Executive Order 14083 (EO 14083), issued on September 15, 2022, sets out an expanded range of national security factors that the Committee on Foreign Investment in the United States (CFIUS) must consider when evaluating in-bound investment into the United States. The move is part of the Biden Administration’s continuing efforts to safeguard against potential national security risks from “competitor or adversarial nations,” with a particular focus on enhancing U.S. supply chain resilience and preserving U.S. technological leadership. Notably, although EO 14083 applies to all “covered transactions,” it emphasizes the concerns that CFIUS has most recently raised in blocking transactions involving Chinese investment in the U.S. technology sector (e.g., access to the sensitive personal data of U.S. citizens), including several proposed Chinese investments in the semiconductor sector.

Background

Section 721 of the Defense Production Act (the DPA) authorizes CFIUS to review any covered transaction to determine the potential effects of such transaction on the national security of the United States. The DPA provides that CFIUS may consider ten specific factors when assessing contemplated transactions, as well as any other factors the President or CFIUS may determine to be appropriate. The broad scope of these factors affords CFIUS significant leeway in its reviews of covered transactions.

EO 14083, however, directs CFIUS’s attention to factors of particular concern to current U.S. economic and national security interests and requires CFIUS to consider a certain group of factors – some already enumerated in the DPA, some new – when conducting its reviews. While CFIUS still retains discretion to prioritize certain factors over others, EO 14083 requires CFIUS to deliberate on certain key elements of a proposed transaction.

Considerations relating to existing national security factors in the DPA

EO 14083 introduces specific considerations relating to two of the factors already contained in Section 721 of the DPA:

• The control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security; and
• The potential effects of the proposed or pending transaction on U.S. international technological leadership in areas affecting U.S. national security.

Considerations relating to the control of U.S. industry and commercial activity

With respect to a proposed transaction’s potential impact on the control of U.S. industry and commercial activity, EO 14083 requires CFIUS to consider, among other things:

• A covered transaction’s effect on supply chain resilience and security, both within and outside of the defense industrial base, in manufacturing capabilities, services, critical mineral resources, or technologies that are fundamental to national security, including: microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy (such as battery storage and hydrogen), climate adaptation technologies, critical materials (such as lithium and rare earth elements), elements of the agriculture industrial base that have implications for food security, and other sectors;
• The degree of involvement in the U.S. supply chain by a foreign person who is a party to the covered transaction and who might take actions that threaten to impair the national security of the United States as a result of the transaction, or who might have relevant third-party ties that might cause the transaction to pose such a threat;
• The degree of diversification through alternative suppliers across the supply chain, including suppliers located in allied or partner economies;
• Whether the U.S. business that is party to the covered transaction supplies, directly or indirectly, the U.S. Government, the energy sector industrial base, or the defense industrial base; and
• The concentration of ownership or control by the foreign person in a given supply chain.

Considerations relating to U.S. technological leadership

With respect to a proposed transaction’s potential impact on U.S. technological leadership, EO 14083 requires CFIUS to consider, among other things:

• Whether a covered transaction involves manufacturing capabilities, services, critical mineral resources, or technologies that are fundamental to U.S. technological leadership and therefore national security, such as microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies;
• Relevant third-party ties that might cause the transaction to threaten to impair the national security of the United States; and
• Whether a covered transaction could reasonably result in future advancements and applications in technology that could undermine national security.

New national security factors and related considerations

EO 14083 also introduces new factors not currently listed in the DPA and requires CFIUS to consider these factors in its reviews. These new factors generally fall into three categories: (i) factors relating to aggregate industry investment trends; (ii) factors relating to cybersecurity risks; and (iii) factors relating to sensitive data risks.

Factors relating to aggregate industry investment trends

With respect to aggregate industry investment trends, EO 14083 requires CFIUS to consider, among other things:

• The risks arising from the covered transaction in the context of multiple acquisitions or investments in a single sector or in related manufacturing capabilities, services, critical mineral resources, or technologies, by any foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, or involving relevant third-party ties that might cause the transaction to pose such a threat.

In other words, this factor considers the potential market consolidation resulting from a proposed transaction. As part of this analysis, CFIUS may request the Department of Commerce’s International Trade Administration to provide an analysis of the industry or industries in which the U.S. business operates, and the cumulative control of, or pattern of recent transactions by, a non-U.S. person, including, directly or indirectly, a non-U.S. government, in that sector or industry.

Factors relating to cybersecurity risks

With respect to the potential cybersecurity risks arising from a proposed transaction, EO 14083 requires CFIUS to consider, among other things:

• Whether a covered transaction may provide a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, or their relevant third-party ties that might cause the transaction to pose such a threat, with direct or indirect access to capabilities or information databases and systems on which these actors could engage in malicious cyber‑enabled activities affecting the interests of the United States or U.S. persons; and
• The cybersecurity posture, practices, capabilities, and access of both the foreign person and the U.S. business that could allow a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, or their relevant third-party ties that might cause the transaction to pose such a threat, to manifest cyber intrusion and other malicious cyber-enabled activity within the United States.

Factors relating to sensitive data risks

With respect to the potential sensitive data risks arising from a proposed transaction, EO 14083 requires CFIUS to consider, among other things:

• Whether a covered transaction involves a U.S. business that: (i) has access to U.S. persons’ sensitive data, including U.S. persons’ health, digital identity, or other biological data and any data that could be identifiable or de‑anonymized, that could be exploited to distinguish or trace an individual’s identity in a manner that threatens national security; or (ii) has access to data on sub-populations in the United States that could be used by a foreign person to target individuals or groups of individuals in the United States in a manner that threatens national security; and
• Whether a covered transaction involves the transfer of U.S. persons’ sensitive data to a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, and whether the foreign person has relevant third-party ties that have sought to exploit such information or have the ability to exploit such information to the detriment of national security, including through the use of commercial or other means.

So what does this mean for in-bound U.S. M&A and investments? For the most part, these new rules simply formalize what CFIUS has already been doing – that is, focusing on enhancing U.S. supply chain resilience and preserving U.S. technological leadership, while seeking to safeguard sensitive data, resources, and infrastructure. Transaction parties must continue to think carefully, and in advance, about how to present their contemplated transactions to CFIUS. Further, parties must anticipate the potential questions that CFIUS may ask, and must also consider how to plan their transactions and construct their broader investment strategies in order to have the best chance of successfully navigating U.S. regulatory processes and obtaining CFIUS clearance.