“Buying a company used to require a banker—now it requires a national security clearance.” The Committee on Foreign Investment in the United States (CFIUS) is the interagency U.S. government body that reviews foreign acquisitions, investments, and real estate transactions for national security risks—with the authority to impose conditions, require divestitures, or block transactions entirely.
Executive Summary
Originally established in 1975 and dramatically expanded by FIRRMA (Foreign Investment Risk Review Modernization Act, 2018), CFIUS now reviews transactions involving critical technology, critical infrastructure, sensitive personal data, and real estate near military installations—categories deliberately broad enough to capture minority investments, joint ventures, and licensing agreements previously outside its jurisdiction. The U.S. model has been replicated globally: the EU Foreign Subsidies Regulation, UK National Security and Investment Act (2021), Australian Foreign Investment Review Board (FIRB), and Japan’s Foreign Exchange and Foreign Trade Act have all been updated post-2018 to create parallel screening regimes, creating a multilateral investment screening architecture that fundamentally alters cross-border M&A transaction timelines and risk profiles.
The Strategic Mechanism
CFIUS operates through a three-phase review process:
- Voluntary declaration: Parties may file a short-form declaration (30-day review) or full notice (45-day investigation period, extendable to 90 days) for transactions involving TID U.S. businesses (Technology, Infrastructure, Data) with foreign acquirers.
- Mandatory filing triggers: Certain transactions—foreign government-connected investments in TID businesses or controlling investments in 27 critical technology sectors—require mandatory CFIUS filing, with civil penalties for non-filing.
- Mitigation and divestiture authority: CFIUS may impose national security agreements (NSAs) requiring operational changes, data segregation, or board composition restrictions—or recommend presidential order blocking or requiring divestiture of completed transactions.
Market & Policy Impact
- China-origin transaction scrutiny: Chinese-origin investments across all sectors face presumptive CFIUS scrutiny regardless of specific national security nexus, reflecting the policy determination that PRC state access to U.S. companies’ technology and data constitutes inherent security risk.
- Transaction timeline inflation: CFIUS review has added 3–6 months to affected transaction timelines and introduced deal certainty risk that has repriced M&A premiums in affected sectors.
- Outbound investment screening: The Biden administration’s 2023 executive order on outbound investment restrictions—covering U.S. investments into Chinese semiconductors, quantum, and AI—extended CFIUS-type review logic to capital flowing out of the U.S., a novel extraterritorial mechanism.
- Global fragmentation: With 40+ countries now operating investment screening regimes, multinational M&A transactions can trigger simultaneous parallel reviews in multiple jurisdictions with conflicting timelines, standards, and remediation requirements.
- Private equity impact: PE and VC funds with sovereign wealth fund or state pension LP bases face structural CFIUS exposure, requiring LP-level due diligence and, in some cases, fund structure modification to segregate foreign government-connected capital.
Modern Case Study: The TikTok/ByteDance Divestiture Order, 2024–2025
The TikTok/ByteDance case represents the most publicly prominent CFIUS-adjacent action in recent history—and the most consequential test of the U.S. government’s willingness to impose structural remedies on a scaled consumer technology platform. Following years of national security negotiations, Congress passed and President Biden signed legislation in April 2024 requiring ByteDance to divest TikTok’s U.S. operations within 270 days or face a ban. ByteDance challenged the law in federal court; the Supreme Court unanimously upheld it in January 2025. President Trump subsequently issued executive orders creating a 75-day review extension and signaling openness to a deal structure preserving partial ByteDance involvement—creating regulatory uncertainty that persisted through 2025 as prospective buyers (Oracle, various PE consortia) navigated both CFIUS requirements and Chinese government export control approval needed for the algorithm transfer. The episode demonstrated both the full reach of U.S. investment security architecture and its limits: even maximum legal pressure cannot easily unwind a platform with 170 million U.S. users and an algorithm owned by a state-adjacent Chinese entity unwilling to approve its transfer.