EUROPEAN COMMISSION DG Competition

Only the English text is available and authentic.

REGULATION (EC) No 139/2004 MERGER PROCEDURE

Article 6(1)(b) NON-OPPOSITION Date: 13/03/2024

In electronic form on the EUR-Lex website under document number 32024M11320

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

EUROPEAN COMMISSION

Brussels, 13.3.2024 C(2024) 1778 final

PUBLIC VERSION

In the published version of this decision, some information has been omitted pursuant to Article 17(2) of Council Regulation (EC) No 139/2004 concerning non-disclosure of business secrets and other confidential information. The omissions are shown thus […]. Where possible the information omitted has been replaced by ranges of figures or a general description.

Cisco Systems, Inc 170 West Tasman Dr. San Jose, CA 95134 United States of America

Dear Sir or Madam,

(1) On 7 February 2024, the European Commission (“Commission”) received notification of a proposed concentration pursuant to Article 4 of the Merger Regulation by which Cisco Systems, Inc. (“Cisco” or “Notifying Party”, USA) will acquire sole control of Splunk Inc. (“Splunk”, USA) within the meaning of 3Article 3(1)(b) of the Merger Regulation (the “Transaction”). Cisco and Splunk are collectively referred to as the “Parties”.

1. THE PARTIES

(2) Cisco develops, manufactures, and sells a broad range of hardware and software products and technologies deployed by businesses globally, including networking,

1 OJ L 24, 29.1.2004, p. 1 (the ‘Merger Regulation’). With effect from 1 December 2009, the Treaty on the Functioning of the European Union (‘TFEU’) has introduced certain changes, such as the replacement of ‘Community’ by ‘Union’ and ‘common market’ by ‘internal market’. The terminology of the TFEU will be used throughout this decision.

2 OJ L 1, 3.1.1994, p. 3 (the ‘EEA Agreement’).

3 OJ C, C/2024/1597, 15.02.2024.

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

security, collaboration, applications, and cloud-based offerings (e.g., cloud-based applications and services). The company is listed on the Nasdaq Stock Market.

(3) Splunk is a software vendor that helps organisations monitor the performance of their digital systems and keep them secure. Splunk’s enterprise security and observability solutions allow its customers to simplify detection, investigation, and response of security and performance issues. The company is listed on the Nasdaq Stock Market.

2. THE OPERATION AND CONCENTRATION

(4) The Transaction consists in the acquisition of sole control by Cisco over Splunk, pursuant to an Agreement and Plan of Merger dated 20 September 2023, according to which Spirit Merger Corp. (a wholly owned subsidiary of Cisco) will merge with and into Splunk, with Splunk surviving the merger. Upon closing of the Transaction, Splunk will be a wholly owned subsidiary of Cisco. Closing is conditional on obtaining the necessary regulatory approvals.

(5) Therefore, the Transaction constitutes a concentration within the meaning of Article 3(1)(b) of the Merger Regulation.

3. UNION DIMENSION

(6) The undertakings concerned have a combined aggregate world-wide turnover of more than EUR 5 000 million(Cisco: EUR 54,085.39 million; Splunk: EUR 3,484.22 million). Each of them has a Union-wide turnover in excess of EUR 250 million (Cisco: [Cisco Union-wide turnover] EUR million; Splunk: EUR [Splunk Union-wide turnover] million) and they do not achieve more than two-thirds of their aggregate Union-wide turnover within one and the same Member State.

(7) Therefore, the notified operation has a Union dimension pursuant to Article 1(2) of the Merger Regulation.

4. RELEVANT MARKETS

4.1. Introduction

4.1.1. Approach to market definition

(8) Cisco and Splunk are both active in IT software for enterprise customers. The Parties’ software activities overlap in a number of plausible markets or market segments. Further, Splunk’s SIEM software and Cisco’s observability software are closely related products.

(9) In determining the relevant markets, where possible, the Notifying Party provided its views on the product and geographic market definitions on the basis of previous Commission decisions. The Notifying Party also relied on the segmentation adopted by the market intelligence companies International Data Corporation

4 Turnover calculated in accordance with Article 5 of the Merger Regulation.

5 (“IDC”) and/or Gartner, Inc. (“Gartner”)in order to identify the narrowest plausible product markets on which the Parties are active.

(10) As set out in further detail in Sections 4.2.1.1 and 4.4.1.1, the Commission has followed IDC and/or Gartner segmentation in past decisions.

(11) For the purposes of the present Decision, the Commission carried out its competitive assessment on the basis of all the potential product market segments identified by the Notifying Party in accordance with IDC and/or Gartner segmentations for which market share data is available and which were affected on the basis of 2022market shares data.

(12) The Transaction only gives rise to limited horizontal overlaps, with the exception of two Gartner and IDC market segments which are affected at the worldwide or EEA level, namely: (i) Application Performance Management & Observability (“APM&O”) software(Gartner terminology) and (ii) a hypothetical market for IT operations analytics (“ITOA”) software(IDC terminology).

(13) The Transaction also gives rise to a conglomerate relationship between Splunk’s Security Information and Event Management (“SIEM”) software and Cisco’s observability software.

4.1.2. Gartner terminology

(14) Gartner categorizes the software industry intro three levels: (i) macro markets, (ii) sub-segments, and for some sub-segments, (iii) categories.

(15) Gartner identifies the macro markets for: (i) IT Operations Management (“ITOM”) software; (ii) Security software; and (iii) Application Infrastructure and Middleware.

5 IDC and Gartner classifications are not directly comparable with each other. This Decision refers to the segments as indicated by the Notifying Party in the Form CO.

6 Market share estimates for calendar year 2023 are currently not available. See paragraph 39 of Parties’ response to RFI 6.

7 The Notifying Party invokes the flexibility clause in point 8 of the Notice on Simplified Procedure stating that under all plausible market definitions, (i) the Parties’ combined market share is 20% or higher but remains below 25% on any relevant market where the Parties’ activities overlap, and (ii) none of the special circumstances described in section II.C of the Notice on the Simplified Procedure are present. The Commission considers that the applicability of the flexibility clause is unclear, given the uncertainty regarding the market definition for log management (as explained in section 4.3) and Splunk’s market share of over 30% in SIEM, which is potentially a neighbouring market to other security and observability segments where Cisco is active. Annex 1 to the Implementing Regulation (Section F, paragraph 25 (g)) defines an affected market as follows: “[a]ffected markets are all relevant product and geographic markets, as well as plausible alternative relevant product and geographic markets, where the parties’ activities overlap horizontally or are vertically related and which do not meet the conditions for review under point 5 of the Notice on Simplified Procedure and do not benefit from the flexibility clauses of point 8 of the Notice on Simplified Procedure.” Therefore, in the present case, a combined market share between 20 and 25% gives rise to a horizontally affected market.

8 The Notifying Party submits that Cisco is not active in log management because it does not offer a stand-alone log management solution. However, as explained in Section 4.3, IDC attributes revenues to Cisco in log management, giving rise to an affected market in ITOA software. For completeness, the Commission will assess ITOA software as a potential horizontally affected market.

9 All other Gartner and/or IDC markets and sub-markets where there is a horizontal overlap do not give rise to affected markets.

4.1.3. IDC terminology

(19) IDC categorizes the software industry into four levels: (i) primary markets; (ii) secondary markets; (iii) functional markets; and (iv) sub-markets.

(20) IDC identifies the primary markets for (i) Applications; (ii) Application Development & Deployment; and (iii) System infrastructure software.

(21) IDC sub-segments the primary market for System infrastructure software into the secondary markets for (i) System and service management software; (ii) Network, (iii) Security, (iv) Storage, (v) Endpoint management, and (vi) Physical and virtual computing.

(22) IDC sub-segments the secondary market for System and service management software into the functional markets for: (i) IT Operations Management software ,(ii) IT automation and configuration management, and (iii) IT service management.

(23) IDC includes ITOA in the definition of IT Operations Management software: “solutions that monitor, collect, normalize, correlate, report, and automate the analysis and response of systems and applications to non-scheduled events. It incorporates software and SaaS [Software-as-a-Service ] monitoring and analytics solutions focused on application performance management (APM), infrastructure monitoring and reporting, IT operations analytics, application

performance business impact analysis, predictive analytics and computing, and application capacity optimization. Included are console automation products, global event management applications, event correlation and root cause analysis software, event action engines, log management, and log analytics. Cloud cost transparency solutions to manage and optimize cloud spending are included (also called FinOps).”IT Operations Management software is not further divided into any sub-markets in IDC’s standard taxonomy.

(24) Nonetheless, in September 2022, IDC published an ad hoc report on ITOA software which refers to ITOA as a market.

4.2. Market for APM&O

4.2.1. Product market definition

(25) According to Gartner, APM&O tools collect and analyze the performance and behavior of end-user interactions with applications by discovering applications and their relationships.APM&O solutions provide real-time monitoring and tracking of software applications, allowing for detection of performance issues and anomalies.

(26) Cisco’s APM&O solution is “AppDynamics” which enables the observation and visualisation of a company’s technology stack, with a focus on traditional application monitoring. While APM&O remains the core business of AppDynamics, Cisco’s AppDynamics business unit has in recent years expanded its capabilities and now also facilitates the monitoring of (i) business performance, (ii) user experiences, (iii) on-premises, hybrid and cloud-native environments, (iv) networks, and (v) application security.

(27) Splunk's APM&O solution is “Splunk Application Performance Monitoring”, which supports detection and troubleshooting of application performance issues. “Splunk Application Performance Monitoring” offers visibility across a customer’s IT environment with service mapping and tracing, and code-level visibility. Customers can use this solution to configure alerts based on various thresholds, for more efficient alerting.

4.2.1.1. Commission’s precedents

(28) In previous decisions, the Commission considered a classification of software products based on functionality, the end user (enterprise software vs. consumer software), and the specific sector in which they are used (e.g., healthcare software). As regards functionality, the Commission considered a division based

on: (a) infrastructure software, (b) middleware, (c) application software and office software; and (d) operating system/browser software.

(29) Within infrastructure software, the Commission considered the following additional sub-segmentations based on the taxonomy set by Gartner: (a) security software; (b) ITOM software; (c) application development software; and (d) storage management software.

(30) In Broadcom/Symantec , the Commission considered that within the ITOM software segment, Gartner included the following sub-segments: (a) Delivery automation (b) Experience management (currently Gartner refers to Experience management as Value management), (c) Performance Analysis (currently Gartner refers to Performance Analysis as H&PA), and (d) other ITOM software not specifically covered within the above-named categories. H&PA was further subdivided into (i) Artificial Intelligence for Operations (“AIOps”), IT infrastructure monitoring (“ITIM”) and other monitoring tools; (ii) Application Performance Management (currently Gartner refers to APM&O); and (iii) Network Performance Monitoring (“NPM”) and Diagnosis.

(31) In its previous decisions, the Commission ultimately left the market definition open and carried out its assessment based on the narrowest plausible market.

4.2.1.2. The Notifying Party’s views

(32) The Notifying Party considers that the observability space is nascent and continuously evolving. While the segmentations used by Gartner do not in all instances align fully with how the Parties market their products, the Gartner taxonomy for ITOM software and H&PA is commonly relied on by industry participants and the sub-categories of the observability space identified by Gartner broadly correspond to the use cases for which enterprise customers purchase observability tools. The Notifying Party therefore agrees that Gartner generally provides a useful taxonomy for assessing competitive dynamics in the observability space.

(33) The Notifying Party considers that there is a relevant market for APM&O in which competition takes place. [Splunk's confidential assessment of Gartner's estimates of Splunk's APM&O revenues].

(34) Notwithstanding, the Notifying Party considers that market definition can be left open as the Transaction does not give rise to competition concerns under any plausible segmentation of the relevant markets.

4.2.1.3. The Commission’s assessment

(35) The Commission has not identified any reasons in this case to deviate from its precedents in which it defines the software industry market by reference to functionality and end-users, and identifies the narrowest plausible product markets set out by existing market intelligence reports which have been provided by the Notifying Party, notably reports adopted by Gartner and/or IDC.

(36) As mentioned above in Section 4.1.2, currently Gartner considers ITOM software, Security software and Application Infrastructure and Middleware as macro-markets. Gartner segments the macro market for ITOM software into the markets for (i) Delivery Automation; (ii) H&PA, (iii) Value Management, (iv) ITOM Mainframe Tools and (v) Other ITOM. Within H&PA, Gartner identifies the categories: (i) APM&O, (ii) AIOps, (iii) Digital Experience Monitoring, (iv) ITIM; and (v) Other Monitoring Tools.The potential market for ITOM software may thus be further segmented on that basis.

(37) The market investigation did not suggest alternative product market definition.

4.2.2. Geographic market definition

4.2.2.1. Commission’s precedents

(40) In previous decisions, the Commission left the geographic market for infrastructure software (as well as any potential segmentations thereof) open, but considered that it was worldwide or at least EEA-wide in scope, since customers consider offers from vendors from all parts of the world, there are no technological barriers that restrict vendors from supplying customers globally, and infrastructure software are broadly identical across different countries.

4.2.2.2. The Notifying Party’s views

(41) The Notifying Party agrees with the Commission precedents and considers that the market definition can be left open.

4.2.2.3. The Commission’s assessment

(42) In the market investigation, the vast majority of respondents expressing an opinion considered that competition in the APM&O software market takes place at a worldwide level.Respondents explained that “procurement is done worldwide” and “it is a global market, and the larger companies in the market are global companies with customers all across the globe”.

(43) In any event, the Commission considers that, for the purposes of this Decision, the exact geographic market definition with regard to the supply of ITOM software (as well as any potential segmentation of that market) can be left open, as the Transaction does not raise serious doubts as to its compatibility with the internal market irrespective of whether a worldwide or EEA-wide market is considered.

4.3. Market for ITOA

4.3.1. Product market definition

(45) According to IDC, ITOA builds on big data processing capabilities to provide IT log management, log search and analysis, and related historical and predictive performance and capacity and root cause analysis. The key objective is to optimize IT operational service levels in near real time for production application and infrastructure computing environments.

(46) Splunk’s on-premises log management tool is “Splunk Enterprise” (also called “Splunk Cloud Platform” when offered as a Software-as-a-Service) which enables customers to collect, store, identify and correlate the various logs (i.e., automatically produced and time-stamped documentations of events) generated by their internal IT systems or software applications.

(47) Following its acquisition of Dashbase, Cisco has limited log management capabilities, which have been integrated into Cisco's observability offering, but it does not offer a standalone log management tool.

4.3.1.1. Commission’s precedents

(48) The Commission has not previously considered a potential product market for log management tools.

(49) In previous decisions, the Commission considered a classification of software products based on functionality, the end user (enterprise software vs. consumer software), and the specific sector in which they are used (e.g., healthcare software). As regards functionality, the Commission considered a division based on: (a) infrastructure software, (b) middleware, (c) application software and office software; and (d) operating system/browser software.Within infrastructure software, the Commission considered the following additional sub-segmentations based on the taxonomy set by Gartner: (a) security software; (b) IT Operations Management software; (c) application development software; and (d) storage management software.

(50) Gartner does not identify a separate segment for log management, but rather considers log management to be part of multiple segments within Gartner's ITOM software category and security software category, which reflects the various observability and security use cases for which customers apply log management capabilities.

(51) In IBM/Red Hat , the Commission considered that within System Infrastructure software, IDC included the secondary markets for (i) Storage; (ii) Physical and Virtual Computing software; (iii) Network and (iv) Operating Systems.

(52) Currently IDC subdivides the primary market for Systems Infrastructure software into the following secondary markets: (i) System and Service Management software, (ii) Network software, (iii) Security software; (iv) Storage software; (v) Endpoint Management software; and (vi) Physical and Virtual Computing software. IDC segments the secondary market for System and Service Management software into functional markets for: (i) IT Automation and Configuration Management software, and (ii) IT Operations Management software. IT Operations Management software is itself not further divided into any sub-markets in IDC's standard taxonomy.

(53) Nonetheless, in September 2022, IDC published an ad hoc report on ITOA which refers to ITOA as a market.

(54) In the aforementioned cases, the Commission ultimately left the market definition open and carried out its assessment based on the narrowest market level that either Gartner or IDC identify.

4.3.1.2. The Notifying Party’s views

(55) The Notifying Party considers that log management tools are part of the observability or security software markets according to the customer’s use case. Depending on the customer's needs, log management tools can serve different observability and enterprise security use cases. Because log management tools can serve these different use cases, and consistent with Gartner’s taxonomy, the Notifying Party considers that there is no separate market for log management tools. The Notifying Party [Confidential evidence showing that Cisco does not consider there to be a separate market for log management tools].

(56) Notwithstanding, the Notifying Party considers that market definition can be left open as the Transaction does not give rise to competition concerns under any plausible segmentation of the relevant markets.

4.3.1.3. The Commission’s assessment

(57) The Commission has not identified any reasons in this case to deviate from its precedents in which it defines the software industry market by reference to functionality and end-users, and identifies the narrowest plausible product markets set out by existing market intelligence reports which have been provided by the Notifying Party, notably reports adopted by Gartner and/or IDC.

(58) In the market investigation, the majority of respondents expressing an opinion indicated that, in their ordinary course of business, they do not allocate log management revenues under its own separate (ITOA) segment. Instead, log management revenues are allocated under both ITOM software market and security software market depending on the use case (which is aligned with Gartner’s methodology).

(59) As mentioned above in Sections 4.1.3 and 4.3.1.1, currently IDC identifies a primary market for Systems Infrastructure software, a secondary market for System and Service Management software and a functional market for IT Operations Management software (within Service Management software). Although IT Operations Management software is not subdivided in IDC’s standard taxonomy, ITOA software has been referred to as a market in an IDC ad hoc report. The potential market for System Infrastructure software may thus be further segmented on that basis.

(60) The Commission considers that, for the purposes of this Decision, the exact product market definition with regard to the supply of System infrastructure software can be left open, as the Transaction does not raise serious doubts as to its compatibility with the internal market even under the narrowest plausible product market definition, for which market share data is available, based on the IDC segmentation.

(61) In Section 5.5.4, the Commission carries out an assessment on the basis of a plausible IDC market for ITOA software.

4.3.2. Geographic market definition

4.3.2.1. Commission’s precedents

(62) The Commission has not previously considered a potential geographic market for log management tools.

(63) In IBM/Red Hat, the Commission considered that the relevant geographic market for Storage software was worldwide or at least EEA-wide but ultimately left the relevant geographic market open.

4.3.2.2. The Notifying Party’s views

(64) The Notifying Party agrees with the Commission precedents and considers that the market definition can be left open.

4.3.2.3. The Commission’s assessment

(65) In the market investigation, the vast majority of respondents expressing an opinion considered that competition in ITOA software takes place at a worldwide level. Respondents explained that “from a supply-side perspective, ITOA providers supply companies located around the world through cloud-based solutions, and there are no different sourcing patterns or requirements in the EEA compared with the rest of the world. From a demand-side perspective, customers can procure their software products globally”.

(66) The Commission considers that, for the purposes of this Decision, the exact geographic market definition with regard to the supply of System Infrastructure software, or any segment thereof, can be left open, as the Transaction would not raise serious doubts as to its compatibility with the internal market irrespective of whether a worldwide or EEA-wide market is considered.

(67) In Section 5.5.4, the Commission carries out an assessment on the basis of both worldwide and EEA-wide markets.

51 Commission decision of 27 June 2019 in case M.9205 – IBM / Red Hat, paragraphs 110 and 118.

52 Form CO, paragraph 309.

53 Replies to Q1 – Questionnaire to competitors and customers, question C.C.11.

54 Replies to Q1 – Questionnaire to competitors and customers, question C.C.12.

11

4.4. Market for SIEM

4.4.1. Product market definition

(68) SIEM software supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyse log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).

(69) Splunk offers “Splunk Enterprise Security” which is a solution that enables customers to identify and investigate security incidents based on data it draws from Splunk Enterprise.

(70) Cisco does not offer a SIEM solution.

4.4.1.1. Commission’s precedents

(71) In previous decisions, the Commission considered a classification of software products based on functionality, the end user (enterprise software vs. consumer software), and the specific sector in which they are used. As regards functionality, the Commission considered a division based on: (a) infrastructure software, (b) middleware, (c) application software and office software; and (d) operating system/browser software. Within infrastructure software the Commission considered the following additional sub-segmentations based on the taxonomy set by Gartner: (a) security software; (b) ITOM software; (c) application development software; and (d) storage management software.

60(72) In Broadcom/Symantec, the Commission considered that within the security software segment, Gartner included the following sub-segments: (i) application security testing (dynamic and static); (ii) data loss prevention; (iii) enterprise endpoint protection; (iv) identity governance and administration; (v) secure e-mail gateways; (vi) secure web gateways; (vii) SIEM; (viii) (web) access management; and (ix) other security software.

(73) In the previous decisions mentioned above, the Commission ultimately left the market definition open and carried out its assessment based on the narrowest plausible market.

4.4.1.2. The Notifying Party’s views

(74) The Notifying Party considers that the Gartner taxonomy for enterprise security software is commonly relied on by industry participants and the Notifying Party agrees that it generally provides a useful framework for assessing competitive dynamics in the enterprise security space.

(75) The Notifying Party considers that there is a relevant market for SIEM software in which competition takes place. [Gartner's allocation of Splunk's product revenues into the SIEM sub-segment within its taxonomy].

(76) Notwithstanding, the Notifying Party considers that market definition can be left open as the Transaction does not give rise to competition concerns under any plausible segmentation of the relevant markets.

4.4.1.3. The Commission’s assessment

(77) The Commission has not identified any reasons in this case to deviate from its precedents in which it defines the software industry market by reference to functionality and end-users, and identifies the narrowest plausible product markets set out by existing market intelligence reports which have been provided by the Notifying Party, notably reports adopted by Gartner and/or IDC.

(78) As mentioned above in Section 4.1.2, currently Gartner divides the macro-market Security software in the following sub-segments: (i) Access Management, (ii) Application Security Testing, (iii) Cloud Access Security Brokers, (iv) Cloud Workload Protection Platforms, (v) Consumer Security Software, (vi) Endpoint Protection Platform, (vii) Enterprise Data Loss Prevention Products, (viii) Identity Governance and Administration, (ix) Other Security Software; (x) Secure E-mail Gateway; (xi) Secure Web Gateway; and (xii) SIEM. The potential market for Security software may thus be further segmented on that basis.

(79) Finally, the market investigation did not suggest alternative product market definition.

61 Gartner’s taxonomy has changed and currently Gartner divides the macro-market Security software in the following sub-segments: (i) Access Management, (ii) Application Security Testing, (iii) Cloud Access Security Brokers, (iv) Cloud Workload Protection Platforms, (v) Consumer Security software, (vi) Endpoint Protection Platform, (vii) Enterprise Data Loss Prevention Products, (viii) Identity Governance and Administration, (ix) Other Security software; (x) Secure E-mail Gateway; (xi) Secure Web Gateway; and (xii) SIEM.

62 Commission decision of 26 June 2011 in case M.6237 – Computer Science Corporation / iSOFT Group, paragraph 32; Commission decision of 30 October 2019 in case M.9538 – Broadcom/Symantec Enterprise Security Business, paragraphs 24 and 25.

63 Form CO, paragraph 276.

64 Form CO, paragraph 277.

65 Form CO, paragraph 277.

12

(80) Therefore, the Commission considers that, for the purposes of this Decision, the exact product market definition with regard to the supply of Security software can be left open, as the Transaction would not raise serious doubts as to its compatibility with the internal market even under the narrowest plausible product market definition, for which market share data is available, based on the Gartner segmentation.

(81) In Section 5.6, the Commission carries out an assessment on the basis of Gartner’s SIEM market.

4.4.2. Geographic market definition

4.4.2.1. Commission’s precedents

(82) In previous decisions, the Commission left the geographic market for infrastructure software (as well as any potential segmentations thereof) open, but considered that it was worldwide or at least EEA-wide in scope, since customers consider offers from vendors from all parts of the world, there are no technological barriers that restrict vendors from supplying customers globally, and infrastructure software are broadly identical across different countries.

4.4.2.2. The Notifying Party’s views

(83) The Notifying Party agrees with the Commission precedents and considers that the market definition can be left open.

4.4.2.3. The Commission’s assessment

(84) In the market investigation, the vast majority of respondents expressing an opinion considered that competition in the SIEM software market takes place at a worldwide level. Respondents explained that “procurement is worldwide” and that “most vendors in this space operate in all major markets.”

(85) In any event, the Commission considers that, for the purposes of this Decision, the exact geographic market definition with regard to the supply of Security software (and possible segmentation thereof) can be left open, as the Transaction would not raise serious doubts as to its compatibility with the internal market irrespective of whether a worldwide or EEA-wide market is considered.

(86) In Section 5.6 the Commission carries out an assessment on the basis of both worldwide and EEA-wide markets.

5. COMPETITIVE ASSESSMENT

5.1. Introduction

(87) The Parties’ activities are largely complementary. With regards to observability, while both Parties are active in the APM&O category, Cisco’s other activities fall largely within the NPM and DEM categories, whereas Splunk’s activities are in AIOps and ITIM. As for security software, Splunk is active in SIEM and Security orchestration, automation and response whereas Cisco has a focus on Enterprise endpoint protection, Access management, Secure Email gateway, Secure Web gateway, Cloud Workload Protection Platforms, Cloud Access Security Brokers, and Extended detection and response solutions.

5.2. Horizontally Affected Markets

(88) Section 5.5 assesses horizontal relationships between the Parties’ activities in two affected markets or market segments: the APM&O software market at EEA level and the ITOA software market at worldwide and EEA level.

5.3. Conglomerate Markets

(89) Splunk’s SIEM software and Cisco’s observability software are closely related products in the sense that customers that purchase SIEM from Splunk may also purchase Cisco’s observability software. Therefore, there is a conglomerate relationship between the activities of the Parties. Section 5.6 assesses whether the merged entity could, as a result of the Transaction, start bundling Splunk’s SIEM software with Cisco’s observability software.

71 See Section 4.1.1 above: based on 2022 market share data included in section 5.4, we have identified these two Gartner and/or IDC markets or market segments with market shares exceeding 20%.

72 The Commission also assessed a potential conglomerate relationship between Cisco’s hardware (namely its networking hardware, unified communications and network security offerings) and Splunk’s observability and security solutions. The Commission concluded that such potential relationship is not relevant for the following reasons. First, with regards to interoperability between the hardware products of Cisco (or its rivals) and Splunk’s observability and security software solutions, it should be noted that these do not communicate directly to exchange information. Consequently, the merged entity would have no technical ability to degrade data flows from its hardware products to the observability and security solutions of rivals or to degrade the ingest of data generated by Cisco’s rival suppliers of hardware into Splunk’s observability and security solutions. This is because although hardware generates telemetry data (typically logs) which flows to observability and enterprise security solutions, customers have complete control over the type and volume of data which is sent, as well as where the data is sent (by determining the IP address to which data must be sent) and the manufacturer of hardware has no visibility into this. Second, in its response to RFI 6, the Notifying Party submits that there are alternative suppliers in each of the hardware markets where Cisco is active. During the market investigation, one customer explained that it “considers that Cisco is a big player in the network market but does not offer a ‘must have’ product as there are other viable solutions, such as Palo Alto Networks” (see agreed minutes of call with a customer on 26 January 2024, paragraph 4). Similarly, as explained in further detail in Section 5.6, Splunk has no market power in any of the markets for the supply of observability and security software. With regards to the potential bundling of Cisco’s hardware products with any of Splunk’s software (so as to foreclose Splunk’s rivals in observability and security software or Cisco’s rivals in hardware), the merged entity would not have the ability to pursue such strategy as there would not be sufficient customer demand for such bundled solutions. This is because (i) customers apply a best-of-breed purchasing strategy for observability and security solutions, (ii) the purchasing of hardware on one hand and observability and security software on the other hand tend to be carried out by separate procurement teams, (iii) hardware products and observability and security solutions have different use cases, lifespans and purchase cycles; and (iv) Cisco already offers hardware products and observability and security solutions and does not offer a bundle of the two.

5.4. Market shares

(90) According to the Guidelines on the assessment of horizontal mergers (“Horizontal Merger Guidelines”) and the Guidelines on the assessment of non-horizontal mergers (“Non-Horizontal Merger Guidelines”), in the assessment of the effects of a merger, market shares constitute a useful first indication of the structure of the markets at stake and of the competitive importance of the relevant market players.

(91) In the following tables, the Commission presents the market shares of the Parties for all relevant markets to the extent such data is available.

5.4.1. APM&O software (Gartner terminology)

(92) Table 1 provides an overview of the Parties and their main competitors’ market shares for 2020, 2021 and 2022 for the APM&O software market, extracted from Gartner, Market Share: IT Operations Management Software, Worldwide, 2022 (“Gartner ITOM Report 2022”) and Gartner, Market Share: IT Operations Management Software, Worldwide, 2021 (“Gartner ITOM Report 2021”).

cases, lifespans and purchase cycles; and (iv) Cisco already offers hardware products and observability and security solutions and does not offer a bundle of the two.

73 Horizontal Merger Guidelines, paragraph 14; Non-Horizontal Merger Guidelines, paragraph 24.

74 Market shares estimates for calendar year 2023 are currently not available. See paragraph 39 of the Parties’ response to RFI 6.

16

(98) The Transaction also results in overlaps for a number of other markets. However, none of these overlaps give rise to affected markets as a result of the application of the Commission Implementing Regulation (“Implementing Regulation”). Therefore, these overlaps will not be discussed in this decision.

5.5. Horizontal effects

5.5.1. Introduction

(99) The Transaction gives rise to the following horizontally affected markets: (i) the EEA-wide APM&O software market (Section 5.5.3); and (ii) a worldwide and EEA-wide hypothetical market for ITOA software (Section 5.5.4).

5.5.2. Legal framework

(100) The Horizontal Merger Guidelines describe two main ways in which horizontal mergers may significantly impede effective competition. In particular, the proposed concentration might be creating or strengthening a dominant position: (i) by eliminating important competitive constraints on one or more firms, which consequently would have increased market power, without resorting to coordinated behaviour (non-coordinated effects); and (ii) by changing the nature of competition in such a way that firms that previously were not coordinating their behaviour, are significantly more likely to coordinate and raise prices or otherwise harm effective competition (coordinated effects).

(101) A merger giving rise to horizontal non-coordinated effects might significantly impede effective competition by creating or strengthening the dominant position of a single firm, one which, typically, would have an appreciably larger market share than the next competitor post-merger. Moreover, also mergers that do not lead to the creation of or the strengthening of a single firm’s dominant position may create competition concerns under the substantive test set out in Article 2(2) and Article 2(3) of the Merger Regulation. Regarding mergers in oligopolistic markets, the Merger Regulation clarifies that “under certain circumstances, concentrations involving the elimination of important competitive constraints that the merging parties exerted upon each other, as well as a reduction of competitive pressure on the remaining competitors, may, even in the absence of a likelihood of coordination between the members of the oligopoly, result in a significant impediment to effective competition.”

(102) The Horizontal Merger Guidelines list a number of factors which may influence whether or not significant horizontal non-coordinated effects are likely to result from a merger, such as the large market shares of the merging firms, the fact that the merging firms are close competitors, the limited possibilities for customers to switch suppliers, or the fact that the merger would eliminate an important competitive force. Not all those factors need to be present to make significant non-coordinated effects likely and it is not an exhaustive list.

5.5.3. APM&O software

5.5.3.1. The Notifying Party’s views

(103) The Notifying Party considers that the Transaction will not give rise to competition concerns in the market for APM&O software for the following reasons.

(104) First, the Notifying Party submits that the combined market share of the Parties in the APM&O software market is moderate (Cisco and Splunk have a market share of [10-20]% and [0-5]% respectively at EEA level).

(105) Second, the Notifying Party submits that the APM&O software market is fragmented and there are large and well-funded rivals, such as Dynatrace (with a market share of [10-20]% in the EEA), New Relic (with a market share of [10-20]% in the EEA) and Datadog (with a market share of [5-10]% in the EEA). IBM (with a market share of [0-5]% in the EEA) and Microsoft (with a market share of [0-5]% in the EEA) are also active in these markets.

(106) Finally, the Notifying Party considers that Cisco and Splunk are not close competitors in the APM&O software market as Cisco’s APM&O solution is mainly an on-premises offering, whereas Splunk’s APM&O tool is offered as a Software as a Service solution. This is supported by the Parties’ internal win/loss data which shows that [Assessment of Parties' internal win/loss data].

5.5.3.2. The Commission’s assessment

(107) The Commission considers that the Transaction is unlikely to raise serious doubts as to its compatibility with the internal market as a result of horizontal effects in the market for APM&O software at EEA level.

(108) First, the Parties’ combined 2022 market shares in a narrowly defined APM&O software market will remain moderate: [20-30]% in the EEA.

(109) Second, Splunk’s offering in APM&O software will only increase modestly Cisco’s position in these markets. The increment contributed by Splunk in the market for APM&O software amounts to [0-5]% in the EEA.

(110) Third, the merged entity will continue to compete with a large number of other suppliers in the market for APM&O software. The Parties will continue to face competition at the EEA level from a number of established players such as Dynatrace ([10-20]% market share), New Relic ([10-20]% market share) and Datadog ([5-10]% market share).

(111) In the market investigation, all the respondents expressing an opinion considered that several companies supply product(s) that compete with Cisco’s “AppDynamics” products. Such suppliers include Datadog, Dynatrace, IBM, Microsoft and New Relic, which are also active at the EEA level.

(112) The majority of respondents expressing an opinion also considered that several companies supply product(s) that compete with “Splunk Application Performance monitoring” products. Such suppliers include Datadog, Dynatrace, Elastic, IBM, Microsoft and New Relic, which are also active at the EEA level.

(113) Fourth, even though the Parties’ products compete closely, customers have several alternative APM&O suppliers to switch to.

(114) The majority of respondents that expressed an opinion considered that Cisco’s and Splunk’s products (identified above, in the present Section) compete closely. Respondents explained that “both products are covering the full APM&O area in terms of functionality” and “there are similar capabilities from both AppDynamics product and the Splunk Observability product both measuring Application Performance Monitoring in order to support the operations of the applications”.

(115) Notwithstanding, as mentioned above in the present Section, several companies supply product(s) that compete with Cisco’s and Splunk’s APM&O products. The majority of respondents expressing an opinion considered that even if customers have chosen an APM&O software supplier, in practice, customers do switch between different APM&O software suppliers. Further, the majority of respondents expressing an opinion also considered that although switching from one APM&O software supplier to another is technically complex and needs some time, it is a real option.

(116) Fifth, the vast majority of market respondents expressing an opinion considered that the impact of the transaction in the market for APM&O software would be positive or neutral.

(117) For all the above reasons, the Commission concludes that the Transaction would not raise serious doubts as to its compatibility with the internal market as a result of horizontal effects in the market for APM&O software at EEA level.

5.5.4. ITOA software

5.5.4.1. The Notifying Party’s views

(118) The Notifying Party considers that the Transaction will not give rise to competition concerns in the putative market for ITOA software at worldwide or EEA level for the following reasons.

(119) First, the Notifying Party submits that the Transaction would not lead to competition concerns given that in a hypothetical ITOA software market, the combined market share of the Parties is moderate (Cisco and Splunk have a market share of [0-5]% and [20-30]% respectively at a worldwide level in 2021, and market shares at EEA level are likely similar).

(120) Second, the Notifying Party considers that Cisco and Splunk are not close competitors in a hypothetical ITOA software market given that Cisco’s log management capabilities are integrated with Cisco’s observability products and are not marketed as a standalone product. Customers therefore do not view these limited log management capabilities integrated within Cisco’s observability products to be effective substitutes for log management solutions offered by Splunk.

(121) Lastly, the Notifying Party submits that the hypothetical ITOA software market is fragmented and there are large and well-funded rivals such as Elastic (offering Logstash), Sumo Logic, Graylog, Datadog, Mezmo (formerly LogDNA, which is integrated with, for example, IBM solutions) SolarWinds (offering Loggly), LogRhythm, and IBM (offering QRadar Log Insights).

5.5.4.2. The Commission’s assessment

(122) The Commission considers that the Transaction is unlikely to raise serious doubts as to its compatibility with the internal market as a result of horizontal effects in a market for ITOA software, at a worldwide or EEA level.

(123) First, the Parties’ combined 2021 market shares in a hypothetical and narrowly defined ITOA software market will remain moderate: [20-30]% worldwide. According to the Notifying Party, there is no reason to believe that the Parties’ and their competitors’ EEA market shares for 2019, 2020 and 2021 in the ITOA segment would be significantly different from the worldwide combined market shares.

(124) Second, Splunk’s offering in ITOA software will only increase modestly Cisco’s position in these markets. The increment contributed by Cisco in the market for ITOA software amounts to [0-5]% worldwide and in the EEA.

(125) Third, the merged entity will continue to compete with a large number of other suppliers. The Parties will continue to face competition at the worldwide level and in the EEA from a number of established players such as VMware ([10-20]% market share), ServiceNow ([5-10]% market share) and IBM ([5-10]% market share).

(126) In the market investigation, the vast majority of respondents expressing an opinion considered that several companies supply product(s) that compete with “Splunk Enterprise” and/or “Splunk Cloud Platform” products at a worldwide level. Such suppliers include Datadog, Dynatrace, Elastic, IBM and Microsoft, which also have a presence at the EEA level.

(127) The majority of respondents expressing an opinion also considered that even if customers have chosen an ITOA software supplier, in practice, customers do switch between different ITOA software suppliers. Further, the vast majority of respondents expressing an opinion considered that although switching from one ITOA software supplier to another is technically complex and needs some time, it is a real option.

(128) Fourth, the Commission considers that the Parties do not appear to compete closely.

(129) Cisco offers log management capabilities in its “AppDynamics” products (i.e. its observability tool) but does not offer a standalone log management solution. The majority of respondents expressing an opinion considered that observability tools (e.g. APM&O) with integrated log management functions are partially (i.e. only for some use cases) substitutes to standalone log management tools, based on product characteristics, price, and intended use. One respondent explained that “log management tools need to collect, store and process massive amounts of data, but APM tools are not designed for mass data processing. As such, APM tools with integrated log management cannot function as substitutes to standalone log management tools.” Another respondent explained that “there may be specific, limited use cases where integrated log management may substitute for stand-alone log management tools, but most purchasers follow a complementary "best of breed" approach, utilizing observability tools that focus on specific applications, such as security observability/management versus application observability/management. For example, where a product utilizes traces, which identify the systems involved in a particular issue and point a user to where an issue may have occurred, this can be differentiated from log analytics tools, which ingest large volumes of log data from targeted cloud-based applications and then perform analytic functions and thus allow customers to create custom queries and alerts in order to monitor, diagnose, and remediate problems. These capabilities (traces and log analytics) are often thought of as complements, rather than substitutes.”

(130) Further, the majority of respondents expressing an opinion considered that Cisco’s products with log management capabilities (“AppDynamics”) and Splunk’s products (“Splunk Enterprise” and/or “Splunk Cloud Platform”) focus on different customer needs. For instance, one respondent explained that “AppDynamics focuses on real-time Application Performance Monitoring (APM), while Splunk specializes in log analytics and broader data analysis capabilities.”

(131) For all the above reasons, the Commission concludes that the Transaction would not raise serious doubts as to its compatibility with the internal market as a result of horizontal effects on a hypothetical market for ITOA software, at a worldwide or EEA level.

5.5.5. Conclusion

(132) In light of the above, the Commission concludes that the Transaction does not raise serious doubts as to its compatibility with the internal market as a result of a horizontal overlap between the Parties’ activities on the markets for the supply of (i) APM&O software; and (ii) ITOA software.

5.6. Conglomerate effects

5.6.1. Introduction

(133) The Transaction gives rise to a conglomerate relationship between Splunk’s SIEM software and Cisco’s observability software. This Decision assesses whether the merged entity could engage in commercial tying or bundling strategies, whereby Splunk’s SIEM solution would be offered together with Cisco’s observability software.

5.6.2. Legal framework

(134) According to the Non-Horizontal Guidelines, in the majority of circumstances, conglomerate mergers will not lead to any competition problems.

(135) However, foreclosure effects may arise when the combination of products in related markets may confer on the merged entity the ability and incentive to leverage a strong market position from one market to another closely related market by means of tying or bundling or other exclusionary practices. While tying and bundling have often no anticompetitive consequences, in certain circumstances such practices may lead to a reduction in actual or potential competitors' ability or incentive to compete. This may reduce the competitive pressure on the merged entity allowing it to increase prices.

(136) In assessing the likelihood of such a scenario, the Commission examines, first, whether the merged firm would have the ability to foreclose its competitors, second, whether it would have the economic incentive to do so and, third, whether a foreclosure strategy would have a significant detrimental effect on competition, thus causing harm to consumers. These factors are cumulative and often examined together as they are closely intertwined.

(137) In order to be able to foreclose competitors, the merged entity must have a significant degree of market power, which does not necessarily amount to dominance, in one of the markets concerned. The effects of bundling or tying can only be expected to be substantial when at least one of the merging parties’ products is viewed by many customers as particularly important and there are few alternatives available.

114 The Parties would not be able to engage in technical tying as there is no interoperability between SIEM solutions on the one hand and observability software on the other.

115 Non-Horizontal Guidelines, paragraph 92.

116 Non-Horizontal Guidelines, paragraphs 91 and 93.

117 Non-Horizontal Guidelines, paragraphs 95-104.

118 Non-Horizontal Guidelines, paragraphs 105-110.

119 Non-Horizontal Guidelines, paragraphs 111-118.

25

120 relevant alternatives for that product.Further, for foreclosure to be a potential concern, it must be the case that there is a large common pool of customers, which

121 is more likely to be the case when the products are complementary.Finally, bundling is less likely to lead to foreclosure if rival firms are able to deploy effective and timely counter-strategies, such as single-product companies

122 combining their offers.

(138) The incentive to foreclose competitors through bundling or tying depends on the

123 degree to which this strategy is profitable.Bundling and tying may entail losses

124 or foregone revenues for the merged entity.However, they may also allow the merged entity to increase profits by gaining market power in the tied goods market,

125 protecting market power in the tying good market, or a combination of the two.

(139) It is only when a sufficiently large fraction of market output is affected by foreclosure resulting from the concentration that the concentration may

126 significantly impede effective competition. If there remain effective single-product players in either market, competition is unlikely to deteriorate following a

127 conglomerate concentration.The effect on competition needs to be assessed in light of countervailing factors such as the presence of countervailing buyer power or the likelihood that entry would maintain effective competition in the upstream or

128 downstream markets.

5.6.3. Bundling of Splunk’s SIEM software with Cisco’s observability software

5.6.3.1. The Notifying Party’s views

5.6.3.1.1. Ability to foreclose

(140) The Notifying Party submits that the merged entity would not have the ability to foreclose competing observability software providers by engaging in the commercial bundling of Splunk’s SIEM software with Cisco’s observability software because Splunk does not have market power in a market for SIEM software. It faces effective competition from established vendors including IBM (with a market share of [10-20]% worldwide) and Microsoft (with a market share of [10-20]% worldwide) that have extensive portfolios which they can and do

128 include in bundles.

5.6.3.1.2. Incentive to foreclose

(141) The Notifying Party considers that the merged entity would not have any incentive to engage in a bundling strategy because many customers have a preference for a best-of-breed purchasing strategy for observability solutions and even more so for security solutions, as a result of which there would not be sufficient customer demand for bundles of Splunk’s SIEM solution and Cisco’s observability solutions.

120 Non-Horizontal Guidelines, paragraph 99.

121 Non-Horizontal Guidelines, paragraph 100.

122 Non-Horizontal Guidelines, paragraph 103.

123 Non-Horizontal Guidelines, paragraph 105.

124 Non-Horizontal Guidelines, paragraph 106.

125 Non-Horizontal Guidelines, paragraph 108.

126 Non-Horizontal Guidelines, paragraph 113.

127 Non-Horizontal Guidelines, paragraph 114.

128 Form CO, paragraph 403.

26

This is evidenced by the fact that Splunk currently does not bundle its SIEM solution with its Splunk Observability Cloud solutions (APM&O, ITIM and DEM) and [Proportion of customers that purchase both sets of solutions] buy both sets of

129 solutions together.

5.6.3.1.3. Impact on effective competition

(142) Finally, a bundling strategy of Splunk’s SIEM solution and Cisco’s observability solutions would not be capable of generating anti-competitive effects. Given that Splunk’s SIEM solution is not a must-have product, the merged entity would not be able to win sufficient customers from observability rivals. Rivals in the observability market typically have a product range comparable to what the merged entity would offer and could therefore respond by employing a bundling strategy equivalent to that of the combined entity. Such rivals include IBM, Microsoft,

130 Micro Focus, ManageEngine and Elastic.

5.6.3.2. The Commission’s assessment

(143) For the reasons set out below and based on the results of the market investigation, the Commission considers that the merged entity would not have the ability to bundle SIEM software with Cisco’s observability software. Therefore, given that

131 the conditions under the Non-Horizontal Guidelines are cumulative , the Commission does not need to take a position of whether the two other conditions are satisfied.

5.6.3.2.1. Ability to foreclose

(144) For the reasons set out below, the Commission considers that the merged entity would not have the ability to engage in a strategy of bundling Splunk’s SIEM software with Cisco’s observability software.

(145) First, for the purposes of this Decision, the Commission considers that Splunk does not have market power in the EEA or worldwide market for SIEM software.

(146) As mentioned in Section 5.4.3 above, in 2022, Splunk had a worldwide market share of [30-40]%, followed closely by IBM with a worldwide market share of [10-20]%, and Microsoft, with a worldwide market share of [10-20]%.

(147) In the market investigation, the vast majority of respondents expressing an opinion considered that several companies supply product(s) that compete with Splunk’s

132 “Splunk Enterprise Security” products.Such suppliers include Microsoft, IBM,

133 Log Rhythm, Elastic, and Micro Focus which are also active at the EEA level.

(148) While a slight majority of respondents expressing an opinion considered that once customers have chosen a SIEM software supplier, in practice, they do not switch

134 between different SIEM software suppliers , they also explained that “technically

129 Form CO, paragraph 404.

130 Form CO, paragraph 405.

131 Non-Horizontal Guidelines, paragraphs 93-118.

132 Replies to Q1 – Questionnaire to competitors and customers, question C.B.1.

133 Form CO, Annex 6.17, Table 6 and Annex 7.6.

134 Replies to Q1 – Questionnaire to competitors and customers, question C.B.9.

27

135 it is possible but need some migration time and cost”.Indeed, the majority of respondents expressing an opinion considered that although switching from one SIEM software supplier to another is technically very complex and needs some

136 time, it is a real option.

(149) Second, SIEM and observability solutions have different purchasing patterns. In the market investigation, market participants confirmed that customers typically buy these products separately, as a result of which there would not be sufficient customer demand for bundles of Splunk’s SIEM solution and Cisco’s observability

137 solutions.One customer explained that it has “separate procurement processes for observability and security solutions (handled by IT Operations and IT Security

138 respectively). Typically, these products are purchased individually”.In light of the above, the Commission considers that the merged entity would not have the ability to engage in a strategy of bundling its SIEM solution with Cisco’s observability software.

5.6.3.3. Conclusion

(150) In view of the above considerations and in light of the results of the market investigation and the evidence and information available to it, the Commission concludes that the Transaction would not raise serious doubts as to its compatibility with the internal market as a result of conglomerate effects, notably by bundling Splunk’s SIEM software and Cisco’s observability software, considering that the merged entity would not have the ability to engage in such strategy.

6. CONCLUSION

(151) For the above reasons, the European Commission has decided not to oppose the notified operation and to declare it compatible with the internal market and with the EEA Agreement. This decision is adopted in application of Article 6(1)(b) of the Merger Regulation and Article 57 of the EEA Agreement.

For the Commission

(Signed) Margrethe VESTAGER Executive Vice-President

135 Replies to Q1 – Questionnaire to competitors and customers, question C.B.10.

136 Replies to Q1 – Questionnaire to competitors and customers, question C.B.11.

137 Agreed minutes of call with a competitor on 25 January 2024, paragraph 13; agreed minutes of call with a customer on 26 January 2024, paragraph 11.

138 Agreed minutes of call with Mercedes-Benz on 26 January 2024, paragraph 11.

28