5 Regulatory Issues to Consider When Acquiring a Business in the EU or UK

4 minute read | January.23.2023

Companies considering an acquisition in Europe must navigate a regulatory and enforcement environment that can seem like a minefield. Here are five things they should consider amid unfolding legislative change and growing scrutiny and enforcement, especially in the digital economy.

1. Many countries screen foreign direct investments.

European countries review or plan to start reviewing foreign direct investments for national security implications. That can add a layer of complexity to mergers and acquisitions, with the possibility of closings delayed until regulators provide clearance. Acquiring businesses should determine early on if they need clearance for a deal – and how long that may take.

France, Germany and the UK are among countries that look at foreign direct investment through a national security prism. They deploy regimes like those of the Committee on Foreign Investment in the United States, or CFIUS.
Other European countries plan to begin screening foreign direct investments.
Individual EU member states decide whether a transaction raises national security concerns. An EU system helps them report and share information.
Only a few transactions raise national security concerns.
Companies face straightforward application processes for most transactions. Achieving clearance often is a formality.

2. Well-established merger control principles prevail in Europe.

In contrast to foreign direct investment screening practices, Europe has well-established merger control principles and regimes. That creates a degree of legal certainty over filing requirements, but a couple of areas are in flux.

The European Commission sometimes investigates transactions even though they fall below EU and national thresholds for review. This creates uncertainty. Acquiring companies need only seek review of deals below EU and/or national thresholds if regulators ask. As a practical matter, the Commission investigates few transactions that fall under the thresholds.
In the UK, companies do not need approval from the Competition and Markets Authority (CMA) to close transactions, but the CMA informally reviews hundreds of transactions a year.
- This can happen after parties submit a “briefing paper.” Or the CMA may ask for information before or after closing. If the parties don’t respond, the CMA could threaten an order preventing global integration.
- Companies should consider responding to the CMA’s standard request in advance given the tight timeframes for response.

Companies should determine if they need to submit merger filings for a transaction and incorporate such requirements into the deal timetable. Most companies do this before or during the due diligence stage. The risk and disruption of EU or UK intervention should not be overstated, but a detailed pre-signing assessment can help a company evaluate risk.

3. The EU and UK enforce strict data protection laws.

The EU and UK enforce some of the world’s most stringent laws on data protection and cybersecurity. Fines for serious breaches range as high as 4 percent of a company’s global revenue. In addition, privacy advocates regularly make complaints.

Companies acquiring a European business should conduct data and cybersecurity due diligence to:

Understand the target’s compliance posture and ensure its data and data-processing operations provide as much value as expected.
Determine whether a target carries regulatory or litigation risks that could trigger penalties or damage claims.

Acquiring companies should understand the full scope of a target’s commercial activities, including the countries where it operates, the type of data it processes, how it uses and transfers data, and the extent of its privacy compliance. This is especially true for B2C targets but also applies to B2B companies.

4. Companies must comply with financial services regulations.

To ensure successful integration, an acquiring company should make sure its target has the licences and permissions required by national and EU financial regulations. In some cases, the acquiring company may need those licenses and permissions, too.

Since the UK left the EU – Brexit – UK firms aren’t always permitted to provide services in the EU and vice versa.
Companies should evaluate regulatory restrictions on the target that could prevent replicating the acquirer’s business model in the EU or UK, especially if the acquiring company plans to market products to retail customers.
Regulators often must consent for a company to complete the share acquisition of an entity licensed to provide certain financial services.

To avoid delays to closing it may be possible to structure a transaction with two closings or to use options, so that the consent is only required prior to the second closing or the conversion of the options.

5. Don’t forget about sanctions.

Acquiring companies should verify that targets comply with sanctions on other countries and people.

The EU and UK have imposed and regularly update sanctions on a variety of targets, including Russia after it invaded Ukraine.

Penalties for violations vary by country. They can be severe. An additional EU penalty may apply if an organization tries to hide the infringement by a "circumvention scheme.”

Authors

Patrick Hubert Partner, Antitrust & Competition, Strategic Advisory & Government Enforcement (SAGE)

Paris

See my bio

D:+33 1 5353 7500
E: [email protected]

Practice:

Antitrust & Competition
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Patrick Hubert Partner

Paris

This breadth of experience has allowed him to become a leading authority in the field of antitrust, but his background helps him borrow ideas from anywhere – finding imaginative solutions for the legal and business challenges his clients face.

Patrick has long been a trailblazer in his field. For example, years before private compliance programs became commonplace, Patrick persuaded his clients to dedicate resources to compliance policies, thus being one of the first to encourage proactive rather than strictly reactive actions. In France, he was one of the first to launch antitrust recovery claims and to work on a private standalone claim, without any precedent from the regulator. Acting on the plaintiff side, he obtained what was at that time the highest fine ever imposed on a dominant company (350 M€).

He is currently handling private claims totaling more than 5 billion euro, advising global tech companies and other multinationals in French and EU competition matters, including merger control filings, cartel and abuse of dominance investigations, state aid and compliance work, as well as private damages actions before the French courts. In addition, he serves as vice chairman of the competition commission of the International Chamber of Commerce and chairs its merger control working party.

Guy Stevenson Senior Associate, Global Compliance & Regulatory, Fintech

London

See my bio

D:+442078624600
E: [email protected]

Practice:

Technology & Innovation Sector
Global Compliance & Regulatory
Fintech
Blockchain and Virtual Currency
Funds
Responsible Business

vCard

See full bio

Guy Stevenson Senior Associate

London

In addition to advising established financial services firms, Guy advises new innovative Fintech businesses on UK regulation including whether their activities will require authorisation and how best to launch their business in the UK. He has significant experience advising firms on regulatory issues connected to the selling of financial services products through apps and online journeys.

Guy frequently advises clients on financial crime issues, including AML controls, reporting obligations, failure to prevent offences, anti-corruption and market abuse.

He has a deep knowledge of consumer credit law and excels in providing practical advice on how the law/regulation should be interpreted and applied.

He also advises on contentious matters including regulatory investigations and conduct issues.