenue can trigger significant scrutiny if the business has access to classified information, develops technologies with military applications, or provides services to intelligence agencies. Foreign acquisition of cleared defense contractors is possible, but clearance typically requires substantial mitigation measures including governance restrictions, operational segregation, and ongoing compliance monitoring.
Critical Infrastructure Sectors
CFIUS defines critical infrastructure broadly, encompassing energy, telecommunications, transportation, financial services, and healthcare sectors among others. Businesses providing needed services or operating systems whose disruption could affect public health, safety, or economic security face heightened review. The specific subsector and operational role matter. A healthcare IT company processing patient data across major hospital systems attracts more scrutiny than a medical device distributor, even at similar revenue levels.
Technology and Intellectual Property
Technology businesses face CFIUS scrutiny based on the nature of their technology, its potential applications, and export control status. Critical technologies subject to export licensing requirements create mandatory filing obligations in many cases. Emerging technologies including artificial intelligence, quantum computing, advanced semiconductors, and biotechnology attract particular attention even when not formally export-controlled. Businesses developing dual-use technologies with both commercial and potential military applications should anticipate significant CFIUS interest.
Data-Intensive Businesses
The expansion of CFIUS jurisdiction to cover sensitive personal data represents one of the most significant changes affecting lower middle market transactions. Businesses that collect, maintain, or process sensitive personal data on substantial numbers of U.S. persons may face CFIUS national security review regardless of industry classification. Sensitive data categories include genetic information, biometric data, personal financial data, geolocation data, and health information. Data aggregators, analytics platforms, and businesses with large consumer databases should evaluate CFIUS implications carefully.
The CFIUS Review Process and Timeline
Understanding CFIUS review mechanics allows for realistic transaction planning and timeline management.
Pre-Filing Preparation
Before formal filing, parties should conduct thorough analysis of CFIUS risk factors and develop responses to anticipated concerns. This preparation phase typically requires 30 to 60 days for typical middle-market transactions, though complex cases involving sensitive technologies or extensive data holdings may require longer. The process involves detailed information gathering about the foreign acquirer’s ownership structure, government relationships, and prior CFIUS interactions, as well as documentation of the target business’s national security-relevant activities.
Pre-filing consultations with CFIUS staff are available and often valuable for transactions with significant national security considerations. These informal discussions allow parties to gauge committee interest, understand likely concerns, and refine transaction structures or mitigation proposals before formal filing.
Declaration vs. Notice Filing
CFIUS accepts two filing types with different timelines and review depths.
Short-form declarations provide abbreviated review within 30 days. CFIUS may clear the transaction, request a full notice, or indicate that it cannot complete review based on the declaration alone. Declarations work best for straightforward transactions with limited national security concerns.
Full notices trigger a 45-day initial review period, extendable by an additional 45-day investigation period when the committee determines that extended review is necessary. The total statutory timeline can reach 90 days or more, though extensions are possible in complex cases.
Review Outcomes and Mitigation
CFIUS national security review concludes with one of several outcomes affecting transaction viability.
Clearance without conditions allows the transaction to proceed as structured. This outcome is most common for transactions with limited national security concerns or where the foreign acquirer’s profile presents minimal risk.
Clearance with mitigation permits the transaction subject to conditions addressing identified national security concerns. Mitigation requirements vary significantly and can include governance requirements, operational restrictions, information security obligations, and ongoing compliance monitoring that affects business flexibility. The scope and burden of mitigation varies based on the nature of concerns identified. Some conditions are manageable administrative requirements while others impose meaningful operational constraints.
Withdrawal and refiling sometimes occurs when parties need time to develop mitigation proposals or when transaction structures require modification. Withdrawn filings can be refiled, though the process adds significant timeline.
Presidential prohibition represents the most severe outcome. The President can block transactions or order divestiture when national security concerns cannot be adequately addressed. While relatively rare, presidential action has occurred in high-profile cases and remains a possibility for transactions with significant unresolvable concerns.
Strategic Approaches to CFIUS Navigation
Business owners can take proactive steps to manage CFIUS risk and improve review outcomes.
Transaction Structuring Considerations
How transactions are structured can affect both CFIUS jurisdiction and review intensity. Minority investments face different treatment than control acquisitions. Carve-outs of particularly sensitive business lines before foreign acquisition can reduce CFIUS concerns. Governance structures that preserve U.S. control over sensitive activities may support mitigation approaches.
Working with advisors experienced in CFIUS matters during transaction structuring rather than after deal terms are set provides maximum flexibility to address national security considerations while preserving commercial objectives.
Buyer Selection and Qualification
Not all foreign buyers present equivalent CFIUS risk. Acquirers from allied countries with established security relationships generally face less scrutiny than those from countries of concern, though buyer-specific factors often matter more than country of origin. Buyers with government ownership or control present different issues than purely private investors. Prior CFIUS experience and existing mitigation compliance affects committee perspective on new transactions.
When evaluating foreign acquisition interest, understanding the specific buyer’s CFIUS profile helps assess transaction feasibility and likely timeline. Requesting information about buyer ownership structure, government relationships, and prior CFIUS interactions during due diligence allows early identification of potential concerns. But in competitive auctions, consider addressing CFIUS issues during formal due diligence rather than preliminary discussions to avoid signaling excessive concern that could affect competitive dynamics.
Timeline and Certainty Provisions
CFIUS review creates timeline uncertainty that must be addressed in transaction documentation. Purchase agreements should include appropriate regulatory condition provisions, timeline extensions for extended review, and termination rights if clearance cannot be obtained within reasonable periods.
Reverse termination fees payable by buyers if CFIUS blocks or imposes unacceptable conditions protect sellers from bearing the cost of regulatory failure. These fees typically range from 2% to 5% of transaction value, though the appropriate level depends on transaction specifics and negotiating dynamics. Meaningful fees create buyer incentive to pursue clearance vigorously, though sellers should recognize that substantial fee requirements may reduce initial bid prices as buyers factor regulatory risk into their valuations. The net economic calculation requires weighing protection value against potential bid reduction.
Mitigation Readiness
Understanding likely mitigation requirements for your situation can help evaluate post-transaction operating implications before committing to a foreign buyer. But developing specific mitigation proposals proactively requires careful judgment. While proactive mitigation can demonstrate cooperation and accelerate review, proposals developed without experienced counsel risk over-committing to unnecessary restrictions or inadvertently confirming concerns that CFIUS might not have identified. Common mitigation elements include:
| Concern Category | Typical Mitigation Measures |
|---|---|
| Governance | U.S. citizen board members, security committees, proxy arrangements |
| Information Security | Better cybersecurity, access restrictions, data localization |
| Personnel | U.S. citizen requirements for sensitive positions, security clearance maintenance |
| Operational | Segregation of sensitive activities, limitations on technology transfer |
| Compliance | Ongoing reporting, third-party auditing, government inspection rights |
The Cost Reality of CFIUS Navigation
Business owners considering foreign buyers need realistic cost expectations for CFIUS processes.
Professional Advisory Costs
CFIUS navigation requires specialized expertise that general M&A counsel may not possess. Based on our experience advising middle-market transactions, CFIUS legal fees typically range from $150,000 to $500,000 or more for complex transactions involving sensitive technologies or significant national security considerations. Simpler transactions with straightforward facts may fall toward the lower end, while transactions requiring extensive mitigation negotiations or multiple filing rounds can exceed these ranges.
For straightforward transactions with limited national security concerns, general M&A counsel with CFIUS consultation may be sufficient. The cost differential is typically 30% to 50% compared to specialized CFIUS practitioners, but specialized expertise becomes needed for complex technology transactions, mandatory filing situations, or cases involving buyers from countries of concern.
Additional costs may include economic or technical experts ($25,000 to $100,000 depending on complexity) and filing fees that scale with transaction size (ranging from zero to $300,000 based on current fee schedules).
Indirect Costs
Beyond direct advisory fees, factor in management time devoted to information gathering, document preparation, and CFIUS consultations. Typically 40 to 80 hours of executive time for moderate complexity transactions. Opportunity costs from delayed closings, management distraction, and potential impacts on customer and employee relationships during extended review periods can exceed direct costs in some cases.
Total Cost Perspective
For a typical middle-market transaction requiring CFIUS review, total costs including legal fees, executive time, and timeline-related impacts commonly range from $200,000 to $500,000. Complex cases involving extensive mitigation negotiations or presidential review can exceed these ranges significantly. These costs must be weighed against the premium valuations that foreign buyers, particularly those seeking technology and strategic assets, may offer compared to domestic alternatives.
Practical Implications for Exit Planning
CFIUS national security review should inform exit planning decisions for business owners considering foreign buyers or operating in sensitive sectors.
Valuation and Buyer Pool Effects
CFIUS considerations can affect both the pool of viable buyers and achievable valuations. Some foreign buyers may be unwilling to pursue transactions requiring extensive CFIUS review or accept significant mitigation obligations. Others may discount valuations to reflect regulatory risk and timeline uncertainty. Understanding these dynamics helps set realistic expectations when marketing to international acquirers.
Conversely, foreign buyers willing to navigate CFIUS processes may offer premium valuations particularly for technology and strategic assets that fit their expansion strategies, reflecting their limited acquisition options and strategic importance of U.S. market access. But extensive mitigation requirements or uncertain clearance prospects can lead to valuation discounts that offset these premiums. The key is understanding specific buyer motivations and CFIUS risk tolerance early in the process.
CFIUS processes also carry risks including buyer withdrawal due to complexity. Buyers unfamiliar with U.S. regulatory processes or those with alternative acquisition opportunities may exit transactions when CFIUS requirements become clear. Early buyer education about process expectations and reverse termination fee provisions help mitigate this risk.
Timeline Planning
CFIUS review adds meaningful time to transaction completion. Typically 90 to 180 days beyond normal closing timelines for transactions requiring review. This timeline assumes straightforward facts, responsive information provision, and limited mitigation requirements. Best-case scenarios with declaration filings may achieve clearance faster, while worst-case scenarios involving withdrawal and refiling, presidential review, or extensive mitigation negotiations can extend beyond six months.
Building CFIUS timeline into overall exit planning ensures appropriate expectations and prevents the surprise of extended deal processes when foreign buyers are involved.
Professional Team Assembly
Engaging advisors with specific CFIUS experience improves both process efficiency and outcome probability. These specialists should be involved early in transactions with potential CFIUS implications, ideally during buyer qualification and deal structuring rather than after terms are agreed.
Actionable Takeaways
Assess your CFIUS profile now. Before engaging with any foreign buyer, evaluate your business for national security-relevant factors including defense relationships, critical infrastructure involvement, technology export control status, and sensitive data holdings. Consider engaging CFIUS-experienced counsel for an initial assessment, particularly if you operate in technology or data-intensive sectors. Understanding your profile shapes buyer targeting and process planning.
Qualify foreign buyers carefully. Request information about ownership structure, government relationships, and CFIUS history during formal due diligence. Buyer profile including specific characteristics beyond country of origin dramatically affects review intensity and outcome probability.
Structure transactions with CFIUS in mind. Work with experienced advisors to design transaction structures that address national security considerations while preserving commercial objectives. Structure flexibility diminishes once terms are agreed.
Build realistic timelines. Add 90 to 180 days to transaction schedules when CFIUS national security review is likely. Set expectations with all stakeholders including employees, customers, and your own planning accordingly. Complex cases may require longer.
Budget appropriately. Plan for CFIUS-related costs of $200,000 to $500,000 or more for complex transactions, including legal fees, executive time, and timeline-related impacts. Weigh these costs against potential valuation premiums from foreign buyers.
Negotiate appropriate protections. Purchase agreements should include reverse termination fees (typically 2% to 5% of transaction value), timeline extensions, and clear conditions regarding CFIUS clearance. Understand that substantial fee requirements may affect bid prices.
Prepare mitigation strategically. Understand likely mitigation requirements for your situation, but work with experienced counsel before committing to specific proposals. Premature or excessive mitigation offers can result in unnecessary operational restrictions.
Conclusion
CFIUS national security review has evolved from an obscure regulatory process into a significant consideration for any business owner contemplating a foreign buyer. The expanded jurisdiction, increased scrutiny across technology and data sectors, and potential for extended timelines or deal prohibition require thoughtful planning that begins well before buyer engagement.
For business owners in the $2 million to $20 million revenue range, CFIUS rarely presents an absolute bar to foreign acquisition, but it does require strategic navigation and realistic cost and timeline expectations. Understanding your business’s national security profile, qualifying foreign buyers appropriately, structuring transactions with CFIUS considerations in mind, and engaging specialized expertise when needed allows you to access the premium valuations and strategic benefits that foreign acquirers often provide while managing regulatory risk effectively.
The owners who succeed in cross-border transactions are those who treat CFIUS as a manageable process element rather than an unexpected obstacle. That management begins with understanding what triggers review, what factors drive outcomes, and how to position transactions for successful clearance. Armed with that understanding and realistic expectations about costs, timelines, and potential complications, you can pursue foreign buyers confidently while protecting yourself from the regulatory surprises that derail less prepared sellers.