Changes to investment screening law are pending both in Germany and at EU level (see also: Further tightening of FDI screening (taylorwessing.com)). The German government is planning to revise and specify the current 27 industry groups that trigger a notification requirement. In addition, greenfield investments and research cooperation are also to be subject to investment screening in future. The introduction of an outbound control regime is planned at European level. Further changes will now result from the implementation of the so-called NIS 2 Directive.
With this directive, the EU aims to ensure a sufficiently high standard of security against cyberattacks that is binding throughout the EU and thus maintain the functioning of the EU's internal market. The directive is being implemented in Germany through the NIS-2 Implementation and Cyber Security Strengthening Act (
NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz,
"NIS2UmsuCG"), which is currently going through the legislative process at federal level. The NIS2UmsuCG also leads to amendments to the Foreign Trade and Payments Ordinance (
Außenwirtschaftsverordnung,
"AWV") in the area of investment screening. Below we provide a brief overview of the effects of the new terminology on investment screening:
The NIS2UmsuCG
The NIS2UmsuCG, in particular the amendment to the BSI Act (BSI-Gesetz, "BSIG-E") contained therein, considerably expands the group of companies affected by the IT security regime. Particular attention is paid to companies and organizations that may suffer particularly high monetary losses as a result of cyberattacks or that may suffer far-reaching consequences in the event of a cyberattack, such as the risk to life and limb of the population. First and foremost, the concept of "critical infrastructures" will be adapted or expanded. In future, a distinction will be made between "important" and "particularly important facilities" as well as "critical facilities". In addition, a number of sectors have been included in which various obligations are imposed on companies that reach certain thresholds (e.g. company size, number of employees, annual turnover). The thresholds for critical facilities are set individually for each facility.
The companies concerned are obliged to fulfill various obligations depending on their classification. These include reporting and registration obligations as well as risk management measures and measures to ensure operational continuity. Companies that qualify as particularly important or important facilities must therefore submit the information specified in Section 33 BSIG-E to the BSI within three months. In future, the reporting obligations will be more extensive than before. The newly introduced Section 32 BSIG-E provides for a multi-stage reporting procedure. Any security incidents must be reported to the BSI within 24 hours and with follow-up reports. Proof of compliance with the requirements for ensuring information security must also be provided. By tightening measures against cyber attacks, companies must be able to assess the risk of a cyber attack via their supply chain. Violations of the requirements can lead to significant fines and personal liability for the management. This can already occur if the relevant evidence is not provided in full.
Amendments to the AWV: "Critical infrastructures" become "critical facilities"
The NIS2UmsuCG already provides for a specific change in the area of cross-sector review regime. The case groups of Section 55a para. 1 no. 1 and 2 AWV will be slightly adjusted. In future, operators of "critical infrastructures" will no longer be covered, but rather operators of "critical facilities" (Section 55a para. 1 no. 1 AWV). The same applies to sector-specific software for the operation of "critical facilities" (Section 55a para. 1 no. 2 AWV). The connecting criterion is therefore the term "facility". However, this does not restrict or even expand the scope of the investment review, as the concept of facilities is already used in the Ordinance on the Determination of Critical Infrastructures under the BSI Act ("BSI-KritisV"). Critical infrastructures currently only serve as a generic term. In Section 1 (1) BSI-KritisV, "facilities" are currently defined in the definitions as "premises and other fixed installations; machinery, equipment and other mobile installations; or software and IT services that are necessary for the provision of a critical service". Facilities, on the other hand, are not mentioned separately in the definitions in the BSI-KritisV, as they are already covered by the installations and their definition. Therefore, according to the future legal situation, the use of the term "facility" instead of "infrastructure" "does not restrict or expand the material scope of the investment review in the area of "KRITIS".
Do "particularly important facilities" also fall within the scope of the investment review?
The new overarching category of "particularly important facilities" within the meaning of Section 28 (1) BSIG-E is not included in the investment screening regime. In addition to operators of critical facilities, "particularly important facilities" also include providers of qualified trust services, providers of public telecommunications services and networks as well as companies from particularly sensitive sectors (including energy, transportation, finance and healthcare) that employ at least 250 people or have an annual turnover of more than EUR 50 million. However, a separate case group within the scope of Section 55a para. 1 AWV will not be created for "particularly important facilities" - at least for the time being. However, in view of the steadily increasing tightening of the German investment screening regime in recent years, the future inclusion of "particularly important facilities" as a separate case group in the area of cross-sector screening cannot be completely ruled out. Particularly in view of the fact that some of the companies in this category are of considerable importance for the functioning of the German economy and the security of supply, a further adjustment of the AWV is at least conceivable. In this way, the legislator could also bring a certain stringency to the legal system with regard to companies in the KRITIS sector.
On the other hand, the inclusion of "particularly important facilities" as a separate case group under Section 55a (1) AWV would result in a significant expansion of the scope of the investment screening regime. This is because the list of sectors mentioned in the BSI-E is long. From our point of view, it should also be considered that the significance of "particularly important facilities" - unlike that of "critical facilities", for example, for which activity-related thresholds apply - is rather determined by the size of the company, i.e. the number of employees and annual turnover. The question arises as to whether the acquisition of a "large" company by a foreign acquirer is actually just as likely to affect public order or security as the acquisition of a company that is de facto of particular importance in a critical sector.
Outlook
As lawyers specializing in foreign trade law, we always keep an eye on the changes in the area of investment screening. We will continue to inform you about relevant changes here. We will be happy to assist you with any questions you may have in this regard.