Used Services and Cookies

Our website uses cookies to enhance your user experience. Some cookies are essential for the operation and management of the site, while others are used for anonymous statistics or personalized content. Please note that limiting cookie use may impair certain functions of the website.

More information: ,

Essential cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website or, for example, saving your cookie settings. The website cannot function properly without these cookies. This category cannot be deactivated.
  • Name:
    ukie_a_cookie_consent_manager
  • Domain:
    blomstein.com
  • Purpose:
    Stores the cookie preferences of website visitors.
  • Name:
    blomstein_session
  • Domain:
    blomstein.com
  • Purpose:
    The session cookie is essential for the basic functioning of the website. It allows users to navigate through the site and use its basic features.
  • Name:
    XSRF-TOKEN
  • Domain:
    blomstein.com
  • Purpose:
    This cookie serves security purposes and aids in preventing Cross-Site Request Forgery (CSRF) attacks. It is a technical necessity.
These cookies collect information about how you use a website, e.g. which pages you have visited and which links you have clicked on.
  • Name:
    _ga
  • Domain:
    blomstein.com
  • Purpose:
    The Google Analytics cookie _ga is used to distinguish users by assigning a unique identification number to each visitor. This number is sent to Google Analytics each time a page is accessed in order to collect user, session and campaign data and to statistically evaluate the use of the website. The cookie helps website operators to understand how visitors interact with the website by collecting information anonymously and generating reports.
  • Name:
    _ga_*
  • Domain:
    blomstein.com
  • Purpose:
    The _ga_[container_id] cookie, specific to Google Analytics 4 (GA4), is used to distinguish website visitors by assigning a unique ID for each session and each user. It enables the collection and analysis of data on user behavior on the website in anonymized form. This includes tracking page views, interactions and the path users take on the website to give website operators deeper insights into the use of their site and improve the user experience.
  • Name:
    _gid
  • Domain:
    blomstein.com
  • Purpose:
    The _gid cookie is a cookie set by Google Analytics that is used to distinguish users. It assigns a unique identification number to each visitor to the website, which is sent to Google Analytics each time the page is accessed. This makes it possible to track and analyze user behavior on the website over a period of 24 hours.
  • Name:
    _gat_gtag_UA_77241503_1
  • Domain:
    blomstein.com
  • Purpose:
    The _gat_gtag_UA_77241503_1 cookie is part of Google Analytics and Google Tag Manager and is used to throttle the request rate, i.e. it limits data collection on high traffic websites. This cookie is linked to a specific Google Analytics property ID (in this case UA-77241503-1), which means that it is used for performance monitoring and control of data collection for that specific website property.

Cybersecurity and Foreign Direct Investment Controls

10.11.2020

Digital information and online communication are becoming more and more important. As a result, people are increasingly aiming to protect their IT systems against attacks. Cybersecurity considerations play a special role in governmental restrictions on foreign direct investments (FDI) to protect against foreign interference in key infrastructure or security-related sectors. In Germany, this has led to increased scrutiny of M&A transactions by the German Federal Ministry for Economic Affairs and Energy (FMEA) – not limited to companies active in key areas of software development or IT security.

Background

Governmental restrictions on FDI are aimed at protecting national security and public order from dangers, which could arise from foreign investments in German companies. The FMEA can investigate such foreign investments and prohibit them where appropriate. In previous years, its review of M&A transactions was seen as a formality, but they are taken increasingly seriously. Following the widespread publicity surrounding the acquisition of robot manufacturer KUKA by the Chinese investor Midea in 2016, the German government tightened its investment control and is continuing to do so.

In 2019, the EU FDI Screening Regulation established the very first European framework for foreign direct investment, which has been directly applicable in all EU member states since October 11, 2020. The German legislator has already implemented requirements of the EU Screening Regulation in the First Amendment to the Foreign Trade and Payments Act (Außenwirtschaftsgesetz – AWG) and the 16th amendment to the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung – AWV). In particular, the standard of review has been modified. Now, FDI screenings will no longer be based on an “actual threat” but on an “expected impairment” of public safety or order taking into consideration the interests of other EU member states as well. Additionally, a ban on enforcement of investments for the duration of the screening procedure was introduced. Further tightening of the German FDI screening framework is expected as a result of the upcoming 17th amendment to the AWV. According to most recent announcements, the obligation to report investments will be expanded, especially with regard to critical technology areas such as cybersecurity or AI. The previous tightenings are also becoming apparent in practice. Meanwhile, the screening periods of up to four months are often fully exhausted and clearance is sometimes only granted under certain conditions – e.g. the disposal of security-related parts of the business.

Cybersecurity and National Security

The German system of FDI control is three-fold. The strictest control applies to sector-specific investments covered by Section 60 Foreign Trade and Payments Ordinance (FTPO) (category 1). This usually applies to foreign investments in German companies dealing with weapons or other military equipment. Such investments must be reported to the FMEA and require explicit clearance. Before clearance is granted the M&A contracts will not come into force.

Other investments must be reported to the Ministry, but no clearance is required (category 2). The FMEA can block these investments if they endanger national security or public order. Investments by non-EU companies in German companies that have been classified on this basis as security-related may be restricted. This includes companies active in critical infrastructure (e.g. energy, water, the finance and insurance sector, health and transport) and, as of recently, companies in the media industry as well.

For all other investments, there is no reporting obligation (category 3). However, the FMEA can generally review any foreign investment, if it considers such review necessary for security reasons. In practice, in some instances, it can be advisable to apply voluntarily for a clearance certificate, and make clearance by the FMEA a closing condition in M&A contracts.

Some investments in cybersecurity companies fall within category 1. This applies, in particular, to manufacturers of products authorised by the German Federal Office for Information Security with IT security functions (i.e. encryption technology products), and to companies that have manufactured them in the past (even if it was just a business unit), regardless of the size of the business (no de minimis threshold). Investments in such companies must therefore be thoroughly reviewed to ensure that any reporting obligation is met. If the reporting obligation is not fulfilled, the FMEA can still block the investment after several years – and in the worst case can declare the M&A contract void.

The vast majority of non-EU investments in cybersecurity companies likely falls into category 2. This is because IT and telecommunication companies are often part of critical infrastructure. Additionally, investments in companies that develop software for operating critical infrastructure, providers of cloud computer services or communication tools in the health sector (so called “telematics infrastructure”), have to be reported (Section 55 Para. 1 S. 2 & Para. 4 FTPO). The FMEA can prohibit such investments.

Extensive use of Investment Control a Result of Lowering the Review Threshold?

German investment control laws have undergone many changes in the past few years. The fear of theft of “know-how”, additionally fuelled by the pandemic caused by the SARS-CoV-2 virus, is driving national and European legislators towards an extensive investment control. This tendency became especially apparent with the lowering of the FDI screening thresholds for companies of category 1 and 2 in 2018. The German government believed that this was the only way to protect the relevant sectors (e.g. cybersecurity) against damaging foreign investments. It can be assumed that the number of reportable company acquisitions will increase again due to the upcoming regulatory measures, especially in the cybersecurity industry.

Conclusion

The increasing restrictions on foreign investments under the banner of cybersecurity appears to be successful. However, this has meant a reduction in the intensity of competition while increasing government intervention. The government is using its powers of intervention to an even greater extent – especially to protect digital infrastructure. Foreign investors considering an acquisition of a company active in IT infrastructure or surveillance technology are advised to keep these regulatory developments in mind, to avoid delays or failure of the acquisition. Experience shows that transparent communication with the FMEA has a positive effect on the transaction.

BLOMSTEIN will continue to monitor and report on the developments. If you have questions about the potential impact of cybersecurity in your company or sector, Roland M. Stein and Leonard von Rummel are more than happy to provide assistance.

back to overview