The UK National Security and Investment Act comes into force: a transformative step in the regulation of UK acquisitions

United KingdomScotland

The UK’s National Security and Investment Act 2021 (the Act) has at last come into force, heralding the biggest shake up of the UK’s national security investment screening powers for 20 years. The UK now operates a regime that allows the Government to screen a wide variety of transactions for national security purposes.

Responsibility for the regime’s operation lies with the Investment Security Unit (ISU) within the Department for Business, Energy and Industrial Strategy (BEIS). It consists of both a mandatory notification regime for specified transactions and a voluntary notification regime backed up by the ability of the Secretary of State for BEIS (SoS) to ‘call-in’ transactions that fall outside the mandatory notification regime but are still judged by the SoS to pose a potential risk to national security.

Now that it is time for transacting parties to start to focus on the detail of the regime and the lodging of filings, we recap on its key features alongside our preliminary observations of how it is likely to work in practice.

The mandatory notification regime

A series of thresholds are set out in legislation which are intended to act as a ‘bright line’ in determining whether an acquirer will need to lodge a mandatory pre-completion notification with the ISU. Before the robustness of the legislation has been tested in the ISU’s day-to-day case work, there will be some uncertainty on the meaning of the definitions.

The ISU do generally tend to make themselves available for informal consultation on points of definition or whether a notification is required, but any guidance given is not binding. For now, the most prudent course of action if there is any doubt as to whether a transaction is captured by the legislation, is to file a precautionary notification. There are three key questions to address as part of any assessment of whether to file:

1. Is the target a ‘qualifying entity’?

  • This broadly covers entities of any description, but not asset acquisitions.
  • Foreign entities can be caught if they carry on activities in the UK or supply goods or services to persons in the UK.

2. As a result of the transaction, will the acquirer gain control of the qualifying entity (is there a ‘trigger event’?)

  • There are broadly four “gates” through which a transaction can comprise a trigger event:
    • The first three are an increase in percentage of shares or voting rights held by the acquirer to more than 25%, more than 50%, or 75% or more.
    • The fourth is an acquisition of voting rights to secure or prevent the passage of any class of resolution.
  • These appear on their face as bright line tests. However, the Act contains complex provisions about indirect interests down the chain including by means of “dominant influence” as well as corporate control. The Act also contains provisions about common interests which could see the stakes of minority shareholders aggregated in certain circumstances in order to find a trigger event. Careful analysis is required.
  • An acquirer may need to make sequential filings if they move through more than one of these gates in a staged transaction. For example, by moving from a less than 25% share to more than 25% and then further to more than 50%.

3. Does the target undertake activities within a ‘high-risk’ sector of the economy?

  • The centrepiece of the new legislation, in addition to the introduction of a mandatory filing system in itself, is the extension of national security screening to a wide range of sectors going well beyond those typically considered under the previous regime.
  • There are 17 sensitive sectors within which acquisitions of entities may require a mandatory pre-completion notification under the Act (Mandatory Sectors). The definitions are fine-grained and sometimes complex. In some cases, they have changed considerably since draft definitions were published in early 2021. The level of detail required means that it may not always be possible for an acquirer to determine from a desk-top analysis whether a target in fact has operations in a Mandatory Sector. This makes it advisable to push sellers for access for more detailed due diligence, earlier in the transaction process, than would be required for a commercial review alone.
  • Previously-permitted ‘public interest’ interventions by the SoS on grounds which need not include a national security element (plurality of the media, the stability of the financial system, and public health emergencies) remain possible as part of the separate UK merger control regime.

The voluntary notification regime

The Act is a hybrid regime. Alongside the mandatory notification system, the SoS can on its own account call in a wider set of transactions. There are a number of aspects to this.

First, timing issues including transitional measures. The SoS is able to ‘call in’ any unnotified transaction which has completed since 12 November 2020 for a retrospective review. In practice, the SoS must ‘call in’ a deal within six months of becoming aware of the transaction or 6 months from 4 January 2022 if it became aware prior to that date (provided that it completed within the previous five years).

Second, what is the ambit of non-mandatory deals that are exposed to potential call in? Put another way, how widely is the voluntary regime net drawn? The short answer is it goes beyond the mandatory regime by encompassing (i) assets; (ii) material influence; and (ii) in theory any sector, i.e. it can go beyond the Mandatory Sectors. In more detail, there are two tests in order to determine whether a transaction is subject to the voluntary regime:

1. Is the target a ‘qualifying entity’ or ‘qualifying asset’?

  • The voluntary regime covers qualifying entities as per the mandatory regime.
  • In addition, it covers qualifying assets. This may include land, tangible moveable property, ideas, information or techniques which have industrial, commercial or other economic value, and which are used in connection with either activities carried on in the UK, or the supply of goods or services to persons in the UK. For example, this includes trade secrets, databases, source code, algorithms, formulae, designs, plans, drawings, specifications, and software.
  • A foreign asset may be in scope if it is used by someone in the UK, by someone outside the UK to supply goods or services to the UK or to generate energy or materials that are used in the UK. For this latter category BEIS has given an example of an offshore wind farm located outside the UK which supplies electricity to the UK. It is unclear if this principle would extend to any power generating asset which supplies the UK via the growing array of sub-sea interconnectors.

2. As a result of the transaction, will the acquirer gain control of the qualifying entity (is there a ‘trigger event’)?

  • Passing the same trigger event gates as apply under the mandatory regime triggers the voluntary regime in relation to any sector – although in practice most transactions falling within the 17 Mandatory Sectors will tend to require mandatory notifications.
  • The acquisition of ‘material influence’ over policy relevant to behaviour of the target entity in the marketplace – but falling short of acquiring a blocking vote – is sufficient to engage the voluntary regime. Note that this threshold was removed from the scope of the mandatory regime after initial consultations.This is a concept very familiar from UK merger control. There is no bright line test, but there are years of decisional practice.
  • So far as assets are concerned, the voluntary regime will be triggered by the acquisition of a right or interest in (or in relation to) an asset which gives the acquirer the ability to either:
    • use the asset, or use it to a greater extent than prior to the acquisition; or
    • direct or control how the asset is used, or direct or control how the asset is used to a greater extent than prior to the acquisition.

Third, if the voluntary, but not mandatory, regime is engaged, when should parties notify? This is a segue to the next section, but where possible national security risks do arise parties are likely to wish to manage this risk down. This can be achieved by way of lodging a voluntary filing with BEIS, which also has the effect of putting BEIS on notice and therefore ensuring the call-in deadline is 6 months (instead of 5 years) and starts to run.

Which transactions are likely to be ‘called in’ for review by the SoS?

The SoS may exercise its power to ‘call in’ a transaction for a detailed review. This applies to both the mandatory and voluntary regimes. The threshold question is whether there may be a potential for immediate or future harm to UK national security. Each transaction will be reviewed on a case-by-case basis and the UK Government has made clear that the Act intentionally does not set out the circumstances under which national security is or may be at risk. This reflects long-standing Government policy to ensure that national security powers are sufficiently flexible to manage future as-yet unforeseen threats.

The Government has however published a high-level Statement of Policy Intent. This makes clear that “the call-in power will be used solely to safeguard the UK’s national security and not to promote any other objectives”.

Within those parameters, the Statement sets out three broadly-cast categories which it intends to use to assess national security risk. While the SoS would usually expect all three risk factors to be present in order to ‘call in’ a transaction the SoS says that it “does not rule out calling in an acquisition on the basis of fewer risk factors”. This breadth means that the review is able to encompass not only immediate national security concerns but also more holistic questions with respect to protecting the integrity of the UK economy. The three categories of risk are as follows:

  • Target risk: could the acquired entity/asset be used in a way that risks national security? This may be particularly relevant if the target has access to sensitive security assets or infrastructure, military information, or would be able to constrain supply to critical military inputs post-transaction. It may also be important to identify whether any infrastructure to be acquired is located near to sensitive sites. Another factor could be the possibility of acquiring significant quantities of data that could be used to compromise Government individuals – perhaps putting the acquisition of social networks well within the scope of the Act.
  • Acquirer risk: does the acquirer possess characteristics that suggest there is, or may be, a risk to national security from it having control of the target? In practice, this is the risk that is likely to receive most attention.
    • BEIS has indicated that characteristics such as the acquirer’s industry sector, technological capabilities and any links to entities which may seek to undermine or threaten the national security of the UK are likely to be considered.
    • If the acquirer can readily be exploited by hostile forces, poses risks due to its existing operations, or is linked to criminal or other illicit activities, these would be red flags.
    • The acquirer’s ties or allegiance to a state or organisation that is hostile to the UK’s interests will be considered.
    • Characteristics such as a history of passive long-term investments may indicate low or no risk. BEIS has stressed that the SoS does not regard state-owned entities, sovereign wealth funds or other such vehicles as being inherently more likely to pose a national security risk.
  • Control risk: does the type and level of control being acquired allow it to pose a risk? The more strategic influence the acquirer has, the greater the risk of the target being used in a way that harms national security post-transaction.

The UK Government has sought to provide reassurance that the paucity of guidance on the way that national security will be assessed should not be regarded as increasing transaction risk. In an open letter to businesses dated 20 December 2021, Lord Callanan, Minister for Business, Energy and Corporate Responsibility, stated that the vast majority of acquisitions will be unaffected by these powers and that only a small minority of acquisitions are likely to be considered to pose a potential risk to the UK. Similarly, in an appearance at a December legal conference, Jacqui Ward, the Director of National Security at BEIS stressed that she hoped that the “vast majority” of merger activity would “go on as it is now”.

It is notable, however, that unlike for merger control the Government will not be publicising its case decisions. Consequently, the degree of guidance on the UK government’s approach that will build through decisional practice is more limited or it may take longer to establish. Individual cases will likely attract the attention of the press. An annual report on enforcement trends must also be published in the middle of each calendar year. This means that we can expect an initial read-out of how the regime has operated in the period between January and March at some point over the summer. The Act also has provisions for the SoS to review the guidance produced in six months.

There is clearly a degree of tension in the UK Government ostensibly seeking to limit foreign acquisitions of UK companies and assets, yet at the same time projecting an open economy that welcomes investment post-Brexit – the most telling example of this being the establishment of a new Office for Investment within the Department for International Trade, with Lord Grimstone as its minister, three days prior to announcing the NS&I Bill in November 2020. Jacqui Ward has indicated that the rules are designed to introduce more certainty so as to increase, not decrease, foreign investment, but the direction of travel towards a more interventionist policy in recent years and now with this new Act, is clear.

These factors mean that it becomes particularly important for merging parties to fully scope the UK Government’s likely views on a transaction, taking account of current UK and global market conditions and the geo-political backdrop at an early stage, in order to better anticipate how long a transaction might take to achieve clearance.

The review process and potential remedies

BEIS has published a template notification form with respect to each of the mandatory and voluntary notification routes. Once BEIS indicates that it considers the notification complete, a 30-day period commences during which BEIS will indicate whether or not it intends to ‘call in’ the transaction for a detailed review. While there are template forms, clearly the process needs to be managed strategically by parties in order to achieve their commercial objectives, and businesses would be well advised to consider their submissions and engagement in this light.

If a transaction is called in (following the initial period) the review timescale is up to a further 30 working days, which may be extended by a (yet) further 45 working days or if more time needed, by agreement between parties. In practice, the circumstances where ‘more time’ is needed could include a period for discussing potential remedies given that - unlike for merger control - there is no time specifically allocated for this in the statutory process.

If a national security risk is identified, the SoS will consider representations on remedies before making a final order. The SoS has wide powers to impose any necessary and proportionate remedies to prevent, remedy or mitigate the risk including covenants over ownership, governance or in some circumstances prohibiting the transaction including unwinding it. Again, the UK Government has been tight-lipped as to precisely what form of remedies it may require, and these are likely to be heavily tailored to the relevant transaction.

It should be expected that the range of potential remedies will include less intrusive ‘conduct’ solutions such as access remedies for key sites, the imposition of information barriers between any sensitive activities of the target and the acquirer group, or ‘notify’ or ‘consult’ remedies regarding change of ownership (something familiar from UK utility regulation and also used informally by BEIS in utility transactions prior to the NS&I Act).

For cases where this is warranted, interim remedies powers exist to prevent or reverse pre-emptive action, something all too familiar from UK merger control.


A notifiable acquisition (i.e. where the mandatory regime applies) completed without being approved by the Secretary of State will be void and of no legal effect. This is a dramatic sanction the consequences of which will be for the Courts to sort out if it is ever engaged.

There are also many potential offences under the Act including: completing a notifiable transaction without approval, breaching an order of the SoS or failure to comply with an information request.

Potential criminal penalties include up to five years’ imprisonment and potential civil penalties include fines for individuals of up to £10 million or for businesses up to the greater of £10 million or 5% of the acquirer’s total worldwide turnover. Potential exposure of individuals to criminal offences, subject to imprisonment and personal fines, is particularly likely to concentrate the mind.


This Act is the most dramatic upheaval in national security screening for the last 20 years, and potentially that the UK has ever seen. Unusually in the world, the UK has a voluntary system of merger control rather than a mandatory one. The Act has clearly drawn heavily from UK merger control in several design respects, but compulsory notification will change the risk calculus in deals where previously there was a choice. Sellers will no longer be able to force buyers to take the whole risk. In a sign of intent, the Act gives the SoS power to direct the CMA’s conduct where required for national security purposes.

Contrary to some commentary, the Act is aimed at foreign investment. It is true that legally this is not required but in our view that is an anti-avoidance design feature. There is, however, a lot of subtlety involved, and careful analysis will be required. The foreign element can and often will be indirect, and parties will need to look behind immediate acquirers to ownership further up the corporate structure. Concerns may also arise from exposure to countries that are perceived as hostile in ways other than through ownership - for example via sales, supply contracts or asset dependence.

As to the nature of concerns that will arise, while some guidance can be gleaned from recent interventions under the current Enterprise Act national security provisions, the Act which replaces them opens up such a broader canvas of potential grounds for intervention that businesses would be well advised to approach the issue afresh.

Sellers and buyers alike should now regularly consider the Act as a workstream alongside UK merger control in examining risk and strategy upfront in any relevant merger. The need for early analysis and engagement is common to both. And, as with merger control, early multi-jurisdictional assessments and co-ordination between the international filings required will be key.