Final CFIUS Mandatory Declaration Rule Shifts Focus to Export Control Requirements

October 14, 2020

US businesses that manufacture or are involved with critical technologies should consider whether they need an export license under the final CFIUS mandatory declaration requirements, effective October 15, 2020.

The US Department of the Treasury on September 15 finalized recent changes to the Committee on Foreign Investment in the United States (CFIUS) mandatory declaration requirements to focus on the export controls framework to identify US businesses that manufacture or are otherwise involved with critical technologies. The final rule is effective on October 15, and will apply to all subsequent transactions under CFIUS jurisdiction, subject to certain transitional rules included in the regulations.

While largely codifying the changes in the May 2020 proposed rule, the final rule clarifies certain aspects of the proposed rule and completes the transition away from the Pilot Program’s use of the 27 North American Industry Classification System (NAICS) codes, pivoting toward a focus on export licensing requirements under four regulatory regimes.

The immediate impact of this change will be the need to develop a more detailed and accurate export classification analysis of products and technology made by the US business that is the subject of the transaction and a determination of whether an export license would be required for the foreign investor/purchaser involved in the covered transaction. Incorrect or inaccurate export classifications can be costly since parties risk a financial penalty up to and including the value of the transaction if a submission is not made to CFIUS when the transaction is subject to the mandatory declaration program.[1] To aid parties with this analysis, the final rule clarifies when this export control analysis must be performed, including the effect of how the parties should treat a scenario whereby the export classifications of its products or technology changes.

In the long term, this export analysis will likely benefit foreign persons from countries subject to lesser levels of export controls, especially those who did not benefit from the initial designation of Excepted States and Excepted Investors, which were limited to Australia, Canada, and the United Kingdom and their qualifying entities or persons. This also appears supported by the final rule’s retention of three license exceptions from the Export Administration Regulations (EAR) that may otherwise except the covered transaction from a mandatory submission requirement. Conversely, foreign persons from countries whose geopolitical or military interests diverge from those of the United States (and possibly its allies) are subject to more stringent export controls and will likely result in increased mandatory declaration requirements.

Final Rule and Required Export Control Analysis

The previous mandatory declaration program required a submission to CFIUS if a transaction was a “covered transaction” that constituted a “covered investment” or would result in a change in control of a Technology, Infrastructure, or Data (TID) business and (1) concerned a US business that produced, designed, tested, manufactured, fabricated, or developed one or more “critical technologies” as defined under FIRRMA and the implementing regulations; and (2) the US business used or specifically designed such technology for use in an industry identified under one of 27 NAICS codes.

Under the previous regulations, the export control analysis focused on whether the US business had technology controlled for export under the export control regimes referenced in the definition of “critical technology.” This process disregarded the identity and nationality of the foreign investor/purchaser and instead focused on the reach into and control over the TID US business’s technology the foreign purchaser would receive as a result of the transaction.

Now, and in place of the NAICS code determination, the new rule introduces a definition of “US regulatory authorization,” which will apply to covered change-of-control transactions and noncontrolling investments. As a result, a transaction will now be subject to a mandatory submission if (1) the US business produces, designs, tests, manufactures, fabricates, or develops one or more “critical technologies,” and (2) a US regulatory authorization would be otherwise required for the export, reexport or transfer of that critical technology to any foreign party that

  • could directly control the US business;
  • is directly acquiring an interest that is a covered investment in the US business;
  • has a direct investment in the US business, and the change in rights of that foreign person could result in a covered control transaction or a covered investment;
  • is a party to a transaction or other arrangement that is designed or intended to evade or circumvent FIRRMA; or
  • individually holds, or is part of a group of foreign persons that in the aggregate holds, an applicable “voting interest,” which is defined as “a voting interest, direct or indirect, of 25 percent or more.”

In this context, “US regulatory authorization” means any of the following:

  • A license or other approval issued by the US Department of State under the International Traffic in Arms Regulations (ITAR)
  • A license from the US Department of Commerce under the EAR
  • A specific or general authorization from the US Department of Energy under the regulations governing assistance to foreign atomic energy activities at 10 CFR part 810 other than the general authorization described in 10 CFR 810.6(a)
  • A specific license from the Nuclear Regulatory Commission under the regulations governing the export or import of nuclear equipment and material at 10 CFR part 110[2]

The final rule also confirms that a transaction that meets the above criteria is nevertheless not subject to the mandatory declaration requirements if the export, reexport, or transfer is eligible for at least one of the following license exceptions under the EAR:

  • Technology and Software – Unrestricted (TSU)[3]
  • Encryption commodities, software, and technology (ENC) that meet certain self-classification conditions or have been classified by the US Department of Commerce[4]
  • Strategic Trade Authorization (STA) for exports, reexports, or transfers to countries that are identified by the Department of Commerce as close allies of the United States[5]

Finally, and of critical interest, the final rule also addresses for the first time when parties should conduct an export controls analysis to determine whether a mandatory filing condition is triggered. As the final rule clarifies, deciding whether a US business’s product or technology qualifies as critical technology shall be determined as of the first date on which one of the following conditions is met:

  • The completion date of the transaction
  • The parties to the transaction have executed a binding written agreement, or other binding document, establishing the material terms of the transaction
  • A party has made a public offer to shareholders to buy shares of a US business
  • A shareholder has solicited proxies in connection with an election of the board of directors of a US business or an owner or holder of a contingent equity interest has requested the conversion of the contingent equity interest[6]

Importantly, this guidance on the timing for assessing the export control requirements appears to provide a limited safe harbor for US businesses that subsequently conclude they have critical technology following the first occurrence of one of the four events identified above.

For example, an export controls analysis concludes that a US business does not manufacture a critical technology on the date a foreign party executes a binding written agreement to purchase the US business that does not manufacture a critical technology. Following that agreement but prior to the closing, however, the US business determines it manufactures a product controlled under the United States Munitions List (e.g., through the submission of a commodity jurisdiction determination), which would require a license from the Department of State to export to the foreign purchaser. Notwithstanding the fact that both elements of the mandatory submission requirements are met, there is no requirement to submit a declaration to CFIUS (although CFIUS may retain jurisdiction).

The final rule does not affect the popular structuring technique often employed in noncontrolling investments involving “critical technology” to preclude mandatory CFIUS review where the foreign person agrees (1) not to have a board representative or observer, and (2) not to have any access to “material non-public technical information.”


The final changes to the CFIUS mandatory declaration requirements expand the potential industries affected through the elimination of the 27 NAICS codes, but also fine tune the scope of the program to focus on those foreign persons who are subject to US export licensing requirements for the “critical technology” in question. As a result, these changes may benefit foreign persons in jurisdictions where the US imposes fewer export controls and result in increased mandatory declarations for jurisdictions with more robust licensing requirements or presumptions of denial. Finally, the final rule does not affect the ability of a foreign person in a non-controlling investment to give up a board seat or observer rights and access to “material non-public technical information” involving “critical technologies” in order to preclude subjecting the transaction to the mandatory declaration rules, and this will remain a popular structuring technique.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Carl Valenstein

Washington, DC
Giovanna Cinelli
Kenneth Nunnenkamp
Ulises Pin
Heather C. Sears
Katelyn Hilferty
Christian Kozlowski

[1] 31 C.F.R. § 800.901(b) (“Any person who fails to comply with the requirements of [the mandatory declaration program] may be liable to the United States for a civil penalty not to exceed $250,000 or the value of the transaction, whichever is greater. The amount of the penalty imposed for a violation shall be based on the nature of the violation.”).

[2] 31 C.F.R. § 800.254.

[3] 15 C.F.R. § 740.13.

[4] 15 C.F.R. § 740.17(b).

[5] 15 C.F.R. § 740.20(c)(1).

[6] 31 C.F.R. § 800.104(b)(1)-(4).