Slow to conduct foreign influence screening, Europe jumps to intervening. On October 13, The Netherlands invoked the never before used relic from the cold war – the 1952 Goods Availability Act to place Nexperia, a Chinese-owned chipmaker based in the Netherlands, under ministerial oversight. Citing serious governance shortcomings and risk of “knowledge loss” court measures also sidelined Wingtech’s chair from Nexperia roles and handed decisive control to a Dutch-appointed director. The Dutch government deems the extraordinary steps necessary to ensure availability of Nexperia’s chips vital to Europe’s auto industry in the event of an emergency.
When Chinese firm Wingtech Technology acquired Nexperia from Philips in 2018, the Netherlands did not have a formal foreign investment screening mechanism. The VIFO Act of 2023 introduced a mandatory screening regime for investments, mergers and acquisitions that could pose risks to national security. Since then, Nexperia’s Chinese influence has come under increasing scrutiny, especially in the growing trade war on semiconductor chips between China, the US, and now Europe.
The UK already set a precedent when it forced Nexperia to divest Nexperia’s Newport Wafer Fab in 2022 and this operationalizes the same playbook inside the EU, setting a template for future state action when IP flight or supply risk is suspected. The UK’s Newport decision showed the path; the Dutch move operationalizes it inside the EU. A playbook Brussels is likely to formalize.
The EU’s 2023 Economic Security Strategy already defines IP protection, technological leakage, and dual-use dependencies as core resilience priorities. The Dutch move translates that doctrine into action, creating a template for direct intervention inside the EU. It’s not an isolated case: France’s AI-chip export controls and Germany’s blocked semiconductor acquisitions show a continent-wide tightening of oversight over strategic tech assets.
What it means for risk leaders and CISOs
- Chips supply is now an economic and geopolitical risk. Semiconductor chips are critical to military defense systems, infrastructure resilience, and AI leadership. This move by the Dutch government to ensure uninterrupted access to Nexperia’s chip supply underscores how foreign ownership of even less-advanced chips can inflict economic pain of entire industries and become a national security risk.
- Suspected IP flight or governance failures can cost you control. If your company falls under government interest for IP flight or governance concerns, you may lose operational control and managerial oversight.
- Sovereignty beats neutrality. Expect more EU use of crisis or screening powers when governance lapses imply IP flight or export-control evasion. This is unlikely to be a one-off.
- IP flight is now a board-level cyber risk. When governments fear “knowledge leaks,” they will intervene. Your IP controls, JV ring-fencing, and insider threat programs are part of national-security risk calculus.
- Screening is not ‘one and done”; sanctions adjacency matters. Sanctions screening is often considered a one-time due diligence requirement. However, treating it as a check-box exercise rather than part of the third-party risk reevaluation process misses important changes such as new ownership, M&A activity, or updates to sanctions lists. Additionally, it’s not enough to screen third-party entities – you must include parent companies and other beneficial ownership structures to make sure you’re your third party is truly “clean.” Treat it like an elevated-risk third party.
- Continuity isn’t guaranteed by “production continues.” Legal freezes can stop capital moves, hiring, or tech transfer, degrading roadmap reliability even as lines run.
What to do now
- Map exposure. Pull your (S)BOM and inventory all critical suppliers and components, not just first-tier. Identify single source points and qualify alternates. Long certification cycles are operational debt; start diversification early. For parts with 6-18 month cycles, delays risk production impact by Q2 2026.
- Re-score risk models.Expand your supplier schema to log parent-level sanctions, trustee oversight, and government vetoes. Automate ingestion from sanctions APIs (Dow Jones, Kharon, OFAC XML). Trigger re-sourcing reviews when a supplier or parent is listed or placed under control. Governance instability now outweighs balance-sheet health.
- Contract for intervention events.Update contracts with explicit government-control clauses. Include termination rights and escrowed transfer of design and test documentation within ten days. Use a neutral escrow agent to automate releases on intervention.
- Ring-fence IP.Block suppliers tied to sanctioned or state-supervised parents from direct access to design files or source code. Use black-box testing, segregated tenants, and time-limited admin rights. Audit for technology-transfer activity quarterly.
- Scenario planning.Model concurrent disruption and export retaliations on critical items such as rare earths. Run cascading-failure and revenue-loss scenarios at 90, 180, and 360 day intervals to prioritize alternate sourcing and inventory buffers.
- Strengthen insider-risk telemetry.Apply DLP across code, mask sets, and artifacts. Use just-enough-privilege access with automatic expiry. Flag abnormal download volumes, after-hours access, or credential sharing; correlate with staff departures and joint venture activity.
- Board-level reporting.Consolidate geopolitical, legal, and IP-risk metrics into one dashboard. Track single-source components, second-source progress, IP-control maturity, and sanction exposure across tiers. Refresh quarterly to steer funding toward diversification and IP-protection measures.
Europe has crossed from passive screening to active control to keep IP and capacity in-region. Treat this as the baseline, not the outlier. Your supply-chain, IP protection, and sanctions governance must be designed for political intervention as a normal operating condition, not an exception. This is no longer just a governance exercise in IP flight; export-control circumvention, and insider-risk telemetry have become part of the national-security risk calculus. Boards should treat these metrics as strategic indicators, not compliance afterthoughts.
