Episode 3: Critical Infrastructure under CFIUS's "Foreign Investment Risk Review Modernization Act"

2024-09-24 22:39:29

On January 13, 2020, the U.S. Department of the Treasury issued the final regulations (hereinafter referred to as the "Final Regulations") to implement the "Foreign Investment Risk Review Modernization Act of 2018" (hereinafter referred to as "FIRRMA"). The Final Regulations expanded the jurisdiction of the Committee on Foreign Investment in the United States (hereinafter referred to as "CFIUS") to review foreign investments in U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data (hereinafter referred to as "TID U.S. Businesses"). Among these, the Final Regulations include provisions related to "critical infrastructure" for TID U.S. Businesses.

According to the Final Regulations, critical infrastructure refers to systems and assets, whether physical or virtual, that are vital to the United States. The incapacity or destruction of such systems or assets would have a debilitating impact on U.S. national security. Specifically, the Final Regulations use the term "covered investment critical infrastructure" (hereinafter referred to as "specified critical infrastructure") to distinguish critical infrastructure subject to CFIUS oversight from the broader concept of critical infrastructure.

The appendix to the Final Regulations lists 28 categories of specified critical infrastructure, encompassing a range of technologies and assets—from the manufacturing of specialty metals to satellite systems servicing the U.S. Department of Defense. The appendix also details the functions (hereinafter referred to as "functions") provided by U.S. businesses for specified critical infrastructure. Only when the functions provided by a U.S. business align with the specified critical infrastructure does the business qualify as a TID U.S. Business under the Final Regulations.

For example, one function listed in the appendix is: owning or operating any facility capable of storing more than 30 million barrels of crude oil. Therefore, a U.S. company operating and maintaining a storage facility with a capacity of 35 million barrels of crude oil would be a TID U.S. Business. Conversely, a U.S. supplier providing fencing or general commercial cybersecurity software for such a facility would not qualify as a TID U.S. Business. Thus, under the Final Regulations, a TID U.S. Business must provide functions that match the specified critical infrastructure.

[Stay tuned for more updates]