The European Commission seeks stakeholders’ feedback until 18 November on its proposal to define cross-border projects in the field of renewable energy generation that would be eligible to receive EU funding under Connecting European Facility instrument.

In July 2021, the European Union adopted its Connecting Europe Facility (CEF) program for the period 2021-2027 worth EUR 33.71 billion to fund the development of high-performing infrastructures in the transport, energy and digital sectors.

Out of the CEF program devoted to energy (EUR 5.83 billion), 15% (EUR 875 million) is earmarked for a new category of eligible projects, namely ‘cross-border projects in the field of renewable energy’, including for instance the generation of renewable energy from on- and offshore wind, solar energy, sustainable biomass, ocean energy, geothermal energy, or combinations thereof, their connection to the grid and additional elements such as storage or conversion facilities.

The Commission is now consulting stakeholders on its draft delegated act aiming at laying down the specific selection criteria and selection procedure of cross-border projects in the field of renewable energy. The consultation closes on 18 November, at midnight.

The proposed procedure may be seen as a fastidious process without guarantee for promoters that their selected projects will be funded under the CEF. In this respect, the Commission stresses that a promoter may wish to apply for the status of cross-border project in the field of renewable energy but not for CEF funding. That status must indeed be seen as a ‘quality label’ of a project, allowing promoters to obtain appropriate financing on the market, or from Member States. In this context, the CINEA (European Climate, Infrastructure and Environment Executive Agency) has already launched a call for proposals open until 30 November 2021 and making available EUR 1 million to support preparatory studies for projects before they are included in the Union list of cross-border renewable energy projects.

Companies who plan to develop cross-border projects in the field of renewable energy within the EU may wish to give their views to the Commission on the selection criteria and the selection process. They may also envisage applying for grants for their studies to identify and develop such projects.

Covington has a dedicated team with significant experience to help you structure your EU energy projects, from an early stage. We can help you draft a response to the consultation – something we do frequently on a range of issues – and later, design your project and its funding under CEF, EU State aid law, energy regulation, public contracting, project finance. Our team includes Carole Maczkovics, who has cutting-edge expertise in State aid law, regulation and public contracts, particularly in the energy sector, and Cándido García Molyneux, who has deep knowledge of EU requirements on renewable energies and helps clients influence EU legislation and guidance. Visit our website to learn more about our Energy and Project Development and Finance teams.

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.”   The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.

On Thursday, November 4, 2021, the Department of Defense (DoD) filed an Advanced Notice of Proposed Rulemaking (ANPRM) on Version 2.0 of the Cybersecurity Maturity Model Certification (CMMC).  The notice will published in the Federal Register on November 5, 2021.  DoD also provided a release regarding the enhanced CMMC 2.0.  We have discussed previous versions of the CMMC in earlier blog posts, and the changes discussed in this ANPRM represent a significant departure from those versions.

DoD’s announcement explains “the way forward” for the latest version of the CMMC.  The previous version, CMMC Version 1.0, was designed to protect the defense industry from malicious cyber actors threatening the security of federal contract information and controlled unclassified information (CUI).  CMMC Version 1.0 measured cybersecurity maturity at one of five levels, and required compliance with both “practices” (i.e., technical controls) and “processes” (i.e., measures of implementation).  CMMC Version 1.0 also included third-party certification requirements to ensure that defense contractors adopted these mandatory processes and practices, including those sufficient to protect CUI at Level 3 and above.  DoD had previously taken the position that compliance with the CMMC model represented effective safeguarding measures to protect information crucial to the Department’s mission and priorities.

Although CMMC 2.0 will remain generally consistent with DoD’s previously stated information safeguarding priorities, the ANPRM indicates that DoD will conduct two rulemakings—one in title 32 CFR (National Defense) and the other in title 48 CFR (the Federal Acquisition Regulation and agency supplements, including the Defense Federal Acquisition Regulation Supplement)—to implement a series of changes in the CMMC framework.  DoD has suspended the CMMC piloting efforts that began in December 2020 and will not approve inclusion of a CMMC requirement in DoD solicitations until rulemakings relating to CMMC 2.0 are effective.

The new CMMC Version 2.0 will include several modifications relative to the prior version.  According to Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, these modifications “establish[] a more collaborative relationship with industry,” and “will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.” Modifications include:

  • Elimination of Levels 2 and 4 of the prior model. DoD has previously only referred to Level 2 as a step-stone to Level 3 and has grouped Levels 4 and 5 together as means to protect particularly sensitive information that may be the subject of advanced persistent threats.  Elimination of these Levels leaves contractors with only three levels of compliance, depending on the sensitivity of the information and the nature of the work that they perform:  Level 1 (the minimum necessary to protect Federal Contract Information), Level 3 (the minimum necessary to protect CUI), and Level 5 (the minimum necessary to protect CUI that may be the target of advanced persistent threats).
  • Bifurcation of Level 3 requirements to require independent assessment only for “prioritized acquisitions” and self-assessments for other procurements, and allowing for self-assessments for all contracts at Level 1. These are particularly notable changes, as DoD had previously required third party assessment at all certification levels.  Given the limited number of authorized third party assessors to date, this change will likely allow DoD to be significantly less constrained by the availability of assessors as CMMC is rolled out.
  • Development of a time-bound, enforceable Plan of Action and Milestone process (“POA&M”) and development of a time-bound waiver process. These changes are also notable, as DoD previously indicated that a significant driver of its shift to the CMMC model was to move contractors away from reliance on POA&Ms and to require contractors to achieve full implementation of required security controls in order to perform work on DoD contracts involving sensitive information.  As DoD did not elaborate on exactly how reliance on POA&Ms and a potential waiver process would function, further development of regulations in this area are likely to be of keen interest to contractors.  But it seems clear that DoD will want insight into contractors’ progress against their POA&Ms.
  • Elimination of “CMMC-unique practices and all maturity processes from the CMMC Model.” Although it is unclear what DoD considers to be “CMMC-unique” practices, this change could signal a shift, at least at the Level 3 and Level 5 certification levels, to remove those controls that were incorporated into the prior version of the CMMC model that were not included in the 110 security controls in NIST SP 800-171 (Level 3), NIST SP 800-53 (Level 5), or NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI).  Additionally, removal of the maturity processes requirement could significantly simplify the requirements to achieve certification, shifting the focus away from documentation and towards technical implementation of required controls.

Overall, the proposed changes are a notable simplification of the CMMC model relative to Version 1.0 and represent a model that is much closer to existing requirements that contractors must comply with.  Given the significance of the changes, and questions that remain unanswered about how CMMC Version 2.0 will operate in practice, DoD contractors should consider whether to participate in the rulemakings that will accompany CMMC 2.0.  DoD explained that it would solicit public comments in connection with its title 32 CFR rulemaking establishing the CMMC 2.0 program and the subsequent title 48 CFR rulemaking establishing contractual requirements consistent with the new model.

If there is a silver lining to most crises, the accelerated move toward digitized commerce globally and in Africa may be one positive outcome of the COVID-enforced lockdown. It is welcome news there that the South African Minister of Communications and Digital Technologies (“Minister”) published the Draft National Data and Cloud Policy (in Government Gazette no. 44389) (“Draft Policy”) for public comment. The Draft Policy seeks to create an enabling environment for the provision of data and cloud services in an effort to move “towards a data intensive and data driven South Africa” that ensures social and economic development and inclusivity. The Draft Policy affects a few key areas, which we briefly highlight below.

The objectives of the Draft Policy are to:

  • Encourage universal access to broadband connectivity, along with access to data and cloud services;
  • Eliminate regulatory barriers and enable competition in the data and cloud sector;
  • Implement effective measures to ensure the security of cloud infrastructure;
  • Create institutional mechanisms to govern data and cloud services;
  • Support the development of small, medium, and micro enterprises (“SMMEs”);
  • Promote research, innovation, and technological developments in relation to cloud;
  • Increase the government’s capacity to deliver relevant data and cloud-based services to the public;
  • Promote data sovereignty and security with respect to South African data; and
  • Encourage alignment with the Fourth Industrial Revolution (“4IR”), the OECD Framework and standards adopted by the European Union.

Draft Policy proposal relating to digital infrastructure

The Draft Policy recognizes that digital transformation in South Africa relies upon further developing electronic communication networks, mobile communication networks, and cloud and data infrastructure services in the country.

In relation to universal access and service delivery obligations, the Draft Policy recommends a government-backed digital platform and for all South African citizens to be provided with an online identity in order to receive services more easily.

The Draft Policy discusses the need for a Wireless Open Access Network (“WOAN”) “to extend the digital infrastructure footprint and services” across the country. The Draft Policy also refers to various measures to ensure the deployment of electronic communication infrastructure, which will help to bridge the digital divide by ensuring universal access to cloud and data infrastructure services for all South Africans.

The Draft Policy also proposes that existing networks of state-owned enterprises, such as Sentech and Broadband Infraco, be consolidated to form a State Digital Infrastructure Company (“SDIC”), which will provide network connectivity for the State.

Draft Policy proposal relating to cloud computing infrastructure

The Draft Policy also highlights the need to process data using cloud computing infrastructure and makes provision for pliable data storage architecture and the purchase of capacity from cloud service providers.

The Draft Policy highlights the importance of cloud services and their ability to enhance the potential of 4IR technologies (e.g. blockchain, the Internet of Things (“IoT”) and artificial intelligence (“AI”).

In order to leverage the full potential of the South African economy through digital technologies, the Draft Policy proposes that a Digital Transformation Centre (“DTC”) act “as a catalyst to lead Digital South Africa”.

In addition, the Draft Policy proposes the establishment of a High-Performance Computing and Data Processing Centre (“HPCDPC”) for the purpose of managing cloud computing capacity for the State and its functionaries, universities, research centers and South African registered business, and to provide user-on-demand cloud services for the State and its functionaries .

The Draft Policy specifically provides that investment in data centres will be centralised in large metropolitan areas in South Africa, like Gauteng, KwaZulu-Natal and the Western Cape. Further, the Draft Policy proposes supporting local and foreign investment in data and cloud infrastructure and services by establishing a digital or ICT ‘Special Economic Zone’ (“SEZ”).

Draft Policy proposal on data protection, data localization and cross border data transfers

The Draft Policy states that the processing of personal data or personal information, specifically metadata (for example, IP addresses), must be compliant with applicable laws like the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Promotion of Access to Information Act 2 of 2000 (“PAIA”), and international best practice (such as the General Data Protection Regulation (“GDPR”) in the European Union).

There are currently no data localization requirements in South Africa (under POPIA or otherwise). However, the Draft Policy seeks to impose data localization requirements and defines data localization as the “…requirements for the physical storage of data within a country’s national boundaries, although it is sometimes used more broadly to mean any restrictions on cross border data flows”.

On the issue of data localization, the Draft Policy provides inter alia that:

  • Data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled.
  • Ownership and control of personal information and data shall be in line with the POPIA.
  • The Department of Trade, Industry and Competition through the Companies and Intellectual Property Commission (“CIPC”) and the National Intellectual Property Management Office (“NIPMO”) shall develop a policy framework on data generated from intellectual activities including sharing and use of such data.

Draft Policy proposal on cybersecurity measures

The Draft Policy proposes that the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) be reviewed to align with cybersecurity policy and legislation.

Interestingly, the Draft Policy does not mention the Cybercrimes Act 19 of 2020, which is now an official Act of Parliament. The Cybercrimes Act aims to established a comprehensive cybersecurity framework and provides for the criminalisation of a broad range of cyber-related crimes. The date on which the Cybercrimes Act comes into force is yet to be announced.

Nevertheless, the Draft Policy proposes the establishment of a National Cybersecurity Policy Framework (“NCPF”) which, together with other policies, legislation and international best practice, will provide guidance as to cybersecurity initiatives and measures, and will be reviewed from time to time to ensure that the NCPF is responsive to cybersecurity threats and risks.

In addition, the Draft Policy proposes that the government develop and implement cybersecurity awareness initiatives to educate the public.

Next steps

Upon finalization of the Draft Policy, it will apply to all levels of government (i.e. national, provincial and local authorities); state-owned entities, the private sector (i.e., multi-national entities seeking to invest in the digital infrastructure of South Africa); and the general public.

For further information, please reach out to Witney Schneidman at, Deon Govender at, Dan Cooper at, Mosa Mkhize at or Shivani Naidoo at

This post can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.

  •  On September 30, 2021, President Andrés Manuel López Obrador presented to Congress a constitutional reform of the electricity sector which modifies three articles of the Mexican Constitution (25, 27 and 28), reversing key parts of the 2014 energy reform that opened the sector to private investment. The congressional debate and vote on the reform are scheduled to take place as early as mid-November.
  • If it passes in its current form, the reform would have serious implications for companies with investments in Mexico’s electricity sector. Foreign investors in this sector should assess options they may have under Mexico’s trade and investment treaties to seek potential remedies for adverse impacts.
  • Recent preliminary analysis by the U.S. Department of Energy concludes that implementation of the reform in its current form would increase Mexico’s greenhouse gas emissions and result in higher generation costs, making Mexico a less competitive jurisdiction for investment.[1]
  • Politically, the President’s move could also have implications beyond the energy sector by dividing the opposition coalition in the run-up to the 2024 elections.

Since the beginning of his administration, President López Obrador has sought to strengthen the role of the sate-owned Comisión Federal de Electricidad (CFE) in providing electricity and regulating the market.  Earlier in 2021, the Mexican Congress approved reforms to the Electricity Industry Law, but implementation was blocked by the courts.  The constitutional reform is designed to skirt similar judicial intervention and would imply a major change in the medium and long term outlook for the sector.

The proposed constitutional reform is intended to: maintain CFE’s participation in the market at 54%  by limiting private generators to 46%; change the current dispatch regime in favor of CFE instead of the lowest-cost power generators (often private actors); cancel electric generation permits, power purchase agreements, self-supply contracts and Clean Energy Certificates for private and public electricity generators; eliminate the country’s independent energy regulatory agencies (the Comisión Nacional de Hidrocarburos or CNH and Comisión Reguladora de Energía or CRE); and have the National Center for Energy Control (CENACE) be absorbed by the CFE.

The Constitutional reform would also impact the production of lithium from Mexican deposits, requiring the minerals’ future production and exploitation be reserved for the State.


  • Passing the constitutional reform will be an uphill, but not impossible, battle for the President. His legislative coalition falls short of the two-thirds majority needed in the Mexican House and Senate to pass constitutional amendments.
  • In the House, Morena and its allies need 334[2] votes for the qualified majority necessary to pass the reform, assuming all legislators are present. The Green Party (PVEM), one of Morena’s key allies in the house, to date has not shown a clear position toward the electricity reform.
  • In the opposition bloc, the center-right PAN, the center-left PRD, and Movimiento Ciudadano have adamantly opposed the reform. The PRI however may be partly in play, even though the PRI introduced and passed the 2014 energy reform that opened the sector to private investment.  PRI leadership has not publicly rejected Morena’s effort and instead is proposing to convene experts to analyze the details of the proposed reform.  Those opposed to the reform fear that the PRI could separate themselves from the opposition bloc, increasing the chances that some form of the bill could pass.
  • In Mexico’s Senate, where the President’s party also lacks a qualified majority, the path looks more difficult. The PRI holds 13 votes out of 128 total in the Senate, of which 85[3] are needed to enact the reform, assuming all senators are present at the time of the vote.  A few PRI senators have publicly rejected the reform in its current form.  However, on September 27, five Senators (three from the President’s coalition) banded together to create a new group, and they could make the difference if they align on this reform.
  • The congressional debate and vote for the reform are scheduled to take place as early as mid-November, after the discussion and vote for the 2022 federal budget takes place.
  • The Constitutional reform would also need to be approved by a majority (50%+1) of state legislatures (e., 17 states). President López Obrador’s coalition controls 20 of the country’s 32 State legislatures and holds the governor’s office in 16 states.


Political Implications in Mexico

  • The outcome of the political debate on this constitutional reform will set an important precedent for other reforms planned by President López Obrador and his party. These other reforms may encompass fundamental changes to the electoral system, including opening debate on the autonomy of the country’s widely respected electoral institution and changes to Mexico’s security institutions, including further strengthening the role of the uniformed military over Mexico’s security structure.
  • The future of the opposition bloc going into the 2024 presidential election likely depends on their united position toward the electricity bill. Divisions over the bill could fracture the opposition alliance heading into those elections and key state races that will be decided concurrently.


  • Should the reform be implemented, Mexico could face challenges from foreign investors under its international trade and investment treaties that allow investors to initiate arbitration directly against the government. For example, recourse to arbitration is available to investors of ten countries that are party to the Comprehensive and Progressive Trans-Pacific Partnership (“CPTPP”).
  • Similarly, U.S. investors could potentially file arbitration claims under the S.-Mexico-Canada Agreement (“USMCA”), which provides enhanced protections for certain investors in the “power generation” sector. Potential claims could also be made by U.S. and Canadian investors under the North American Free Trade Agreement (“NAFTA”), which—although superseded by the USMCA—retains the option for investors to initiate arbitration proceedings for qualifying “legacy” investments until July 1, 2023. NAFTA contains exceptions specific to the energy sector that are not contained in the USMCA that may affect such claims.
  • Foreign investors in the Mexican electricity sector should assess whether they may pursue arbitral remedies under Mexico’s investment treaties and how potential domestic litigation in Mexico may affect access to those remedies.
  • In addition to investment arbitration, Mexico could also be subject to treaty challenges by other countries, which could claim that the reform violates other obligations, including—for example—provisions in the USMCA or CPTPP regarding state-owned enterprises.
  • By eliminating Clean Energy Certificates, the reform would eliminate Mexico’s most important mechanism for the reduction of greenhouse gas emission at the domestic level; this mechanism was included within the nationally determined contribution under the Paris Agreement. According to recent preliminary analysis by the U.S. Department of Energy, Mexico’s greenhouse emissions could increase by as much as 65 percent as well as raising costs for the generation of electricity. Both impacts would make Mexico a less competitive jurisdiction for foreign investment.


[2] Considering that there are 500 legislators in the House, 334 votes are required to reach a qualified majority – or a smaller number, depending on the total number of attendees at the session.

[3] Or a smaller number depending on the senators present in the plenary session.

On 27 October 2021, the U.S. Food and Drug Administration (“FDA”), Health Canada, and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (“MHRA”) (together the “Regulators”) jointly published 10 guiding principles to inform the development of Good Machine Learning Practice (“GMLP”) for medical devices that use artificial intelligence and machine learning (“AI/ML”).


AI and ML have the “potential to transform health care” through their ability to analyse vast amounts of data and learn from real-world use.  However, these technologies also pose unique challenges, given their complexity and the constantly evolving, data-driven nature of their development.  The Regulators formed the guiding principles to “help promote safe, effective, and high-quality medical devices that use . . . AI/ML” and to “cultivate future growth” in this fast paced field.

The Regulators predict that the guiding principles could be used to: (i) adopt good practices from other sectors; (ii) tailor these practices to the medical technology/healthcare sector; and (iii) create new practices specific to the medical technology/healthcare sector.  The Regulators expect these joint principles to inform broader international engagements as well.

The 10 Guiding Principles

 The guidance published by the Regulators set out the 10 principles in full; however, in short, they recommend:

  1. Leveraging multi-disciplinary expertise throughout the total product life cycle
  2. Implementing good software engineering and security practices
  3. Ensuring clinical study participants and data sets are representative of the intended patient population
  4. Making training data sets independent of test sets
  5. Basing selected reference datasets upon best available methods
  6. Tailoring the model design to the available data and ensuring it reflects the intended use of the device
  7. Placing focus on the performance of the human-AI team
  8. Ensuring testing demonstrates device performance during clinically relevant conditions
  9. Providing users with clear, essential information
  10. Monitoring deployed models for performance and managing re-training risks

These principles cover the entire life cycle of devices with the aim of ensuring safety and efficacy.  The Regulators have focused on use of appropriate datasets and carrying out sufficient testing before marketing AI/ML-based devices.  These guiding principles set out an ongoing recommendation to manage risks, which will involve monitoring and potentially re-training AI/ML-based devices after deployment.

These principles are merely a starting point.  The Regulators stated, “[a]s the AI/ML medical device field evolves, so too must GMLP best practice and consensus standards.”

Possible Impact & International Considerations

AI and ML are clearly top priorities from a global health regulatory perspective.  The Regulators expect this collaboration to lead to further and broader international collaborative work.  As noted above, the Regulators expect these guidelines to evolve and emphasize the importance of “strong partnerships with [their] international public health partners.”

As one example, the guiding principles identify areas of possible collaboration for the International Medical Device Regulators Forum (“IMDRF”), international standards organizations, and other collaborative bodies.  These areas include “research, creating educational tools and resources, international harmonization, and consensus standards.”

This collaboration is important as it follows on from the individual work each agency has been doing in this space.  For example, MHRA has consulted on the future regulation of medical devices in the UK, including by developing a Work Programme for Software and AI-based Medical Devices (which we previously discussed in our blog post).  FDA has also been active in the AI/ML space, and several more FDA digital health developments are on the horizon for 2022.  Through this international regulatory collaboration it appears the Regulators are working towards a united front through close alignment on best practice and international regimes.  It also shows, for example, that the UK is considering international regimes broadly, rather than simply aligning with the European Union.

In sum, it appears there is an appetite for further international regulatory collaboration, so watch this space for the potential development of more detailed and sector specific international standards and practices for AI/ML-based technologies.

Our Africa Anti-Corruption Practice has previously outlined key considerations for handling internal investigations and remediation of compliance issues in Africa.  Here, we take a closer look at a particular aspect of remediation, the root cause analysis.  After the dust settles on an investigation identifying misconduct, a root cause analysis can serve as the most effective tool to determine why the misconduct occurred and what can be done to prevent it in the future.  Drawing on a longer article we recently published in Global Investigations Review’s 2021 Europe, Middle East, and Africa Investigations Review, we describe below strategies and methodologies for conducting root cause analyses, focusing on specific considerations for companies operating in Africa.

Key Takeaways:

  • Companies should promptly conduct root cause analyses following investigations that identify misconduct, in order to meet enforcement authority expectations and pinpoint all the underlying causes of misconduct.
  • There is no “one size fits all” approach to conducting a root cause analysis, and companies should consider adapting root cause analysis methodologies developed in other contexts.
  • Building on their risk assessments, companies investigating misconduct in Africa should consider whether specific challenges of operating on the continent may serve as the root causes underlying compliance issues.


Done properly, a root cause analysis is distinct from an investigation, which is focused on identifying misconduct and its immediate causes, or the resultant remedial actions (e.g., employee discipline), which seek to address and correct the control failures and employee actions identified through an investigation.  Rather, a root cause analysis is designed to explore deeper systemic and cultural issues that have allowed or encouraged the misconduct to occur in the first place.  By identifying those root causes, a company can develop strategies to prevent the reoccurrence of misconduct and address any underlying compliance issues and control failures that may present broader risks.

In the last five years, United States enforcement agencies, particularly the U.S. Department of Justice (“DOJ”), have made clear their expectation that companies conduct root cause analyses in the face of misconduct.  In fact, DOJ has noted that the ability to “conduct a thoughtful root cause analysis of misconduct” is a hallmark of an effective compliance program.[1]  Further evidencing this expectation, in the context of U.S. Foreign Corrupt Practices Act enforcement actions, DOJ may require a company to demonstrate that it has conducted a root cause analysis in order to earn credit for appropriate remediation, and is increasingly including a root cause analysis requirement in deferred prosecution agreements.[2]  This trend extends beyond the United States — for example, in 2018 the Agence Francaise Anticorruption referred to root cause analyses in the context of guidance on auditing anti-corruption compliance programs.[3]

While enforcement agencies increasingly expect companies to perform root cause analyses, they have offered limited guidance on how to conduct such exercises.  Thus, when considering methodologies for conducting an effective root cause analysis, companies may be well-served by drawing on existing processes and methodologies that have been developed in other contexts, including in response to safety failures, security incidents, or product defects.  Some of the most commonly used root cause analysis methodologies include:

  • Five Whys Method: After a problem is identified, ask “why” five or more times in order to get at the core of an issue.
  • Ishikawa or Fishbone Method: Create a visual cause-and-effect model with the problem as the head of a fish, the primary causes as the bones of the fish, and the underlying root causes as sub-branches supporting each bone.
  • Logic Tree Method: Visually set out the events in a hierarchical structure leading to the problem. For each event, include a node noting the cause and/or effect of that event.
  • Fault Tree Analysis: Start with the problem and list the possible causes in a hierarchical format. For each cause, continue to identify the underlying events or issues until a “tree” is developed with various root causes.

Regardless of the methodology used, it is critical that a root case analysis consider broader underlying causes of the misconduct, including business pressures, misalignment of incentives, cultural issues, personnel issues, and/or the capacity of the compliance function to address misconduct and root cases.  An effective root cause analysis should also develop a structured, replicable process and produce written work product.

At the outset of a root cause analysis, a company should consider the appropriate team for the exercise.  As discussed further in our article, a multifunctional team, including individuals from compliance and other control functions along with members of relevant business lines, can be particularly effective.  Companies should also consider whether to involve counsel in the exercise and whether they intend to claim the protection of the attorney-client privilege or work product doctrine over the exercise.

Companies operating in Africa may have an important set of cultural, regulatory, and capacity factors that they should consider when conducting root cause analyses.  While these factors are by no means unique to Africa, and may be present to some degree in many emerging markets, they may present more acutely in Africa and in combinations that tend to compound compliance risks.  For example:

  • Geographic and operational isolation: In our experience, geographic and cultural distance between subsidiary operations in Africa and headquarters in the U.S. or Europe can pose a range of challenges. These can include the pure logistical challenges of headquarters personnel visiting the subsidiary, as well as challenges achieving local management buy-in to compliance policies that are perceived as unworkable on the ground and not tailored to the challenges of operating in Africa.
  • New market entry and integration issues: In cases where expansion was accomplished via acquisition of a business already operating in Africa, inadequate integration and failure to implement and train employees on a compliance program can result in significant compliance and controls challenges.
  • Security issues: Physical security risks may result in necessary engagement with police or government security forces, which can raise corruption and compliance risks.
  • Regulatory issues, local ownership, and local content: Underdeveloped local regulations coupled with individual discretion can result in systemic corruption. Further, local shareholder and content regulations can create compliance risks, as they allow for channeling money, business, or other things of value to government officials or their affiliates.

This article was prepared by Covington attorneys qualified to practice law in the United States.  It does not constitute legal advice.  If you have further questions about your compliance programs, how to conduct due diligence on a local partner, or Covington’s anti-corruption work in Africa, please contact Ben Haley at, Jennifer Saperstein at, Noam Kutler at, or Ishita Kala at


[1] U.S. Dep’t of Justice, “Evaluation of a Corporate Compliance Program,” June 2020, 17,; U.S. Dep’t of Justice and U.S. Sec. and Exchange Comm., “A Resource Guide to the U.S. Foreign Corrupt Practices Act: Second Edition,” July 2020, 67,

[2] U.S. Dep’t of Justice, “FCPA Corporate Enforcement Policy,” March 2019, 3,; see, e.g.United States v. Herbalife Nutrition Ltd., Deferred Prosecution Agreement, C-9 (August 28, 2020), States v. Beam Suntory Inc., Deferred Prosecution Agreement, C-9 (October 23, 2020),

[3] Agence Francaise Anticorruption, Guidelines to help private and public sector entities prevent and detect corruption, influence peddling, extortion by public officials, unlawful taking of interest, misappropriation of public funds and favouritism (2018),

This post can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.


Federal government contractors face many uncertainties as they implement President Biden’s COVID-19 vaccine mandate. This includes the distinct possibility of civil lawsuits arising out of their implementation of the mandate, including potential allegations of invasion of privacy, wrongful termination, lost wages, discrimination, personal injury or other common law claims or statutory violations. At least one such lawsuit already has been filed. In that suit, dozens of aggrieved employees allege that the contractor’s vaccine mandate violates state law, and they seek an injunction and other relief. Other lawsuits are sure to follow.

But there is good news for contractors: Established legal doctrines should provide contractors some degree of protection—and perhaps complete immunity—against such lawsuits. In addition to the statutory protections afforded to contractors under the PREP Act, contractors may be protected from civil liability based on federal-law-based defenses that have been recognized and applied in analogous government contracting settings. In the coming weeks, as contractors navigate the many challenges associated with the vaccine mandate, they should carefully consider the risk of civil litigation, and, in order to minimize potential exposure in such lawsuits, proactively implement practices that maximize the likelihood that these doctrines and defenses will be applicable, as discussed below.

Immunity From Suit Under Yearsley

Among the possible defenses to any employee or third-party lawsuit based on the vaccine mandate, the doctrine perhaps best suited to shield contractors from suit is “Yearsley immunity.” Sometimes referred to as “derivative sovereign immunity,” the doctrine gets its name from a decades-old Supreme Court case, Yearsley v. W.A. Ross Construction Co., 309 U.S. 18, 20-21 (1940). In Yearsley, the Supreme Court established the basic principle that the government’s immunity may be extended to contractors in instances where: (1) the government authorized the challenged conduct; and (2) the government’s authorization was “validly conferred.” Yearsley v. W.A. Ross Construction Co., 309 U.S. 18, 20-21 (1940). More recently, the Supreme Court reiterated the continued vitality of Yearsley immunity, and explained that this immunity is sufficiently broad that it can shield a contractor against allegations that the contractor violated a federal statute. Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663, 672 (2016).

In the past several years, appellate courts have further clarified and broadened the scope of Yearsley immunity. In Cunningham v. GDIT, the Fourth Circuit held that a contractor was immune from suit and exempt from claims alleging violations of the Telecommunications Consumer Protection Act. And in Taylor Energy Co. v. Luttrell, the Fifth Circuit relied on Yearsley immunity to affirm the dismissal of claims that sought tort damages and alleged the contractor failed to adequately remediate an oil spill.

As Cunningham and Taylor Energy illustrate, suits involving Yearsley immunity have arisen in disparate settings and involved a broad range of state and federal-law-based allegations. At their core, however, these decisions recognized that contractors should not face suit as a result of the contractor’s implementation of, and compliance with, a valid federal government directive. In the current environment, the vaccine mandate is precisely that: a valid federal government directive. Thus, contractors facing suit for carrying out that directive may be able successfully to assert Yearsley immunity.

The Political Question Doctrine

Lawsuits arising out of the federal vaccine mandate may also run afoul of the political question doctrine. Numerous courts have recognized that suits against contractors implicate the political question doctrine, and are therefore barred by separation of powers principles, when the litigation would require courts to scrutinize and second guess decisions that are exclusively delegated to the political branches. Seee.g.In re: KBR, Inc., 893 F.3d 241, 264 (4th Cir. 2018) (holding claims against contractor barred when suit challenged “de facto military decisions”).

The hallmark of the political question doctrine in recent jurisprudence concerning contractor activities is the existence of some degree of government control over the challenged conduct. Seee.g.Carmichael v. Kellogg, Brown & Root Servs., Inc., 572 F.3d 1271, 1295 (11th Cir. 2009) (“it would be impossible to determine that [the contractor’s conduct] alone was the sole cause of the accident or to possibly apportion blame without ruling out the potential causal role played by pivotal military judgments”). Likewise, courts have emphasized that suits against contractors are barred when they seek a judicial pronouncement that would interfere with a policy matter committed to the Executive Branch. Seee.g.Spectrum Stores v. Citgo Petro. Corp., 632 F.3d 938, 956 (5th Cir. 2011) (“Any ruling on the merits of this case would, by its core essence, impermissibly interfere with the Executive Branch’s longstanding policy…”).

The rationale underlying this jurisprudence may well have application in the context of the vaccine mandate that was enacted by Executive Order (which was based on prior federal legislation), and that inherently involves sensitive policy-making decisions. Indeed, longstanding Supreme Court precedent recognizes that while there is a Constitutional question to whether the federal government has the power to mandate vaccines in any given instance, where that power does exist then decisions regarding the particular details of any given vaccine mandate are properly vested in the political branches. Jacobson v. Commonwealth of Massachusetts, 197 U.S. 11, 30, 25 S. Ct. 358, 363, 49 L. Ed. 643 (1905) (“It is no part of the function of a court or a jury to determine which one of two modes was likely to be the most effective for the protection of the public against disease. That was for the legislative department to determine in the light of all the information it had or could obtain.”).

The Government Contractor Defense

As first set forth in Boyle v. United Techs. Corp., 487 U.S. 500 (1988), the Government Contractor Defense is a common law defense that begins from the foundational point that state tort lawsuits are barred where there is a significant conflict between uniquely federal interests and the operation of state law. Under the three-part Boyle test, a lawsuit is barred if: (1) the government meaningfully reviewed and approved reasonably precise specifications for the product or service at issue; (2) the equipment or service conformed with the government’s requirement; and (3) the contractor warned the government of hazards actually known to the contractor but not the government.

Following Boyle, there has been extensive litigation concerning the contours and application of the Government Contractor Defense. Among the issues most litigated is what constitutes sufficient “approval” of a contractor’s product or service. In general, courts have held that mere “rubber stamping” by the government is insufficient to trigger the defense, whereas courts have applied the defense in situations in which the contractor engages in a substantive “back and forth” dialogue with the government. Seee.g., Trevino v. Gen. Dynamics Corp., 865 F.2d 1474, 1480 (5th Cir. 1989) (“A rubber stamp is not a discretionary function; therefore, a rubber stamp is not ‘approval’ under Boyle.”).

The Government Contractor Defense may apply to defeat lawsuits challenging a contractor’s implementation of the vaccine mandate. The defense seems especially well-suited to defeat claims that seek to impose a duty under state law that would conflict with the federal mandate and related federal requirements, which constitute reasonably precise specifications for performance under the contract. See Boyle, 487 U.S. at 507 (explaining state laws are displaced where “the application of state law would frustrate specific objectives of federal legislation”) (quotations and citations omitted); see also Gartrell Const. Inc. v. Aubry, 940 F.2d 437, 441 (9th Cir. 1991) (holding state licensing requirements could not apply to contractor’s federal contract work because “[t]o hold otherwise would…frustrate the federal policy”). Those types of claims may arise, for example, in states that have enacted vaccine mandate prohibitions. Notably, the recently-filed lawsuit cited above—which may be a preview of future lawsuits challenging vaccine mandate programs—alleges that the contractor violated state law and state public policy.

Other Potential Federal Defenses and Contractual Remedies

In addition to the defenses outlined above, contractors working under “rated order” contracts may also benefit from an independent immunity from suit and liability based on the Defense Production Act (“DPA”), 50 U.S.C.A. § 4557. In pertinent part, the DPA states: “No person shall be held liable for damages or penalties for any act…resulting directly or indirectly from compliance with…[an] order issued pursuant to this chapter.” Citing this language, the U.S. Supreme Court has explained the DPA “plainly provides immunity” to contractors by “expressly providing a defense to liability” for compliance with contract directives. See Hercules Inc. v. United States, 516 U.S. 417, 429-30 (1996); Martin v. Halliburton, 601 F.3d 381, 385 (5th Cir. 2010) (noting “immunity under…the DPA…provides a defense to liability” for contractors).

Finally, depending on the specific contract at issue, contractors may have other rights and remedies vis-à-vis the government in the event they are sued for implementing the vaccine mandate. In particular, contractors performing under cost-reimbursement contracts may be able to seek reimbursement and indemnification from the government, as most cost-type federal contract incorporate FAR 52.228-7, Insurance-Liability to Third Persons, under which the government must reimburse a contractor for liabilities, including litigation and settlement expenses, to the extent not covered by insurance.

Contractors Should Proactively “Build In” Practices to Mitigate the Risk of Civil Liability

The landscape surrounding the federal vaccine mandate is fast evolving, and contractors have plenty of challenges in front of them in the days ahead. As they navigate these challenges, contractors should be careful not to unnecessarily expose themselves to potential civil liability. The threat of lawsuits in the current environment is real, but there are a number of legal doctrines and defenses that may apply to protect contractors against such lawsuits. Rather than waiting to defend those suits after they are filed, contractors would be wise to think now about how best to position their activities to minimize risk.

In particular, contractors should evaluate the potential application of the defenses outlined above to their circumstances, and begin to build a record that could be used to support the elements of the defenses. For example, contractors may consider taking the following actions:

  • Establish record-keeping practices that memorialize key government directives and that capture, in real time, the government’s determinations that the contractor’s actions adhere to federal directives. This type of documentation could prove especially important for any aspects of the vaccine mandate that may allow for some degree of contractor discretion, such as the granting of waivers for religious or medical reasons.
  • Develop protocols that proactively trigger government review and approval, and thereby memorialize that the contractor’s actions were taken in adherence with government requirements. Such documentation can reduce or eliminate the potential argument that some action taken by the contractor in furtherance of the vaccine mandate was the product of the contractor’s sole discretion.
  • Consider whether there are any risks associated with the vaccine mandate that are known to the contractor and which, under Boyle and related precedents, contractors should document that they have warned the government.
  • Review the relevant contracts to determine whether there are potential rights or remedies to invoke against the government in the event of lawsuits, and ensure any notice or other related requirements are met.

The fragility of Northern Ireland politics continues to prove problematic in dealing with Brexit. The on-going efforts of the UK government to redefine the Northern Ireland Protocol agreed with the EU last December is testament to that. Such efforts may be politically appealing in advance of UK local elections next May, but they too are proving problematic.

In terms of trading, generally under half of UK exports are to the EU with over half of UK imports coming from the EU. On-going and additional uncertainties don’t help that trading relationship. In terms of relationships, EU politicians are increasingly critical of the UK engagement and are impatient to finalise Brexit arrangements in light of other significant priorities. In terms of peace, the Northern Ireland peace agreement has held for the past 23 years however not without difficulty as both sides of the political spectrum there continue to struggle with each other. While no divorce is easy, this one is proving particularly troublesome.

Winston Churchill, the British Prime Minister who drove Britain’s wartime strategy, put forward the idea of a United States of Europe in Zurich in 1946 after the end of the Second World War. The history of the UK involvement from Churchill to Cameron is a topic of its own and the full impact of Brexit on the EU has yet to unfold. Suffice to say that the European Union envisioned by Churchill, has, since its inception systematically tackled the issues that had destabilised democracy within Europe in the decades prior to the World Wars. It helped maintain peace in a war torn Europe, as Churchill and the other architects of the European Union had hoped. Despite not being a signatory to the 1998 Good Friday Northern Ireland peace agreement, reached between the governments of the UK and Ireland, the European Union has demonstrated a steady commitment to peace in the region, most recently in the Brexit negotiations.

The formal Brexit negotiations began in March 2017, over four and a half years ago. The aim was to agree an orderly withdrawal of the UK from the EU. Included in those negotiations were a number of Protocols to deal with specific issues relating to Cyprus, Gibraltar and Northern Ireland and new trading arrangements between the UK and the EU post Brexit. The protocol on Northern Ireland has been the trickiest, with the key sticking point being the land border between the UK and the EU in Ireland. A border down the Irish Sea rather than border posts over the 200+ small roads between Northern Ireland and the rest of Ireland, was the eventual compromise. The Irish Sea became to de facto EU/UK border. This gave Northern Ireland the unique advantage of being a trading part of the EU and the UK. While welcomed by Northern Irish business and farming organisations, it is seen by unionists as a threat to their position within the UK.

The transition period for the UK withdrawal from the EU was agreed under the Withdrawal Agreement between the EU and UK last December. The Northern Ireland Protocol then came into force on January 1 2021. Since then there have been supply chain difficulties between Great Britain and Northern Ireland as goods coming from the UK are subject to EU checks to ensure they comply with EU requirements. Increased checks, paperwork and delivery delays have stressed suppliers and customers both sides of the Irish Sea, with imports of medicines and chilled products attracting particular controversy. UK authorised medicines coming into Northern Ireland would have to meet EU requirements. This adds expense for manufacturers, particularly of generic medicines more common in the UK, in supplying the relatively small Northern Ireland market of less than 2 million people. 910 medicines are reported by the Northern Ireland Department of Health as planned for withdrawal from Northern Ireland in consequence.

There have been attempts to address these implementation problems. Last June the EU announced a package of measures to alleviate the difficulties. Despite no longer being aligned to EU rules, the movement of UK only authorized medicines to Northern Ireland was allowed provided those medicines stayed within Northern Ireland and were not distributed further to the EU market. Easier movement of cattle from Great Britain to Northern Ireland was facilitated by the relaxation of retagging requirements. Also the movement of chilled meats from Great Britain to Northern Ireland was, subject to having health certificates and appropriate labelling, allowed by extending the existing grace period by three months to the end of September 2021.

Under UK pressure to deliver more, the latest proposals this month from the EU give further flexibilities. According to the EU, this creates of an “Express Lane” for goods from Great Britain to Northern Ireland, subject to “robust monitoring and enforcement” by the UK authorities.

The proposals include:

  • simpler certification requirements and further removal of checks on a range of retail goods. This is anticipated to reduce goods checks by 80%.
  • expanding the scope of ‘goods not at risk’ of entering the EU.
  • halving the customs formalities so that only basic information of invoice value and parties will be required by the customs authorities
  • pharmaceutical companies in Great Britain can keep all their regulatory functions where currently located, when supplying the Northern Irish market with UK authorized medicines.
  • placing medicines centrally approved in the EU, on the Northern Ireland market without any further formalities. If the UK regulatory authority, approves a drug quicker than the EMA, the supply gap may be bridged for individual patients under the direct responsibility of a doctor, under compassionate use exemptions. This happened recently in the supply of vaccine to Northern Irish patients pending EU approval.
  • greater dialogue between Northern Ireland stakeholders and the Commission “to discuss relevant aspects of Union measures that are important for the implementation of the Protocol”.

The EU has ruled out revising the oversight role of the European Court of Justice on the Protocol.

The UK and the EU will now discuss these new proposals.

On 19 October, alongside a number of other important strategy documents (over 2,000 pages in total), the UK Government published its ‘Net-Zero Strategy’ (NZS) which will help achieve the UK’s interim five yearly carbon targets leading up to net-zero by 2050.

The NZS focuses on eight key areas with priorities and policies set out under each area:

1) The Power Sector

The NZS sets out the UK Government’s ambition that the power sector will be fully decarbonised by 2035 (with the caveat that this will be subject to security of supply). The focus is on domestically-generated renewable electricity to create a power system based on a mix of renewables, new nuclear power stations, flexible storage, gas with CCS and hydrogen.

Specifically, the NZS undertakes to:

  • Secure FID on a large-scale nuclear plant by the end of this Parliament;
  • Launch a new £120 million Future Nuclear Enabling Fund.
  • Create 40GW of offshore wind by 2030.
  • Create up to one of floating offshore wind by 2030 .
  • Deploy new measures to help smooth out future price spikes.

2) Fuel Supply & Hydrogen

The NZS re-states the ambition that the UK will deliver 5 GW of hydrogen production capacity by 2030.  The UK will at the same time halve emissions from oil and gas and increase the production of biofuels.

Specifically, the NZS undertakes to:

  • Provide up to £140 million to establish the Industrial Decarbonisation and Hydrogen Revenue Support (IDHRS) scheme, with a target of creating up to 250MW of green hydrogen production capacity in 2023.
  • Introduce a climate compatibility checkpoint for future licensing on the UK Continental Shelf.
  • Regulate the oil and gas sector in a way that minimises greenhouse gases through the revised Oil and Gas Authority Strategy.

3) Industry

The NZS commits the UK to creating four carbon capture usage and storage (CCUS) clusters by 2030.  The UK will support a ‘deep decarbonisation of industry’ through carbon pricing and the creation of low carbon industry clusters, which would have access to Government support under the CCS Infrastructure Fund and revenue support mechanisms.

Specifically, the NZS undertakes to:

  • Accelerate the development of the Hynet and East Coast Clusters to capture 20-30 MtCO2 per year by 2030.
  • Create a ‘reserve cluster’ of Teesside and the Humber, Merseyside, North Wales and the North East of Scotland.
  • Use the Industrial Energy Transformation Fund to future-proof industrial sectors.
  • Consult on a net zero consistent UK ETS cap to incentivise cost-effective abatement in industry.

4) Heat and Buildings

The NZS creates a pathway to ensuring that from 2035 all new heating appliances in homes and workplaces are low carbon and sets 2026 as the date for a decision on the role of Hydrogen in heating. The Government will seek to reduce electricity costs and to rebalance energy levies (such as RO and FiTs) and obligations (such ECO) away from electricity to gas.

Specifically, the NZS undertakes to:

  • Prevent the sale of new gas boilers beyond 2035.
  • A Boiler Upgrade Scheme will incentivize the swap-out of domestic gas boilers.
  • Create a new Heat Pump Ready programme to provide funding for heat pump technologies with a target of 600,000 installations a year by 2028.
  • Rebalance policy costs from electricity bills to gas bills.
  • Fund the Social Housing Decarbonisation Scheme and Home Upgrade Grants and decarbonise public sector buildings by 75% by 2037.
  • Launch a Hydrogen Village trial to inform a decision on the role of hydrogen in the heating system by 2026.
  • Consider mandatory disclosure requirements for mortgage lenders on the energy performance of homes in their portfolios (UK housing stock generates a 20% of carbon dioxide emissions). Continue Reading The UK’s Net Zero Strategy

On October 11, 2021, the Covington Brussels office hosted a Webcast: “Fighting Inequality: Empowering Women and Girls” in honor of International Day of the Girl Child. London Partner Louise Nash moderated the impressive panel of women, comprising of Waris Dirie, founder of Desert Flower Foundation, and Kiera Chaplin, the President of Desert Flower Foundation France. Waris and Kiera were joined by Eva Gerhards, Deputy Head of Cabinet to European Commissioner for Equality Helena Dalli, and Beatrice Vos, Deputy General Counsel of Elanco.

The Desert Flower Foundation has been fighting against female genital mutilation (FGM) around the world since its creation in 2002. Its primary focus is on empowering women and girls by offering them an education. The Desert Flower Foundation is a pro bono client of the firm, and Covington is proud to assist them on EU Public Policy matters pro bono since 2019.

The panelists engaged in a frank and sobering discussion on the social and policy changes needed to assure equality for women and girls. They shared their own experiences of facing discrimination against women in work and in life. Waris and Kiera acknowledged the significant decrease in FGM since Desert Flower Foundation launched its efforts twenty years ago, demonstrating the power of education to promote gender equality. Beatrice shared her personal story of how inflexible working environments hinder primarily women in their professional growth. Eva gave an overview of her Commissioner’s efforts to mainstream equality into European Commission policymaking. These include the EU Gender Equality Strategy 2020-2025, work to address the persistent gender pay gap and pension gap, and a proposed EU Directive on violence against women to set minimum standards for the protection and support of victims of gender-based and domestic violence. The panel agreed that women should not have to ask for equal treatment, opportunities and pay, but should expect these as of right.

You can watch the inspiring Webcast here and learn more about the work of the Desert Flower Foundation on their website.