Brief·Cross-Border·May 2026

The CFIUS Expansion.

Three structural questions every inbound acquirer should resolve before the term sheet.

Cohen Capital Markets 12 min read

The Committee on Foreign Investment in the United States has spent the past five years steadily broadening the perimeter of transactions over which it asserts jurisdiction. The boards, sponsors, and founders considering inbound investment in 2026 face a CFIUS that is materially different from the one they would have encountered in 2018 — and the term sheet that does not anticipate the difference is the term sheet that re-trades.

This note sets out the three structural questions every inbound acquirer should resolve before signing — and the filing-strategy framework that determines whether the deal closes on time, closes with mitigation, or fails on review. The argument is that the CFIUS conversation belongs before the LOI, not after.

Executive Summary

What changed, what to ask, and what to file.

  • CFIUS jurisdiction has expanded across three vectors: critical and emerging technologies (semiconductors, AI, biotech, quantum), real estate adjacent to sensitive sites, and TID U.S. business categories (technology, infrastructure, sensitive personal data).
  • Mandatory declarations are no longer rare. Foreign-government-controlled investors and TID U.S. business transactions trigger filing obligations regardless of transaction size.
  • Resolve three questions before the term sheet: (1) Is this a TID U.S. business? (2) Is the investment non-passive? (3) What is the acquirer's home-country relationship with the U.S.?
  • Declaration vs full notice is a strategic decision. Declarations are 30 days; full notices are 45 + 45 + potential extension. Wrong choice adds months and signals to the Committee.
  • Mitigation is the most common outcome on covered transactions reviewed. A meaningful share of reviewed notices over recent years have closed with mitigation agreements rather than clean clearance; the structure of the deal should anticipate this.
~440
CFIUS Filings, Most Recent CY (approx.)
Declarations + notices combined; per Annual Report to Congress.
30d
Declaration Review Period
Short-form; vs 45 + 45 days for a full written notice.
Material
Mitigation Imposed on Notices
Annual Report shows meaningful share of reviewed notices closing with mitigation.
3 vectors
Expansion Surfaces
Critical tech · sensitive real estate · TID U.S. business categories.

The Expanded Jurisdiction.

Three vectors of expansion are now load-bearing on cross-border M&A involving U.S. targets.

1. Critical and emerging technologies.

FIRRMA and successor regulations established mandatory CFIUS notification for certain foreign investments in U.S. businesses producing, designing, testing, manufacturing, fabricating, or developing one or more critical technologies — including export-controlled items and certain emerging and foundational technologies. The lists of covered technologies have been extended through Commerce Department and Treasury actions, with material attention to semiconductors, AI infrastructure, biotechnology, quantum, and advanced materials.

Sources: 31 CFR Part 800; Treasury and Commerce Department public guidance through 2025–2026. Specific technology coverage and timing of filings should be confirmed against current regulatory text and counsel guidance.

2. Critical infrastructure and sensitive personal data.

The 2020 FIRRMA regulations brought "TID U.S. businesses" — those involving critical Technology, critical Infrastructure, or sensitive personal Data — under expanded CFIUS jurisdiction. Critical-infrastructure scope reaches energy, telecommunications, financial services, transportation, water, and other named sectors. Sensitive-personal-data scope captures the maintenance or collection of data on certain numbers of U.S. persons across enumerated categories.

The effect on M&A is that targets the parties might have considered outside CFIUS jurisdiction five years ago — health-tech aggregators, certain insurance platforms, location-data businesses, certain real-estate-adjacent businesses — frequently are not.

3. Real-estate proximity.

Separate CFIUS regulations bring certain real-estate transactions under jurisdiction by virtue of proximity to specified U.S. military or government facilities, ports, or other sensitive sites — even when no operating business is acquired. The list of covered sites has been extended through successive Executive Orders.

The CFIUS perimeter today reaches transactions the parties might have assumed were entirely commercial. The diligence question is which side of the perimeter the target actually sits on.

Three Structural Questions.

Question 1. Is the target a "TID U.S. business," and does its activity fall within a covered scope?

The first analytical question is jurisdictional. Three categories drive most coverage: (i) critical-technology businesses producing or developing items in the covered technology list; (ii) critical-infrastructure businesses operating in the enumerated sectors at a level that triggers coverage; (iii) sensitive-personal-data businesses maintaining or collecting personal data on identified populations.

A complete jurisdictional read of the target — done before the LOI — is the difference between a clean transaction and a transaction whose timeline is consumed by a CFIUS process the parties did not plan for.

Question 2. Is the investment "non-passive"?

CFIUS jurisdiction over TID U.S. businesses extends not only to acquisitions that result in foreign "control" of the target, but also to certain non-controlling investments that nonetheless provide the foreign person with access, board representation, or substantive decision-making rights. The threshold for "non-passive" is operational — the rights actually conveyed, not the legal label of the investment vehicle.

For minority deals, the term sheet language on board observation rights, information rights, and consent rights is the diligence question. A foreign minority investment with board representation in a critical-technology business is squarely within mandatory-filing jurisdiction; the same minority investment with passive economic rights only may not be.

Question 3. What is the acquirer's home-country relationship?

CFIUS analysis applies a country-specific lens. Investors from countries with which the United States maintains close national-security relationships face different review postures than investors from countries identified as "foreign adversaries" under the relevant Executive Orders and statutory frameworks. The acquirer's ultimate beneficial ownership, parent-company nexus, and any state-linked ownership influence the review trajectory.

This is not a question of merit — it is a question of how the filing is structured, what mitigation may be required, and whether the timeline supports the deal.

Three questions. The answers determine whether the term sheet stands, requires structural change, or requires a different acquirer.

The Filing Decision.

Mandatory versus voluntary.

CFIUS regulations identify specific transactions that must be notified — typically certain critical-technology investments and certain foreign-government investments meeting specified thresholds. Other transactions within CFIUS jurisdiction may be voluntarily notified. The decision between mandatory filing, voluntary filing, and (in lower-risk situations) no filing is partner-level judgment informed by counsel.

The discipline is that voluntary filing is often the right answer. CFIUS retains the authority to review non-notified transactions for years after closing; the parties who do not file and are later called in absorb the risk on the wrong side of the timeline.

Timing implications.

A typical CFIUS process runs through a 30-day declaration review or a 45-day notice review, with the option to extend to a 90-day investigation if the Committee identifies concerns. Add the time required to prepare the filing itself, negotiate any mitigation, and address Committee questions. The realistic timeline from kickoff to clearance for a transaction requiring full review is materially longer than 45 days.

The deal that signs without anticipating the CFIUS timeline is the deal whose closing slides.

Mitigation outcomes.

When the Committee identifies concerns, the deal can still close — but with mitigation. Common mitigation structures include governance restrictions (board-seat limitations, security-officer requirements, technology-access controls), operational ring-fences, and reporting and audit obligations. The acquirer who is prepared to negotiate mitigation in advance preserves the deal; the acquirer who treats mitigation as a surprise loses time and frequently loses leverage.

What This Means for 2026 Deals.

For inbound acquirers. The CFIUS analysis goes in front of the LOI. The diligence question — is the target a TID U.S. business, is the investment non-passive, what is the home-country posture — is answered before the term sheet, not after. The deal that survives review on the merits is the deal that was structured to survive review.

For U.S. sellers and divestors. The buyer's CFIUS exposure is the seller's timeline risk. Pre-LOI diligence on the buyer's home-country posture, ownership structure, and likely filing trajectory is now part of the bidder-evaluation conversation. The seller who underwrites this risk before signing the term sheet is the seller who closes on schedule.

For sponsors with foreign LPs. The look-through analysis on limited partner identity, voting rights, and information rights determines whether a sponsor-led acquisition triggers CFIUS jurisdiction by reason of its LP base. The fund structure that handled this question pre-FIRRMA is not necessarily the fund structure that handles it today.

For boards considering inbound investment. The board's role is to ensure the CFIUS analysis is done by counsel and is sized correctly to the transaction's risk profile. The board that approves the LOI without confirming the analysis has been done absorbs the consequence of a Committee process that was not planned.

Exhibit 1 · CFIUS Filing-Strategy Matrix
When to file, what to file, and what to expect.
A decision matrix for resolving the filing strategy as a function of mandatory triggers, sensitivity, and acquirer profile.
Transaction Profile Filing Required? Recommended Vehicle Expected Posture
Foreign-government-controlled investor · TID U.S. business Mandatory declaration Declaration; convert to notice if Committee requests Heightened scrutiny; mitigation likely
Allied private acquirer · non-TID U.S. business Voluntary No filing; document analysis in the file Low review risk; preserve optionality
Allied private acquirer · TID U.S. business (no government nexus) Mandatory in many cases Declaration; convert if Committee requests Clean clearance typical absent specific concerns
Country-of-concern investor · any U.S. business Presumptively required Full written notice from outset Mitigation likely; abandonment possible
Real estate adjacent to sensitive sites Mandatory in defined cases Declaration; full notice if complex Sensitivity-driven; geographic specifics determine outcome
Sponsor-led with foreign LPs · look-through triggers Depends on look-through analysis Counsel-driven; consider voluntary filing for certainty Variable; depends on LP voting and information rights
Matrix is illustrative and reflects the firm's framework for the filing-strategy conversation. Specific application requires qualified U.S. counsel. Treasury regulations at 31 CFR Part 800 control.
Sources & Methodology
  • CFIUS Annual Report to Congress. Treasury publishes annual reports detailing declarations and notices filed, transactions reviewed, mitigation imposed, and acquirer country of origin. Most recent reports cited as directional anchors for filing volumes and mitigation rates.
  • Statutory and regulatory framework. Defense Production Act of 1950, as amended; Foreign Investment Risk Review Modernization Act (FIRRMA, 2018); 31 CFR Part 800 (covered transactions); 31 CFR Part 802 (covered real estate). Treasury and Commerce Department public guidance through 2025–2026.
  • Outbound Investment Security Program. Executive Order 14105 (2023); Treasury Department final rulemaking on outbound investment in covered foreign-country businesses in semiconductors/microelectronics, AI, and quantum.
  • Allied jurisdiction FDI screening. UK National Security and Investment Act (2021); EU FDI Screening Regulation; Australian FIRB framework; comparable frameworks across allied jurisdictions.
  • Filing strategy framework. The firm's framework reflects practice patterns observed in coordination with named regulatory counsel on cross-border transactions. The matrix is illustrative, not prescriptive.

Methodology note: This brief is a general informational discussion of CFIUS, OISP, and related cross-border investment review frameworks. It does not constitute legal advice. Application to any specific transaction requires qualified U.S. counsel and, where relevant, counsel in the acquirer's home jurisdiction. Regulatory text and CFIUS practice continue to evolve; specific filing decisions should be confirmed against current regulations and Committee guidance.

CFIUS has continued to broaden. The transactions that close cleanly in 2026 are the ones in which the analysis was done before the term sheet, the filing strategy was designed with the deal structure, and the timing was sequenced against the regulatory calendar — not against it.

Submit a Confidential Inquiry →