On September 15, President Biden issued an Executive Order on “Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States” in response to “an evolving national security landscape and the nature of investments that pose related risks to national security.”

The Executive Order directs CFIUS to consider five specific “sets of factors” as part of its review of covered transactions (i.e., transactions that could result in control of a U.S. business by a foreign person, as well as certain non-controlling investments in a limited set of U.S. businesses). The White House describes two of the factors as “elaborations” on the illustrative national security factors that Congress included in section 721(f) of the Defense Production Act, while the remaining three are not among the 721(f) factors.

Specifically, the five factors are:

• Elaborating on § 721(f)(3), a given transaction’s impact on supply chain resilience and security inside and outside the defense industrial base, including in such areas as “critical materials (such as lithium and rare earth elements)” and “elements of the agriculture industrial base that have implications for food security.” The EO makes clear that CFIUS should not only consider the “degree of involvement of the foreign person who is a party to the covered transaction and who might take actions that threaten to impair the national security of the United States as a result of the transaction,” but also a foreign person “who might have relevant third-party ties that might cause the transaction to pose such a threat,” as well as the overall degree of diversification across the supply chain.

• Elaborating on § 721(f)(5), a given transaction’s effect on U.S. technological leadership in areas affecting U.S. national security in sectors such as “microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, and elements of the agricultural industrial base that have implications for food security.”

• Incremental investments by a foreign person or country in a particular industry that would facilitate sensitive technology transfer in key industries in a way that an individual acquisition or limited investment would not.

• Cybersecurity risks associated with a foreign person (or their third-party ties) − namely, whether the transaction provides them with a greater ability to conduct cyber intrusions or other “malicious cyber-enabled activity.”

• Risks to U.S. persons’ sensitive data, especially in light of technological advances and the availability of large data sets that may enable re-identification or de-anonymization of what had been considered unidentifiable data.

While arguably CFIUS already could − and likely did in many instances − consider the three new factors in its review of covered transactions, the formal nature of an Executive Order both will regularize the practice and send a message that the Biden administration is focused on these particular factors. Concerns regarding U.S. person data are especially high, as various Treasury officials made clear during the CFIUS Conference in June 2022. Of the new factors, the directive for CFIUS to take into consideration incremental investments by foreign persons or countries in a particular industry likely will introduce the most uncertainty on the part of parties to transactions. It is not difficult to imagine CFIUS applying additional scrutiny to a transaction involving a limited acquisition by a particular foreign person in light of transactions in the industry involving other foreign persons from the same country. To the extent they already were not doing so, parties to transactions in sensitive industries now will need to consider how best to present their particular transaction in the context of such industry trends.