5 Regulatory Issues to Consider When Acquiring a Business in the EU or UK

4 minute read | January.23.2023

Companies considering an acquisition in Europe must navigate a regulatory and enforcement environment that can seem like a minefield. Here are five things they should consider amid unfolding legislative change and growing scrutiny and enforcement, especially in the digital economy.

1. Many countries screen foreign direct investments.

European countries review or plan to start reviewing foreign direct investments for national security implications. That can add a layer of complexity to mergers and acquisitions, with the possibility of closings delayed until regulators provide clearance. Acquiring businesses should determine early on if they need clearance for a deal – and how long that may take.

  • France, Germany and the UK are among countries that look at foreign direct investment through a national security prism. They deploy regimes like those of the Committee on Foreign Investment in the United States, or CFIUS.
  • Other European countries plan to begin screening foreign direct investments.
  • Individual EU member states decide whether a transaction raises national security concerns. An EU system helps them report and share information.
  • Only a few transactions raise national security concerns.
  • Companies face straightforward application processes for most transactions. Achieving clearance often is a formality.

2. Well-established merger control principles prevail in Europe.

In contrast to foreign direct investment screening practices, Europe has well-established merger control principles and regimes. That creates a degree of legal certainty over filing requirements, but a couple of areas are in flux. 

  • The European Commission sometimes investigates transactions even though they fall below EU and national thresholds for review. This creates uncertainty. Acquiring companies need only seek review of deals below EU and/or national thresholds if regulators ask. As a practical matter, the Commission investigates few transactions that fall under the thresholds.
  • In the UK, companies do not need approval from the Competition and Markets Authority (CMA) to close transactions, but the CMA informally reviews hundreds of transactions a year.

    • This can happen after parties submit a “briefing paper.” Or the CMA may ask for information before or after closing. If the parties don’t respond, the CMA could threaten an order preventing global integration.
    • Companies should consider responding to the CMA’s standard request in advance given the tight timeframes for response.

 Companies should determine if they need to submit merger filings for a transaction and incorporate such requirements into the deal timetable. Most companies do this before or during the due diligence stage. The risk and disruption of EU or UK intervention should not be overstated, but a detailed pre-signing assessment can help a company evaluate risk.

3. The EU and UK enforce strict data protection laws.

The EU and UK enforce some of the world’s most stringent laws on data protection and cybersecurity. Fines for serious breaches range as high as 4 percent of a company’s global revenue. In addition, privacy advocates regularly make complaints.

Companies acquiring a European business should conduct data and cybersecurity due diligence to:

  • Understand the target’s compliance posture and ensure its data and data-processing operations provide as much value as expected.
  • Determine whether a target carries regulatory or litigation risks that could trigger penalties or damage claims.

Acquiring companies should understand the full scope of a target’s commercial activities, including the countries where it operates, the type of data it processes, how it uses and transfers data, and the extent of its privacy compliance. This is especially true for B2C targets but also applies to B2B companies.

4. Companies must comply with financial services regulations.

To ensure successful integration, an acquiring company should make sure its target has the licences and permissions required by national and EU financial regulations. In some cases, the acquiring company may need those licenses and permissions, too.

  • Since the UK left the EU – Brexit – UK firms aren’t always permitted to provide services in the EU and vice versa.
  • Companies should evaluate regulatory restrictions on the target that could prevent replicating the acquirer’s business model in the EU or UK, especially if the acquiring company plans to market products to retail customers.
  • Regulators often must consent for a company to complete the share acquisition of an entity licensed to provide certain financial services.

To avoid delays to closing it may be possible to structure a transaction with two closings or to use options, so that the consent is only required prior to the second closing or the conversion of the options.

5. Don’t forget about sanctions.

Acquiring companies should verify that targets comply with sanctions on other countries and people.

The EU and UK have imposed and regularly update sanctions on a variety of targets, including Russia after it invaded Ukraine.

Penalties for violations vary by country. They can be severe. An additional EU penalty may apply if an organization tries to hide the infringement by a "circumvention scheme.”