Austria - Market Insights

Defence M&A in Austria: managing regulatory complexity and transaction risk

Introduction: Defence as a strategic investment priority

Europe’s approach to defence has undergone a fundamental transformation. Russia’s invasion of Ukraine, the shifting strategic focus of the United States towards the Indo-Pacific — coupled with calls for greater European commitment to the NATO partnership — have elevated European “strategic autonomy” from a political aspiration to an operational imperative, with the EU Member States raising their defence and defence-related spending substantially. In March 2025, European Commission President Ursula von der Leyen proposed a plan to mobilise nearly EUR 800 billion for defence investments, stating that “Europe faces a clear and present danger on a scale that none of us have seen in our adult lifetime… we are in an era of rearmament, and Europe is ready to massively boost its defence spending”.

To facilitate this investment surge, the European Commission published the Defence Readiness Omnibus on 17 June 2025 — a comprehensive legislative package aimed at establishing a defence-readiness mindset across the European Union and facilitating up to EUR 800 billion in defence investments over the next four years. The Omnibus aims to unlock defence investment by improving access to EU funding, reducing administrative and procedural burdens to get funding for defence projects under the European Defence Fund, and facilitating coordination among Member States in joint procurement of equipment and services. Fast-track permitting regimes for certain defence projects will be introduced, with clearances to be issued within 60 days.

For M&A practitioners, this political and legislative commitment creates both opportunity and complexity: more capital is flowing into defence, but transactions are subject to a dense regulatory framework designed to protect national security, ensure supply chain resilience, and maintain technological sovereignty. Defence M&A is fundamentally different from traditional corporate transactions — deals are shaped not only by commercial considerations but by state interests in security, control, and continuity of supply.

The core regulatory regimes

Defence transactions in Austria (and in the EU generally) are subject to a multi-layered regulatory framework. Four regimes dominate:

• foreign direct investment screening;
• export controls and sanctions;
• merger control; as well as
• public procurement.

Foreign Direct Investment (FDI) screening: the Austrian Investment Control Act

Austria’s Investment Control Act, which implements EU Regulation 2019/452, is the principal gatekeeper for non-EU investors. It applies to “foreign persons” — investors from outside the EU, EEA, or Switzerland — acquiring “direct investments” in Austrian companies operating in sensitive sectors. “Direct investment” includes acquisitions of voting rights, shares, assets, or any other means of effective participation in management or control of an Austrian target company. It captures both direct and indirect acquisitions: a foreign investor acquiring an EU holding company that controls an Austrian defence asset may trigger review under the Austrian Investment Control Act even if the principal transaction occurs outside Austria.

Foreign investments regarding highly sensitive sectors — including defence, critical infrastructure, and certain dual-use technologies — trigger approval requirements with the highest levels of scrutiny. The authorities may run a geopolitical assessment of the transaction and may investigate certain risks triggered or increased in sensitive areas like national security, supply chain resilience and technological sovereignty. National authorities may impose stringent remedies in clearance decisions to mitigate such risks, including by way of ring-fencing sensitive operations or excluding certain investors from decision-making roles.

The Austrian FDI regime under the Investment Control Act applies when certain minimum voting rights thresholds are reached or exceeded, or upon acquisition of effective control. Following filing, transactions are subject to an EU cooperation mechanism phase of 35 to 40 days before national review can conclude. In the case of multijurisdictional deals, investors should know that they must file for clearance in many EU Member States with overlapping national review regimes and varying procedural timeframes.

The consequences of non-compliance with the Austrian FDI regime under the Investment Control Act are severe. Transactions completed without required approval are null and void. Intentional violations constitute a criminal offence, exposing individuals to prosecution. Negligent breaches trigger administrative fines.

Practical experience shows that an early legal assessment of the jurisdictions in which FDI clearances are required, alongside proactive early engagement with the national authorities where sensitive assets are located, is essential for managing both the legal risk of unexpected remedies and realistic timeline expectations for FDI proceedings.

Export controls and sanctions compliance

Austria’s export control regime comprises international laws, the EU Dual-Use Regulation 2021/821 and, on a domestic level, the Austrian Foreign Trade Act and the Austrian War Material Act, creating compliance obligations that significantly affect defence-related M&A transactions. The Austrian Foreign Trade Act regulates the export, transit and brokering of defence and dual-use goods, software and technology as well as the provision of technical support for military end use. The Dual-Use Regulation regulates goods, software, and technology that can be used for both civilian and military purposes. Violations of export control laws in the conduct of business are subject to criminal and administrative penalties. Austria is currently digitalising and streamlining its export licensing processes to meet the Defence Readiness Omnibus.

Export controls impact M&A in three critical ways. First, early-stage due diligence should identify the export sensitive technologies as well as contracts, and map the full export footprint of the target (including not only tangible asset exports but also intangible transfers and multinational research and development (R&D) partnerships) to evaluate whether the target has fully complied with (internal) security audit and (external) export licence requirements. Second, existing export licences may be affected by a change of control in the licence holder’s ownership structure (typically, export licences have a fixed term and are non-transferable). In this respect, investors should also analyse the continuation of the business post-closing — new export registrations and security audits may be required. Third, granting employees of foreign parent companies access to controlled technical data or personnel may require prior authorisation or comprehensive clean team regimes. A corporate governance structure to manage such domestic technical data or personnel in the purchaser’s group must be developed.

Merger control and the Article 346 of the Treaty on the Functioning of the European Union (TFEU) Exemption

EU merger control applies to defence transactions meeting certain turnover thresholds (as is the case with any other transaction). However, Article 346 of the TFEU has been and will be — in light of the rising strategic importance of defence and security assets — used to carve out the military aspects of defence-sector transactions from EU merger control where the production of, or trade in, arms, munitions, or war material is essential to national security.

Public procurement and change-of-control provisions

EU Directive 2009/81/EC on defence and security procurement is implemented in Austria through the Federal Procurement Act for Defence and Security, amended under the Defence Readiness Omnibus to incentivise defence sector investments (by doubling procurement thresholds and extending the maximum term of framework agreements). On top, Member States may increasingly invoke the Article 346 TFEU Exemption from public procurement proceedings for urgent defence acquisitions.

For M&A purposes, the critical issue with respect to existing public procurement contracts are change-of-control clauses. Government defence contracts often contain provisions requiring authority consent to change of ownership or granting the authority the right to terminate contracts upon change of control. Where a target derives substantial revenue from government contracts (which is highly likely in the defence sector), the risk that the contracting authority withholds consent — or exercises a termination right — must be carefully assessed. Due diligence should identify all contracts with change-of-control clauses, quantify the revenue and Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA) at risk, and develop a government consent strategy that runs parallel to the Austrian FDI filing process.

Key transaction risks in defence M&A

Beyond formal regulatory compliance, defence M&A transactions present operational and structural risks that distinguish them from traditional M&A transactions.

Clean teams and information security. Defence targets often hold classified information or technology subject to export controls. A standard “green/red” data room and clean team regime would not work for a due diligence into this information or technology. Instead, security-cleared clean teams with limited access to sensitive materials are required. These regimes must address not only data protection or competition law concerns but also export control restrictions on access to sensitive assets (including to sensitive technology or R&D departments) and must remain in place throughout the (often lengthy) signing-to-closing period.

Government contracts and change of control. As discussed above, change-of-control provisions in government contracts can be deal-critical. If a target derives substantial revenue from government contracts, the risk that the contracting authority withholds consent must be carefully assessed and reflected in transaction structuring, conditionality, and pricing.

Technology transfer and integration restrictions. Integrating acquired domestic defence businesses into global operations may trigger domestic export control requirements if the controlled sensitive assets (including technology and R&D departments) shall be transferred to unauthorised persons or locations. This risk is particularly acute for non-EU acquirers. Staged integration plans or ring-fencing sensitive assets in the target acquired are common mitigation strategies to overcome domestic export control restrictions.

Timing uncertainty and political risk. Defence transactions are politically sensitive, with approval timelines often extending beyond those typical in other M&A transactions.

Contractual tools for managing risk

Effective transaction agreements in defence M&A address regulatory risk clearly and provide mechanisms to manage timing uncertainty and compliance obligations. In particular, the following contractual tools are available to practitioners:

• Special warranty and indemnity structures. Defence M&A requires extended warranty and indemnity clauses with respect to security audits/compliance (if the export control regime is relevant for the business of the target), compliance/sanctions, data handling, licensing, cybersecurity and technology.
• Material Adverse Change (MAC) clauses. MAC clauses in defence transactions must account for regulatory and geopolitical risk. Parties may consider carving out changes in law, regulations, or geopolitical conditions that affect the defence sector generally, whilst preserving protection against target-specific adverse changes.
• Conditions precedent and regulatory clearances. FDI clearances, export control authorisations, merger control clearances, and customer (government) consents for change of control should be explicit conditions precedent. Parties should specify acceptable remedies (including governance restrictions, ring-fencing regimes and/or forced divestiture). Early engagement with the competent authorities through pre-filing consultations can reduce risk and improve predictability. Strategic sequencing of pre-filing consultations and filings with FDI, merger control and export control authorities is essential for confidentiality purposes and to mitigate conditionality risk.
• Price-adjustment clauses. Price-adjustment clauses may be required to reflect regulatory outcomes, ensuring that non-cleared parts of the transaction remain with the seller or are otherwise disposed of, and to address the potential loss of key (including governmental) counterparties resulting from the exercise of change of control or early termination rights.
• Long-stop dates and extensions; staggered closing. Given the regulatory complexity of defence transactions, signing-to-closing periods of 18 to 24 months are not uncommon. Agreements can include mechanisms for automatic extension of long-stop dates if regulatory filings have been made and the buyer is following its obligations. These extended timelines must also be reflected in the interim operating covenants governing the period between signing and closing. Further, staggered closing mechanisms may also be introduced in the agreements to isolate regulated assets pending approval.

Conclusion: defence M&A as regulatory strategy

The rising strategic importance of defence and security assets in the European defence sector creates significant M&A opportunities. However, this influx of capital occurs within a framework of intensifying regulatory scrutiny. European governments seek more defence investment, but under greater state control.

Successful defence M&A in Europe requires treating regulatory compliance not as an obstacle to be overcome but as a fundamental component of transaction architecture. Early regulatory engagement, security-cleared advisory teams, realistic timelines, and carefully drafted transaction agreements are prerequisites for deal certainty. As regulatory frameworks evolve and EU initiatives create new cross-border opportunities, the ability to navigate regulatory complexity will increasingly distinguish successful transactions from failed ones. Defence M&A across the EU demands a blend of regulatory expertise, strategic foresight, and operational pragmatism that sets it apart from traditional corporate M&A.