Thales and Gemalto just announced they were granted regulatory clearance by European Commission for the proposed acquisition of Gemalto by Thales. However, this clearance comes with a condition that Thales divests its nShield general purpose hardware security modules (GP HSM) business globally to a suitable purchaser. This condition is no surprise as Thales and Gemalto were already identified as the two largest manufacturers of general purpose HSMs, both in the European Economic Area (EEA) and at global level.
The European Commission, following Thales activities organization, establishes a clear separation between “General Purpose HSM” and “Payment HSM.” The GP HSM, an activity the company acquired from nCipher in 2008, targets applications such as identity and IoT. According to Thales, it generated around EUR 90 million in sales in 2017. The European Commission considers alternatives such as cloud-based HSMs do not constitute a suitable alternative to traditional GP HSMs.
On the other hand, the “Payment HSM” activity delivers HSM compliant with EMVCo and other payment standards, that are used to generate keys to secure payment systems: cards, applications, POS terminals, ATMS, … According to the European Commission, Gemalto has a more limited role in this market.
The remedies defined by the European Commission specify that “Thales [will] divest its global general purpose HSM business, marketed under the nShield brand, to a suitable purchaser, who will continue to develop the product. The purchase should have significant experience in a field closely related to HSMs and a good reputation among EEA customers.”
Transparency Market Research published a report on the Global Hardware Security Module (HSM) Market earlier this year that identified leading manufacturers on this market: Thales, Gemalto, Hewlett Packard Enterprise, Swift, Utimaco, IBM, Atos, Ultra Electronics, Futurex and Yubico. Transparency Market Research anticipates the total market for HSMs will reach US$ 5,932.4 million (EUR 5,220 million) by 2026, recording a CAGR of 11.5%.
Gemalto and Thales have now obtained nine out of the required fourteen security clearances. Besides the European Commission, the project is already approved by authorities of China and the CFIUS in the US, among others. Gemalto and Thales still need to receive a green light from authorities in Australia, Mexico, Russia and in the United States, as well as a clearance relating to foreign investments from the competent authority in Russia. Both companies expect to have completed this regulatory clearance marathon in Q1/2019, and to execute the merger project shortly afterwards.