National Security and Investment Act 2021 – impact on Real Estate and Data Centres

United Kingdom


The new regulatory landscape born from the UK’s National Security and Investment Act 2021 (the Act) shows a substantial increase in national security investment screening powers. Enforced retrospectively for deals that completed on or after 12 November 2020, the regime is set to have a significant effect on UK transactions, with new notification requirements for corporate and asset acquisitions and new governmental powers.

The Government has created a new division within the Department for Business, Energy and Industrial Strategy (BEIS), the Investment Security Unit (ISU), which will bear the responsibility for the new regime’s operation. This will involve:

  • the new mandatory notification process, applicable to certain corporate transactions within specified sectors, which will require qualifying transactions to be notified for approval before completion; and
  • the new voluntary notification process, applicable to certain corporate and asset transactions that potentially give rise to national security concerns, which permits parties to put transactions forward for approval and to pre-empt the call as mentioned below.

In addition to this, the Secretary of State (SoS)can ‘call in’ a transaction for review which should, or could, have been notified under either route.

One of the key features of the new regime is the broad range in types of transactions that can be investigated, intervened, or blocked all together by the Government where they fall within a particular sector or there is a potential risk to national security. Deals involving real estate assets have the potential to trigger either a mandatory or a voluntary notification, depending on circumstances of the transaction. Mergers and acquisitions are not the only transactions affected; 17 sensitive sectors have been identified as requiring mandatory notifications in certain instances. Among the 17 is Data Infrastructure, sparking particular interest in the data centre investor and operational sphere (who raised notable concerns during the Bill’s initial consultation).

This article discusses the new regime with particular focus on the implications it has for real estate investment and data infrastructure. For a broader consideration of the key features along with our preliminary observations in relation to how it is likely to work in practice, please see The UK National Security and Investment Act comes into force: a transformative step in the regulation of UK acquisitions ( .

New regime

The two separate notification processes are triggered in different circumstances and operate in different ways and will therefore be addressed separately.

Mandatory Notification Process

In assessing if a mandatory notification is required, there are three questions that need to be considered:

  1. ‘Qualifying Entity’ – The mandatory notification relates to certain corporate transactions affecting a qualifying entity. This essentially covers any entity such as a corporate entity, partnership, unincorporated association or trust and extends to foreign entities if they supply goods or services to the UK or carry out activities in the UK.
  2. ‘Trigger Event’ – The second question is whether the entity will gain a requisite level of control due to the transaction? The threshold for this is the gain of more than 25%, more than 50% or 75% or more of percentage of shares or voting rights, or the gain of enough voting rights to be able to secure or prevent the passage of any class of resolution.
  3. ‘Sensitive Sector’ – The third question is whether the target entity carries out activities within one of the 17 sensitive sectors identified in the Act? Despite providing definitions of each sector, whether the activity falls within one of the 17 mandatory sectors may not always be readily apparent, which should encourage more stringent preliminary due diligence and, where in doubt, filing of a precautionary notification. To prevent unnecessary notification, the Act requires the target to carry out activities within a sensitive sector. In the data infrastructure sector this can include if the target owns or operates relevant data infrastructure or manages facilities where relevant data infrastructure is located such as a data centre – “relevant data infrastructure” includes infrastructure which stores, processes or transmits data used in connection with the administration or operation of a public sector entity, or is used by public communications providers, or connects any international cabling routes. This is intended to capture entities whose business activities yield access to relevant data or relevant data infrastructure, but to exclude landowners and leaseholders where the land is merely where physical infrastructure is housed, but who are not involved in its ownership, operation or management.

If all the above questions are answered affirmatively, mandatory notification is required. The Government have stated that they will attempt to clear most notifications within 6 weeks from application. The consequence of failing to notify a transaction falling within the mandatory process is that the transaction is void and there are also potential serious criminal penalties for a breach of the Act.

Voluntary Notification Process

As the SoS has powers to call in un-notified transaction from the 12 November 2020 (subject to completing within five years prior) it may be necessary to consider whether a voluntary filing would be advisable for those transactions which do not trigger a mandatory notification. Parties have the option of voluntarily requesting a national security risk assessment for a transaction to avoid the potential ramifications of a ‘call in’ later down the line. 

The voluntary scheme, including the non-mandatory notification transactions that could potentially be called in, circumscribes a far broader range of deal types than the mandatory process. It can relate to asset or corporate transactions, material influence, and any sector and can extend to foreign assets which are supplied to the UK. 

There is the equivalent threshold ‘Trigger Event’ of the type mentioned in relation to Mandatory notifications, for corporate transactions, with the addition that it is possible to voluntarily notify a transaction when mere ‘material influence’ over the strategic decision-making of the target is acquired. This could potentially attach to the acquisition of shareholdings as low as 15%. The key additional factor that is considered in deciding whether to make a voluntary notification is whether the relevant transaction presents a potential risk to national security.

Call in Powers

One stipulation of the SoS’s power to ‘call in’ transactions which have completed within the last 5-year period is that they must do so within 6 months of becoming aware of the transaction. Or, in the case of transactions which completed before the Act came into force on 4 January 2022 and on or after 12 November 2020, 6 months from the 4 January 2022.

In reviewing transactions, the SoS will consider whether there is potentially an immediate or future risk to UK national security. The Act specifically omits from defining what is meant by risk to national security to allow for adaptability for evolving national security concerns. The ISU have, however, provided a statement which details how the power should be used as well as providing an assurance that the power is only to be used in the protection of national security interests and not in pursuance of any other interests (the Statement).

Real estate

In the context of real estate, either notification process may be applicable in certain circumstances. This may be due to a purchaser acquiring control above the relevant threshold of an entity in the relevant sector which owns land via a corporate transaction, or where the asset or corporate transaction presents a risk to national security.

Potential mandatory notification obligations

There are several transactions involving a real estate asset which may fall within the mandatory notification process, some examples may be where corporate entities (subject of the transaction satisfying the relevant threshold) carry out activities, or are involved in acquisitions relating to:

  • Energy infrastructure, such as petroleum terminals and pipelines or gas processing facilities.
  • Communications infrastructure, where infrastructure critical to public communications network or service is made available. This would include situations where landowners ‘make available’ associated facilities such as buildings, or entries to buildings, whose main purpose is to host an active network element. Not included, however, are situations where landowners merely own the land on which the infrastructure is located.
  • Relevant data infrastructure, or the managing facilities where data infrastructure is located. This is defined to include infrastructure which stores, processes, or transmits data used in connection to an administration or operation of public sector entity; is used by public communication providers; or connects any international cabling routes. This is intended to target entities whose business activities yield access to relevant data or data infrastructures, but not to include landowners or leaseholders of land which houses the physical infrastructure but who are not involved in its ownership, operation or management.

Concerns of what ‘access’ encompasses in relation to data infrastructure were initially raised by investors due to the potential for landowners with land housing infrastructure, but with no real access to the data facilities, to be obligated under the mandatory process. However, the Government have clarified in their Guidance on Notifiable Acquisitions that the mandatory requirement only applies where the landowner has permission or the ability to modify relevant data infrastructure, defining it as ‘administrative access’.

Mandatory notification may also be required where there is a purchase of shares in a business that owns a property let to or otherwise used by a Government department. The parties should consider whether the entity would be considered a “Critical Supplier to Government”, i.e., whether it holds a public contract with the Government which includes any of the following features:

  • processing and/or storing SECRET or TOP SECRET material;
  • a requirement to have list X accreditation;
  • a requirement for employees to be vetted at or above Security Check (SC) level.

Where voluntary notification should be considered

Whilst many real estate transactions fall outside the scope of the mandatory process, the wide scope of the voluntary thresholds makes it extremely important to establish whether there is any potential risk to national security due to the risk of a call in down the line and there are certain risks that need consideration.

  • Target risk – Is the land: a) in a sensitive location; b) proximate to a sensitive location; or c) integral to activities of a business operating in a specified sector covered by the mandatory process (e.g. energy, communications, or data infrastructure)? Both ‘sensitive location’ and ‘proximate to sensitive location’ have been left undefined in the Act which could cause difficulties in practice. Though it is possible that this may require parties to a transaction to extend the scope of their due diligence to neighbouring premises and land, the confidential nature of sensitive sites may make it difficult for acquirers to determine site sensitivity.
  • Trigger event risk – both the type and level of control being acquired and how it may be used in practice, for example, will the acquirer gain access or control over a sensitive site?
  • Acquirer risk - the extent to which the identity of the acquirer raises national security concern. The Act draws particular focus to parties from ‘hostile states’ despite providing no specific examples of what this may include. In these cases, consideration and enhanced due diligence will be pertinent in determining whether there is a risk of being exploited by hostile forces.

Although there is no legal obligation if the transaction does not fall within the mandatory process, the risk of potentially holding up a deal due to making a voluntary notification may be more attractive than the potential risk of later call-in by the SoS. Critics anticipate that voluntary notification will be popular due to the guidance lacking detail specifically related to land transactions. A large portion of land transactions will involve senior secured lending who aim to exclude risk as much as they can. With the risk of a ‘call-in’ conceivably eventuating in the sale of land being unwound, will secured lenders start imposing voluntary notification as a condition to debt facilitation if there is any risk identified in the transaction?

Data centres

The risk of the effects of holding up a transaction's timeline in the case of data centre investment, however, may be greater than that of other investment types. Data centres have become an extremely attractive investment with services such as cloud storage no longer being a convenient desire but a necessity in everyday life. With such hyperconnectivity, and rising value of data, comes a greater risk of security breaches and exploitation. It is, therefore, no surprise that the Act has accounted for the potential national security threats in acquisitions involving data infrastructure.

As previously discussed, the Act attempts to appease concerns from those within the data infrastructure community by not obliging investors and landowners who have no knowledge of or access to the data/infrastructure their land houses to make a mandatory notification. However, timelines for the development and construction of data centres tend to be a quicker process – mostly attributable to the rising demand for cloud storage solutions and growing competition within the market. In light of this, a delay of 6 weeks or more when new investors are brought into the process could have a considerable impact.


The Act is clearly wide-ranging and may have significant impact on data centre transactions, including both past and future transactions, whether corporate or asset.

General commentary on the Act and data centres highlights that the UK Government may be inundated with voluntary notifications and this may result in the Government providing further guidance on when such notifications should be made.

Crucially, parties and legal counsel should be mindful that from 4 January 2022, they must take into consideration the introduction of the Act and its processes in order to protect their transactions and parties from potential criminal liability.

As things stand, there remains a lot of detail to be clarified. Since the ISU does not intend to publish its decisions, it will be necessary to take particular account of additional guidance as and when it is published.