EU third country subsidy regulation: This applies to M&A transactions

Since October 12, 2023, companies have new reporting requirements. The European Commission has armed the EU Third Country Subsidies Regulation (DSVO).

State aid law already prohibits EU member states from granting preferential treatment to individual companies, thereby giving them a potential competitive advantage. The goal: free and undistorted competition on the European internal market. With the GDPR, the EU Commission is now also targeting subsidies from third countries and checking whether these distort the internal market. In this way, a “level playing field” is to be created. This means a level playing field for companies active in the EU single market.

This is what the EU Third Country Subsidies Regulation means for companies

As of now, parties to an M&A transaction above a certain size must have it notified to and cleared by the Commission prior to its consummation. This notification regime joins the old familiar EU merger control.

There is also a reporting requirement for companies participating in a major public procurement process for third party grants.

The EU Commission said in an online event on October 10, 2023 that it had held informal discussions with companies from a total of 17 M&A transactions so far in advance of a possible GDPR notification. In all these cases, informal preliminary talks were or are underway at the same time with a view to “conventional” EU merger control.

In these cases, the GDPR merger control takes effect

Mergers must always be notified when

• at least one of the merging companies, the acquired company (in particular in the case of an acquisition) or the joint venture (in the case of a joint venture formation) is established in the EU, and
• has achieved total sales in the EU (in the last financial year) of at least 500 million euros , and
• the companies involved have cumulatively received financial contributions totaling more than EUR 50 million from third countries in the last three years.

Such mergers may not be consummated until cleared by the European Commission.

In addition, the EU Commission can require ex officio notification for mergers that do not meet these criteria and are therefore not subject to original notification. In this regard, it is sufficient for the Commission to assume that the undertakings concerned may have received third-country subsidies in the three years preceding the merger. Even then, an execution ban applies until the M&A transaction is cleared by the EU Commission.

What are the penalties for violations?

Violations of the obligation to notify or of the ban on enforcement (“gun jumping”) can have serious consequences: The EU Commission has the option of imposing a fine of up to 10 percent of total Group-wide sales in the previous fiscal year on the companies involved. There is also a threat of the (pending) invalidity of the closing acts with respect to the M&A Transaction.

Here’s how companies should act now

For companies operating in the EU’s internal market, these new requirements give rise to an immediate need for action:

In particular, when planning and managing larger company acquisitions, sales or joint venture formations, the examination of a possible obligation to register with the EU Commission for GDPR merger control should be planned for.

If such a notification obligation exists, a notification procedure must be carried out with the Commission. The M&A transaction may then only be completed after review and approval by the EU Commission. This must also be taken into account on the timeline.

From a compliance perspective, it is crucial for internationally active companies to now quickly establish internal company processes and determine responsibilities in order to record financial contributions received from third countries. It must also be ensured that those units within the company that oversee M&A transactions or public procurement procedures are informed of the amount and category of third-country contributions received. Because only then can the risk be limited that a notification obligation to the EU Commission under the GDPR could be overlooked.

Defining and implementing the necessary compliance processes in the company is a challenge and requires specialists who have the necessary experience in implementing large compliance projects.