CFIUS issues final FIRRMA regulations for foreign investment reviews

If you work on cross-border M&A deals involving tech, infrastructure, or data, January 17, 2020, changed your world. The Treasury Department issued final regulations implementing the Foreign Investment Risk Review Modernization Act (FIRRMA), dramatically expanding when foreign investments trigger national security review. Mandatory filings kicked in February 13, and the scope of what counts as a "covered transaction" got much wider.

This is the biggest expansion of CFIUS authority ever

CFIUS—the Committee on Foreign Investment in the United States—has historically focused on transactions that give foreign persons control of US businesses. FIRRMA expanded that to cover non-controlling investments that provide access to sensitive technologies, infrastructure, or data. You do not need to acquire a controlling stake to trigger review; you just need access to the right information or decision-making authority.

Why did Congress do this? The traditional focus on "control" missed transactions where foreign investors gained strategic insight without formal control. Minority investments with board observer seats. Contractual arrangements providing access to technical information. Joint ventures that share sensitive data. These structures let foreign parties—particularly from countries of concern—gain national security-relevant access while flying under the regulatory radar.

The regulations close those gaps. If your transaction involves a "TID U.S. business" (technology, infrastructure, or data) and gives a foreign person defined access rights, you are likely in CFIUS territory even without a controlling stake.

Understanding TID business definitions

Technology businesses are defined by export control classifications, not NAICS codes. If your products or technologies require export licenses under ITAR, EAR, or certain Commerce Department controls—including the emerging and foundational technology categories—you are a critical technology business. This creates compliance complexity because export control analysis now drives investment review obligations.

Critical infrastructure businesses perform specified functions in enumerated sectors: telecommunications, energy, financial services, defense industrial base, transportation. The definitions are technical and sector-specific. If you operate in these sectors, you need to map your activities against the regulatory definitions to understand your exposure.

Sensitive personal data businesses maintain or collect data on more than one million US persons in covered categories, or are government contractors with access to sensitive government data. The data threshold is lower than you might expect—many commercial data businesses easily exceed it. And the government contractor angle affects a wider range of companies than obvious defense contractors.

Mandatory filings are real and have consequences

Certain critical technology transactions now require mandatory 30-day declarations—a shortened filing format that still triggers CFIUS review. The trigger is not optional: if your transaction meets the criteria, you must file. Failure to submit mandatory declarations can result in civil penalties up to the transaction value and potential compulsory divestiture.

The mandatory filing criteria are tied to export control classifications. If the foreign investor would obtain defined access rights and the target business's products or technologies would require US regulatory authorization for export to certain countries, mandatory filing requirements likely apply. This creates a two-step analysis: first determine if your technology has export control implications, then assess whether the investment structure triggers mandatory filing.

The practical impact on deal timelines is significant. CFIUS review adds uncertainty and duration to transactions. Deals that previously closed quickly now require regulatory clearance that can take months. For competitive auction processes, CFIUS exposure can disadvantage certain bidders or affect valuation.

Real estate rules create new geographic considerations

A companion rule addresses foreign real estate transactions near sensitive government and military facilities. Purchases, long-term leases, and concession arrangements within prescribed distances of enumerated airports, maritime ports, and military installations can trigger CFIUS jurisdiction.

This affects data center siting, logistics facilities, and manufacturing locations. Property near covered facilities may have CFIUS implications that were not previously considered. Due diligence for real estate acquisitions now needs to include proximity analysis to sensitive sites—a factor that was not on most checklists before FIRRMA.

Excepted foreign states provide limited relief

The regulations create an "excepted foreign state" category with simplified treatment for investments from allied nations. Initially, this covers Australia, Canada, and the United Kingdom—countries with strong export control and foreign investment regimes aligned with US national security objectives.

Excepted status means reduced scrutiny for certain covered transactions, though exemptions can be revoked if countries fail compliance assessments. Additional countries may be added as their regulatory regimes mature. For investors from these countries, excepted status provides competitive advantages in deals where CFIUS exposure affects bidding dynamics.

What this means for your deal process

Map your business against TID definitions. Understand your export control classifications, critical infrastructure activities, and data holdings. This analysis should happen early—ideally before you are in active deal discussions—so you understand your CFIUS exposure baseline.

Update deal checklists and due diligence questionnaires. Capture foreign investor rights, board observer arrangements, data access provisions, and real estate proximity to covered facilities. These factors now determine regulatory filing obligations.

Coordinate with experienced CFIUS counsel early in deal processes. The regulatory analysis is technical and consequences of getting it wrong are serious. Counsel can help structure transactions to manage CFIUS exposure where structuring flexibility exists.

For sellers, understand that CFIUS exposure affects buyer pools and deal certainty. Some foreign buyers may face obstacles that domestic buyers do not. Auction processes may need to account for varying regulatory timelines among bidders.

Practical next steps

• Assess your business against TID definitions—technology (export controls), infrastructure (sector activities), and data (volume and sensitivity).
• Review current foreign investment arrangements for potential retroactive implications.
• Update M&A playbooks to include CFIUS analysis as standard due diligence.
• Train deal teams on FIRRMA basics so they can spot issues early.
• Establish relationships with CFIUS-experienced counsel before you need them urgently.
• For real estate transactions, add proximity analysis to sensitive facilities as standard due diligence.

FIRRMA fundamentally changed the foreign investment environment. Transactions that previously proceeded without regulatory scrutiny now require careful analysis and potentially mandatory filings. Organizations that build CFIUS awareness into their deal processes will navigate this environment more effectively than those discovering these requirements mid-transaction.

See also

Selected articles on related subjects.

Governance · Credibility 91/100 · January 16, 2020

NIST releases Privacy Framework 1.0

NIST just released Privacy Framework 1.0—think of it as the NIST Cybersecurity Framework's sibling for privacy risk. It is voluntary, flexible, and designed to help organizations think about privacy beyond just…

Governance · Credibility 88/100 · January 16, 2020

NIST Privacy Framework 1.0 release

NIST’s January 2020 Privacy Framework 1.0 sets up a Cybersecurity Framework-aligned structure—Core outcomes, Profiles, and Tiers—to manage privacy risk, guide engineering controls, and help leaders communicate…

Governance · Credibility 83/100 · January 21, 2020

UK Age Appropriate Design Code finalized

Building anything online that kids might use? The UK's Age Appropriate Design Code is now final, and it is broad—if children could realistically access your service, you are covered. That means high-privacy defaults…

Governance · Credibility 91/100 · January 22, 2020

NSA guidance on mitigating cloud vulnerabilities

The NSA just published a surprisingly practical cloud security guide. The short version: most cloud breaches come from the same misconfigurations—overly permissive IAM policies, flat networks, exposed management…

Governance · Credibility 73/100 · January 30, 2020

Governance — WHO PHEIC

January 30, 2020—WHO declared COVID-19 a PHEIC. This was before most of the world took it seriously, but it triggered international health coordination and emergency funding. The pandemic was officially global.

Continue in the Governance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Board Oversight Governance Blueprint

  Unify Basel Committee, PRA, SEC, and ISSB oversight mandates into an auditable board governance operating model with data lineage, assurance cadences, and regulatory source packs.

• Governance, Risk, and Oversight Playbook

  Operationalise board-level governance, risk oversight, and resilience reporting aligned with Basel Committee principles, ECB supervisory expectations, U.S. SR 21-3, and OCC…

• Third-Party Governance Control Blueprint

  Deliver OCC, Federal Reserve, PRA, EBA, DORA, MAS, and OSFI third-party governance requirements through board reporting, lifecycle controls, and resilience evidence.

Cited sources

1. Provisions Pertaining to Certain Investments in the United States by Foreign Persons — U.S. Department of the Treasury
2. Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States — U.S. Department of the Treasury
3. ISO 37000:2021 — Governance of Organizations — International Organization for Standardization