Disclosure and Confidentiality in Investment Screening
Author: Dorieke Overduin (Sovereign Arbitration Advisors)
Introduction
In order to assess risks posed by foreign direct investments to national security, authorities must understand not only the target business, but also the investor, its ownership structure, sources of financing, governance arrangements, and potential foreign state involvement. As a result, investment screening procedures impose extensive and often highly detailed disclosure obligations. This places investors in a vulnerable position by requiring disclosure of information that may be commercially valuable, proprietary, or strategically sensitive.
While much attention has focused on the outcomes of investment screening procedures, comparatively little consideration has been given to the underlying information that must be disclosed by investors, and in parallel, what obligations do States assume once they compel disclosure of sensitive information. This blogpost examines the rationale underpinning disclosure requirements, how confidentiality of that information is protected under those regimes, and the risks that may arise when sensitive information enters the hands of the State.
I. Why Investment Screening Requires Disclosure
The rationale behind disclosure requirements in investment screening is straightforward. Unlike traditional merger control, which focuses on competition and market structure, investment screening seeks to assess risks to national security and public order. Authorities therefore require information not only about the transaction itself, but also about who ultimately controls the investment, how that control may be exercised and whether it may be used in ways that give rise to security concerns.
For investors, these disclosure obligations are not entirely unfamiliar. Comparable information is routinely submitted in merger control proceedings and financial prudential assessments. Investment screening regimes build upon a broader regulatory practice in which businesses disclose ownership structures, governance arrangements, and financing sources to public authorities as a condition for regulatory approval. However, the objective of investment screening is different. Whereas merger control seeks to protect competition and prudential review focuses on financial stability and integrity, investment screening addresses national-security concerns.
This relationship between investment screening and other regulatory approval mechanisms was expressly acknowledged during the preparation of the Dutch Wet veiligheidstoets investeringen, fusies en overnames (“Wet Vifo”). The Dutch legislature deliberately built upon concepts and procedures familiar from merger control and sectoral supervision. For example, the Wet Vifo adopts the competition-law concept of ‘control’ (zeggenschap) and incorporates procedural mechanisms designed to facilitate efficient review and coordination with existing approval processes, while emphasizing that the substantive assessment serves a distinct objective: the protection of national security rather than competition or market structure (see Kamerstukken II 2020/21, 35 880, nr. 3, paras. 3.4, 4.6 and 6.2.).
II. What Must Investors Disclose?
Across investment screening frameworks, investors are generally required to submit extensive and highly detailed information. The scope of these disclosure obligations reflects the underlying objective of screening regimes: assessing not merely the transaction itself, but also the broader corporate, financial, and geopolitical context in which the investment occurs.
In the United States, the Committee on Foreign Investment in the United States (“CFIUS”), operating under section 721 of the Defense Production Act, reviews foreign investments that may affect U.S. national security (50 U.S.C. § 4565). CFIUS jurisdiction and review procedures are implemented through Treasury regulations contained in 31 C.F.R. Part 800.
The contents of information that must be submitted for a CFIUS screening, are prescribed in detail in 31 C.F.R. § 800.502, which requires parties to submit accurate and complete information concerning both the transaction and the parties involved. Despite the title ‘voluntary notices’, these provisions govern the substantive contents of any full notice submitted to CFIUS. The regulation contains an elaborate list of information an investor must submit, which includes detailed information concerning the transaction itself, such as its structure, purpose, financing arrangements, and supporting transaction documentation. Parties must also disclose immediate and ultimate ownership structures, beneficial owners, and post-transaction control arrangements, supported by organizational charts and governance documentation. Filings must further describe the U.S. business, including business activities, products and services, facilities, competitors, and government contracts.
Depending on the nature of the transaction, filers may be required to disclose information relating to critical infrastructure, export-controlled technologies, cybersecurity measures, defense-related activities, and the collection or maintenance of sensitive personal data. The regulation also requires information concerning foreign-government ownership or influence, prior mitigation agreements, and detailed personal identifier information for directors, senior officers, and significant owners to be disclosed. Should it be deemed necessary, CFIUS may further request supplementary information to understand indirect ownership, foreign-government influence, or security risks associated with the transaction.
The European Union (“EU”) approaches screening differently.
Unlike the United States, the EU does not operate a centralized screening authority or harmonized filing system. Instead, Regulation (EU) 2019/452 establishes a framework for cooperation between Member States and the European Commission concerning foreign investments that may affect security or public order. The current Regulation leaves Member States considerable discretion regarding the design and operation of national screening mechanisms, which will be replaced and lead to greater harmonization of screening procedures and minimum substantive standards across the Union.
The Regulation does not prescribe a uniform European filing process. Rather, in Article 9, it establishes minimum parameters for cooperation and information-sharing while leaving Member States considerable discretion over the design of national screening systems. This flexibility is deliberate. Article 3 confirms that Member States retain responsibility for maintaining, amending, or adopting screening mechanisms in accordance with their own security priorities. In other words, within the EU, the principal disclosure obligations arise under national screening regimes, which may extend beyond the categories identified in the EU framework.
The Dutch Wet Vifo, which entered into force in June 2023, illustrates this approach. Article 10 Wet Vifo requires parties to provide information necessary for national-security assessment, while the Besluit Vifo and mandatory notification form operationalize those obligations (see Regeling veiligheidstoets investeringen, fusies en overnames, arts. 2–3 and Annex 1 (Meldingsformulier Wet Vifo), containing the detailed list of information and mandatory notification form applicable under the Wet Vifo). Like CFIUS, the Dutch regime requires detailed disclosure concerning the transaction, the investor, and the target undertaking. Investors must describe the acquisition structure, relevant sectors or technologies, ownership and control arrangements, and post-transaction governance. Particular attention is devoted to sensitive technologies and vital providers, including export-control classifications, technological applications, and operational relevance. The filing further examines foreign-state influence, sanctions exposure, criminal history, political exposure, acquisition history, cybersecurity incidents, and transaction financing.
III. Protecting Confidential Information
Extensive disclosure naturally raises a second question: how is the information protected once submitted?
The U.S. and EU systems adopt different approaches. Under 50 U.S.C. § 4565(c), information filed with CFIUS may not be publicly disclosed except in limited statutory circumstances. CFIUS filings are further exempt from disclosure under the Freedom of Information Act (“FOIA”). This protection extends beyond final decisions and encompasses notices, declarations, supporting documentation, and information generated during the review process itself. Treasury guidance expressly links confidentiality to the effectiveness of the screening regime, emphasizing that investor cooperation depends upon assurances of strict confidentiality (see U.S. Department of the Treasury, CFIUS Confidentiality).
The EU approach operates differently. Article 10 of Regulation (EU) 2019/452 requires Member States and the European Commission to protect confidential information exchanged through the cooperation mechanism and to comply with applicable rules governing classified information and personal data. The Regulation thus recognizes confidentiality as an essential precondition for effective information exchange among screening authorities, while leaving the detailed protection and handling of such information largely to national legal frameworks.
The Dutch Wet Vifo, however, does not contain a categorical confidentiality clause comparable to CFIUS or a blanket exclusion from the Wet open overheid (“Woo”). Instead, confidentiality is protected through the ordinary exemption framework of the Woo, meaning that transparency is the norm, unless the information falls under one of the exemptions, such as an exemption to publish confidential business information; personal data; information that harms the economic and financial interests of the State; or otherwise causes disproportionate harm to affected parties (see Kamerstukken II 2020/21, 35 880, nr. 3, para. 6.3). The consequence is not necessarily weaker protection, but a different institutional model: confidentiality is secured through balancing and exception mechanisms rather than through a categorical legislative prohibition.
Although no reported Woo case appears to concern disclosure of a Vifo filing itself, the treatment of Huawei and telecom-security documents provides a useful analogue. In 2019, the Ministry of Economic Affairs and Climate Policy decided on an access to document request concerning Huawei-related documents and telecom-network security. The request did not seek access to an investment-screening filing comparable to a Vifo or CFIUS notification, but concerned government-held documents relating to Huawei and telecom-security policy. The Ministry disclosed a list of available documents, but withheld or heavily redacted most documents.
IV. Why This Matters
Despite increasingly expansive disclosure obligations, there is remarkably little publicly available jurisprudence involving governmental leaks or dissemination of screening information. Several explanations are possible: confidentiality safeguards may be functioning effectively; disputes may remain private, or proving commercial harm resulting from disclosure may be difficult.
But the absence of public cases should not be mistaken for the absence of risk. Across investment screening regimes, investors are required to disclose extensive and often highly sensitive commercial information. Public disclosure—whether through access-to-documents requests, cybersecurity failures, or unauthorized circulation within or between governmental authorities—may have serious consequences for affected businesses. Much of the information submitted in screening procedures possesses independent economic value. Where trade secrets, proprietary technologies, strategic business plans, or sensitive commercial data are involved, disclosure may cause tangible competitive harm and undermine the commercial position of the investor concerned.
Investment treaties rarely address screening confidentiality directly. Investors may argue that they submitted commercially sensitive information in reliance on statutory, regulatory, or express assurances of confidentiality and suffered demonstrable competitive harm when that information was improperly disclosed. Such claims could be framed as a breach of fair and equitable treatment, including legitimate expectations or protection against arbitrary treatment, particularly where investors relied upon express or implied assurances of confidentiality or suffered demonstrable competitive harm through unauthorized disclosure. Where the disclosure affects the conduct or outcome of the screening process itself, for example by undermining an investor’s ability to present its case or creating an appearance of bias, it may also raise concerns of procedural fairness and due process. In certain circumstances, other treaty protections, such as non-discrimination obligations or umbrella clauses, may also come into play. The threshold for such claims would undoubtedly remain high. Not every administrative error, leak, or disclosure would amount to an internationally wrongful act. Yet as investment screening expands and the information demanded becomes increasingly sensitive, the relationship between disclosure obligations and State responsibility deserves closer attention—perhaps in a future blogpost.
