5 Regulatory Issues to Consider When Acquiring a Business in the EU or UK

4 minute read | January.23.2023

Companies considering an acquisition in Europe must navigate a regulatory and enforcement environment that can seem like a minefield. Here are five things they should consider amid unfolding legislative change and growing scrutiny and enforcement, especially in the digital economy.

1. Many countries screen foreign direct investments.

European countries review or plan to start reviewing foreign direct investments for national security implications. That can add a layer of complexity to mergers and acquisitions, with the possibility of closings delayed until regulators provide clearance. Acquiring businesses should determine early on if they need clearance for a deal – and how long that may take.

France, Germany and the UK are among countries that look at foreign direct investment through a national security prism. They deploy regimes like those of the Committee on Foreign Investment in the United States, or CFIUS.
Other European countries plan to begin screening foreign direct investments.
Individual EU member states decide whether a transaction raises national security concerns. An EU system helps them report and share information.
Only a few transactions raise national security concerns.
Companies face straightforward application processes for most transactions. Achieving clearance often is a formality.

2. Well-established merger control principles prevail in Europe.

In contrast to foreign direct investment screening practices, Europe has well-established merger control principles and regimes. That creates a degree of legal certainty over filing requirements, but a couple of areas are in flux.

The European Commission sometimes investigates transactions even though they fall below EU and national thresholds for review. This creates uncertainty. Acquiring companies need only seek review of deals below EU and/or national thresholds if regulators ask. As a practical matter, the Commission investigates few transactions that fall under the thresholds.
In the UK, companies do not need approval from the Competition and Markets Authority (CMA) to close transactions, but the CMA informally reviews hundreds of transactions a year.
- This can happen after parties submit a “briefing paper.” Or the CMA may ask for information before or after closing. If the parties don’t respond, the CMA could threaten an order preventing global integration.
- Companies should consider responding to the CMA’s standard request in advance given the tight timeframes for response.

Companies should determine if they need to submit merger filings for a transaction and incorporate such requirements into the deal timetable. Most companies do this before or during the due diligence stage. The risk and disruption of EU or UK intervention should not be overstated, but a detailed pre-signing assessment can help a company evaluate risk.

3. The EU and UK enforce strict data protection laws.

The EU and UK enforce some of the world’s most stringent laws on data protection and cybersecurity. Fines for serious breaches range as high as 4 percent of a company’s global revenue. In addition, privacy advocates regularly make complaints.

Companies acquiring a European business should conduct data and cybersecurity due diligence to:

Understand the target’s compliance posture and ensure its data and data-processing operations provide as much value as expected.
Determine whether a target carries regulatory or litigation risks that could trigger penalties or damage claims.

Acquiring companies should understand the full scope of a target’s commercial activities, including the countries where it operates, the type of data it processes, how it uses and transfers data, and the extent of its privacy compliance. This is especially true for B2C targets but also applies to B2B companies.

4. Companies must comply with financial services regulations.

To ensure successful integration, an acquiring company should make sure its target has the licences and permissions required by national and EU financial regulations. In some cases, the acquiring company may need those licenses and permissions, too.

Since the UK left the EU – Brexit – UK firms aren’t always permitted to provide services in the EU and vice versa.
Companies should evaluate regulatory restrictions on the target that could prevent replicating the acquirer’s business model in the EU or UK, especially if the acquiring company plans to market products to retail customers.
Regulators often must consent for a company to complete the share acquisition of an entity licensed to provide certain financial services.

To avoid delays to closing it may be possible to structure a transaction with two closings or to use options, so that the consent is only required prior to the second closing or the conversion of the options.

5. Don’t forget about sanctions.

Acquiring companies should verify that targets comply with sanctions on other countries and people.

The EU and UK have imposed and regularly update sanctions on a variety of targets, including Russia after it invaded Ukraine.

Penalties for violations vary by country. They can be severe. An additional EU penalty may apply if an organization tries to hide the infringement by a "circumvention scheme.”

Authors

Partner, Antitrust & Competition, Strategic Advisory & Government Enforcement (SAGE)

Paris

See my bio

D:+33 1 5353 7500
E: [email protected]

Practice:

Antitrust & Competition
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Partner

Paris

Depuis qu’il est avocat, Patrick conseille des entreprises du secteur Tech, ainsi que des multinationales et des sociétés françaises de tous secteurs, sur les aspects de droit français et européen de la concurrence et sur les questions de conformité du droit français au droit européen. En parallèle, Patrick est vice-président de la Commission Droit de la concurrence de la Chambre de Commerce Internationale et préside en particulier le groupe de travail relatif au Contrôle des concentrations.

Classé en Band 2 par Chambers & Partners et Legal 500, Patrick est également l’auteur de Day to Day competition law, un livre pratique sur le droit de la concurrence.

Avant de rejoindre Orrick, Patrick était l’associé en charge du département Europe et concurrence de Clifford Chance pendant 10 ans. Ancien conseiller d’Etat, il a été directeur adjoint puis directeur du cabinet du Ministre de la justice (1995 à 1997 et 2002 à 2004) et Rapporteur Général du Conseil de la concurrence (de 1999 à 2002).

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Conformité & Règlementation

Londres

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Conformité & Règlementation
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

Londres

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Guy Stevenson Senior Associate, Conformité & Règlementation, Fintech

Londres

See my bio

D:+442078624600
E: [email protected]

Practice:

Technology & Innovation Sector
Conformité & Règlementation
Fintech
Blockchain and Virtual Currency
Funds
Environmental, Social & Corporate Governance (ESG)

vCard

See full bio

Guy Stevenson Senior Associate

Londres

In addition to advising established financial services firms, Guy advises new innovative Fintech businesses on UK regulation including whether their activities will require authorisation and how best to launch their business in the UK. He has significant experience advising firms on regulatory issues connected to the selling of financial services products through apps and online journeys.

Guy frequently advises clients on financial crime issues, including AML controls, reporting obligations, failure to prevent offences, anti-corruption and market abuse.

He has a deep knowledge of consumer credit law and excels in providing practical advice on how the law/regulation should be interpreted and applied.

He also advises on contentious matters including regulatory investigations and conduct issues.