United Kingdom: The Scope of the National Security And Investment Act in Practice

This is an Insight article, written by a selected partner as part of GCR's co-published content. Read more on Insight

Overview: a new regime takes shape

The National Security and Investment Act 2021 (NSI Act) established a dedicated regime to review transactions on national security grounds. Prior to this, the United Kingdom’s government was only able to formally intervene in transactions on national security grounds via the UK merger regime.[2] As part of a fundamental overhaul of the United Kingdom’s regulatory arsenal, the NSI Act introduced a stand-alone regime empowering the secretary of state to review acquisitions of entities and assets for UK national security purposes (the NSI regime).

The NSI regime comprises a mandatory notification requirement for qualifying transactions in specified sectors completing on or after 4 January 2022. Other relevant acquisitions of ‘control’, including those that had already completed on or after 12 November 2020, may be called-in for review by the secretary of state.[3] A voluntary notification regime exists in parallel to the mandatory regime, enabling parties to a transaction to proactively bring transactions to the attention of the secretary of state.

The NSI regime is administered by the Investment and Security Unit (ISU) (which is currently part of the Cabinet Office).[4]

This chapter sets out the functional aspects of the NSI regime and early trends emerging from the first 18 months of its operation.

Scope

The NSI regime is not limited to specific sectors nor foreign investors but allows the secretary of state to review almost any transaction (see ‘Jurisdiction and notification requirements’, below) that he or she considers may give rise to a risk to UK national security.[5] The NSI Act makes additional provision, however, for mandatory notification of certain transactions concerning target businesses that have activities within one or more of 17 sectors specified in the notifiable acquisition regulations (NARs).[6]

Jurisdiction and notification requirements

Transactions will be within the scope of the NSI regime whenever a ‘trigger event’ occurs in respect of a ‘qualifying entity’ or ‘qualifying asset’. For this purpose:

  • a ‘qualifying entity’ means, broadly, any entity that is not an individual and (1) is formed or recognised within the United Kingdom, or (2) is formed or recognised outside of the United Kingdom and either carries on activities in the United Kingdom, or supplies goods or services to persons in the United Kingdom;[7]
  • a ‘qualifying asset’ means land, tangible moveable property or ideas, information or techniques that have industrial, commercial or other economic value, provided that the asset is (1) situated within the United Kingdom (in the case of land or moveable property only), or (2) situated outside of the United Kingdom and used in connection with activities carried on in the United Kingdom, or (3) situated outside of the United Kingdom and used in connection with the supply of goods or services to persons in the United Kingdom;[8] and
  • a ‘trigger event’ includes any of the following (which are considered in the NSI Act to constitute acquisitions of control):[9]
    • in respect of a qualifying entity:
      • an increase in the percentage of shares or voting rights held by the acquirer from (1) 25 per cent or less to more than 25 per cent, (2) 50 per cent or less to more than 50 per cent, or (3) less than 75 per cent to 75 per cent or more;
      • an acquisition of voting rights in the entity that, whether alone or in aggregate with voting rights already held, enable the acquirer to secure or to veto any class of resolution governing the affairs of the qualifying entity; or
      • an acquisition of rights or interests that, whether alone or in aggregate with rights or interests already held, enable the acquirer to materially influence the policy of the qualifying entity (unless the acquirer already held interests or rights that enabled it to do so). The government interprets this concept of ‘material influence’ in light of the approach taken under the UK merger control regime (but having regard to the context of the NSI Act).[10] As such, acquisitions of a 15 per cent stake or less have, in particular circumstances, been sufficient to bring a transaction within the scope of the NSI regime;[11]
    • in respect of a qualifying asset, an acquisition of rights or interests in relation to the asset that enable the acquirer to:
      • use the asset, or use it to a greater extent than prior to the acquisition; or
      • direct or control how the asset is used, or to do so to a greater extent than prior to the acquisition.

Importantly, this means acquisitions of minority interests could constitute trigger events, and parties considering such steps should always check whether they may be within the scope of the NSI Act.

Application of the NSI regime to intra-group reorganisations

It is also notable that intra-group reorganisations are within the scope of the NSI regime. Any transaction in which an immediate controlling interest over an entity or asset changes hands might be reviewable, or even trigger a mandatory filing requirement, even if the transaction is entirely intra-group and does not result in any change in the ultimate ownership of the entity or asset. ISU guidance recognises, however, that it is rare in practice that such transactions will raise substantive national security risks.[12] This is an unusual position, differing in particular from the approach taken under UK merger control rules as well as a number of other foreign direct investment regimes.

When the NSI Act first took effect, there were concerns that this would lead to a significant number of technical filings. However, government guidance has since clarified that when a qualifying acquisition involves the internal restructuring of an entity or corporate group which contains multiple qualifying entities or assets, and there are no new shareholders from outside the corporate group acquiring control of shares or voting rights, this can be notified to the government in a single notification.[13] The same principle applies where a qualifying acquisition involves multiple qualifying entities or assets being acquired by a single acquirer from a single seller. This is a welcome clarification that should avoid the burden of having to make multiple notifications for the same overall transaction.

Mandatory notification regime

Mandatory notification will be required when a transaction involves an acquisition of ‘control’ (as defined above in the context of a trigger event but excluding the ‘material influence’ limb) over a qualifying entity (i.e., not a qualifying asset) that carries on specified activities in the United Kingdom in one or more sectors of the economy specified in the NARs (each a ‘specified activity’).[14] Intra-group reorganisations can also be caught by the mandatory regime, with a change in ownership or reporting line from one group company to another in essence being regarded as an acquisition of control for these purposes.[15] These transactions must be notified to the ISU and clearance obtained prior to completion.

Under the NARs,[16] the relevant sectors are:

  • advanced materials;
  • advanced robotics;
  • artificial intelligence;
  • civil nuclear;
  • communications;
  • computing hardware;
  • critical suppliers to government;
  • cryptographic authentication;
  • data infrastructure;
  • defence;
  • energy;
  • military and dual-use;
  • quantum technologies;
  • satellite and space technology;
  • suppliers to the emergency services;
  • synthetic biology; and
  • transport.

The NARs provide detailed lists and definitions of each specified activity within these sectors. The ISU has published guidance to assist parties in assessing whether any of the specified activities is engaged,[17] while also stating that parties may contact the ISU to seek informal guidance where there is ‘significant uncertainty’ about whether an acquisition is notifiable.[18] Any view expressed by the ISU is not binding and in practice ‘significant uncertainty’ can be a high threshold, but the ISU has publicly stated its willingness to engage with parties where there is genuine uncertainty.

Given the detailed nature of the sector definitions in the NARs, assessing whether a target’s activities fall within the scope of one of the specified activities generally requires active cooperation from the target. This inevitably adds a degree of uncertainty for potential buyers in less obvious cases, particularly in the case of an uncooperative target or when the opportunity for pre-bid due diligence is limited.

Voluntary notification is available for transactions that comprise trigger events in relation to (1) qualifying entities that do not carry on specified activities (i.e., they carry on activities outside of the mandatory sector definitions), (2) transactions within the mandatory sectors where the 25 per cent ‘control’ threshold is not crossed (e.g., an acquisition of material influence), and (3) asset acquisitions. Submission of a voluntary notice reduces to 30 working days (from six months or longer) the period in which the secretary of state can decide to call-in a transaction for review.

‘Call-in’ power

The secretary of state has the power to issue a ‘call-in notice’ to call-in for review any transaction in which a trigger event has taken place (or will take place) where the secretary of state reasonably considers that this may give rise to a risk to national security. This power is exercisable at any time up to six months after the secretary of state becomes aware of the transaction, provided this is also within five years of the relevant trigger event.[19]

Where a transaction is notified to the ISU (on a voluntary or mandatory basis), however, the secretary of state must decide whether to issue a call-in notice within 30 working days of the notification being accepted by the secretary of state.

In addition, the NSI Act grants the ISU extensive information gathering powers, enabling it to request any information necessary to inform an assessment of the national security risks of a transaction. This may include requesting information in circumstances where no notification has been submitted to enable the secretary of state to determine whether to exercise the call-in power. The ISU actively monitors markets for non-notified transactions that may give rise to national security concerns, making use of both open source materials (including news reports, internet sites, public records, and blogs and social networking sites) as well as third-party service providers.[20] The ISU may also be made aware of transactions by way of cooperation arrangements with the UK CMA (with whom the ISU has signed a memorandum of understanding) or FDI authorities in allied jurisdictions, in particular the United States and other Five Eyes Alliance[21] jurisdictions (with which cooperation is more informal).

In practice, the ISU is increasingly issuing information requests in relation to non-notified transactions and between 1 April 2022 and 31 March 2023 (i.e., the period covered by the ISU’s most recent annual report), the secretary of state called-in 10 non-notified transactions for review (representing approximately 15 per cent of the total number of call-ins).[22] When assessing an acquisition, the ISU may also request information from the parties, or third parties relevant to the acquisition, by issuing information notices or attendance notices. The latter requires the recipient to attend meetings (physically or remotely) with the ISU.[23]

The ability to call-in a transaction applies to any transaction that completed on or after 12 November 2020. When the secretary of state became aware of a transaction, prior to the NSI regime coming into force on 4 January 2022, the six-month period within which that transaction could be called in was deemed to have started when the NSI Act was enacted, and has therefore now expired. The mandatory notification requirement does not apply to transactions completed before the NSI regime came into force.

In accordance with Section 3 of the NSI Act, the secretary of state has published a statement of policy intent (known as the Section 3 Statement) on the scope and proposed use of the call-in power.[24]

Types of investors

The NSI regime is not explicitly targeted at specific categories of investor but applies, in principle, equally to domestic and foreign investors of any kind. It is not dependent on an investor’s nationality or domicile, nor the existence of trade relationships between the United Kingdom and any other country. In practice, concerns around ownership of UK businesses or assets by overseas entities will be taken into account by the secretary of state when deciding whether to call in a transaction and in any substantive national security assessment. Potential concerns may not always be in the public domain and will ultimately depend on prevailing views within the government.

During the development of the NSI regime, the government indicated that its focus would be on acquirers who are likely to be directly hostile to the interests of the UK’s national security or owe allegiance to others who are hostile. The government has stated that it is affiliation to hostile parties, rather than foreign ownership itself, that would be problematic. State-owned enterprises, sovereign wealth funds and similar entities, for example, are not regarded as inherently more likely to pose a security risk, particularly if they have a history of passive or long-term investments or pursue long-term investment strategies.[25] Conversely, although transactions involving foreign acquirers may still be more likely to be called-in than those involving UK acquirers, transactions involving UK acquirers will be subject to mandatory notification requirements and may be called-in.

The ISU’s second annual report on the NSI regime (covering the first full financial year of its operation from 1 April 2022 to 31 March 2023), suggests that transactions involving acquirers associated with China are most likely to be called-in (42 per cent of call-ins in the relevant period),[26] followed by the United Kingdom (32 per cent) and the United States (20 per cent).[27] This is despite China accounting for only 4 per cent of accepted notifications, while UK and US investors represent 58 per cent and 25 per cent of accepted notifications respectively. Moreover, the majority of the conditional clearances issued under the NSI Act during the relevant period relate to Chinese-linked acquirers (who account for more than half of these), and Chinese-linked investments account for all but one of the prohibition/divestment decisions. It is too early in the NSI regime to discern long-term trends, but these statistics show that – at the least – there is scrutiny of Chinese investments in the United Kingdom. The same scrutiny appears to apply to domestic investors and investors from allied nations - the majority of call-ins have related to UK investors and investors from the United Nations and other G7 nations.[28]

Extraterritoriality

The NSI regime captures acquisitions outside the United Kingdom if the target meets the criteria of a qualifying entity or qualifying asset. These criteria require a connection to the United Kingdom but do not require there to be any physical presence in the United Kingdom. Transactions involving wholly non-UK entities may therefore still be in scope of the NSI regime where the target provides goods or services to customers located in the United Kingdom. Asset acquisitions involving non-UK acquirers, sellers or target assets may also be in scope if these assets are used ‘in connection with’ activities carried on in the United Kingdom or the supply of goods or services to persons in the United Kingdom). Remedies orders, where relevant, may apply to a person’s conduct outside the United Kingdom if they are a UK national, an individual ordinarily resident in the United Kingdom, a body incorporated or constituted under the law of any part of the United Kingdom, or carrying on business in the United Kingdom.[29]

The government considers that acquisitions of entities or assets outside the United Kingdom are generally less likely to give rise to national security risks than those located within the United Kingdom and are therefore less likely to be called in. The level of national security risk will generally be linked to the strength of the connection of the asset or entity to the United Kingdom.[30]

The government has also published guidance intended to assist parties in assessing whether overseas transactions will fall within the scope of the NSI Act.[31] The guidance addresses topics such as the circumstances in which the presence of staff or the transport of products into the United Kingdom will bring a business within the scope of the NSI regime, as well as how the government anticipates engaging with overseas parties. It also notes that, although the government may bring enforcement action against parties or transactions outside the United Kingdom, in some cases formal enforcement might not be plausible or desirable, and that, in such cases, the government might instead pursue alternative means of protecting UK national security, such as cutting out specified parties from its supply chains.

Commentary

In practice, deciding whether to make a voluntary notification is likely to depend largely on an assessment of the likelihood of the transaction being called in for review. When there is a potential risk to national security or potential for the government to perceive that there is such a risk, it may be advisable to notify the transaction voluntarily in the interests of legal certainty, given the length of time during which the secretary of state’s call-in power could potentially be exercised.

The government has chosen not to detail the circumstances in which national security is, or may be, considered at risk; the intention is to ensure that the NSI regime is ‘sufficiently flexible to protect the nation’, while also stressing that the NSI regime will not be used arbitrarily, reflecting the UK’s standing as an economy that is open to investment.[32] This is understandable given the inherent sensitivity and secrecy of national security interests and is similar to the position in many other FDI regimes. It does, however, leave the door open for the concept of ‘national security’ to be expanded beyond its traditional scope (which has historically tended to be limited to military or military adjacent products and/or services).

In its Section 3 Statement, the government indicates that the 17 sectors within which the NARs define specified activities are also sectors that it considers to be generally more sensitive as regards national security. As such, even when mandatory filings are not triggered (e.g., because the control thresholds are not met, or the target does not carry out specified activities), transactions in these sectors and related sectors are more likely to be called-in for review.[33] The ISU’s second annual report shows that the most common sectors in which mandatory notifications were made were defence, critical suppliers to the government, data infrastructure, military and dual use, and artificial intelligence.[34] Defence stands out as the sector with the most mandatory notifications received: at 47 per cent this is more than double that of the next largest sector for mandatory notifications, critical suppliers to the government (22 per cent).[35] The most common areas of the economy subject to voluntary notifications were advanced materials, defence, military and dual use, energy, as well as academic research and development in higher education.[36] This list may reflect the breadth of the specified activities for these sectors set out in the NARs and/or the potential uncertainty as to their application in a specific case.

The Section 3 Statement also identifies the following key risk factors for the assessment of the likelihood of a risk to national security:[37]

  • Target risk: the nature of the target and whether it is being used, or could be used, in a way that poses a risk to national security. The government indicates that this is most likely to arise in transactions in or closely linked to the specified activities set out in the NARs.
  • Acquirer risk: characteristics of the acquirer such as the sector(s) of activity, technological capabilities and whether it has links to entities that may seek to undermine or threaten the interests of the United Kingdom. This would include having regard to the persons with ultimate control of the acquirer, any other interests already owned by them and any links to criminal or other illicit activities.
  • Control risk: the amount of control the acquirer gains of an entity’s operational business or future strategy, or control or use of an asset. It is noted that the secretary of state is ‘less likely’ to have concerns based solely on the degree of control acquired.

As regards asset acquisitions, the secretary of state expects to call-in only rarely acquisitions of assets that are not in areas linked to the specified activities and in any case much less frequently than acquisitions of entities.[38]

Notwithstanding the above, there remains relatively little guidance, and limited decisional practice by which parties may assess the call-in risk for any given transaction (compared to the UK merger regime, for example). Under the NSI Act, the ISU is required only to make public the fact of a final order (i.e., a final decision imposing remedies or prohibiting a deal) and there is no obligation for the secretary of state to make a public statement when a transaction is called-in for review (or where the secretary of state has decided not to call-in a transaction). While there have been certain cases where the government has opted to make a public statement confirming it has issued a call-in,[39] its policy is not to do so as a matter of routine.[40] Where the government has done so, the announcements reveal no details as to the reasons for calling in the transaction. As such, there remains a limited body of decisional practice in relation to transactions called-in but cleared unconditionally.

The Section 3 Statement also raises a number of issues that may need to be addressed in the future, including:

  • the secretary of state’s position that high levels of control ‘may enable parties to reduce the diversity of a market, or influence the market’s behaviour, in a way that may give rise to a risk to national security’. This appears to conflate the notion of control over an enterprise with that of market power;
  • the extent to which a single risk factor could be sufficient to prompt the issue of a call-in notice (the Section 3 Statement indicates that ‘[t]he secretary of state expects that, when calling in an acquisition, all three risk factors will be present, but does not rule out calling in an acquisition based on fewer risk factors’);[41] and
  • a general need for greater clarity as to how the regime might be applied in specific circumstances or to specific categories of transaction (e.g., acquisitions of land, financing transactions or equity underwriting).[42]

To date, the ISU has published a range of guidance on the application of the NSI regime in certain sectors/types of transactions, including (1) higher education and research-intensive sectors,[43] (2) energy,[44] and (3) indirect acquisitions of control, where the appointment of liquidators or administrators may constitute a qualifying acquisition, and (4) advice for acquisitions involving parties who are suffering material financial distress.[45]

The UK government’s National Protective Security Authority also publishes ‘Informed Investment’ guidance, aimed at assisting businesses to manage potential national security risks associated with investments in UK companies.[46]

The review process

Where a mandatory notification is required under the NSI regime, this must be submitted to the ISU before the relevant acquisition of control has occurred. Voluntary notifications may be submitted from the point at which arrangements are in progress or contemplation which, if carried into effect, would result in a trigger event taking place in relation to a qualifying entity or qualifying asset (i.e., they need not be submitted prior to completion). Mandatory notifications must be made by the notifying party, while voluntary notifications may be made by any party. The ISU generally considers it appropriate for a notification to be made where there is a ‘good faith intention’ to proceed with the transaction, which may be evidenced by:

  • the existence of heads of terms;
  • financing arrangements being in place;
  • board level consideration of the acquisition; or
  • if it is a public bid, a public announcement of a firm intention to make an offer or the announcement of a possible offer.[47]

The notification forms are public and set out the information requirements for a notification.[48] The ISU has also published guidance on completing and registering a notification form.[49] In view of the fairly high-level nature of the information required by the form, additional information may be required by the ISU in practice during the course of its review (though transactions may also be subject to review without any information requests from the ISU).[50] The ISU may reject notifications on certain grounds specified in the NSI Act and, therefore, in practice a short period of informal pre-notification contact may be required to ensure that some notifications are accepted.[51] The second annual report of the ISU shows that a total of 22 mandatory notifications and 19 voluntary notifications were rejected, out of a total of 664 mandatory notifications and 171 voluntary notifications received.[52] Reasons given for rejection include (1) submission of a mandatory notification where a voluntary notification should have been submitted (and vice versa); (2) submission of a mandatory notification after the transaction had completed (i.e., where the parties should instead have applied for retrospective validation); (3) failure to provide sufficient information; and (4) notifications covering multiple acquisitions, which should instead have been submitted as multiple notifications.[53]

Once the ISU formally accepts a notification, the secretary of state has 30 working days within which to decide whether to issue a call-in notice or to clear the transaction. If a transaction has not been notified, the secretary of state may issue a call-in notice at any time up to six months after the ISU became aware of the transaction, provided that this is also within five years of the relevant trigger event.[54] Neither the NSI Act, the Section 3 Statement nor any published guidance indicate when the secretary of state may be taken to have become aware of a transaction for this purpose.[55]

The secretary of state has a further 30 working days from the issue of a call-in notice in which to review the transaction,[56] extendable by up to 45 working days (or longer with the agreement of the purchaser). This period will usually be used to assess what, if any, remedies are appropriate and to seek representations from the parties.[57] If the secretary of state considers that a transaction gives rise to national security risks and that it is necessary and proportionate to make a final order for the purpose of preventing, remedying or mitigating that risk, they may issue a final order for this purpose (and a further extension of the review period may be agreed with the notifying party if the secretary of state is considering whether to make a final order, or its terms). The review period may also be paused if the ISU issues an information request.[58]

At present, there are no formal proposals for an NSI equivalent to the ‘undertakings in lieu’ process available in merger cases. The NSI Act does not make provision for such a process and given the time limits for calling in a transaction (especially when parties have submitted a notification), the process might not be feasible in any event. Transactions that raise apparent concerns, therefore, appear more likely to be called-in for detailed assessment than would be the case in an equivalent merger review. The extent to which it is possible to engage in meaningful dialogue with the ISU in relation to potential remedies tends to vary from case-to-case depending on the specific issues for the relevant transaction and the extent to which identified national security risks can be identified by multiple potential remedies.

The government considers that the process under the new regime is inherently more efficient than under the PIIN regime, as the 30 working day period to call-in a transaction is much shorter than the four months allowed for intervention under the PIIN regime. The ISU’s second annual report provides statistics on the ISU’s timing (as required by the NSI Act), it indicates that:

  • the average time to inform parties that a notification has been accepted as complete was four working days;
  • the average time to decide whether to call-in a transaction was 28 working days in the case of mandatory notifications, and 27 working days in the case of voluntary notifications; and
  • the average time between the issue of a call-in notice and the issue of a final notification (i.e., a final decision clearing the transaction without remedies) was 25 working days.[59]

These figures are slightly higher than those reported in the first three months of the regime, but still below the statutory maximum. Thirteen transactions required the use of the extended 45 working day period before a final notification was issued, of which two were extended even further with the agreement of the purchaser, which is likely a reflection of the specific complexities of those transactions.

Sanctions for non-compliance

A transaction completed in breach of the mandatory notification and clearance requirement will be void,[60] though in certain circumstances retrospective validation may be obtained (however, the transaction is regarded as void until such retrospective validation is obtained).[61] Fifteen retrospective validation applications were received from 1 April 2022 to 31 March 2023,[62] potentially due to more companies becoming aware of the potential retrospective application of the call-in power to transactions which were completed prior to the entry into force of the regime.[63]

Completion in breach of the standstill obligation, or failure to comply with an interim or final order, can additionally result in fines of up to 5 per cent of worldwide turnover or £10 million (whichever is the greater), imprisonment of individuals for up to five years, and disqualification of directors for up to 15 years.[64] The government has also published guidance on its compliance and enforcement objectives, which provide a steer on the circumstances where the secretary of state may consider enforcement action is necessary to ensure compliance with the NSI Act.[65]

In the case of voluntary notifications, or transactions called-in without any notification being made, the secretary of state has the ability to impose an interim order while the review is being conducted. Interim orders and final orders are enforceable by way of court order.[66] While the scope of an interim order may be similar, these are not imposed with the same regularity as initial enforcement orders (IEOs) imposed by the CMA when investigating the potential effects of a merger on competition.[67]

Substantive assessment process and main evaluation criteria

The ISU will assess whether the transaction has given rise, or may give rise, to a risk to national security. In practice, the ISU takes a cross-governmental approach to its reviews and will consult with government departments relevant to the transaction (e.g., in a defence-related transaction, it may consult with the Ministry of Defence). In other words, the ISU process is not limited to engagement only with the secretary of state responsible for taking decisions under the NSI Act (the secretary of state in the Cabinet Office). The government has not yet issued any guidance as to how it expects the substantive test to be applied under the NSI Act,[68] and although the Section 3 Statement is informative to a degree, it is unlikely to provide enough detail for parties to assess the risk in a given transaction. Matters affecting national security may not be known publicly and, therefore, it may be difficult for investors to rule out a risk that national security concerns might be identified and, thus, guidance in this regard is clearly desirable.

Whereas meaningful examples of published decisions under the PIIN regime were relatively sparse, as of 27 September 2023 there have already been 17 final orders published under the NSI Act. These cases provide an early indication of the types of concerns that the government is likely to seek to remedy, which include:

  • protection of sensitive information (including personal data) and technology from unauthorised access[69] or hostile actors;[70]
  • preventing transfers of intellectual property that could be used to build defence or technological capabilities that may present a national security risk to the United Kingdom;[71]
  • preventing transfers of capabilities that could be exploited to introduce features into dual-use technologies, including automatically and/or without the knowledge of the user;[72]
  • preserving the security of important UK infrastructure assets,[73] and ensuring the continued effective operation of critical national infrastructure;[74] and
  • preserving continued supply to the UK government of strategic capabilities.[75]

While these provide an early insight into the government’s security priorities, it should be noted that decisions published by the ISU contain only high-level information on the nature of the national security risk and relevant remedies to address these. ISU decisions do not include details on the rationale for the remedies imposed or a detailed explanation of the national security risk identified (or why it was identified). This is in contrast with decisions published under the PIIN regime which, despite remaining generally high level, provided additional context not currently found in ISU decisions.

The ISU works closely with its international partners (in particular the FDI authorities in Five Eyes countries) and in practice may engage informally with these authorities where a transaction is notified in parallel under other FDI regimes.

Outcomes

The secretary of state has the power to clear a transaction, prohibit it or approve it subject to conditions. The lawfulness of these decisions will be appealable on judicial review grounds. To date, there have been no judgments concerning judicial review of NSI Act decisions. However, Nexperia is reported to have filed a judicial review of the ISU’s decision requiring it to divest Newport Wafer Fab[76] (a semi-conductor facility of which it announced the acquisition in July 2021, retrospectively called-in by the ISU in May 2022).[77] LetterOne is also reported to have filed a judicial review of the government’s December 2022 decision requiring it to divest UK-based fibre network provider Upp Corporation (formerly Fibre Me), which was acquired by LetterOne in January 2021.[78]

The final orders published to date give an initial insight into the types of remedies that may be imposed under the NSI regime, and have included the following:

  • a requirement to implement enhanced controls to protect sensitive information and technology from unauthorised access, and to provide rights of access to premises and information so that relevant agencies are able to audit compliance with the security measures;[79]
  • prohibition of a transfer of intellectual property;[80]
  • prohibition of an acquisition of an entity engaged in the development of electronic design automation products used in the building of cutting-edge integrated circuits;[81]
  • unspecified measures designed to mitigate the risk to national security;[82]
  • a requirement for the purchaser to acquire UK government approval for appointment of a power offtake operator, together with restrictions on the sharing of information from the operator to the acquirer;[83]
  • a requirement to have controls to protect information from unauthorised access, and to assure that strategic capabilities continue to be provided to the UK government;[84]
  • conditions restricting the sharing of information from the target to the acquirer, and restricting the influence of the acquirer over appointments of some staff members within the target;[85]
  • the removal of representatives of the purchaser from the board of the target, as well as a requirement to notify the transfer of assets out of the target;[86]
  • a requirement to carry out due diligence checks on all new customers wanting to purchase the qualifying asset and to report to the UK government details of all new customers of the qualifying asset on an annual basis;[87]
  • a requirement to appoint a chief information security officer approved by the secretary of state, as well as to carry out a security audit by a UK government-approved auditor to produce a report setting out any new security measures;[88]
  • a requirement to place a UK government-appointed board observer on the board of the target,[89] as well as to establish a steering committee of the target board to provide oversight of compliance with security requirements and protection of sensitive information;[90] and
  • a requirement to keep the target’s research, development and manufacturing capabilities in relation to certain technologies within the United Kingdom.[91]

The UK government’s National Security and Investment White Paper (2018) – prepared as part of the NSI Act legislative process – also noted that conditions imposed to address national security concerns are likely to focus on access to sensitive sites, access to confidential information, supply chains, intellectual property transfer, compliance, monitoring and personnel. The paper listed the following examples as potential remedies, many of which are reflected in the remedies imposed to date under the NSI regime:

  • Access condition: limiting access to a particular site operated by the acquired entity to certain named individuals.
  • Information/operations condition: only personnel with appropriate UK security clearances have access to confidential information or that only those personnel should be part of the operational management of the business.
  • Supply chain condition: a new acquirer retains an acquired entity’s existing supply chain for a set period.
  • Intellectual property condition: restricting the transfer or sale of intellectual property rights (to be tailored to the individual circumstances of the case and the national security risks identified).
  • Access condition: requiring that access to dual-use technologies and information about their design, materials, uses or supply chains be restricted to certain named individuals within the investor company or a third party associated with them.
  • Compliance condition: imposing supervisory measures, periodic reporting or other actions (to be decided case by case) that should be taken to ensure compliance with UK regulatory regimes.
  • Monitoring condition: requiring that a senior minister (or their representative) be given access to information on the company’s activities.
  • Personnel condition: requiring the acquirer to secure a senior minister’s approval for the appointment of any directors and other key personnel.
  • Structural condition: requiring the retention of UK staff in key roles at a particular sensitive site.
  • Proximity condition: requiring the relevant person (most likely a person with title, control or interest over the proximate site) to maintain such measures as a senior minister may specify (e.g., physical or personnel security, or restrictions on access).

Commentary

Businesses should not assume that it will always be possible to agree remedies, nor that a proposal of remedies will avoid a full investigation, and the government will have the power to block (and potentially unwind) transactions as a last resort. Indeed, it is already clear that the government is prepared to use its powers to block or unwind transactions – it has done so five times as of September 2023.[92] By contrast, no transactions were prohibited on national security grounds under the PIIN regime (although there were a number of examples of parties agreeing to terminate their transactions).

In its impact assessment of the proposed measures, the UK government indicated that it anticipated between 1,000 and 1,830 notifications to be made each year under the new regime,[93] with around 70 to 95 detailed national security assessments being undertaken each year. The government also expected to impose remedies in around 10 transactions per year.[94]

The ISU’s annual report for 2022-23 shows that it received 866 notifications between 1 April 2022 and 31 March 2023,[95] slightly fewer than anticipated. Of these, 72 of these were called in for a national security review, of which 15 (21 per cent) resulted in the imposition of final orders or conditions (including five divestments/prohibitions). This indicates a slightly higher rate of intervention than previously anticipated, and it remains to be seen what the longer-term average intervention rate will be.

It is also notable that around one in five notifications in that same period were made on a voluntary basis, perhaps suggesting that while businesses do take a cautionary approach to filing, this is not unduly so when compared to the overall number of notifications.

Practical insights and strategic guidance for investors

Until the introduction of the NSI regime, there was no formal notification process for foreign investments with the potential to raise national security concerns in the United Kingdom, beyond a merger notification. With the introduction of the NSI regime and, in particular, the secretary of state’s call-in powers, investors now need to make mandatory filings in certain transactions, and in others decide whether to take the risk of completing without clearance or to proactively make a voluntary notification. Early experience of the NSI regime has made clear that the government is willing to make use of the NSI review mechanisms and associated remedies options, including its ability ultimately to prohibit transactions that it considers give rise to national security risks (having done so formally five times in the first 18 months of the regime). It is also clear that reviews, and remedial measures, are much more frequent than had been the case under the PIIN regime.

The NSI regime carries significant sanctions for non-compliance, and – as the regime is still in its infancy – there remains uncertainty regarding the precise ambit of the activities covered by the mandatory sectors. It is therefore important that investors (and targets) consider at an early stage whether a target’s activities might be seen as ‘closely linked’ to a specified activity such that a voluntary notification would be prudent. It is clear that the Section 3 Statement affords the secretary of state significant discretion in determining when to use their call-in powers, while allowing room for practice to develop over time. There is marginally greater clarity as to the exercise of this discretion following the publication of the ISU’s first full annual report (which includes statistics on call-ins by sector, among other things). However, uncertainty remains and parties continue to take a cautious approach to voluntary filings – particularly in relation to internal reorganisations and acquisitions of minority stakes where material influence cannot be excluded. A practical implication of this is that many transactions are made conditional on obtaining clearance under the NSI Act (in particular where other regulatory clearances are required, such that there is already a ‘gap’ between signing and completion which can be utilised to obtain certainty on the NSI regime).

The ISU’s annual reports will continue to provide valuable insight into the operation of the regime and a measure of its success as what the government is touting as a ‘light-touch, proportionate regime that offers companies and investors the certainty they need to do business’.[96] Notably, in its second annual report, the ISU published additional data which goes beyond the statutory requirements of the NSI Act, including information relating to the origin of investments, reasons for the rejection of notifications, and the number of non-notified transactions called-in for review. This is a welcome development and will go some way to addressing criticisms of the regime’s perceived lack of transparency.

Reform proposals

The introduction of the NSI Act marks the culmination of a government policy that has been developing for a number of years. Although it presents a significant change to the UK’s mechanisms for addressing foreign investments, arguably it does no more than bring the United Kingdom into line with other jurisdictions that have had these regimes for some time.[97] Although the government has sought feedback from the public on the operation of the Act and will likely continue to issue periodic market guidance,[98] there are currently no anticipated reforms to the nascent NSI regime.[99]


Notes

1 Veronica Roberts is a partner, Sean Giles is a senior associate and Louis Austin is a junior associate at Herbert Smith Freehills LLP.

2 The secretary of state has a power under the Enterprise Act 2002 (EA02) to issue an intervention notice in respect of any transaction meeting certain thresholds (reflecting, for the most part, the thresholds used to determine whether the UK’s Competition and Markets Authority (CMA) has jurisdiction to review the transaction for merger control purposes) on the grounds specified in EA02, Section 58 (the public interest or ‘PIIN’ regime). Until 4 January 2022, one of these grounds was national security, although as discussed later in this chapter this power was very seldom used. From 4 January 2022, the NSI Act replaced the PIIN regime in respect of national security, although the regime remains for the other grounds specified in EA02, Section 58 (including media plurality, stability of the financial system or public health).

3 NSI Act, Section 2(4).

4 The ISU was initially part of the Department for Business, Energy and Industrial Strategy (BEIS). Due to a restructuring of BEIS in 2023, the ISU was transferred to the Cabinet Office and the secretary of state in the Cabinet Office became the relevant decision maker (rather than the secretary of state for BEIS).

5 id., Section 1(1).

6 Under NSI Act, Section 6(1).

7 id., Sections 5(1)(a), 7(2) and 7(3).

8 id., Sections 5(1)(b) and 7(4)-(6).

9 id., Sections 8 to 12. Further information on how to assess whether a trigger event has occurred is provided in Schedule 1 to the NSI Act.

10 See Cabinet Office, ‘Check if you need to tell the government about an acquisition that could harm the UK’s national security’ (as updated on 31 May 2023), available at https://www.gov.uk/guidance/national-security-and-investment-act-guidance-on-acquisitions.

11 See, for example, the government’s announcement that a call-in notice was issued in respect of the proposed acquisition by Altice of 5.9 per cent of shares in BT which, if completed, would bring Altice’s total shareholding to 18 per cent (see https://www.gov.uk/government/news/bt-acquisition-called-in-for-national-security-assessment). The government subsequently announced no further action would be taken in relation to this transaction (see https://www.gov.uk/government/news/government-to-take-no-further-action-under-national-security-and-investment-act-on-bt-share-acquisition).

14 NSI Act, Sections 6(2), 13 and 14(1).

16 See the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021, available at www.legislation.gov.uk/ukdsi/2021/9780348226935.

18 Id.

19 In relation to a transaction for which the mandatory notification requirement was triggered but no filing was made, the five-year time limit does not apply.

21 United States, the United Kingdom, Canada, Australia and New Zealand.

22 See Cabinet Office, National Security and Investment Act 2021: annual report 2022-23, available at: https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2023.

25 See, for example, Section 3 Statement.

26 The figure rises to 45 per cent including Hong Kong.

27 See Cabinet Office, National Security and Investment Act 2021: annual report 2022-23, available at: https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2023.

28 Canada, France, Germany, Italy, Japan, the United Kingdom and the United States.

29 NSI Act, Section 26(6).

30 Section 3 Statement, Paragraph 39.

32 Section 3 Statement, Paragraphs 4–6.

33 id., Paragraph 11–12.

34 See BEIS, National Security and Investment Act 2021: annual report 2022, available at https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2022.

35 Section 3 Statement , Paragraphs 4–6.

36 id.

37 id., Paragraphs 19–32.

38 id., Paragraphs 35–38.

39 See the announcements of call-in notices having been issued in respect of the acquisition by Nexperia of Newport Water Fab (25 May 2022; see https://www.gov.uk/government/news/newport-wafer-fab-acquisition-called-in-for-national-security-assessment) and the acquisition by Altice of 5.9 per cent of shares in BT (26 May 2022, see https://www.gov.uk/government/news/bt-acquisition-called-in-for-national-security-assessment).

41 Section 3 Statement, paragraph 21.

42 The government has issued guidance on the circumstances where the granting of security over shares may constitute a notifiable acquisition subject to mandatory notification, see https://www.gov.uk/guidance/national-security-and-investment-act-guidance-on-acquisitions#the-granting-of-security-over-shares.

46 See https://www.npsa.gov.uk/informed-investment. The government also publishes specific guidance on transactions involving China (see https://digitalandtechchina.campaign.gov.uk) covering NSI Act (among other) issues.

50 The notification form currently only lists information in the following categories: (1) parties’ contact details and related notifications; (2) details of the transaction; (3) details of the target and its activities; (4) details of the acquirer and its group; and (5) any other information that the notifying parties consider may be relevant to the government’s consideration of the transaction.

51 NSI Act, Section 18.

52 See Cabinet Office, National Security and Investment Act 2021: annual report 2022-23, available at: https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2023.

53 See BEIS, National Security and Investment Act 2021: annual report 2022, available at https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2022.

54 NSI Act, Section 2.

55 In contrast, for merger control purposes, the EA02 specifies that the four-month time limit for making a Phase II reference commences either when notice of material facts about the arrangements in question is given to the Competition and Markets Authority, or the facts have been so publicised as to be generally known or readily ascertainable.

56 NSI Act, Section 14(9).

58 id., Section 24.

59 See Cabinet Office, National Security and Investment Act 2021: annual report 2022-23, available at: https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2023.

60 NSI Act, Section 13.

61 id., Section 15-17.

62 See Cabinet Office, National Security and Investment Act 2021: annual report 2022-23, available at: https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2023.

63 Of the 15 applications received, 12 were accepted, two were rejected, and one was called-in for in-depth investigation.

64 id., Sections 39 and 41. The government has issued guidance on its approach to compliance and enforcement, including as to the basis on which penalties may be imposed – see https://www.gov.uk/government/publications/national-security-and-investment-act-2021-guidance-on-compliance-and-enforcement/national-security-and-investment-act-2021-guidance-on-compliance-and-enforcement.

66 id., Section 33.

67 Note also that the ISU’s guidance on compliance and enforcement indicates that interim orders will not routinely be made public, in contrast with the merger control regime under which IEOs are routinely published (see https://www.gov.uk/government/publications/national-security-and-investment-act-2021-guidance-on-compliance-and-enforcement/national-security-and-investment-act-2021-guidance-on-compliance-and-enforcement#demonstrating-compliance).

68 Guidance issued in respect of the higher education and energy sectors, for example, is limited to assisting parties in identifying whether their transaction is within the scope of the NSI Act.

69 See, for example, final order in respect of the acquisition of Sepura Ltd by Epiris LLP (14 July 2022).

70 See, for example, final order in respect of the acquisition of shares in Reaction Engines Limited by Tawazun Strategic Development Fund LLC (2 September 2022); final order in respect of the acquisition of the assets and subsidiaries of Truphone Limited by TP Global Operations Limited (5 December 2022).

71 See, for example, final order in respect of the acquisition of know-how related to SCAMP-5 and SCAMP-7 vision sensing technology by Beijing Infinite Vision Technology Company Ltd (20 July 2022), in which such transfer was prohibited; see also Final in respect of the acquisition of assets belonging to the University of Southampton by Voyis Imaging Inc (8 June 2023).

72 See, for example, final order in respect of the acquisition of Pulsic Ltd by Super Orange HK Holding Ltd (17 August 2022).

73 See, for example, final order in respect of the acquisition of Electricity North West Limited by Redrock Investment Limited (29 September 2022), and final order in respect of the acquisition of the Stonehill project asset development rights by Stonehill Energy Storage Ltd (14 September 2022).

74 See, for example, final order in respect of the acquisition of CPI Intermediate Holdings, Inc by Iceman Acquisition Corporation (29 September 2022); final order in respect of the acquisition of the assets and subsidiaries of Truphone Limited by TP Global Operations Limited (5 December 2022).

75 See, for example, final order in respect of the acquisition of Connect Topco Limited by Viasat Inc (16 September 2022); final order in respect of the acquisition of David Brown Santasalo SARL by Stellex Capital Management LLC (22 February 2023).

79 See final order in respect of the acquisition of Sepura Ltd by Epiris LLP (14 July 2022).

80 See final order in respect of the acquisition of know-how related to SCAMP-5 and SCAMP-7 vision sensing technology by Beijing Infinite Vision Technology Company Ltd (20 July 2022).

81 See final order in respect of the acquisition of Pulsic Ltd by Super Orange HK Holding Ltd (17 August 2022).

82 See final order in respect of the acquisition of shares in Reaction Engines Limited by Tawazun Strategic Development Fund LLC (2 September 2022).

83 See final order in respect of the acquisition of the Stonehill project asset development rights by Stonehill Energy Storage Ltd (14 September 2022).

84 See final order in respect of the acquisition of Connect Topco Limited by Viasat Inc (16 September 2022); see also final order in respect of the acquisition of David Brown Santasalo SARL by Stellex Capital Management LLC (22 February 2023).

85 See final order in respect of the acquisition of Electricity North West Limited by Redrock Investment Limited (29 September 2022).

86 See final order in respect of the acquisition of Ligeance Aerospace Technology Co. Ltd by Sichuan Development Holding Co. Ltd (10 October 2022.

87 See final order in respect of the acquisition of assets belonging to the University of Southampton by Voyis Imaging Inc (8 June 2023).

88 See final order in respect of the acquisition of the assets and subsidiaries of Truphone Limited by TP Global Operations Limited (5 December 2022).

89 See final order in respect of the acquisition of Ligeance Aerospace Technology Co. Ltd by Sichuan Development Holding Co. Ltd (10 October 2022); see also final order in respect of the acquisition of GE Oil & Gas Marine & Industrial UK Ltd and GE Steam Power Ltd by EDF Energy Holdings Ltd (7 August 2023).

90 See final order in respect of the acquisition of GE Oil & Gas Marine & Industrial UK Ltd and GE Steam Power Ltd by EDF Energy Holdings Ltd (7 August 2023).

91 See final order in respect of the acquisition of CPI Intermediate Holdings, Inc by Iceman Acquisition Corporation (29 September 2022).

92 See final order in respect of the acquisition of know-how related to SCAMP-5 and SCAMP-7 vision sensing technology by Beijing Infinite Vision Technology Company Ltd (20 July 2022); final order in respect of the acquisition of Pulsic Ltd by Super Orange HK Holding Ltd (17 August 2022); final order in respect of the acquisition of Newport Wafer Fab by Nexperia BV (16 November 2022); final order in respect of the acquisition of HiLight Research Limited by SiLight (Shanghai) Semiconductors Limited (19 December 2022); final order in respect of the acquisition of Upp Corporation Ltd by L1T FM Holdings UK Ltd (19 December 2022).

93 It is noted that these figures were premised on the control threshold for mandatory notification being set at 15 per cent, rather than the 25 per cent provided for under the NSI Act.

94 National Security and Investment Bill Impact Assessment (9 November 2011), available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/934276/nsi-impact-assessment-beis.pdf.

95 Including 671 mandatory notifications, 180 voluntary notifications, and 15 retrospective validation application. The government notes that it has in ‘rare’ cases accepted a single notification to cover multiple acquisitions.

96 See Cabinet Office, National Security and Investment Act 2021: annual report 2022-23, available at: https://www.gov.uk/government/publications/national-security-and-investment-act-2021-annual-report-2023.

97 The government has indicated that it will keep the scope of the regime under active review.

99 It is understood that the government may choose to narrow the definitions of the activities which currently fall under the NARs, however this is not confirmed to date.

Unlock unlimited access to all Global Competition Review content