EUROPEAN COMMISSION DG Competition

Only the English text is available and authentic.

REGULATION (EC) No 139/2004 MERGER PROCEDURE

Article 6(1)(b) NON-OPPOSITION Date: 30/10/2019

In electronic form on the EUR-Lex website under document number 32019M9538

EUROPEAN COMMISSION

Brussels, 30.10.2019 C(2019) 7960 final

PUBLIC VERSION

In the published version of this decision, some information has been omitted pursuant to Article 17(2) of Council Regulation (EC) No 139/2004 concerning non-disclosure of business secrets and other confidential information. The omissions are shown thus […]. Where possible the information omitted has been replaced by ranges of figures or a general description.

To the notifying party

Dear Sir or Madam,

1.(1) On 26 September 2019, the European Commission received notification of a proposed concentration pursuant to Article 4 of the Merger Regulation by which Broadcom Inc. (“Broadcom” or the “Notifying Party”, United States of America) acquires within the meaning of Article 3(1)(b) of the Merger Regulation sole control of parts of Symantec Corporation (“Symantec”, United States of America) (the “Transaction”). The Transaction only concerns Symantec’s Enterprise Security Business (“SESB” or “Target Business”). Broadcom and Symantec are collectively referred to as the “Parties”.

1OJ L 24, 29.1.2004, p. 1 (the “Merger Regulation”). With effect from 1 December 2009, the Treaty on the Functioning of the European Union (the “TFEU”) has introduced certain changes, such as the replacement of “Community” by “Union” and “common market” by “internal market”. The terminology of the TFEU will be used throughout this decision.

2OJ L 1, 3.1.1994, p. 3 (the “EEA Agreement”).

3Publication in the Official Journal of the European Union No C 333, 4.10.2019, p. 18.

Commission européenne, DG COMP MERGER REGISTRY, 1049 Bruxelles, BELGIQUE Europese Commissie, DG COMP MERGER REGISTRY, 1049 Brussel, BELGIË

Tel: +32 229-91111. Fax: +32 229-64301. E-mail: COMP-MERGER-REGISTRY@ec.europa.eu.

1. THE PARTIES

(2) Broadcom, headquartered in San José, California, United States of America, is a technology company that designs, develops, and supplies a broad range of semiconductors as well as infrastructure software solutions that enable customers to plan, develop, automate, manage and secure applications across mobile, cloud, distributed and mainframe platforms.

(3) Symantec, headquartered in Mountain View, California, United States of America, designs, manufactures, and provides security software, storage, and systems management solutions to consumers and enterprises.

(4) SESB offers a mix of products, services, and solutions, unifying cloud and on-premises security elements, to provide enterprises with advanced threat protection and information protection across their endpoints, networks, email, and cloud applications.

2. THE CONCENTRATION

5.(5) The Transaction consists of the acquisition of sole control of SESB by Broadcom, on the terms, and subject to the conditions, of an asset purchase agreement (“APA”) entered into between Broadcom and Symantec on 8 August 2019. The acquisition concerns Symantec’s business, operations and activities reported as the “Enterprise Security” segment, which includes making, marketing, selling and providing the related products and services. The APA includes a detailed list of assets, such as employees, products and services, customer contracts, property rights and technologies belonging to SESB. After the Transaction, SESB will be wholly owned by Broadcom.

(6) The Transaction does not include Symantec’s Consumer Cyber Safety business unit, over which Symantec will continue to exercise sole control.

(7) The Transaction therefore constitutes a concentration pursuant to Article 3(1)(b) of the Merger Regulation.

3. UNION DIMENSION

(8) The undertakings concerned have a combined aggregate world-wide turnover of more than EUR 5 000 million (Broadcom: EUR 21 185 million, SESB: EUR 2 006 million). Each of them has an EU-wide turnover in excess of EUR 250 million (Broadcom: EUR […], SESB: EUR […]), but they do not achieve more than two-thirds of their aggregate EU-wide turnover within one and the same Member State.

4Endpoints are remote computing devices, such as laptops, tablets or smart phones, that connect to a network and communicate with the network. Short Form CO, footnote 21.

5The Transaction does not include Symantec’s LifeLock ID Analytics business unit (providing identity theft protection solutions), which is currently reported as part of the enterprise security segment. Short Form CO, paragraphs 6 and 32.

6Short Form CO, Annex 3.1.1 (Asset Purchase Agreement).

7Turnover calculated in accordance with Article 5 of the Merger Regulation.

The notified operation therefore has a Union dimension pursuant to Article 1(2) of the Merger Regulation.

4. RELEVANT MARKETS

4.1. Introduction

(9) Both Parties are active in the supply of software. The relevant market(s) will be examined in section 4.2. In line with previous decisions relating to the software industry, in order to identify the narrowest possible product markets, the Commission relied on market segmentations set by the market intelligence company Gartner Inc. (“Gartner”). Gartner is a well-known market intelligence source for software markets and provides very granular sub-segmentations and corresponding market share information.

(10) Broadcom is also active in the supply of a broad range of semiconductor products. As there is no plausible relationship between Broadcom’s activities in the market for the supply of semiconductors (or any potential sub-markets thereof) and SESB’s activities in the market for the supply of software (or any potential sub-markets thereof), the Transaction does not give rise to a significant impact on any other markets. Therefore, for the purpose of the present decision, the Commission will not discuss further Broadcom’s activities in the market (or any potential sub-markets) for the supply of semiconductors.

4.2. Software supply

(11) The Transaction concerns the market for the supply of software. More specifically, the Parties are both active in the supply of infrastructure software, which refers to a wide category of software products that: (i) provide the infrastructure for applications to run on a server; (ii) can be accessed from a variety of clients over a network; and (iii) are capable of connecting to a variety of information sources.

(12) Within infrastructure software, the Parties’ activities only overlap in the supply of (i) enterprise security software; and (ii) IT operations management (“ITOM”) software for enterprise use (as illustrated in Table 1 of section 5.1). Therefore, for the purpose of the present decision, the Commission will focus on these two areas within infrastructure software.

(13) Furthermore, the Commission considered whether the Transaction could give rise to a significant impact on any other enterprise software markets in which Broadcom has a market share above 30%, i.e. the potential markets for ITOM mainframe tools and for application development mainframe tools. Therefore, the Commission will also examine these two areas.

4.2.1. Product market definition

(14) The Commission has in the past classified software products on the basis of functionality, the end-user (enterprise software vs. consumer software) and the specific sector in which the software is used (e.g. healthcare software).

line as well as Broadcom’s corresponding software development kit (“SDK”) suite) for McAfee’s network security platform (“NSP”) product offering. While McAfee stressed the importance of ensuring interoperability going forward, McAfee did not observe any merger-specific impact resulting from the Transaction (Reply of McAfee to questionnaire Q1 to competitors and customers, questions 7.1 and 8.1; McAfee’s email response of 16 October 2019). Indeed, the Notifying Party confirms that McAfee’s NSP does not compete with any SESB products and belongs to Gartner’s overall data center systems market segment and that it is technically impossible to integrate such software directly in IP/Ethernet switches/routers as they run at different layers of the OSI Model (i.e. the reference model for how applications communicate over a network, breaking down data transmission into seven layers). Notifying Party’s reply of 13 October 2019 to RFI 3, question 8; Notifying Party’s reply of 22 October 2019 to RFI 6, question 1. Therefore, there is also no theoretical vertical relationship between SESB and Broadcom’s activities in the supply of ASSPs used in IP/Ethernet switches/routers. In any event, according to the Notifying Party, there is no potential for a degradation of interoperability. Broadcom’s SDK suite is provided to all customers purchasing Broadcom’s devices and any degradation of the SDK provided to Broadcom’s customers would impair the ability of the IP/Ethernet switch/router to operate for any purpose (not simply with respect to McAfee’s NSP product). Notifying Party’s reply of 13 October 2019 to RFI 3, questions 7-9. The merged entity will therefore have no ability or incentive to deteriorate or stop providing access to interoperability information to McAfee.

Commission decision of 29 April 2008 in case M.5080 – Oracle/Bea, paragraph 8 and Commission decision of 8 March 2017 in case M.8223 – Micro Focus/HPE Software Business, paragraph 16.

The segmentation by sector in which the software is used is not relevant in the context of the Transaction. Both Parties supply their enterprise software to a wide range of sectors and do not focus on sector-specific software solutions (Short Form CO, Annexes 5.3.25 and 5.3.26). Therefore, the Commission will not discuss further a potential segmentation by sector for the purpose of the present decision.

(15) In relation to functionality, in previous cases, the Commission classified software products into: (i) infrastructure software; (ii) middleware (i.e. integration platforms); (iii) application software and office software; and (iv) operating/browser software.

(16) Within infrastructure software, the Commission has considered the following additional sub-segmentation: (i) security software; (ii) ITOM software; (iii) application development software; and (iv) storage management software.

(17) Enterprise security software seeks to reduce the risk of unauthorised access to the data and IT systems of organisations. It is designed to improve the security of enterprise network infrastructures through security management, access control, authentication, encryption, data loss prevention, intrusion detection and prevention, vulnerability assessment, and perimeter defence, among others.

(18) The overall enterprise security software category is divided by Gartner into the following nine sub-segments: (i) application security testing (dynamic and static); (ii) data loss prevention; (iii) enterprise endpoint protection; (iv) identity governance and administration; (v) secure e-mail gateways; (vi) secure web gateways; (vii) security information and event management; (viii) (web) access management; and (ix) other security software.

(19) ITOM software for enterprise use monitors and controls the manner a company’s IT department approaches IT services, deployment, and support to ensure consistency, reliability, and quality. It represents all tools necessary to manage the provisioning, capacity, performance, and availability of the computing, networking and application environment.

(20) Gartner delineates the overall ITOM software segment into the following sub-segments: (i) delivery automation, which is further subdivided into (a) general and (b) application release orchestration; (ii) experience management, which is further subdivided into (a) IT Services Management (“ITSM”) and (b) software asset management (“SAM”), IT asset management (“ITAM”), and IT Financial Management (“ITFM”); (iii) performance analysis, which is further subdivided into (a) artificial intelligence for operations, IT infrastructure monitoring and other monitoring tools, (b) application performance management, and (c) network performance monitoring and diagnosis; and (iv) other ITOM software not specifically covered within the above-named categories, including (a) ITOM mainframe tools and (b) other ITOM.

Commission decision of 20 June 2011 in case M.6237 – Computer Sciences Corporation/iSoft Group, paragraphs 22-25 and Commission decision of 8 March 2017 in case M.8223 – Micro Focus/HPE Software Business, paragraph 17.

Commission decision of 20 June 2011 in case M.6237 – Computer Sciences Corporation/iSoft Group, paragraph 23; Commission decision of 15 December 2014 in case M.7458 – IBM/INF Business of Deutsche Lufthansa, paragraph 35; and Commission decision of 8 March 2017 in case M.8223 – Micro Focus/HPE Software Business, paragraph 18.

Commission decision of 8 March 2017 in case M.8223 – Micro Focus/HPE Software Business, paragraph 19.

(21) Application development (“AD”) software for enterprise use includes tools that represent each phase of the software development life cycle (including planning, creating and verification). Within this category, Gartner’s sub-segmentation for AD mainframe tools covers specialised AD tools used to develop and maintain applications that run on mainframe computers.

(22) The Commission has not examined AD mainframe tools in prior decisions, but it has reviewed the broader category of AD software and considered whether different types of AD software constitute separate product markets, ultimately leaving the exact market definition open. In line with Gartner’s segmentation, a possible product market for AD mainframe tools can be identified.

(23) The Notifying Party agrees with the Commission precedents that differentiate between software according to functionality and end-user. Consequently, the Notifying Party considers that the relevant product markets for the purpose of the Transaction are security software, ITOM software and AD software for enterprise use.

(24) The Commission has not identified any reasons in this case to deviate from its precedents in which it defines the software industry market by reference to functionality and end-users as well as identifies the narrowest possible product markets. Among existing market intelligence reports which have been provided by the Notifying Party and have been used by the Commission in prior decisions, Gartner provides the most granular segmentations and will therefore be used in this decision. The potential markets for security software, ITOM software and AD software for enterprise end use may thus be further segmented on that basis, as described in paragraphs (18) to (21). Finally, the market investigation did not suggest alternative product market definitions.

(25) The Commission considers that, in any event, for the purposes of this decision, the exact product market definition with regard to the supply of infrastructure software can be left open, as the Transaction does not raise serious doubts as to its compatibility with the internal market or the functioning of the EEA Agreement under the narrowest possible product market definition, for which market share data is available, based on the Gartner segmentation.

4.2.2. Geographic market definition

(26) In previous cases, the Commission concluded that the geographic market for infrastructure software (as well as any potential segmentations of that market) was worldwide or at least EEA-wide in scope, since customers consider offers from vendors from all parts of the world, there are no technological barriers that restrict vendors from supplying customers globally, and infrastructure software are broadly identical across different countries.

(27) The Notifying Party agrees with the Commission’s precedents defining a worldwide market, arguing that, from a supply-side perspective, suppliers participate in projects regardless of the project’s location. In particular, by removing the physical presence of the software in a company premises, it is possible to supply companies located across the world through cloud computing. From a demand-side perspective, the Notifying Party submits that companies compare the effectiveness of different global manufacturers and source their infrastructure software products globally. Nevertheless, the Notifying Party also provided EEA-wide market shares.

(28) In any event, for the purposes of this decision, the exact geographic market definition with regard to the supply of infrastructure software (as well as any potential segmentations of that market) can be left open, as the Transaction does not raise serious doubts as to its compatibility with the internal market or the functioning of the EEA Agreement under any plausible geographic market definition.

5. COMPETITIVE ASSESSMENT

5.1. Affected markets

5.1.1. Horizontally affected markets

(29) As stated above, the Parties’ product portfolios only overlap with regard to the possible markets for enterprise security software and ITOM software for enterprise use and certain potential segmentations of that market. In line with the approach set out in paragraph (25), the narrowest possible markets in this regard correspond to the sub-segmentations provided by Gartner.

Commission decision of 29 April 2008 in case M.5080 – Oracle/Bea, paragraphs 14-15; Commission decision of 21 October 2010 in case M.5529 – Oracle/Sun Microsystems, paragraphs 767-769 and Commission decision of 8 March 2017 in case M.8223 – Micro Focus/HPE Software Business, paragraph 36.

Short Form CO, paragraph 55.

(34) Broadcom has a market share above 30% in two Gartner sub-segments: (i) ITOM mainframe tools, where Broadcom has a [20-30]% market share in the EEA and [30-40]% worldwide and (ii) AD mainframe tools, where Broadcom has a [30-40]% market share in the EEA and [40-50]% worldwide.

(35) However, neither ITOM mainframe tools nor AD mainframe tools are closely related to SESB’s activities. First, the Parties indicate that SESB software products cannot be used on mainframe computer systems where Broadcom’s ITOM mainframe tools and its AD mainframe tools are used. Second, even if there are customers that purchase both Broadcom’s and SESB’s products, these purchases are intended for different purposes, as Broadcom’s products are used for mainframe computers and SESB’s products are used for other types of systems within the company or the company’s network as a whole. Accordingly, such customers do not qualify as common customers for the “same end use”, within the meaning of paragraph 91 of the Non-Horizontal Merger Guidelines. Third, even for overlapping customers, the two sets of products are not susceptible to bundling or tying practices, given that the products are not sold together to the same division within a customer organisation, or on the same timetables. While respondents to the market investigation mentioned Broadcom’s general tendency to employ bundling or tying strategies, no concerns were voiced as regards a possible bundling of Broadcom’s ITOM mainframe tools and/or AD mainframe tools with SESB’s software solutions. Moreover, all respondents confirmed that there are sufficient credible alternative suppliers to Broadcom in these two market segments. Likewise, all respondents, including competing suppliers of enterprise security software, indicated that they do not require access to Broadcom’s ITOM mainframe tools and/or AD mainframe tools in order to ensure interoperability.

(36) This general view conforms to Broadcom’s internal documents assessing the Transaction, which do not envisage Broadcom’s ITOM mainframe tools or its AD mainframe tools or any conglomerate strategy in relation to these products.

5.2. Horizontal non-coordinated effects

5.2.1. The Notifying Party’s view

(37) According to the Notifying Party, the Transaction will not raise any competition concerns in the (potential) market for the supply of data loss prevention software.

As explained in footnote 10, there is no conglomerate relationship either between SESB and Broadcom’s activities in the supply of certain semiconductor products (i.e. ASSPs for residential gateway units and set-top boxes).

ITOM mainframe tools include tools for managing and monitoring mainframe implementations, including application performance monitoring, monitoring, database management, systems management, automation, workload automation and IT process automation. Short Form CO, paragraph 44, footnote 31.

AD mainframe tools include tools that represent each phase of the software development life cycle (including planning, creating and verification). AD mainframe tools are specialised AD tools used to develop and maintain applications that run on mainframe computers, which differ from standard PCs in several ways (such as using different processor instruction sets). Notifying Party’s reply of 22 October 2019 to RFI 5, question 1.

Short Form CO, paragraphs 109-110.

Short Form CO, paragraphs 109-111.

Replies to questionnaire Q1 to competitors and customers, questions 3-5 and 9-11.

Short Form CO, Annexes 5.3.1-5.3.24.

(41) The Commission also notes that the Transaction will not have a significant effect on the market structure in the EEA or worldwide for the supply of data loss prevention software. As shown in Table 2, the market share increment brought about by the Transaction is very limited (below [0-5]% worldwide and in the EEA throughout the last three years).

(42) Furthermore, there is a large number of alternative suppliers of data loss prevention software active both worldwide and in the EEA. All of these suppliers, including McAfee, Digital Guardian, Fidelis Cybersecurity and Venustech, as well as Forcepoint and RSA, will continue to compete effectively with the merged entity post-Transaction.

(43) Finally, the evidence on file suggests that the Parties are not particularly close competitors in this market. While SESB is the market leader, Broadcom is a small player on this market and its “CA Data Protection” product is a legacy solution, […]. Therefore, Broadcom currently does not seem to constitute an important competitive constraint in this market.

(44) Further, the Commission notes that similar arguments equally apply to the potentially broader market for enterprise security software. In any event, the Parties’ combined market share for 2018 was [5-10]% worldwide and [5-10]% in the EEA, which is well below 20%.

5.2.2.1. Conclusion

(45) In light of the foregoing, the Commission concludes that the Transaction does not raise serious doubts as to its compatibility with the internal market or the functioning of the EEA Agreement in the (potential) market for the supply of data loss prevention software or the broader market for enterprise security software, in the EEA or worldwide.

6. CONCLUSION

(46) For the above reasons, the European Commission has decided not to oppose the notified operation and to declare it compatible with the internal market and with the EEA Agreement. This decision is adopted in application of Article 6(1)(b) of the Merger Regulation and Article 57 of the EEA Agreement.

For the Commission

(Signed) Margrethe VESTAGER Member of the Commission

Short Form CO, paragraph 73.

11