On July 12 the German federal government adopted important amendments (the amendments) to the German Foreign Trade and Payments Ordinance (the Ordinance), allowing for wider control of foreign corporate takeovers with a view to enhancing the protection of companies that are active in security-sensitive areas and that provide critical infrastructure.
Under the Ordinance, the Federal Ministry for Economic Affairs and Energy can scrutinize, and eventually prohibit or restrict, an acquisition of a shareholding of at least 25 percent in a German company by a non-EU investor if such acquisition endangers Germany’s public order or security.
Prompting this initiative by the German government are increasing activities by Chinese investors to acquire, or at least attempt to acquire, German companies active in security-sensitive areas. In light of these and other significant recent direct investments of foreign companies, and given the ever-increasing importance of supply-relevant key infrastructure, the federal government adopted the amendments to the Ordinance.
I. Focus on Companies Functioning in Security-Sensitive Areas and Providing Critical Infrastructure
In the amendments, the federal government has specified in which cases “an endangerment for the public order or security of Germany” exists. The Ordinance now defines the following cases and key industries as generally posing risks, thereby giving rise to scrutiny
- Companies that operate critical infrastructuresNegative impacts on companies that operate critical infrastructures can have far-reaching social and economic consequences. To determine which companies can be regarded as operating critical infrastructures and are thus subject to scrutiny under the Ordinance, the federal government makes reference to German legislation that already names the following critical infrastructures: energy, information technology, telecommunications, transport, health, water, nutrition, finance and insurance
- Companies that manufacture software for critical infrastructuresCyber-attacks on critical infrastructure can have extremely harmful consequences for society, government and economy, and therefore for the state’s ability to act. The federal government regards manufacturers of key IT applications as particularly relevant to security because they specifically develop or alter IT applications that meet the needs of companies that operate critical infrastructures. The acquisition of the manufacturers of IT applications by non-EU companies risks the loss of security-relevant information about the operation of critical infrastructure and may cause a lack of trustworthy alternatives.
- Companies that are entrusted with telecommunications surveillance measures (such as wiretapping), or that manufacture or have knowledge about technical equipment for the implementation of these measuresGerman law provides for the possibility of telecommunications surveillance such as wiretapping for law enforcement purposes and for the prevention of serious crimes. Because of their relevance to fundamental rights, these measures are allowed only under strict conditions. The involvement and contribution of companies in this regard are especially relevant to security, as information obtained using these measures can be of system-relevant significance for the security of Germany, in particular if violent offences endangering the state are imminent. Therefore, the federal government regards the availability of trustworthy and long-term technical providers as crucial. With the amendments, the German government therefore intends to prevent these companies from becoming a focus of foreign intelligence services.
- Companies that operate cloud computing servicesThe acquisition of a company that operates cloud computing services can also be especially relevant for security, for example, if the company to be acquired can access server farms of certain critical operators in the area of, e.g., energy, water, information technology, telecommunications or health. In this regard, operators of cloud computing services potentially have unlimited access to system-relevant personal data (e.g., data for identification purposes, medical data, bank account data, passwords) and factual data (e.g., geographic data, data regarding patents or products used by the state for security reasons) belonging to the operators of critical infrastructure. The federal government sees the failure to scrutinize the acquisition of companies that operate cloud computing services as risking access to and subsequent use of these data by foreign governments, potentially acting through the involvement of a private investor. The inclusion in the Ordinance of the acquisition of these companies is in line with recent EU legislation imposing security requirements on cloud computing services.