The Six-Area Checklist for M&A Economic Security Due Diligence | Buyer and Seller Playbook After the Makino Milling Case [2026 Edition]

Hello, this is Hamamoto from TIMEWELL.

On April 22, 2026, the Japanese government issued an order halting MBK Partners' proposed acquisition of Makino Milling Machine. This is the first time a stop order has been issued against inbound foreign direct investment since the 2017 amendment to the Foreign Exchange and Foreign Trade Act (FEFTA). The rationale centered on the concern that the company's high-performance machine tools could be diverted to military use, and that procurement and sales information contained sensitive content.

This single case has changed M&A practice significantly. The assumption that a deal will proceed as long as financial and legal DD are completed is gone. We have entered an era in which a transaction can collapse on the eve of closing if it fails "security-type DD." Buyers need to prepare, and so do sellers. Without understanding in advance how their own technology and customer information will be evaluated from an economic security perspective, sellers may find themselves unable to even reach the negotiating table.

What practitioners have been rapidly calling "economic security due diligence" in 2026 deserves a structured read. Here I lay out how it differs from traditional DD, the six domains that must be reviewed, and the practical priorities for buyers and sellers.

What Is Economic Security DD? The Decisive Difference From Conventional M&A DD

Economic security due diligence (hereafter "security DD") is the set of procedures used to assess whether the target company's technology, customers, suppliers, personnel, and licenses come into conflict with national security regulations across jurisdictions. Traditional DD centers on six areas — financial, legal, tax, business, HR, and IT. Security DD is now added as a seventh.

The critical point is that security DD looks at the deal through a fundamentally different lens. Legal DD evaluates risk under corporate law and contract law. Security DD evaluates risk created by inter-state regulation. Even if the target company has done nothing unlawful, it may still be non-compliant under export controls, or the fact that the buyer is a foreign investor may itself trigger a FEFTA notification requirement. The distinguishing feature is that risks surface independently of the target's own intent.

The contrasts between conventional DD and security DD can be summarized as follows.

• Evaluation axis: Legal DD asks about "breach of contract or hidden liabilities"; security DD asks about "export suspension or deal-block risk"
• Enforcing party: Legal DD looks at counterparties or litigants; security DD looks at the Japanese government, the US BIS, MOFCOM, and similar regulators
• Timing of exposure: Legal DD surfaces issues at signing or in later audits; security DD surfaces issues during closing review or end-user screening at shipment
• Scope of review: Legal DD focuses on contracts and minutes; security DD covers technical specifications, customer lists, and personnel nationality and background
• Severity of sanctions: Legal DD leads to monetary damages; security DD can lead to export suspension, deal blocks, and criminal liability for executives

If you treat security DD as a mere extension of legal DD without grasping these differences, your counsel will end up reviewing contracts alone and will miss the actual condition of technology management and customer screening. The reason the Makino Milling deal passed the reviews of both the US and China and was ultimately halted by Japanese FEFTA review is that Japan assessed the "sensitivity of procurement and sales information" on its own terms. Because every jurisdiction has its own evaluation axis, confirming legality in a single country is no longer sufficient.

Across the acquisitions I have supported, acquiring a company that handles machine tools, semiconductor manufacturing equipment, optical instruments, specialty materials, or telecommunications equipment almost always requires prior notification under FEFTA's core-business regime. Even non-manufacturers may fall under US EAR if they handle AI or cloud services, and the classification alone can take two to three weeks. The new standard in 2026 is not to defer security DD but to finish identifying the key issues before signing the LOI.

The Six Domains You Must Review: Technology, Customers, Suppliers, Personnel, Licenses, and Regulation

Security DD covers six domains. Missing any one of them creates a structural risk of failure at closing review, so initial evaluation before the LOI should at least cover the following framework.

First, technology. You identify whether the target's products, design data, and in-development technologies are listed on Appendix 1 of Japan's Export Trade Control Order and how they are classified under US EAR ECCN numbers. As of 2026, particular caution is required around AI-related technology, advanced semiconductor manufacturing equipment, quantum technology, and bio-related fields. The US, EU, and Japan are moving in concert to tighten controls in these four areas. For machine tool companies like Makino Milling, five-axis machining centers and precision grinders are typical sensitive items.

Second, customers. You compile a list of transactions over the past three years and check them against the US Entity List, Unverified List, Denied Persons List, Japan's Foreign End User List, and EU sanctions lists. In February 2026, MOFCOM added 40 Japanese companies to its export control list and watchlist, so companies with high revenue exposure to China must also evaluate risk in the opposite direction.

Third, suppliers. If the target relies heavily on China for critical minerals or rare earths in its parts or raw materials, it may fall outside US or European procurement criteria. If the target is embedded in the supply chain of Tesla, Apple, or a US defense prime, there may be contractual triggers that remove them from the supply chain depending on the buyer's nationality.

Fourth, personnel. You check whether the R&D organization employs nationals from countries of concern — China, Russia, North Korea, Iran — and whether they have access to sensitive technology. Under FEFTA's "deemed export" concept, providing technology domestically to foreign nationals is treated the same as exporting it, making the design of internal access rights a subject of regulatory review.

Fifth, licenses. You verify the current scope of general bulk licenses, special general bulk licenses, and specific bulk licenses, the status of internal compliance program (CP) approvals, and whether any of these will lapse following post-closing organizational changes. When the buyer is foreign-controlled, licenses often need to be re-obtained, and the six-month to one-year waiting period can directly impact revenue.

Sixth, regulation. You run an end-to-end check covering FEFTA prior notification requirements, CFIUS filing requirements, China's antitrust notification thresholds, the EU FDI Regulation, and — for e-commerce companies — GDPR compliance. In March 2026, a FEFTA amendment bill often called "Japan's CFIUS" was submitted to the Diet. Indirect acquisitions are expected to fall within the scope of review within one year of promulgation.

Which of the six domains deserves the most emphasis depends on the target's industry, but technology and customers are mandatory for every deal. Even when those two come up clean, we are seeing more cases caught on personnel nationality composition or license lapse risk, so I recommend covering all six in the initial screen rather than cutting corners.

The Buyer's Playbook: Verifying EAR/ECCN Classifications and Entity List Exposure

The buyer's security DD revolves around two axes: not inheriting a liability the target has built up, and proving to regulators that the buyer itself is the kind of party that can pass closing review. Get the order wrong and even a clean target will not save you — your own issues will stop the deal.

Starting with the target-side review, the first task is verifying ECCN self-classifications. For every product manufactured by the target, check whether an ECCN number based on the US Commerce Control List has been assigned and whether the underlying technical specifications are organized. If there are any products with undetermined ECCN numbers, confirm whether a formal classification request has been filed with the Bureau of Industry and Security (BIS); if not, examine whether the rationale for skipping the filing is reasonable.

Next, review the track record of Entity List screening. Check whether the target has transacted with any Entity List-designated company within the past three years, and where such transactions did occur, trace the listing status at the time, the response after listing (shipment suspension, contract termination, notifications to METI or BIS), and the timeliness of the response. In the wake of the Makino Milling case, the Japanese government is weighing this information more heavily in its reviews, and the adequacy of prior violation responses now feeds directly into the post-acquisition structural assessment.

Once the target has been evaluated, the buyer turns the mirror on itself. The following points should be inventoried on the buyer side.

• Presence of US subsidiaries and the US-dollar funding path for the acquisition
• Any EAR violations, fines, and remedial actions in the past five years
• Nationality composition of the buyer's board and capital ties to countries of concern
• Governance design for post-closing officers accessing the target's sensitive technology
• Post-closing export control structure (CP integration, internal audit cadence, training programs)

By attaching these materials to the DD report, you can show reviewers under FEFTA, CFIUS, or China's antitrust process that "this buyer can manage the sensitive technology appropriately." In the MBK Partners-Makino Milling case, reporting suggests that the nationality composition of the fund's managers and the structure of its investors were treated as concerns — an indication that buyer-side transparency is being tested more severely than ever.

In practice, the standard flow is to run a 30-item checklist before signing the LOI as an initial screen, and then expand to a deeper review of 100+ items during the detailed DD phase after exclusivity is granted. Skip the initial screen and you risk discovering three months into detailed DD that the deal simply cannot clear FEFTA at all. I have seen multiple cases in which advisory fees in the tens of millions of yen were wasted because this initial judgment was neglected.

The Seller's Playbook: Carving Out Sensitive Technology and Designing the Disclosure Envelope

Security DD for sellers is built on a fundamentally different logic from the buyer side. Where the buyer focuses on not inheriting liabilities, the seller has to design phased disclosure: how to protect valuable technology while still revealing enough for the deal to move forward.

The first step is carving out sensitive technology. Even in a whole-company sale, there are cases where certain technologies or business lines must be excluded from the sale for economic security reasons. Specifically, projects for the Japanese Ministry of Defense, product lines listed on the military control list, and businesses operating under bulk licenses for exports to countries of concern should be evaluated for separation depending on the buyer's nationality. In carve-out M&A, splitting the triad of technology assets, personnel, and contracts is intrinsically difficult, and the interdependence with IT systems and the transferability of license agreements add further complication.

The second step is designing the disclosure envelope. Without a pre-built mechanism for phased release, confidential information can leak while multiple bidders are still in the picture, and sensitive technology may reach competitors by the time the auction concludes. The common phasing is: phase one, information memorandum (IM) level with product families and revenue composition; phase two, detailed financials and the industries of major customers after bid prices are submitted; phase three, technical specifications and customer names via VDR after exclusivity is granted.

Information partitioning inside the VDR is equally important. When adopting a clean-team arrangement, the buyer's officers and employees are walled off from specific categories of information, and only outside counsel and the financial advisor retained by the buyer can access those folders. For companies in FEFTA core-business sectors, allowing a foreign buyer to access non-public technical information before filing prior notification can itself constitute a violation, so legal and export control teams must co-design the clean-team structure.

One factor sellers often overlook is key-person retention. If researchers or designers who own the sensitive technology leave during the acquisition, the post-closing business continuity itself is at risk. Retention bonuses, refusal rights over overseas assignment, and renewed confidentiality obligations should all be locked in as conditions for staying. If the seller fails to arrange this, the buyer's valuation drops.

Looking back at Makino Milling in April 2026, what stands out is that the halt order was issued while the target's board was already supporting the TOB. At the point the seller chose its white knight, it likely had a scenario for clearing the US and Chinese reviews but could not fully anticipate what would become contentious under Japan's FEFTA review. The lesson is that sellers must independently assess "can this buyer pass Japanese government review?" from the very start of buyer selection. Seller-side security DD has become a task to embed into the buyer selection process, not to append afterwards.

Streamlining Export Control Checks in M&A DD With TRAFEED

The biggest bottleneck in security DD is the sheer time required for classification and screening of technology and customers. Traditionally, in-house export control staff had to cross-reference product catalogs against Appendix 1 of the Export Trade Control Order and screen customer lists against each country's sanctions lists one by one — often thousands of entries at a time. In an M&A process, this work must fit the normal DD schedule, and absurd requests such as "screen 10,000 customer records in two weeks" are routine.

This is where TRAFEED (formerly ZEROCK ExCHECK) earns its place. TRAFEED is the world's first production-grade export control AI agent. It delivers end-to-end automation of METI-aligned classification decisions and cross-list customer screening that covers the US Entity List, EU Sanctions List, UN sanctions lists, and Japan's Foreign End User List. Its greatest strength is absorbing the surge in screening requests during DD without adding headcount.

There are three main use cases in M&A DD. First, bulk upload of the target's product catalog to automate ECCN and Export Trade Control Order classification — even with product lines that span thousands of SKUs, initial classifications are ready in a few days. Second, ingesting the target's customer data to run five years of transaction history against each country's sanctions lists in a single pass — multilingual support makes it possible to identify counterparties accurately even when their names are in Chinese or Korean. Third, running a gap analysis between the buyer's and the target's compliance programs ahead of post-closing integration.

Because TRAFEED runs on domestic AWS infrastructure inside Japan, the sensitive information handled during DD stays within the Japanese jurisdiction. When the target handles defense-related work or advanced technology, putting information on US or Chinese clouds is often not an option, and in-country operation becomes a practical requirement.

At TIMEWELL, we also offer short-term plans scoped specifically to the DD period. Once closing is complete, the buyer can switch to regular operation — many customers move from a DD-focused sprint plan into ongoing use. The ability to quantify the kind of block-order risk seen in the Makino Milling case, in advance, is finally available at an accessible price point.

Summary: A 2026 M&A Preparation Checklist

From 2026 onward, standard M&A practice runs security DD in parallel with the conventional six-discipline DD. To close, here is a checklist of items that both buyers and sellers should complete before the LOI.

• Run ECCN and Export Trade Control Order Appendix 1 classifications for all of the target's products
• Screen three years of customer history against each country's sanctions lists and map any hits over time
• Inventory the nationality composition of R&D personnel and their access rights to sensitive technology
• Summarize FEFTA core-business applicability, CFIUS filing requirements, and China antitrust thresholds in a single register
• Prepare disclosure of the buyer's five-year record of export control violations, fines, and remedial actions
• Decide whether to carve out sensitive technology and design the clean-team arrangement inside the VDR
• Plan the post-closing integration of export control systems, assess CP transfer, and quantify license lapse risk

The April 22, 2026 halt on Makino Milling drove home a simple fact: in Japanese M&A practice, deals really do get stopped by security review. The sequence — clear US, clear China, and then stop at home — demonstrates that each jurisdiction's review runs on an independent axis, and that confirming legality in a single country is not enough.

Economic security DD is no longer a concern reserved for mega-deals or cross-border transactions. Any M&A involving a target with sensitive technology is in scope, regardless of size. Start by inventorying your own technology and customers and completing classification. Then evaluate in advance whether your buyer candidates, including the nationality of their capital and management, can pass regulatory review. With these two steps in place, the risk of a deal collapsing at the eleventh hour drops sharply.

For deeper background, see the related articles below.

• What Does the Halt on Makino Milling's Acquisition Mean? The First-Ever Use of FEFTA and the Strength of Japan's Machine Tool Industry (2026 Update)
• China Adds 40 Japanese Companies to Its Export Control List | Latest Developments in Japan-China Export Controls and Practical Response

If you would like to discuss DD efficiency gains with TRAFEED, or the integration of export control systems after closing, please reach out via the contact form.

References

• Nikkei, "Government Orders Halt to Makino Milling Acquisition by Asian MBK on National Security Concerns," April 22, 2026
• Nikkei, "Machine Tools and the Lesson of Toshiba-COCOM: Blocking Technology Leaks in the Makino Milling Halt Order," April 23, 2026
• Nikkei xTECH, "Halt Order on the Makino Milling Tender Offer: Sensitive Information in Procurement and Sales," April 23, 2026
• Bloomberg, "Government Orders Halt to MBK's Makino Milling Acquisition on National Security Concerns," April 22, 2026
• Baker McKenzie, "Japan: Foreign Direct Investment Regulations Anticipated to be Amended to Include CFIUS-like Framework," April 1, 2026
• Freshfields, "Japan's Foreign Investment Regime Gets Sharper Teeth," 2026
• The Japan Times, "Government Adopts Bill to Establish CFIUS-like Body in Japan," March 17, 2026
• METI, "Investment Management"
• JETRO, "China Lists 40 Japanese Companies and Organizations on Export Control and Watch Lists," February 2026
• CISTEC, "Introduction to US Re-Export Controls"