Cybersecurity and Foreign Direct Investment Controls
Digital information and online communication are becoming more and more important. As a result, people are increasingly aiming to protect their IT systems against attacks. Cyber security considerations play a special role in governmental restrictions on foreign direct investments to protect against foreign interference in key infrastructure or security-related sectors. In Germany, this has led to increased scrutiny of M&A transactions by the German Federal Ministry for Economic Affairs and Energy (FMEA) – not limited to companies active in key areas of software development or IT security.
Governmental restrictions on FDI are aimed at protecting national security and public order from dangers which could arise from foreign investments in German companies. The FMEA can investigate such foreign investments and prohibit them where appropriate. In previous years, its review of M&A transactions was seen as a formality, but they are taken increasingly seriously. Following the widespread publicity surrounding the acquisition of robot manufacturer KUKA by the Chinese investor Midea in 2016, the government tightened its investment control in 2017. The government proposed longer review periods and new reporting requirements. The approval process may now take up to four months, and this period is often fully used. In addition, sometimes clearance is only granted under certain conditions – e.g. the disposal of security-related parts of the business. In August 2018, the FMEA blocked a Chinese investment in the German tool manufacturer Leifeld.
At the same time, we are becoming increasingly dependent on interconnected IT components as a society. This heightens potential damage should the IT infrastructure be compromised. This led the German government to focus on tightening its investment control on the information technology sector in 2017 even further. Additionally, since 29 December 2018 the scope of investment control was widened yet again.
Cybersecurity and National Security
The German system of FDI control is three-fold. The strictest control applies to sector-specific investments covered by Section 60 Foreign Trade and Payments Ordinance (FTPO) (category 1). This usually applies to foreign investments in German companies dealing with weapons or other military equipment. Such investments must be reported to the FMEA and require explicit clearance. Before clearance is granted the M&A contracts will not come into force.
Other investments must be reported to the Ministry, but no clearance is required (category 2). The FMEA can block these investments if they endanger national security or public order. Investments by non-EU companies in German companies that have been classified on this basis as security-related may be restricted. This includes companies active in critical infrastructure (e.g. energy, water, the finance and insurance sector, health and transport) and, as of recently, companies in the media industry as well.
For all other investments there is no reporting obligation (category 3). However, the FMEA can generally review any foreign investment, if it considers such review necessary for security reasons. In practice, in some instances, it can be advisable to apply voluntarily for a clearance certificate, and make clearance by the FMEA a closing condition in M&A contracts.
Some investments in cybersecurity companies fall within category 1. This applies, in particular, to manufacturers of products authorised by the German Federal Office for Information Security with IT security functions (i.e. encryption technology products), and to companies that have manufactured them in the past (even if it was just a business unit), regardless of the size of the business (no de minimis threshold). Investments in such companies must therefore be thoroughly reviewed to ensure that any reporting obligation is met. If the reporting obligation is not fulfilled, the FMEA can still block the investment after several years – and in the worst case can declare the M&A contract void.
The vast majority of non-EU investments in cybersecurity companies likely falls into category 2. This is because IT and telecommunication companies are often part of critical infrastructure. Additionally, investments in companies that develop software for operating critical infrastructure, providers of cloud computer services or communication tools in the health sector (so called ‘telematics infrastructure’), have to be reported (Section 55 Para. 1 S. 2 & Para. 4 FTPO). The FMEA can prohibit such investments.
Extensive use of Investment Control a Result of Lowering the Review Threshold?
The latest amendments to the FTPO at the end of December 2018 lowered the threshold for triggering FDI control even further. Investments in companies in categories 1 and 2 now need to be reported if more than 10% of the German target are acquired. For all other cases the threshold is 25%. This means a substantial increase in the number of company acquisitions subject to a reporting obligation within the cybersecurity sector. The German government believed that this was the only way to protect the relevant sectors (e.g. cybersecurity) against damaging foreign investments.
The increasing restrictions on foreign investments under the banner of cybersecurity appears to be successful. However, this has meant a reduction in the intensity of competition while increasing government intervention. The government is using its powers of intervention to an even greater extent – especially to protect digital infrastructure. Foreign investors considering an acquisition of a company active in IT infrastructure or surveillance technology are advised to keep these regulatory developments in mind, to avoid delays or failure of the acquisition. Experience shows that transparent communication with the FMEA has a positive effect on the transaction. BLOMSTEIN will continue to monitor and report on the developments. If you have questions about the potential impact of cybersecurity in your company or sector, Roland M. Stein and Leonard von Rummel are more than happy to provide assistance.