Navigating the new EU FDI Screening Regulation in Norwegian M&A

On 8 June 2026, the Council of the EU formally adopted a revised FDI screening regulation after approximately two years of negotiations. The regulation will enter into force 20 days after publication in the Official Journal of the EU, and Member States will then have 18 months to adapt their national regimes before the new rules apply.

The reform does not create an EU-level investment screening authority with final decision-making power, as screening decisions will remain with the Member State in which the investment is made. However, the cooperation mechanism between the Member State and the European Commission will become more structured and more influential.

The practical effect is therefore harmonisation without full uniformity: the EU will set a common floor, but Member States will remain able to maintain broader national regimes.

Mandatory screening mechanisms in all Member States

While the current EU framework encouraged Member States to screen foreign investments, the new EU FDI Regulation requires all Member States to establish and maintain pre-closing screening mechanisms for foreign investments in at least the sectors covered by the common minimum scope. In practice, the immediate institutional impact may be limited because all 27 Member States, including Cyprus, which introduced its national regime in April this year, have now adopted some form of screening regime.

Although this obligation does not apply directly to Norway, Norwegian authorities are likely to move broadly in the same direction, or at least remain closely aligned, given the stated political objective of cooperation with the EU in this area.

Common minimum scope for sensitive sectors

For the first time, the EU has adopted a common minimum list of sectors and activities that must be subject to prior authorisation across the Member States. Based on that list, investments in the following sectors may trigger a mandatory filing requirement:

• Military equipment and dual-use items
• Certain semiconductor, quantum and AI technologies
• Strategic raw materials
• Critical entities in energy, transport, and digital infrastructure, identified through risk-based assessments by the Member States
• Electoral infrastructure, such as voting systems and voter registration databases
• A limited set of financial market entities, including central counterparties, central securities depositories, operators of regulated markets and payment systems, etc.

Member States may still go beyond that minimum list, which means that national differences in scope, thresholds and local nexus requirements will continue to be an important point to be carefully assessed in every transaction. This is also relevant to the design of the Norwegian FDI Regime.

As Norway is outside the EU, it has somewhat greater flexibility to define the sectors that should be subject to mandatory filing. For comparison, a 2023 Norwegian government-appointed committee, which unanimously proposed introducing a new investment control regime in Norway, recommended mandatory notification for investments in companies active in the following security-sensitive sectors:

• Companies supplying critical societal functions, such as internet, defence, water, food and power supply
• Companies producing or controlling critical technology, such as command systems, underwater and materials technology, artificial intelligence, biotechnology and dual-use items
• Companies producing or controlling certain critical raw materials, such as products with few or no substitutes, or strategically important products with significant supply risk

Whether this list will be retained in the final regime remains to be seen. Wiersholm understands that government-level discussions are also ongoing on whether the filing obligation should extend to, for example, strategically important real estate, or companies that process or hold significant volumes of personal data or geolocation data, as is already the case in regimes such as Sweden’s.

Intra-EU structures controlled by non-EU investors

The new EU FDI Regulation brings into scope investments made through EU-incorporated entities that are ultimately controlled by non-EU investors, thereby closing the gap that had allowed certain investments routed through EU-based entities to avoid scrutiny in some jurisdictions. This change is particularly relevant for private equity, fund and holding company structures, including structures where the acquisition vehicle is established in the EU but the ultimate control chain points outside the EU.

As such, investors can no longer assume that an EU acquisition vehicle removes FDI risk where control ultimately sits with a non-EU person or entity.

Harmonised Phase 1 timeline, but no fixed Phase 2 deadline

The new EU FDI Regulation requires national screening regimes to include a two-phase review process. Phase 1 must be completed within 45 calendar days of receipt of a complete notification. If the authority opens an in-depth Phase 2 review, the regulation does not prescribe a fixed EU-level deadline.

Harmonised timelines give parties more predictability for straightforward cases, but sensitive or politically difficult transactions may still face materially longer and less predictable review periods.

The current Norwegian FDI Regime is already structured, in effect, around a two-phase review process. Under the current rules, the initial review period is 60 days, but no statutory deadline applies if the case is referred to the King in Council. To align the Norwegian FDI Regime with the EU FDI Regulation, the Phase 1 review period would therefore need to be shortened.

Substantive assessment criteria and remedies

The new EU FDI Regulation codifies criteria for assessing whether an investment may affect security or public order, and therefore the circumstances in which transactions may be prohibited or made subject to conditions. Relevant criteria include the security and functioning of critical entities, protection of sensitive information, availability of critical technologies, media freedom and pluralism, public health, and continuity of supply critical inputs.

While FDI screening is increasingly asset-led, investor-related risk will remain a key driver of the analysis, including ownership-chain transparency, links to foreign governments, sanctions exposure, prior problematic FDI history and potential third-country policy objectives.

As noted above, possibly required FDI clearances will have to be considered and assessed for almost any transaction. It needs to be considered from the outset of the due diligence process and then reflected appropriately in the transaction documents.

This requires a robust FDI strategy, particularly in cross-border deals where the target has assets, activities or information that may be critical or security-sensitive. Targets with government customers, critical supply chain roles, sensitive technology or links to public functions may trigger intensive regulatory scrutiny, even where the investor itself appears low-risk.

FDI screening should not be viewed simply as merger control in a different form. While merger control is primarily focused on the competitive impact of a transaction, FDI review addresses a different set of concerns, including national security, public order, supply chain resilience and control over strategic assets.

This distinction matters in both procedure and assessment. In a competition law context, a modest revenue line or limited market overlap may carry little significance. In an FDI context, however, a single sensitive contract, technology, license or dataset may be enough to change the overall risk assessment of the transaction.

How FDI risk should be reflected in transaction documents

Once the target’s geographic presence, sensitive assets, government customers, supply chain role and links to public functions have been mapped, FDI risk should be built into the transaction documents.

If FDI clearances are required in several jurisdictions, timelines may vary and be difficult to predict. The SPA should therefore include a realistic long-stop date and identify each required FDI clearance as a condition to closing.

However, assessments and regulations in the transaction documents should not stop there. FDI clearances processes trigger multi-layered questions, all of which need to be considered and possibly regulated in the transaction documents. Depending on the risk profile of the transaction, the parties should also consider what happens if a regulator calls in the transaction on its own initiative in a jurisdiction where no mandatory filing has been made.

Because FDI filings often require detailed information on the seller, buyer and the target, balanced cooperation and information-sharing obligations are key. They reduce the risk of incomplete notifications and avoidable delays to the transaction timetable. For highly confidential or competitively sensitive information, counsel-to-counsel and regulatory-only disclosure mechanisms may be appropriate. In addition, timelines need to be assessed carefully. Parties need to think through and potentially regulate what happens if processes drag-out, consider how this affects the business, and provide for clear guidelines for how the business subject to the transaction is run in the meantime.

Finally, both the buyer and the seller should take an early view on which remedies, commitments or conditions to FDI clearance they are commercially prepared to accept. FDI remedies can affect governance, information access, technology transfer, supply arrangements, data flows and management involvement, or the exclusion of certain shareholders or limited partners. Also here, there are various key differences compared to the typical remedies considered in merger control processes under competition law. In some deals, «hell or high water» clauses may be appropriate. In others, the parties will need a more tailored risk allocation, including by reference to the buyer’s planned post-closing integration.

Looking ahead, there is little doubt that FDI will continue to affect M&A processes globally. Although the text of the new EU FDI Regulation has been adopted, there remains significant room for variation between Member States. Deal teams will therefore still need to assess FDI risk on a transaction-by-transaction basis, although precedent from comparable completed cross-border transactions should become increasingly useful.

From a Norwegian perspective, it remains to be seen whether Norway will take a formal political position on the new EU FDI Regulation, and how this may translate into Norwegian law. What is clear is that Norway is following EU developments closely. The new regulation may therefore have both direct and indirect implications for Norwegian M&A processes and cross-border transactions involving Norwegian assets.

In parallel, several legislative processes are ongoing in Norway, including changes to the current National Security Act and a potential new Investment Screening Act. Further developments are expected in the near term.

Wiersholm has extensive experience advising on FDI issues in Norwegian and cross-border deals, regularly leading complex transactions, carrying out multi-jurisdictional filing assessments and notification processes. Wiersholm continues to monitor developments closely.