The Azure Forum Strategic Insights

Combatting low cost foreign takeovers of vulnerable companies in
medical and strategic sectors in the wake of Covid-19 – New powers are
not enough.

Paddy McGuinness | 10 July 2020


The discourse on the hazards to EU Member States’ economies from foreign direct investment at a time of business vulnerability caused by the pandemic tends to focus on new regulation. A practitioner from the United Kingdom, Paddy McGuinness, took part in an expert panel discussion in June 2020 as part of The Azure Forum for Contemporary Security Strategy 2020 series on ‘Peace, security and defence during and beyond the Covid-19 Crisis: Lessons for future global crises’, with support from University College Dublin. Paddy McGuinness cautions that the practical use of such regulation, especially on national security or public order grounds, requires capacity, capabilities, partnerships and a culture which are not yet in place in EU Member States including Ireland.


Over the last decade a number of States have broadened their conception of national security beyond traditional defence and security and into resilience in the face of hazards as well as threats. Covid-19 is such a hazard event. It is no surprise that the response has been driven by EU Member States rather than the Union in Brussels – often drawing on national security capabilities for which they retain competence. The United Kingdom’s 2010 National Security Strategy for the first time included “resilience” as a highest priority national security task. At the time, this was more a reaction to George W. Bush’s difficulties in response to flooding in New Orleans than to hybrid warfare from hostile
states. That has since become the main justification for the prominence of ‘Resilience’ in many States’ strategies.

Even before the Covid-19 pandemic arose, concern about the economic and technological strategies of non-European Union States (so-called third countries) was driving the development of new mechanisms to intervene in foreign investments and takeovers. The limited nature of the EU’s response in the March 2019 Foreign Direct Investment (FDI) Screening Regulation reflects the complexities of the Union’s architecture in this context. Although resilience to hazards has long been coordinated at European level and the mechanisms for overseeing Mergers and Acquisitions (M&A) and other market interventions are now commonplace, national security continues to remain a
Member State competence. In the 14 of the 27 EU Member States that have so far legislated in this area, national security has, in the main, driven the agenda.

The FDI Screening Regulation can be summarised as “cooperation, information sharing and a minimum level of transparency regarding FDI control between the European Commission and Member States”. Even though the Regulation is only due to be implemented later this year, we now see aspects in action with the April 2020 exhortation by way of emergency guidance for Member States to enhance their screening in response to Covid-19 and any investment activity that might undermine the Union’s “security and public order”. In other words, Member States are being called upon to advance their plans to implement the EU Directive.

There was a surprising moment in March of this year when EU Commission President Ursula Von Der Leyen asserted that “…we have the tools to deal with this situation under EU and national laws….”. This was an oddity because of the manifest shortfall in Member State legislation in this area. That said, this declaration may have been alluding to the full range of M&A and other powers that could be bent to this purpose alongside the national security FDI legislation which has been introduced. President Von Der Leyen clearly also meant to deter. Investors, even those backed or directed by hostile states, rarely want to engage in drawn out litigation to achieve their ends.

National security aspects of investment: Excessive focus on legislation and regulation

As a national security practitioner who has chaired a body advising the Government of the UK on national security aspects of investment, I worry about an excessive focus on legislation and regulation. Legislating is only the beginning of the challenge for Member States and, indeed, the European Commission in this area. As I see it, at least eight related capabilities are required for effective national security intervention in FDI, which are also relevant to Covid-19 measures.

First, and fundamentally, any legislation must be applicable and applied in practice. Over recent years, the Government of the UK has been wrestling with the shortcomings of the Enterprise Act which was designed for a different purpose and has inadequate criteria and thresholds for intervention. This is as much about a past failure to use the powers within this Act as making their use now difficult to defend in the face of any Judicial Review. As I write, new Statutory Instruments have been brought into law to “patch” the Act for Covid-19 related interventions – actions that are along a similar line of thinking to those called for by the EU Commission President.
Second, governments must have a way of learning about an investment or merger where there are national security impacts – and learning early on in the investment process so as not to be presented with a fait accompli. The nature and scope of the primary legislation on National Security and Investment that is now expected to be introduced in the UK in the Autumn is not yet clear. The 2018 White Paper developed under Theresa May’s administration proposed only voluntary notification but with a cautionary power to call in for review even after a deal was complete. The legislation brought forward by Boris Johnson’s administration is likely to go further. Those EU Member States without
investment screening mechanisms may well pause to examine the utility of voluntary as opposed to mandatory notifications as well as the timing of these notifications in light of the UK’s imminent experiment.

Third (and perhaps obviously) the Departments of State who are to be informed need capacity. The UK Government has a concept of Lead Government Departments for sectors of Critical National Infrastructure, which means responsibility will not fall solely on the Business Ministry. The Competition and Markets Authority (CMA) will have a role but will not perform the national security screening. Notably in the UK, the CMA handles tens of cases a year from a larger set of notifications. In the 2018 consultation the number of national security notifications was envisaged to be around 200. Now that the criteria look set to broaden, the number of notifications and cases will be commensurately larger so that the likely scale of this will be challenging. While this number would be proportionately smaller in a country like Ireland, it is still a burden in prospect for EU Member States to consider.

Fourth, there is a need for recognised national technical authorities to advise on which technologies or components are in scope. For areas where there is treaty or conventional obligation – such as some nuclear technologies or (Covid-19 related) pathogens – this is relatively straightforward. In states, like the UK, there are established bodies such as the National Cyber Security Centre which can take a reliable view on communication technologies or the Defence Science and Technology Lab (DSTL) for Defence technologies. It is, however, more difficult to establish an authority on supply chains which have been shown to be vital by this pandemic given the range of CNI sectors impacted. Over the longer term, the inclusion of semiconductor components and artificial intelligence technologies will test both objective technical expertise and legal definitions. Few EU Member States have established bodies with the capability and capacity to play this role, especially at scale and speed.
Fifth, there must be an assessment mechanism that can make a recognised judgement on the national security impact of the investment or takeover – and this must be defensible in law. This does not mean that all aspects of its deliberation must be made public: for instance on protected aspects of defence systems or any commercially protected material or secret intelligence drawn upon when making the assessment. But the body must be recognised by a court of law if a government’s decision is challenged.

Sixth, a capacity for partnership with friendly states within and beyond the EU, and most especially with the United States is vital to the good conduct of business. This is not as straightforward as it sounds because consideration of investment is generally tightly held for competition reasons – indeed such confidentiality is built into the Committee on
Foreign Investment in the United States (CFIUS). Given that Ireland has become one of the U.S. Big Tech’s bridges for entry to the EU market and either is or aspires to be a centre for innovation on the back of that presence, it will likely be impacted by this. From experience, CFIUS processes will weigh heavy where U.S. interests are in play and these
processes are rarely transparent to those outside the U.S. administration. Working closely with U.S. counterparts is required to manage the constraints.

Seventh, it helps to have a system and culture that can handle Secret Intelligence and understands intelligence mechanisms in countries where its use is prevalent. It is not always the driver for national security interventions in investments or mergers but frequently features – especially when Five Eyes countries such as the U.S. are involved.
U.S. counterparts simply will not share fully if they lack the established means of doing so securely. Intelligence systems and culture are uneven across EU Member States and chronically lacking in Brussels. It is to be hoped that recent Irish moves to build national security assessment and policy capability such as the formation of the National Security Analysis Centre are seen through so that Ireland can leverage its comparative advantage in European, Trans-Atlantic and, indeed, Anglo-Irish relationships.

Finally, speed is of the essence. Some states have set a 60-day target for national security review of investments by official mechanisms. The Government of the United Kingdom is now talking about a 30-day period. The strain on Lead Government Departments will be considerable.

To conclude, these challenges are not insurmountable but they do suggest that effective intervention in Ireland and other EU Member States to protect medical and strategic sectors and reassure concerned European and U.S. partners would require a concerted and considered national effort and is not simply a matter of relying on European
regulation and practice.

Paddy McGuinness

Paddy McGuinness


Paddy McGuinness is a senior advisor to Brunswick Group the International Critical Issues firm and from 2014-2018 was the UK Prime Minister’s Deputy National Security Adviser for Intelligence Security and Resilience overseeing the UK Government’s Investment Security Group.


Authors’ views are their own and do not represent the official position of The Azure Forum. These commentaries may be reproduced with prior permission from The Azure Forum and due recognition to the author(s) and The Azure Forum. Please contact Caitríona Heinl, Editor, The Azure Forum Strategic Insights at