Are there any regulatory approvals required for the acquisition, and could they introduce delays or costs?
Short answer:
The news release does not spell out any specific regulatory approvals that OneSpan (OSPN) must obtain for its acquisition of NokâŻNokâŻLabs. However, in a crossâborder technology and securityâsoftware dealâespecially one that expands authentication capabilitiesâthere are several typical regulatory touchâpoints that could require formal clearance, and those clearances can indeed add time and expense to the transaction.
1. Why regulatory approvals are usually needed in a deal like this
| Regulatory Area | What it covers | Typical relevance to a OneSpanâNokâŻNok Labs deal |
|---|---|---|
| Antitrust / Competition | Review of whether the combined entity would have excessive market power or reduce competition. | Both companies operate in the digitalâidentity and authentication space. If the acquisition would give OneSpan a dominant share of FIDO2âpasswordâless solutions, competition authorities (e.g., the U.S. FTC, the European Commissionâs Competition Directorate, or other national competition agencies) may need to sign off. |
| ExportâControl / DualâUse Technology | Controls on the transfer of software, encryption, or securityâcritical technology to foreign parties. | FIDO2 authentication software often incorporates cryptographic components that can be subject to U.S. Export Administration Regulations (EAR) or similar regimes in the EU, UK, Canada, etc. Moving the codebase or IP across borders may trigger licensing requirements. |
| DataâPrivacy & CyberâSecurity | Rules governing the handling of personal data, especially biometric or authentication data. | If NokâŻNok Labs processes biometric identifiers or other sensitive authentication data, the acquisition may need to satisfy GDPR (EU), CCPA/CPRA (California), or other sectorâspecific privacy statutes. |
| Foreign Investment Review | Oversight of inbound/outbound investments that could affect national security. | Some jurisdictions (e.g., the U.S. Committee on Foreign Investment in the United States â CFIUS, or similar bodies in Canada, Australia, Singapore) review deals involving âcritical technologyâ or âcritical infrastructure.â Authentication software can be deemed critical, prompting a review. |
| SectorâSpecific Licences | Certain industries (e.g., financialâservices, healthâtech) have extra layers of oversight. | If either party provides authentication solutions to regulated sectors (banks, insurers, government), regulators of those sectors may need to be notified. |
2. Potential regulatory pathways and timelines
| Regulator | Typical review window | Possible outcomes |
|---|---|---|
| U.S. FTC / Department of Justice (Antitrust) | 30â90âŻdays for âHartâScottâRodinoâ (HSR) filing; additional 30â60âŻdays if a âsecondârequestâ is issued. | Clearance, conditional clearance (e.g., divestitures), or a ânoâactionâ letter. |
| European Commission (Competition) | 30âŻdays for a âsimpleâ merger; up to 150âŻdays if a âscreeningâ is triggered. | Approval, or requirement to modify the deal (e.g., surrender of certain product lines). |
| CFIUS (U.S. foreignâinvestment) | 45âŻdays for a âstandardâ review; up to 120âŻdays if a âmitigatedâriskâ filing is needed. | Clearance, mitigation agreement, or a âblockedâ transaction. |
| ExportâControl Agencies (EAR, BIS) | 15â30âŻdays for a license request; can be longer if a âredâflagâ is raised. | Export license granted, denied, or conditional. |
| DataâPrivacy Regulators (e.g., EU DPAs, California Attorney General) | Varies; often tied to the completion of the transaction and postâmerger integration. | Requirement to conduct DPIAs, adopt privacyâbyâdesign measures, or in rare cases, block the transfer of data. |
Bottom line: Even if OneSpanâs acquisition is âsmallâ in dollar terms, the technologyâintensity and securityâcritical nature of the assets can trigger a broader set of reviews than a typical software purchase.
3. How these approvals could translate into delays or extra costs
| Potential delay source | Typical cost impact |
|---|---|
| Legal counsel & filing fees â preparing HSR filings, antitrust questionnaires, exportâcontrol license applications, and CFIUS reports can run $250âŻkâ$1âŻM for a midâsize deal. | |
| Regulatory consulting â privacyâimpact assessments, dataâmapping, and securityârisk analyses often cost $100âŻkâ$500âŻk. | |
| Mitigation measures â if a regulator demands divestitures, firewalls, or postâmerger compliance programs, implementation can add $5âŻMâ$15âŻM (e.g., building separate dataâprocessing environments). | |
| Extended timeline â a 30âday antitrust review is âbusiness as usual,â but a 150âday EU screening or a 120âday CFIUS review can push the close date out by 3â5âŻmonths. This can affect: ⢠Integration planning (e.g., productâroadmap alignment) ⢠Revenue forecasts (delayed crossâsell) ⢠Workingâcapital needs (longer financing). |
|
| Potential fines or penalties â if the acquisition proceeds without the required licences (e.g., exportâcontrol violations), penalties can be $10âŻMâ$30âŻM per breach, plus reputational damage. |
4. What the news tells us (and what it doesnât)
- What we know: The press release highlights the strategic rationaleâadding FIDO2 passwordâless authentication via NokâŻNok Labs. It does not mention any pending regulatory filings, approvals, or expected hurdles.
- What we can infer: Because the acquisition is framed as a âtargeted, technologyâdrivenâ move, OneSpan likely has already performed a preâclosing dueâdiligence assessment of the regulatory landscape. Companies in this space typically secure the necessary clearances before publicly announcing the deal, precisely to avoid surprise market reactions.
- What remains uncertain: The release does not disclose the size of the transaction, the jurisdictions of the parties, or whether any foreignâinvestment or exportâcontrol filings have already been submitted. Those details determine the depth of the regulatory review.
5. Practical takeâaways for stakeholders
| Stakeholder | Key considerations |
|---|---|
| Investors / Analysts | Expect a modest âregulatory risk premiumâ baked into the dealâs valuation. If the acquisition is under $500âŻM, antitrust scrutiny is usually light, but watch for exportâcontrol or CFIUS flags that could surface later. |
| Management | Ensure that all required licences (EAR, GDPRâcompliant dataâtransfer agreements, etc.) are in place before integrating the two product lines. Build a âregulatory firewallâ to keep authentication data separate if required by law. |
| Customers (especially in regulated sectors) | Look for any postâmerger communications about dataâprivacy or securityâpolicy changes. A wellâmanaged acquisition should preserve existing certifications (e.g., ISOâŻ27001, SOCâŻ2) and may even broaden compliance coverage. |
| Employees | Be aware that a âregulatory integrationâ team (legal, compliance, security) may be created, potentially requiring crossâfunctional collaboration and new reporting structures. |
6. Bottomâline answer to the question
Yes, regulatory approvals are typically required for a transaction that expands authentication capabilities through a technology acquisition. While the news release does not list any specific approvals, OneSpan will almost certainly need to:
- File antitrust/competition notices (e.g., HSR in the U.S., possible EU screening).
- Secure exportâcontrol licences for any cryptographic software that will be transferred across borders.
- Address dataâprivacy and security compliance (GDPR, CCPA, sectorâspecific rules) if personal or biometric data is involved.
- Potentially obtain foreignâinvestment clearance (e.g., CFIUS) if the deal is viewed as involving âcritical technology.â
These approvals can introduce both timeârelated delays (from a few weeks to several months) and tangible costs (legal, consulting, possible mitigation measures, and compliance program upgrades). The exact magnitude of the impact will depend on the transaction size, the jurisdictions of the parties, and the specific dataâhandling practices of NokâŻNok Labsâ authentication platform.
In practice, most midâsize tech acquisitions in this space are cleared within a 2â4âmonth window, but any unexpected regulator âredâflagââespecially around exportâcontrol or foreignâinvestmentâcould stretch the timeline and add $0.5âŻMâ$2âŻM (or more) in direct expenses. Proactive planning and early engagement with the relevant agencies are the best ways to mitigate those risks.
Other Questions About This News
How will the acquisition of NokâŻNok Labs affect OneSpan's revenue growth and margins in the upcoming quarters?
Will the acquisition affect OneSpan's current guidance or lead to any revision of its 2025 outlook?
Will OneSpan provide any guidance on earnings per share (EPS) and revenue targets for the rest of fiscal 2025 and 2026?
How has the stock historically reacted to M&A announcements in this sectorâwhat shortâterm price move can be anticipated?
What is the expected dilution, if any, from the acquisitionâare there new equity issuances or debt financing involved?
What is the expected impact of the acquisition on OneSpan's cash flow and capital expenditure plans?
What synergies and cost savings are expected from the NokâŻNok Labs acquisition, and when will they be realized?
How does the market price of OneSpan (OSPN) compare to its peers in the cyberâsecurity and authentication space?
Will the FIDO2 passwordless authentication products generate incremental recurring revenue, and what is the projected TAM for this technology?
What is the current shortâinterest and institutional ownership for OSPN, and how might that influence price volatility after the news?
How might the acquisition influence OneSpan's positioning in the broader identityâverification market and its competitive moat?
What is the expected impact on OneSpan's valuation multiples (P/E, EV/EBITDA) postâacquisition?
How does this acquisition compare to recent acquisitions by major competitors such as Duo, Okta, or Ping Identity?
What are the key risks and integration challenges associated with the NokâŻNok Labs acquisition (e.g., technology integration, customer retention, cultural fit)?