The Year Ahead in National Security Regulation
February 21, 2024, Covington Alert
Executive Summary
As we predicted last year, 2023 was an inflection point in global national security regulation. The governments of the United States and other countries expanded their toolsets beyond traditional regulatory authorities in order to more effectively address perceived national security risks in a variety of regulatory domains, including data management, communications, and antitrust. The Biden Administration and the Congress took unprecedented actions to expand and strengthen U.S. national security authorities—particularly as they relate to China. President Biden issued executive orders regulating outbound investments and artificial intelligence (“AI”). Meanwhile, various Committees of Congress embarked on an ambitious agenda of investigations and hearings, laying the groundwork for national security-related legislation in a range of areas. Globally, more countries pursued the adoption and implementation of foreign investment review regimes, and the United Kingdom and European Union signaled their intent to evaluate the need for outbound investment screening.
Looking ahead to the rest of 2024, we anticipate a sustained—and growing—emphasis on further bolstering national security-related laws and regulations to address cross-border transactions. Key areas to watch in the United States include, among other things, the possibility of legislation expanding the jurisdiction and membership of the Committee on Foreign Investment in the United States (“CFIUS”); a rulemaking to operationalize the outbound investment regime contemplated by last year’s executive order; an executive order addressing transfers of sensitive personal data (expected to issue in the coming weeks); and possible new legislative measures or executive action targeting perceived risks in the biotechnology sector. These developments warrant close attention in the coming months.
Adding to this dynamic, 2024 will witness what promises to be a hotly contested presidential election in the United States. With a majority of Americans viewing China as the United States’s greatest national security threat and holding predominantly (83%) negative views of that country, both political parties are likely to perceive measures that are tough on national security or China as vote winners. This in turn could lead to a competition between the parties to be the most hawkish on China issues. Further informing—and complicating—U.S. national security policy is an increasingly fraught global geopolitical environment, exemplified by Russia’s ongoing war with Ukraine, the Israel–Hamas war in Gaza, and associated tensions across the Middle East. Consequently, alongside a likely surge in legislative and regulatory activity, there also will be continued pressure on existing frameworks like CFIUS to exercise caution and prioritize risk avoidance, especially in relation to all matters with a China or Russia dimension.
Finally, following years of concerted effort by the U.S. government to shore up allied support for inbound and outbound foreign investment screening and related trade control reforms, we foresee an acceleration in the implementation and refinement of foreign investment review regimes worldwide. While historically this activity has primarily been at a national level—especially within Europe—the shifting global politics of recent years has prompted a renewed focus on security cooperation. This has taken shape through formal security pacts such as AUKUS (which since 2021 has prompted policy and legislative developments to facilitate cooperation and strengthen mutual controls), bilateral policy announcements, and greater cooperation and harmonization of security driven trade and investment controls between economic partners—most notably within the European Union. We expect that this year will bring particular focus to the European Union, as it considers new mechanisms at the international level to make national foreign investment screening regimes more robust and consistent.
Given the pace of change in the national security regulatory landscape, it is imperative for businesses across industries to evaluate strategic decisions not only under existing law, but also with an eye toward how the law is likely to evolve in the near term. And for parties considering transactions that are subject to CFIUS jurisdiction, meticulous planning is crucial as reviews become lengthier and more demanding than ever before.
CFIUS in 2024: More Demands on the System
An expected increase in transactional activity in 2024—coupled with the presidential election and other stressors described above—almost certainly will tax a CFIUS process that has already grown more expansive and, in certain respects, challenging. With the election as the backdrop, we also expect amplified political rhetoric regarding strategic competition with China. This in turn will create pressures on the Committee to scrutinize not only transactions involving Chinese parties, but any transaction with an apparent nexus to China or to U.S.–China economic competition, including—to the likely surprise of many transaction parties—with respect to the U.S. business’s own operations in China.
As the election draws near, we expect that both the staff and the senior political officials involved in the CFIUS review process will be even more stretched than usual. Their attention and resources will be focused not only on CFIUS reviews but also on other Administration initiatives aimed at addressing U.S. national security interests. Indeed, many CFIUS offices and staff members across the various CFIUS member agencies are being called upon to support such emerging national security regulatory regimes as the Information and Communications Technology and Services Rule (“ICTS”), the Outbound Investment Executive Order, and the anticipated sensitive personal data executive order. This places significant strain on Committee resources, particularly at senior levels. The Committee also is expending more resources to work with allies and partners on their foreign investment processes, to address shared concerns regarding potential transactions involving countries of concern, and to oversee monitoring and enforcement matters related to existing national security agreements with CFIUS.
As CFIUS’s responsibilities expand in response to the increasing role it plays in protecting U.S. national security—and with the possibility of Congress considering legislation to address perceived gaps in CFIUS’s authorities—it will be particularly important for transaction parties to plan carefully and be prepared to lean into presenting information to CFIUS and addressing potential CFIUS concerns. This proactive approach is essential to mitigate potential delays and obstacles to transaction timing and execution. Put simply, CFIUS has evolved from a small and obscure regulatory backwater into a formidable bureaucratic behemoth. While it remains highly professional, the breadth and scope of the process—and the demands on CFIUS officials’ time—underscore the importance of thorough planning and anticipation of CFIUS concerns, together with a keen understanding of the process and its intricacies.
Is CFIUS Reform Legislation on the Horizon?
As the longstanding primary regulator of national security in the context of foreign direct investment, CFIUS historically has been an attractive tool to address an array of national security concerns. However, the Committee's statutory authorities have only undergone updates approximately once a decade, most recently in 2007 and 2018. Periodically, proposals emerge to broaden the Committee's membership and jurisdiction. For instance, it is often suggested that the Secretaries of Agriculture and Health and Human Services—both frequent ad hoc participants called on by CFIUS to assist with cases—should be made permanent members. But the frequency and seriousness of such proposals seems to have increased in the last year.
Notably, in December 2023, the U.S. House Select Committee on Strategic Competition between the United States and the Chinese Communist Party (“China Select Committee”) published a report entitled “Reset, Prevent, Build: A Strategy to Win America’s Economic Competition with the Chinese Communist Party” (the “Report”). The Report proposed various changes to CFIUS’s governing statute and regulations. While the China Select Committee lacks legislative authority, its recommendations nonetheless carry some weight. Some of its recommendations address long-perceived gaps in CFIUS’s authorities, such as expanding the definition of “critical technologies” and extending CFIUS’s jurisdiction to include greenfield investments; we expect that these recommendations in particular have a greater likelihood of becoming proposed legislation at some point.
Specifically, we expect the following recommendations included in the Report may, at least in principle, inform new legislation in the short- or medium-term:
- Expanding the definition of “critical technologies.” Certain transactions require a mandatory filing with CFIUS if the U.S. business is involved in producing, designing, testing, manufacturing, fabricating, or developing “critical technologies.” Currently, critical technologies are defined by reference to other lists maintained by the U.S. government, particularly in the export control realm, including the U.S. Munitions List and certain items on the Commerce Control List. Export control lists have been criticized as slow to keep up with evolving technologies and shifting risks; some in Congress and the national security agencies view the current CFIUS definition of “critical technology” as insufficiently narrow.
The Report proposes expanding these categories to include technologies that “directly or indirectly enable those technologies listed as a Critical and Emerging Technology by the White House of Science and Technology Policy.” This broadened scope would include technologies in sectors like advanced computing, AI, biotechnology, financial technology, quantum information technology, and semiconductors. It also would empower CFIUS to add any technology either by a majority vote of the CFIUS member agencies or by any one member agency in conjunction with the Treasury Department (in its capacity as Committee Chair). If adopted, this recommendation could substantially expand the range of transactions subject to a mandatory filing with CFIUS; it also could increase business uncertainty if the authority is used frequently.
- Expanding coverage of real estate transactions. Current law grants jurisdiction to CFIUS over certain real estate transactions involving properties situated in or near specific designated locations deemed sensitive from a national security perspective, including various military installations and military training and testing ranges. However, the existing list of designated locations does not encompass all U.S. military sites, leading to criticism that CFIUS lacks adequate authority to address all proximity-related risks arising from real estate transactions. The Report proposes a broad expansion of the rule to include “all military facilities, acknowledged intelligence sites, national laboratories, defense-funded university-affiliated research centers, and critical infrastructure sites.” It also recommends expanding CFIUS jurisdiction to cover non-urban, non-single-housing real estate transactions involving foreign adversary entities where such transactions could facilitate surveillance of sensitive sites.
- Greenfield investment. Under existing law, CFIUS has jurisdiction over acquisitions of control of, or certain investments in, existing U.S. businesses, including where such transactions may involve a joint venture. However, CFIUS does not have jurisdiction to review “greenfield” investments—i.e., where a foreign person establishes a new business entirely from scratch in the United States—outside of the real estate context. The Report proposes expanding CFIUS’s jurisdiction to, and mandating filings for, all greenfield investments, regardless of proximity to sensitive sites, by foreign adversary entities (including China), if such greenfield investment involves critical technologies, critical infrastructure, or sensitive personal data.
- Weakening the safe harbor. Under current law, once CFIUS clears a transaction, the transaction parties benefit from a “safe harbor”—i.e., CFIUS cannot re-open its review at a later time, except in certain narrow circumstances. This safe harbor is one of the principal incentives that encourage parties to file voluntarily with CFIUS. The Report, however, proposes that “in rare cases where the national security risk” relating to a transaction has “significantly heightened since the transaction was completed,” CFIUS be allowed to reopen or alter previously mitigated transactions. Notably, the Report does not suggest any temporal limit on this ability to disturb previously mitigated and settled transactions. This would both give CFIUS significant discretion as well as introduce uncertainty for any transaction that clears CFIUS review and subsequently closes.
- Additional Measures. The Report also recommends other measures, including adding the Secretary of Agriculture to the Committee, and streamlining the process for identifying Excepted Investors. This entails crafting guidance on the Excepted Investor provision to prevent its misuse as a means to circumvent CFIUS review. The Report further suggests granting CFIUS subpoena power for non-mandatory-filing transactions and creating confidentiality exceptions to encourage whistleblowers.
In addition to the above recommendations, the Report also contemplates certain changes that would represent significant departures from the current law and be deeply problematic for the process and transaction parties if adopted. We expect it is less likely that such proposals would be included in actual legislation. These recommendations include the following:
- Joint ventures with foreign adversary entities. The Report suggests that CFIUS ought to possess jurisdiction over all joint ventures involving foreign adversary entities, including those with minority stakes, and that a CFIUS filing should be mandatory. It also proposes establishing a presumption of unresolvability for joint ventures involving critical technologies. This means that CFIUS would start from a presumption of recommending that the President prohibit the transaction unless all concerns can be fully addressed through mitigation. Such a presumption, when combined with the previously noted risk aversion built into the present system, likely would lead to a significant increase in effective prohibitions.
- Three-year limit for mitigation agreements. The Report recommends requiring CFIUS to block any transaction for which the national security concerns cannot be resolved through a mitigation agreement within three years. It is unclear what this means. Virtually all CFIUS mitigation agreements last for longer than three years. It is possible that the authors of the Report may intend that any mitigation measures—such as required divestitures, security measures, etc.—be implemented within three years; however, this is not clear from the Report.
Outbound Investment
As we previously reported, the Biden Administration issued an executive order last August declaring a national emergency regarding the development of advanced technology by “countries of concern” and directing the Secretary of the Treasury to draft regulations controlling the flow of U.S. investments to China in certain sectors.
Within days following the release of the executive order, Treasury published an advance notice of proposed rulemaking (the “ANPRM”), outlining its proposed framework for implementing the executive order and inviting comments thereon. The ANPRM delineated a two-tier regulatory structure wherein investments in certain less sensitive sectors require notification to the Treasury Department, while investments in more sensitive sectors are prohibited outright.
We expect the Treasury Department will issue a proposed final rule implementing the executive order sometime in the coming months, possibly within weeks. The proposed final rule will need to resolve outstanding questions left open by the ANPRM, such as potential exceptions for “passive investments,” the definition of “covered foreign persons” subject to investment restrictions or required notifications, and the extraterritorial application of the new rules to foreign investments based on the involvement of U.S. persons.
There also is continuing momentum in Congress to legislate on outbound investment, potentially by expanding upon and codifying the executive order. One notable effort is the Preventing Adversaries from Developing Critical Capabilities Act (the “McCaul–Meeks Bill”) in the House of Representatives. This bill proposes a regulatory framework similar to the executive order, featuring a two-tier system categorizing sectors, or sub-sectoral transactions, by sensitivity. Less sensitive transactions would require mandatory notification, while more sensitive transactions would be prohibited outright. The McCaul–Meeks Bill would add supercomputing and hypersonics to the list of controlled sectors, and Iran, North Korea, and Russia to the list of countries of concern. Sponsored by Foreign Affairs Committee Chairman Michael McCaul (R-TX) and Ranking Member Gregory Meeks (D-NY), the bill has yet to pass the House.
Some members of the House—including House Financial Services Committee Chairman Patrick McHenry (R-NC) and China Select Committee member Andy Barr (R-KY)—prefer a sanctions-based approach over the regulatory framework proposed by the McCaul–Meeks Bill. Negotiations to resolve this intra-House and intra-party disagreement are ongoing. In short, while there is significant support for legislation enhancing regulation of outbound investment, the precise form of a bill that is able to garner House approval, or ultimately becomes law, remains uncertain.
The China Select Committee also called for restrictions on outbound investment in its report “The CCP’s Investors: How American Venture Capital Fuels the PRC Military and Human Rights Abuses” (“The Outbound Investments Report”). The Outbound Investments Report recommends prohibiting any U.S. investment in Chinese companies included on certain U.S. government sanctions and red flag lists, including the Uyghur Forced Labor Prevention Act Entity List, the Non-SDN Chinese Military-Industrial Complex Companies List, the Military End User List, the Federal Communications Commission’s Covered List, the Entity List, the Withhold Release Orders and Findings List related to forced labor, and the lists established in § 889 of the 2019 NDAA, § 1260H of the 2021 NDAA, and § 5949 of the 2023 NDAA. It further recommends prohibitions on U.S. investments in any Chinese company in certain sectors. Specifically, it notes the sectors identified as critical by the Office of Science and Technology Policy, and the sectors that the Chinese Communist Party identified in its 14th Five-Year Plan.
Other U.S. National Security Legislation and Executive Action
We are also seeing continued appetite in both the Administration and Congress to pursue additional measures to address concerns regarding sensitive personal data, especially in the biotechnology sector. These efforts are likely to persist throughout 2024. Two illustrative proposals—among potentially many others in the pipeline—are outlined below:
- EO on Sensitive Data Transfers. We expect that the Administration will soon release an executive order prohibiting the bulk transfer of certain U.S. sensitive personal data (such as through data broker transactions or the transfer of genomic data) as well as the transfer of any U.S. government data to countries of concern. The executive order may also restrict various other transactions, including vendor, employment, and investment agreements that involve data transfers. Our understanding is that these new regulations are not intended to constitute a comprehensive data protection regime akin to the General Data Protection Regulation (“GDPR”) in the European Union, nor are they intended to focus on individually reviewing transactions. Rather, they would entail targeted prohibitions on specific categories of transactions. The U.S. Department of Justice is likely to be the lead agency implementing and overseeing the regulations; it may also delineate certain excepted transactions such as the transfer of videos, emails, academic records, or matters of public record.
- Biosecure Act. The House and Senate are working on identical bills aimed at prohibiting the use of “Biotechnology Companies of Concern” in performing contracts that are ultimately for U.S. government customers and potentially barring their use altogether for companies that wish to sell to the U.S. government.
“Biotechnology companies of concern” include certain already identified companies, including BGI, MGI, Complete Genomics, Wuxi Apptec, and any subsidiary, parent affiliate, or successor of such entities. The legislation contemplates that additional companies may be added to the list, which would be based on such factors as whether the company falls under the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary, is involved to any extent in the manufacturing, distribution, provision, or procurement of biotechnology equipment or service, and poses a risk to national security.
The assessment of national security risk would be informed by whether the company (1) engages in joint research or otherwise is supported by or affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies; (2) provides multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or (3) obtains human multiomic data via biotechnology equipment or services without express and informed consent. Overall, the bill has the potential to impose significant restrictions on collaborations with Chinese biotechnology companies (as well as with other foreign adversary countries such as Iran, Russia, and North Korea, though this would be less of an issue as a practical matter).
United Kingdom
It is noteworthy that the trend towards increased economic security regulations is global and involves many U.S. allies and partners.
This can be clearly seen in the United Kingdom, which, in a UK–U.S. joint statement in June 2023, identified a “shared objective in preventing [their] companies’ capital and expertise from fueling technological advances that will enhance the military and intelligence capabilities of countries of concern.” While in the United States work was already well underway on the proposals for targeted controls on outbound investments, and shortly thereafter resulted in the August executive order and ANPRM we have discussed above, the United Kingdom announced only an intent to consider complementary controls. The UK Department for Business and Trade has subsequently convened discussions with industry and stakeholder groups to establish an initial base of evidence to evaluate potential national security risks, and the potential options for policy responses and outbound investment controls, but has not yet publicly put forward a proposal.
The established, but still relatively young, inbound foreign investment regime in the United Kingdom is also expected to see changes in the coming year, as the UK government draws lessons from the first two years of its operation. The UK government issued a Call for Evidence at the end of 2023, seeking to inform potential changes to the scope of the mandatory notification requirements under the United Kingdom’s foreign investment review regime, and the process for the notification and assessment of transactions. The questions posed suggest that contemplated amendments could affect transactions in the communications and data infrastructure, semiconductors, and critical mineral sectors, and the treatment of internal restructurings under the regime. The consultation closed on January 15, 2024, and could result in material reforms to the practicalities, breadth, and transparency of the United Kingdom’s foreign investment screening regime during the coming year.
Enhanced Regulations in the European Union
In parallel, the European Union is also expected to take steps towards expanding its framework for regulating the foreign investment screening mechanisms of Member States. This initiative was outlined in the European Economic Security Package (“EESP”), announced on January 24, 2024. The EESP calls for a more resilient and consistent approach to screening foreign investment into the European Union, improved coordination of export control policy and enforcement among Member States, work to identify risks associated with outbound investments, and enhanced support for, and security around, research and development involving dual-use technologies. Covington’s full review of the EESP can be found here.
Particularly significant is the aspect of the EESP that would align European screening regimes under the framework more closely with the CFIUS approach. This would include formally extending screening of investments to EU investors ultimately controlled by non-EU countries and identifying a minimum set of sensitive sectors that all EU Member States must screen—although a crucial point will be whether the scope of these sectors will be clearly defined, or whether interpretation will be left to the responsible screening authorities of the 27 Member States.
Conversely, the outbound investments portion of the EESP holds less immediate significance, as it only calls for a period of study to be undertaken throughout 2024. In our view, it is likely that action on an EU outbound investments scheme will not materialize until at least 2025 or later, following the publication of an anticipated joint risk assessment report summarizing the results of the study period and recommending whether the European Commission should implement a regulatory policy response.
* * *
We will continue to monitor these developments and keep our clients apprised as the national security regulatory landscape evolves.