Lawzana Lawzana Logo
FIND A LAWYER
Lawzana Logo
For Lawyers
✦ Flow AI Pricing & Plans Websites for lawyers Marketing services Legal Jobs Blog
REGISTER FOR FREE

Existing user? Sign in

US CFIUS Review Checklist for Cross-Border Tech Acquisitions: A Complete Guide for United States

United States
Updated Mar 13, 2026

  • Determine TID status immediately: Assess whether the US target company deals in critical Technology, Infrastructure, or sensitive Data (TID) to establish CFIUS jurisdiction.
  • Check mandatory filing triggers: Foreign investments involving critical technologies subject to upcoming 2026 export control updates or foreign government-backed buyers often require mandatory declarations.
  • Wait for safe harbor: Closing a cross-border tech acquisition before receiving CFIUS clearance leaves the deal vulnerable to forced unwinding and severe financial penalties.
  • Map beneficial ownership: CFIUS demands total transparency regarding the acquiring entity's ultimate beneficial owners (UBOs) and any foreign government ties.
  • Plan for mitigation: Prepare proactive strategies for National Security Agreements (NSAs) to address potential CFIUS concerns without derailing the transaction.

What is a CFIUS Review for Tech Acquisitions?

The Committee on Foreign Investment in the United States (CFIUS) evaluates cross-border transactions to identify and address national security risks. If a foreign person or entity acquires control over-or makes certain non-passive investments in-a US business, CFIUS has the authority to review the deal, impose strict mitigation measures, or recommend the President block the transaction entirely. For technology acquisitions, scrutiny is exceptionally high due to concerns over intellectual property transfer, supply chain integrity, and data security.

US CFIUS Review Checklist for Cross-Border Tech Acquisitions

This actionable checklist outlines the critical phases a foreign buyer and US target must complete to ensure compliance with CFIUS regulations and secure transaction clearance. Use this framework during the initial due diligence phase of your M&A transaction.

Phase 1: Jurisdiction and Due Diligence

  • Analyze target operations: Confirm if the US business develops, designs, or tests critical technologies, manages critical infrastructure, or collects sensitive personal data (TID).
  • Identify the buyer's foreign status: Determine if the acquiring entity is legally classified as a "foreign person" under CFIUS regulations.
  • Map the ownership structure: Trace the buyer's corporate structure up to the Ultimate Beneficial Owners (UBOs).
  • Check for foreign government ties: Identify any direct or indirect funding, voting control, or board seats held by foreign state-owned enterprises or governments.

Phase 2: Filing Determination

  • Conduct an export control classification: Evaluate the target's technology against current Commerce Control List (CCL) requirements and upcoming 2026 export control updates.
  • Assess mandatory filing triggers: Determine if a mandatory declaration is required due to critical technology export licensing requirements or substantial foreign government backing.
  • Evaluate voluntary filing benefits: Decide if submitting a voluntary Notice is advantageous to secure safe harbor clearance and prevent post-closing reviews.

Phase 3: Preparation and Submission

  • Gather biographical data: Collect passports, CVs, and background information for all foreign directors and significant shareholders.
  • Draft the Declaration or Notice: Prepare the required legal filings detailing the transaction structure, commercial rationale, and cyber security protocols.
  • Pay filing fees: Calculate and remit the required filing fee to the US Department of the Treasury (applicable for Notices, not Declarations).

Phase 4: Review and Post-Filing Strategy

  • Establish a mitigation strategy: Draft proposed structural or operational changes in case CFIUS identifies national security risks.
  • Monitor the statutory timeline: Track the 30-day Declaration assessment or the 45-day Notice review period.
  • Delay transaction closing: Ensure the deal does not legally close until official CFIUS clearance (safe harbor) is granted.

Identifying Critical Technologies, Infrastructure, and Data (TID)

A US target company is classified as a "TID U.S. business" if it produces critical technologies, manages critical infrastructure, or maintains sensitive personal data of US citizens. Establishing whether a target falls into this category is the most critical step in determining CFIUS jurisdiction and mandatory filing requirements.

CFIUS heavily scrutinizes businesses involved in these three areas:

  • Critical Technologies: This includes items regulated by the International Traffic in Arms Regulations (ITAR), certain items on the Commerce Control List (CCL), and emerging technologies like artificial intelligence, quantum computing, and advanced semiconductors.
  • Critical Infrastructure: Facilities, systems, or assets whose incapacitation would debilitate national security, economic security, or public health. This includes telecommunications networks, energy grids, and specialized manufacturing plants.
  • Sensitive Personal Data: Companies that maintain or collect identifiable data on over one million US citizens, or data related to US military personnel, biometric records, genetic information, or precise geolocation data.

Evaluating Mandatory Declarations Under 2026 Export Control Lists

Foreign buyers must file a mandatory CFIUS declaration if the US target produces critical technologies that would require US export licenses to export to the buyer's home country. As the US government tightens controls on emerging tech, M&A teams must align their due diligence with the anticipated 2026 export control list updates, which expand licensing requirements for AI, biotechnology, and semiconductor manufacturing equipment.

Failing to submit a mandatory declaration carries a civil penalty up to the total value of the transaction. To determine if a mandatory filing is required, the transaction parties must:

  1. Identify the Export Control Classification Numbers (ECCNs) of all target company products, software, and technology.
  2. Determine if an export license would be required to transfer that technology to the foreign buyer's principal place of business or the nationality of its UBOs.
  3. Check if any license exceptions (such as ENC for encryption commodities) apply, though CFIUS strictly limits which exceptions bypass the mandatory filing rule.

Detailed regulations on mandatory declarations and critical technologies can be referenced in 31 CFR Part 800, the official federal code governing CFIUS.

Securing CFIUS Safe Harbor Before Closing

Closing a cross-border transaction before securing CFIUS safe harbor exposes the buyer to catastrophic risk, including forced divestment of the acquired company. Safe harbor is a formal legal assurance that CFIUS has concluded its review and will not initiate a subsequent investigation into the transaction, barring any material misstatements or fraud during the filing process.

Foreign buyers often make the mistake of closing deals quickly to lock in market advantages, assuming CFIUS will not notice smaller acquisitions. However, CFIUS actively monitors non-notified transactions using commercial databases, press releases, and tips from competitors. If CFIUS calls in a closed deal for review and identifies unmitigable national security risks, they can order the transaction completely unwound, resulting in massive financial losses, wasted legal fees, and reputational damage.

Preparing Disclosures on Foreign Government Ties and Ultimate Beneficial Owners

CFIUS requires complete transparency regarding the ultimate beneficial owners (UBOs) and any foreign government relationships connected to the acquiring entity. Concealing or misrepresenting the ownership chain guarantees severe penalties and transaction rejection.

When preparing your filing, you must trace ownership all the way to the human individuals or sovereign entities at the top of the corporate structure. The disclosure must detail:

  • Voting power and board rights: The exact percentage of voting shares and the ability to appoint board members or observers.
  • Sovereign wealth funds: Any direct or indirect capital provided by state-sponsored investment vehicles.
  • Foreign military ties: Any contracts, historic relationships, or advisory roles between the UBOs and foreign defense establishments.
  • Third-party rights: Any unique veto rights over business decisions held by minority foreign shareholders.

Drafting a Mitigation Agreement Strategy

A mitigation agreement allows a transaction to proceed by imposing structural, operational, or governance conditions to neutralize identified national security risks. Proposing a viable mitigation strategy early in the review process can prevent a transaction from being blocked.

Typical CFIUS mitigation measures (often formalized in a National Security Agreement or Letter of Assurance) include:

  • Data localization: Requiring all sensitive personal data of US citizens to be stored on servers located within the United States.
  • Access controls: Restricting the foreign parent company from accessing the target's source code, IP, or critical US facilities.
  • Corporate governance: Mandating the appointment of a US citizen as a Chief Security Officer (CSO) or establishing an independent security committee on the board of directors.
  • Third-party auditing: Requiring the company to hire an independent, CFIUS-approved auditor to submit annual compliance reports to the US government.

Common CFIUS Misconceptions

  • "We are an allied nation, so CFIUS does not apply." While investors from "excepted foreign states" (currently Australia, Canada, New Zealand, and the UK) enjoy certain exemptions from non-controlling investment reviews, they are not entirely immune to CFIUS jurisdiction, particularly for transactions resulting in foreign control of a US business.
  • "Minority investments are exempt from review." CFIUS jurisdiction extends to non-controlling investments if the foreign investor gains access to material nonpublic technical information, board observer rights, or involvement in substantive decision-making regarding a TID US business.
  • "Small deal values fly under the radar." CFIUS jurisdiction is not tied to monetary thresholds. A $1 million acquisition of a small seed-stage startup developing critical defense technology is scrutinized just as heavily as a $1 billion corporate merger.

Frequently Asked Questions

How long does the CFIUS review process take?

The CFIUS timeline depends on the filing type. A short-form Declaration takes 30 days to assess. A full Notice requires a 45-day initial review period, which can be followed by an additional 45-day investigation period if national security risks are identified.

What are the filing fees for a CFIUS review?

Filing a short-form Declaration is free. Submitting a voluntary or mandatory Notice requires a tiered filing fee based on the transaction value, ranging from $0 for deals under $500,000 up to $300,000 for transactions exceeding $750 million. Exact fee structures are published by the US Department of the Treasury.

What happens if a mandatory declaration is not filed?

Failure to file a mandatory declaration when required can result in civil penalties up to the value of the transaction or $250,000, whichever is greater, alongside potential forced divestiture of the acquired assets.

When to Hire a Lawyer

You should engage experienced M&A counsel specializing in international trade and national security immediately upon identifying a US-based target company for acquisition. Because CFIUS jurisdiction hinges on complex definitions of critical technology and export controls, attempting to self-diagnose filing requirements exposes the transaction to fatal regulatory risks. Consulting United States lawyers with direct CFIUS experience is essential before signing term sheets or initiating definitive agreements.

Next Steps

  1. Conduct Preliminary TID Assessment: Review the target company's product lines, data collection practices, and government contracts to determine if they qualify as a TID US business.
  2. Map the Acquirer's Ownership: Create a detailed organizational chart mapping all beneficial owners, foreign government ties, and voting structures of the acquiring entity.
  3. Engage Regulatory Counsel: Hire specialized counsel to perform a formal export control classification and determine if your transaction triggers a mandatory CFIUS declaration.

Similar Articles

United States Jan 14, 2026

How to File a Business Lawsuit in Florida 2026 United States

What types of business disputes justify a lawsuit in Florida? Business lawsuits in Florida typically arise when one par...

Read Article
United States Mar 07, 2026

United States HSR Act Merger Filings - 2026 Antitrust FAQ

US HSR Act Merger Filings FAQ: 2026 Antitrust Guide for Foreign Acquirers The Hart-Scott-Rodino (HSR) Act requires for...

Read Article
United States Feb 03, 2026

California CCPA 2026 for United States International Firms

International businesses are subject to the California Consumer Privacy Act (CCPA) if they meet specific revenue or da...

Read Article

Need Legal Guidance?

Connect with experienced lawyers in your area for personalized advice.

No obligation to hire. 100% free service.

Find Lawyers

Lawyers in United States

Disclaimer:
The information provided on this page is for general informational purposes only and does not constitute legal advice. While we strive to ensure the accuracy and relevance of the content, legal information may change over time, and interpretations of the law can vary. You should always consult with a qualified legal professional for advice specific to your situation.

We disclaim all liability for actions taken or not taken based on the content of this page. If you believe any information is incorrect or outdated, please contact us, and we will review and update it where appropriate.