Commissioner Margrethe Vestager, in charge of competition policy, said: “The importance of data security solutions to protect critical social, commercial or personal information is increasing. Today's decision allows the creation of a strong European player in this market, while still ensuring that the merger will not prevent customers from continuing to enjoy fair prices and innovative products. This is because we have approved the deal subject to Thales' offer of a strong remedy that will fully preserve competition on this important market.”
Today's decision follows an in-depth investigation of the proposed acquisition of Gemalto by Thales. The proposed transaction would combine the activities of Thales and Gemalto in general purpose hardware security modules (HSMs). These data security products are dedicated hardware appliances running on encryption software to generate, protect, and manage encryption keys used to protect data in a secure tamper-resistant module.
Thales and Gemalto are the two largest manufacturers of general purpose HSMs, both in the European Economic Area (EEA) and at global level.
The Commission's investigation
The Commission's in-depth investigation looked into:
- the extent to which the companies are close competitors;
- the potential response of the merged entity's competitors; and
- the ability of software-based solutions to reach the same security level as HSMs, and therefore compete with the latter.
During its in-depth investigation, the Commission gathered extensive information and received feedback from customers and competitors of Thales and Gemalto, as well as from other stakeholders.
Following the in-depth investigation, the Commission found that there are distinct product markets for (i) general purpose HSMs and (ii) payment HSMs, which are used to secure payment processing operations. The two products have different hardware and software requirements and are generally used to secure different types of operations.
As regards general purpose HSMs, the Commission found that the proposed merger would lead to very high combined market shares and would eliminate the competitive constraints that Thales and Gemalto currently exercise on each other. The Commission also found that cloud service providers offering cloud-based HSMs do not provide a strong competitive constraint on the market today and are not expected to do so in the near future. As a result, by reducing the number of players in the general purpose HSM market and by lowering the merged entity's incentives to compete effectively, the transaction as notified was likely to lead to higher prices, less choice for customers and less innovation.
As regards payment HSMs, the Commission concluded that the proposed merger was unlikely to have an impact on the level of service or prices because Gemalto has a more limited role in the market. The Commission also found that the merged entity will continue to face significant competition from other players active in that market.
The proposed remedies
To address the Commission's competition concerns, Thales offered to divest its global general purpose HSM business, marketed under the nShield brand, to a suitable purchaser, who will continue to develop the product. The purchase should have significant experience in a field closely related to HSMs and a good reputation among EEA customers.
The commitments fully remove the overlap between Thales' and Gemalto's activities on the market for general purpose HSMswhere the Commission had identified competition concerns.
Therefore, the Commission concluded that the proposed transaction, as modified by the commitments, would no longer raise competition concerns. The Commission's decision is conditional upon full compliance with the commitments.
Throughout its investigation, the Commission closely cooperated with other national competition authorities, in particular the US Department of Justice.
Companies and products
Thales, based in France, is a global group that designs and builds electrical systems and is active in aeronautics, space, ground transportation, defence and security systems.
Gemalto, based in the Netherlands, is an international digital security company active, among others, in mobile embedded software & products, smart cards, machine to machine communication (Internet of Things) and enterprise security.
Merger control rules and procedures
The transaction was notified to the Commission on 18 June 2018.
The Commission has the duty to assess mergers and acquisitions involving companies with a turnover above certain thresholds (see Article 1 of the Merger Regulation), and to prevent concentrations that would significantly impede effective competition in the EEA or any substantial part of it.
The vast majority of notified mergers do not pose competition problems and are cleared after a routine review. From the moment a transaction is notified, the Commission generally has 25 working days to decide whether to grant approval (Phase I) or to start an in-depth investigation (Phase II).
There are currently seven on-going phase II merger investigations: the proposed acquisition of VDM by Aperam, the proposed acquisition of Embraco, Whirlpool's refrigeration compressor business, by Nidec, the proposed acquisition of certain Liberty Global assets by Vodafone, the proposed creation of a joint venture by Tata Steel and ThyssenKrupp, the proposed acquisition of Aurubis Rolled Products and Schwermetall by Wieland, the proposed acquisition of Alstom by Siemens and the proposed acquisition of Solvay's nylon business by BASF.