New Irish FDI Screening Regime: Cyber-related M&A Deals in Scope

This new regime is expected to come into force in September 2024 and dealmakers will need to remain vigilant regarding cyber-related transactions that potentially fall within scope. Our DEG team examine what you need to consider in more detail.

The Screening of Third Country Transactions Act 2023 newly establishes a foreign direct investment (“FDI”) screening regime in Ireland in relation to transactions with an Irish nexus which involve third country investors. Consistent with the trend across most other Western jurisdictions over the last decade or so, the new regime will ensure the Irish Government has the power to review transactions in sensitive sectors that present potential national security concerns and impose mitigating measures in the event of concerns.

Under the new regime, cybersecurity is designated to be a sensitive sector and so any M&A transaction involving a cyber-related business may be subject to a new pre-closing, mandatory filing requirement that will present a new regulatory hurdle for dealmakers. As the new regime is expected to come into force in September 2024, dealmakers need to remain vigilant of cyber-related transactions potentially within scope.

Scope

Under the new regime, a transaction is mandatorily notifiable to the Minister for Enterprise, Trade and Employment (the “Minister”) if the following conditions are met:

  1. A third country (ie, non-EU/EFTA so including the US and UK) undertaking or a connected person as a result of the transaction: (i) acquires control of an asset in the State; or (ii) changes the percentage of shares or voting rights that it holds in an undertaking in the State from below 25% to above 25% and from below 50% to above 50%;
  2. The value of the transaction is at least €2 million (taking into account all transactions between the parties in the last 12 months); and
  3. The transaction relates to, or impacts upon, one or more of the sensitive sectors set out in Article 4(1)(a)-(e) of Regulation 2019/452.

As regards the third condition in particular, the relevant sensitive sectors include critical technologies and dual-use items as defined in Regulation 428/2009, which in turn include businesses in the cybersecurity sector as well as the related sectors such as artificial intelligence. Accordingly, where the transaction relates to, or impacts upon, the cybersecurity sector, the transaction may be ‘in scope’ under the new FDI screening regime. This will primarily be the case where the target business is directly active in the cybersecurity sector or an important related sector, but there may be instances where the activities of the purchaser groups could bring the transaction ‘in scope’ under the new regime.

Note the Minister also has the power to ‘call in’ a transaction for review where the following conditions are met:

  1. Where the Minister has reasonable grounds for believing that the transaction affects, or is likely to affect, security or public order in the State; and
  2. Where the transaction results in a third country undertaking acquiring control, legal rights or the ability to exercise effective participation in the management or control of an asset or undertaking in the State (ie a lower threshold compared with the mandatory thresholds).

Therefore, where a transaction in the cybersecurity or related sectors does not meet the mandatory thresholds, it could still be ‘called in’ by the Minister for review.

Procedure

The Minister will conclude the review within 90 days of the date of the screening notice. This may be extended to 135 days by notice in writing. Where the Minister issues a notice of information (ie RFI), the review period is suspended until the parties fully comply with the information notice and the Minister certifies compliance.

The substantive test which the Minister must apply is whether the transaction affects, or would be likely to affect, the security or public order of the State.

If the Minister concludes that the transaction affects or is likely to affect security or public order in the State, the Minister can direct that certain other steps are undertaken by the parties (eg, divestment of assets, cessation or modification of certain practices, restrictions on the flow of competitively sensitive information etc.), or otherwise prohibit the transaction. Such decisions may be appealed to an adjudicator appointed by the Minister or directly by way of judicial review to the High Court.

Any person or undertaking that fails to notify a notifiable transaction, fails to comply with an information notice, or intentionally or recklessly provides information that is false in a material particular shall be guilty of an offence.

Looking Forward

As the new regime is expected to come into force in September 2024, dealmakers need to remain vigilant of any transactions potentially within scope.

From now on, all transactions with an Irish nexus by third country investors in the cybersecurity or related sectors should be subject to an Irish foreign investment screening review and, where appropriate, should include drafting in the transaction documents for a springing Irish condition precedent to cover the possibility of a mandatory notification or a ‘call in’ after the regime commences.

For queries, please contact our Digital Economy Group partners for further information

Which Cookies We Use

Disclaimer

Privacy Policy

Back to Index
Read next article: Spotlight: Cyber Incident Reporting Obligations