Introduction
The data center buildout needs more capital than the domestic private market can supply, and much of the marginal money is foreign: Gulf sovereign wealth funds, Asian pension plans, and global infrastructure investors. That collides with a hard reality. Data centers are exactly the kind of asset that draws national-security scrutiny, and the Committee on Foreign Investment in the United States (CFIUS) has become a gating consideration on many of the sector's largest deals. A banker advising on data center transactions now has to think about national security as early as price, because a deal that cannot clear CFIUS is not a deal at all.
Why Data Centers Trip CFIUS
A data center is not an obvious defense asset, but it touches national security on several fronts at once, and any one of them can pull a transaction into review.
- CFIUS: The Committee on Foreign Investment in the United States, an interagency committee chaired by the Treasury Department that reviews foreign investments in US businesses and certain real estate for national-security risk. It can clear, impose conditions on, or recommend the President block a transaction.
The grounds are specific. Data centers frequently host sensitive personal data, support government or defense customers, carry foreign-origin technology, or handle cross-border data flows, each of which is a recognized national-security hook. On top of that, CFIUS has a distinct real estate jurisdiction: it can review the purchase, lease, or concession by a foreign person of US real estate located near ports or within certain proximity of identified military installations, a list that was expanded in 2024. A data center sited next to a military base can therefore draw scrutiny purely on location, independent of its tenants.
The sovereign-wealth angle sharpens the issue. Under CFIUS rules, sovereign wealth funds are treated as foreign-government entities, and a deal in which a foreign government acquires a "substantial interest" in a US business involved in critical technology, critical infrastructure, or sensitive personal data can trigger a mandatory filing, followed by a 45-day review and a possible 45-day investigation. Since the largest data center deals increasingly involve exactly these sovereign investors, profiled in the discussion of in-house teams at sovereigns and pensions, CFIUS filings have become routine rather than exceptional.
The Live Tension: Capital Versus Security
The central tension is that the trillions of dollars the AI buildout requires cannot be raised domestically alone, yet the most eager foreign buyers are the ones most likely to draw review. The clearest example is MGX, the Abu Dhabi vehicle chaired by the UAE's national security adviser, which is part of the consortium acquiring Aligned Data Centers for roughly $40 billion, a transaction expected to close in 2026 subject to regulatory approvals. A deal of that size, involving a Gulf state entity buying critical US digital infrastructure, sits squarely in CFIUS territory.
Policy has shifted to manage that tension rather than resolve it. The America First Investment Policy, issued in early 2025, pushes CFIUS toward categorical restriction of capital from adversarial countries while creating a faster track for investment from allied nations, which is why a Gulf or allied-nation buyer may clear more smoothly than a Chinese one even on a similar asset. CFIUS has shown it will act, imposing tens of millions of dollars in penalties and blocking or delaying numerous transactions in recent years, so the review is not a formality. These dynamics overlap heavily with the broader cross-border framework covered in cross-border real estate deals, FIRPTA, and CFIUS, and with the foreign capital flowing into the private data center platforms.
The practical implication is that CFIUS belongs in the deal plan from day one. Identifying the buyer's government links, the asset's proximity to sensitive sites, its tenant base, and its data exposure determines whether a filing is mandatory, how long the timeline runs, and whether mitigation or a different buyer is needed. Data centers draw this scrutiny because they combine sensitive data, critical infrastructure, and sometimes sensitive locations; sovereign buyers face mandatory review as government entities; and the sector lives with a permanent tension between the foreign capital it needs and the security review that capital invites.


