Compliance Briefing — July 12, 2023
The EU Foreign Subsidies Regulation’s July 2023 implementing package obliges deal teams and procurement boards to catalogue foreign financial contributions, stage readiness for the October notification regime, and build evidence trails that also satisfy DSAR and confidentiality duties.
The European Commission adopted the Implementing Regulation and detailed notification forms for the Foreign Subsidies Regulation (FSR) on , confirming how companies must report foreign financial contributions that could distort the internal market. Regulation (EU) 2022/2560 entered into force earlier in 2023, but the implementing act clarifies procedural rules, thresholds, and information requirements ahead of the start of mandatory notifications for large mergers and public procurement bids. Boards, legal counsel, and compliance teams must now mobilise governance frameworks to map state support received outside the EU, prepare data repositories that withstand European Commission scrutiny, and integrate privacy safeguards so personally identifiable information in submissions can be retrieved for data subject access requests (DSARs) without breaching trade secrets.
The FSR addresses gaps in EU competition, state aid, and trade policy by empowering the Commission to investigate subsidies granted by non-EU countries to companies operating in the Union. The July implementing regulation—published as Commission Implementing Regulation (EU) 2023/1441—sets out notification templates for concentrations (M&A transactions) and public procurement, procedural timelines, document formatting, and confidentiality protocols. It also explains how the Commission will conduct in-depth investigations, accept commitments, and impose redressive measures. Companies exceeding the thresholds—€500 million EU turnover and €50 million foreign financial contributions for concentrations, or €250 million procurement contract value with €4 million foreign contributions—must notify and suspend closing until clearance. Governance bodies must therefore ensure enterprise risk registers capture these obligations and that deal pipelines include FSR gating criteria alongside merger-control and foreign direct investment (FDI) reviews.
Governance implications
Boards and audit committees should require management to inventory all foreign financial contributions received since , the look-back period specified by the regulation. Contributions include not only direct grants but also tax exemptions, loans, guarantees, and the provision of goods or services on favourable terms by third-country authorities. Governance frameworks should mandate quarterly reporting from treasury, tax, and regional business units to confirm completeness of the contribution register. Multinationals should also update delegation-of-authority matrices so that no concentration or procurement bid above the thresholds proceeds without a documented FSR assessment and legal sign-off. Boards should expect management to integrate FSR compliance into enterprise policies on state aid, subsidies, and government engagement, with clear escalation paths to the chief legal officer or competition counsel.
Risk committees must consider geopolitical exposure. The Commission has signalled enforcement attention on strategic sectors such as semiconductors, critical infrastructure, and renewable energy, where subsidised players may distort competition. Companies with significant operations in China or the United States, or with backing from Middle Eastern sovereign funds or state-owned enterprises, should stress-test scenarios in which the Commission opens ex officio investigations even below the notification thresholds. Governance reporting should cover resource allocation for responding to information requests, the ability to ring-fence sensitive data, and contingency plans if the Commission imposes behavioural commitments, divestitures, or repayment orders.
Implementation workstreams
Implementation leads should organise workstreams around data gathering, process integration, and technology enablement. The data-gathering workstream must design a central repository—often built on enterprise resource planning (ERP) or contract-lifecycle management (CLM) platforms—to log foreign financial contributions, including counterparties, granting authorities, amounts, terms, and links to supporting documentation. This repository should support versioning, audit trails, and role-based access controls. Legal teams should create playbooks for interviewing business units, verifying data against treasury records, and reconciling contributions with financial statements. Organisations should ensure the repository can produce the tabular disclosures required by Annexes I and II of the implementing regulation, which demand granular information on subsidies exceeding €1 million and aggregate totals by third-country authority.
Process integration requires embedding FSR checkpoints into existing transaction governance. M&A teams should update due diligence checklists to request subsidy information from targets and sellers, including any support received from non-EU governments or state-owned investors. Deal committees must add FSR risk sections to investment memoranda and ensure transaction timelines incorporate the Commission’s 25-working-day preliminary review and possible 90-working-day in-depth investigation. Procurement functions should revise tender management procedures so bid/no-bid decisions consider whether foreign subsidies could trigger notification obligations or remedial measures. Contract managers must ensure tender documentation includes privacy notices, acknowledging that personal data (for example, employee cost information or subcontractor details) submitted to the Commission may be accessed during DSAR processes.
Technology enablement should focus on tooling that automates data ingestion and safeguards sensitive information. Companies can leverage data-classification engines to flag personal data within subsidy documentation—such as employee payroll records underpinning wage subsidies—so privacy teams can catalogue processing activities. Secure data rooms used for Commission filings must support encryption-at-rest, granular permissions, and logging that can evidence who accessed DSAR-relevant records. Organisations should also integrate e-signature workflows for attestations required by senior management when submitting notifications, keeping immutable records for audit and potential litigation.
DSAR and confidentiality considerations
FSR notifications often contain personal data: names of contact persons, remuneration details of key employees, or information about beneficiaries of training grants. The implementing regulation obliges notifying parties to provide both confidential and non-confidential versions of submissions. Privacy officers should collaborate with competition counsel to define redaction standards that protect business secrets while preserving individuals’ rights under the GDPR. Data subject access request procedures must be updated so privacy teams know where FSR records reside, how to retrieve them within statutory timelines, and how to balance disclosure with Article 48 protections (rights and freedoms of others). Organisations should maintain logs documenting legal basis assessments (typically legitimate interest or legal obligation) for processing personal data in FSR filings, as these logs may be requested by supervisory authorities or included in DSAR response packs.
Because the Commission may share information with Member State authorities, companies must track onward transfers and ensure processor agreements with external counsel, economic consultants, or translation providers include DSAR cooperation clauses. Firms should conduct data protection impact assessments (DPIAs) when implementing new FSR data repositories, especially if they centralise sensitive financial information about employees or counterparties. DPIAs should evaluate retention periods aligned with the regulation’s limitation periods—10 years for redressive measures—and document secure deletion protocols once obligations lapse.
Monitoring and assurance
Internal audit should review FSR preparedness before the October notification go-live, testing whether contribution registers are complete, whether transaction governance checklists include FSR approvals, and whether privacy teams can evidence DSAR readiness. Compliance analytics should track metrics such as number of contributions logged, average time to compile notification annexes, and DSAR fulfilment times involving FSR data. Organisations should monitor Commission guidance, including the Q&A and future updates to the notification templates, and brief executive stakeholders through competition compliance committees. Early engagement with the Commission’s Directorate-General for Competition (DG COMP) can de-risk complex cases; companies should rehearse pre-notification meetings, ensuring documentation is searchable and segregated so personal data disclosures remain controlled.
By establishing strong governance, disciplined implementation workstreams, and privacy-aware evidence management, companies can navigate the Foreign Subsidies Regulation without derailing strategic deals or infrastructure bids. The July 2023 implementing package provides clarity but also raises the bar for documentation quality. Organisations that invest now in data integrity, DSAR alignment, and cross-functional coordination will be better placed to respond swiftly to Commission queries and demonstrate responsible stewardship of both public subsidies and personal information.