Written by Oded Kadosh, Guy Milhalter, and Austin Ochoa
If you’re a non-U.S. investor or a U.S. business seeking investment, CFIUS is one acronym you should become familiar with. Whether or not an investment falls within the jurisdiction of the Committee on Foreign Investment in the United States, or CFIUS, is no longer an abstract risk. It has become a central consideration in cross-border deals involving U.S. businesses. With expanded jurisdiction, robust enforcement, and shifting policy priorities under the current Administration, CFIUS could potentially delay, derail, or unwind your transaction. The consequences for non-compliance are steeper than ever.
What is CFIUS?
CFIUS is an interagency committee of the U.S. government, chaired by the Secretary of the Treasury, that serves the President in overseeing potential national security risks posed by certain foreign investments in U.S. businesses. The assessments focus on threats and vulnerabilities to national security, and impacts on U.S. supply chains, critical minerals, and priority technologies such as AI, quantum, biotech, and microelectronics.
Originally established under the Defense Production Act of 1950 and formalized by Executive Order in 1975, the authority of CFIUS was significantly expanded by the Foreign Investment Risk Review Modernization Act (FIRRMA) in 2018.
When CFIUS was first established, its jurisdiction was limited to examining the acquisition of U.S. businesses by foreign entities. It did not cover non-controlling investments in U.S. businesses, and there were no mandatory filing requirements.
This changed in 2018 with the passage of FIRRMA, which broadened the scope of transactions under CFIUS jurisdiction. FIRRMA extended CFIUS’s reach to certain non-controlling investments, authorized Treasury to establish mandatory filing requirements, and created the streamlined declaration process. The subsequent regulations implemented those authorities and now define the framework within which CFIUS operates.
Why It Matters
If you’re a foreign investor or a U.S. business, ignoring CFIUS is not an option, even for minority investments. CFIUS can block, unwind, or penalize transactions that fail to comply, and its reach is broad. The burden of identifying whether a filing is required falls on the transacting parties. Failure to submit a mandatory filing can trigger civil penalties of up to $5 million or the full value of the transaction, whichever is greater.
Even voluntary filings can be a strategic move. They provide a “safe harbor” against future scrutiny, which is important in emerging sectors like AI, biotech, data, or defense because U.S. national security priorities are increasingly focused on these technologies as critical to economic and military leadership. Since CFIUS can initiate a review years after a transaction closes, regulatory risk doesn’t end when the deal is signed.
In today’s environment, where enforcement is ramping up, tech is politicized, and China-facing deals are under the microscope, early planning is critical. If your deal even brushes up against national security concerns, CFIUS should be part of your diligence checklist from day one.
When does CFIUS have jurisdiction?
CFIUS jurisdiction is triggered by:
- Covered Control Transactions: Any transaction that could result in foreign control of a U.S. business.
- Covered “Non-Control” Investment in TID U.S. Business (defined below): Non-controlling investment that still gives a foreign investor:
- Access to material nonpublic technical info
- Board membership, observer rights, or nomination rights
- Involvement in substantive decision-making about:
- Critical technologies (defense articles, export-controlled items, nuclear technologies, select biological agents, and emerging tech like AI and semiconductors)
- Critical infrastructure
- Sensitive personal data of U.S. citizens
- What is a “TID U.S. Business”? A U.S. business that:
- Produces, designs, tests, manufactures, fabricates, or develops a critical technology;
- Operates, services, or manufactures any critical infrastructure; or
- Maintains or collects sensitive personal data of U.S. citizens.
Voluntary Filing vs. Mandatory Declaration
Parties can choose to voluntarily file a notice for covered transactions, and doing so may provide a “safe harbor” that protects the deal from future CFIUS review. However, this protection can be revoked if the parties submit false information, breach a mitigation agreement, or lose excepted investor status within three years.
Filing is often strategic for deals involving emerging tech, sensitive data, or foreign government ties. If parties don’t file, CFIUS can initiate a review at any time post-closing, with no deal size threshold or statute of limitations on its ability to review unfiled covered transactions. Filings can be demanded years after an investment is made.
However, mandatory declarations are required in two scenarios involving a TID U.S. business:
- When a foreign investor with a foreign government holding a substantial interest (49%+) acquires a substantial stake (25%+) in the TID U.S. Business.
- If the deal involves critical technology that requires U.S. export authorization, and the foreign investor obtains access, a board seat, or decision-making rights over that tech.
Voluntary filings are permitted for most covered transactions, and parties may submit what’s known as a “declaration” or a “notice” to CFIUS.
Declarations (short-form filings) offer a faster review process (30-day review window) but may result in CFIUS requesting a full notice.
Notices (long-form filings) allow for detailed review and typically take longer (CFIUS has 10 business days to accept or comment; once accepted, a 45-day review period begins).
Whether by short-form declaration or detailed notice, CFIUS assigns a case officer who may request additional documents or clarification with quick turnaround times. The case officer will send follow-up question requests with extremely tight deadlines of two business days. Failing to provide the requested information within this timeframe may lead to the Committee rejecting the filing outright. This situation leaves parties with the options to either refile under a new 30-day review period for declarations or a 45-day period for notices, abandon the deal, or risk having CFIUS compel the parties to file later on in the case of a mandatory filing.
According to the latest Annual Report to Congress by CFIUS, in 2024, the Committee received a total of 116 declarations (up from 109 in 2023), of which 36 were subject to mandatory filing requirements. Additionally, CFIUS received 209 notices (down from 233 in 2023) and conducted 116 investigations based on those notices.
Recent Developments
New Enforcement Rules (Effective December 2024)
The Department of the Treasury recently issued a final rule amending certain CFIUS regulations:
- Penalties increased to over $5 million per violation for failure to file, misstatements, or mitigation breaches.
- Expanded subpoena power and ability to demand information from third parties.
- Timeline limits on party responses during mitigation discussions
CFIUS Under the Trump Administration (2025)
President Trump issued a Presidential Memorandum in February 2025 titled America First Investment Policy, reshaping CFIUS policy:
- Fast-Track for Allies: CFIUS is directed to streamline review for investors from allied nations, allocate more resources to facilitate those deals, and end the use of overly complex and open-ended mitigation agreements for investments from foreign adversaries. In May 2025, the Department of the Treasury announced its intent to launch a Fast Track Pilot Program to facilitate greater investment in U.S. businesses from ally and partner sources.
- Enhanced Scrutiny of China: Chinese investments will face expanded review and additional restrictions, especially in agriculture, healthcare, energy, and real estate near sensitive sites.
- Encouragement of Passive Investment: The memorandum states that the U.S. will welcome and encourage passive investments from all foreign persons, which include non-controlling stakes and shares with no voting, board, or other governance rights and that do not confer any managerial influence, substantive decision-making, or non-public access to technologies or technical information, products, or services.
Final Thoughts
In 2025, the strategic use of CFIUS filings has become an essential tool in cross-border deal planning. Understanding CFIUS jurisdiction, compliance obligations, and recent policy trends is critical for non-U.S. investors and U.S. businesses navigating global capital markets.
If you need help evaluating your transaction or deciding whether a filing is mandatory, contact legal counsel early in the deal process. Delays and penalties can often be avoided with proactive review.
Practical Takeaways
- Know if you’re a TID U.S. business. If your business touches critical technologies, infrastructure, or sensitive personal data, assume CFIUS may have jurisdiction.
- Messaging discipline: Avoid overhyping capabilities, exaggerated claims can be cited back by CFIUS.
- Understand what rights a foreign investor is receiving. Board seats, veto rights, access to critical technology or personal data can all trigger a filing requirement.
- Evaluate whether a mandatory filing is triggered. Especially if a foreign government interest is involved or the deal implicates controlled technologies.
- Consider voluntary filings for risk mitigation. Even if a filing isn’t mandatory, voluntarily filing can provide a clean safe harbor from future review. Filings can be made early based on deal terms from LOI.
- Work with counsel with CFIUS experience: CFIUS issues are complex; early advice can save time and money.
- Track outbound investment rules. As of January 2025, the new Outbound Investment Security Program limits U.S. capital flows to China in semiconductors, AI, and quantum.
