1. Background

While the U.K. has a mature approach to protecting national security overall, the government lacks effective statutory powers in relation to the ownership and control of businesses and other entities that could be used to undermine national security. Successive recent governments have lamented its deficient intervention powers in relation to foreign U.K. takeovers. In 2016, the then May Conservative government publically acknowledged that the intervention mechanisms maintained within the EA 2002 were not sufficient to meet national security challenges created by the ownership and control of critical U.K. assets by overseas parties. This resulted in the publication of a Green Paper in 2017 (following an initial public consultation), which scrutinized the government's existing powers under the EA 2002 and also proposed both short term and long term solutions to fixing the perceived legislative deficit.

The Green Paper determined that a voluntary investment screening mechanism, with expanded government call-in powers, would be the most appropriate long-term solution, and recommended that the government develop such proposals further. This culminated in the publication in 2018 of a comprehensive White Paper, which articulated in detail the creation of a voluntary screening mechanism that would review acquisitions of U.K. entities and assets in any sector on national security grounds, regardless of turnover or market share. Since those publications, the new Johnson government has further considered what powers are necessary. Finally, in December 2019 the government announced its intentions to bring the National Security and Investment Bill ("Bill") to Parliament in 2020 in its maiden  Queen's Speech, with publication occurring on November 11, 2020. As the Bill progressed through Parliament, the Johnson government resisted amendments despite lengthy debates in both the House of Commons and House of Lords. The Act was granted Royal Assent on April 29, 2021, with the most—and, arguably, only—significant amendment being that the threshold for mandatory notification was raised from 15 percent or more to more than 25 percent.

2. The National Security and Investment Bill

i. Policy Intent

The stated policy objective of the NSI Act is to strengthen the government's powers to scrutinize and intervene in business transactions in instances where it is necessary to protect national security, while providing businesses and investors with both the certainty and transparency they need to conduct business in the U.K. 

In many respects the NSI Act operates as framework legislation under which the government can introduce regulations and policy statements to help define further what activities should be caught and screened for national security risks. This is intentional, as the government wishes to futureproof the legislation to ensure that it can react quickly to the ever-changing risks to national security, without the need to introduce new primary legislation each time. 

The cornerstone of the NSI Act is the creation of an independent investment screening mechanism, which is triggered by the notification by parties involved in transactions, or otherwise the government's ability to call-in transactions, that could give rise to national security concerns. In a marked change to the 2018 White Paper, the NSI Act introduces a mandatory notification requirement for certain transactions in specified sectors of the economy that pose greater national security risks. This mandatory notification system is complemented by a voluntary notification process for transactions in other non-listed sectors and for transactions involving sensitive assets. In addition, the NSI Act also includes enhanced powers for the government to unilaterally 'call in' any transactions that it deems to be a potential national security risk. 

ii. Notification Procedures

a. Mandatory Notification

The NSI Act will require the person making a 'notifiable acquisition' (i.e. the acquirer) to submit a mandatory notification to the Secretary of State for Business, Energy and Industrial Strategy (hereafter referred to as the 'government' for ease) before they either gain control or acquire a right of interest in a 'qualifying entity' of a specified description.1A notifiable acquisition that is completed without government approval is void.2

i. Qualifying Entities

A 'qualifying entity' for the purposes of a notifiable acquisition is defined as any entity, whether or not a legal person, that is not an individual, and includes a company, a limited liability partnership, any other body corporate, a partnership, an unincorporated association and a trust.3 It also includes entities that are formed or recognized under the law of a country or territory outside the U.K. if it: (i) carries on activities in the U.K.; or (ii) supplies goods or services to persons in the U.K.4

The NSI Act anticipates the introduction of secondary legislation (referred to as the 'notifiable acquisition regulations'), which will provide more detail on what qualifying entities of a specified description will be subject to the mandatory notification regime.5 The government has consulted on the scope of activities within 17 specific sectors will result in a mandatory notification and, on March 1, 2021, published definitions for the following sensitive sectors (which may still be further refined following engagement with stakeholders): civil nuclear, communications, data infrastructure, defence, energy, transport, artificial intelligence, advanced robotics, computing hardware, cryptographic authentication, advanced materials, quantum technologies, synthetic biology, critical suppliers to government, critical suppliers to the emergency services, military or dual-use technologies, and satellite and space technologies. The NSI Act provides the notifiable acquisition regulations with the power to amend the circumstances in which a notifiable acquisition takes place.6 This includes, in particular, the provision for exemptions by reference to the characteristics of persons seeking to control qualifying entities.7 It also indicates that control of certain 'qualifying assets' may also result in a notifiable acquisition.8

ii. Control of Qualifying Entities

The NSI Act sets out a number of instances as to how a person can gain control of a qualifying entity. In relation to shareholding or voting rights, a person can gain control of a qualifying entity in the following instances: 9

  1. The acquisition of more than 25 percent of the shares or votes in an entity.
  2. The acquisition of more than 50 percent of the shares or votes in an entity.
  3. The acquisition of 75 percent or more of the shares or votes in an entity.
  4. The acquisition of voting rights in an entity that (whether alone or together with other voting rights held by the person) enable the person to secure or prevent the passage of any class of resolution governing the affairs of the entity.

The result is that most material changes in shareholding or voting rights in a qualifying entity will result in gaining control. Where the entity has share capital, then the reference to the holding a percentage of shares is to mean the issued shared capital of the entity at a nominal value (in aggregate) of that percentage of share capital.10In the case of a Limited Liability Partnership (LLP), the percentage of shares is to mean the percentage of any surplus assets of the LLP on winding up.11 If the entity has no share capital nor is an LLP, then the percentage should be read as the percentage of the capital or profit entitlement of the entity.12

b. Voluntary Notification

In circumstances where the thresholds for a notifiable acquisition are not met, then the NSI Act provides for a voluntary notification process for investments that might still give rise to national security concerns.13In such circumstances, the seller, acquirer or qualifying entity itself may give notice to the government stating that a 'trigger event' either has taken place or is being contemplated in relation to a qualifying entity.14 Aside from capturing novel national security risks that occur outside those envisaged by the mandatory notification provisions, this also allows for persons other than the acquirer to notify a trigger event that should be subject to mandatory notification by the acquirer.

A voluntary notification can also be made in relation to a 'trigger event' concerning a 'qualifying asset', which is defined as an asset of any of the following types: (i) land (including land located outside of the U.K. if used in connection with activities conducted in the U.K.); (ii) tangible movable property; or (iii) ideas, information or techniques which have industrial, commercial or other economic value (for example, trade secrets, databases, intellectual property rights and software).15

For the purposes of a qualifying entity, a 'trigger event' occurs when a person gains control of the qualifying entity as set out above (under ii. Control of Qualifying Entities) in respect of notifiable acquisitions requiring mandatory notification.16 In addition, the NSI Act states that, under the voluntary regime, control can also be established through the acquisition of a material influence over an entity's policy.17This operates as a 'catch-all' provision to ensure that the wider involvement and influence of persons in a particular corporate group or sector are caught. In relation to 'qualifying assets', the trigger event occurs when a person gains control of the qualifying asset and is thus able to use it or direct its use (including prior to acquisition).18Persons will not be considered as gaining control of assets if the purpose for the asset's acquisition is outside of the person's trade or business.19However, this exemption does not apply to land or items listed on the U.K.'s consolidated list of strategic military and dual-use items that require export authorization.20

c. Government Call-in

The NSI Act provides the government with the power to issue a call-in notice unilaterally if the government reasonably suspects that a trigger event has taken place, or that arrangements are in process or contemplation, and the event has given rise or may give rise to a risk to national security.21 This power applies to the U.K. economy as a whole (i.e. the government is not restricted to specific sectors). If the government decides to issue a call-in notice, then it must be provided to: (i) the acquirer; (ii) the qualifying entity (if applicable); and (iii) any other such persons the government deems appropriate.22 The call-in notice must include a description of the trigger event and state the names of the persons to whom the notice is provided. 

iii. Initial Screening and 'Trigger Event' Assessment

a. Initial Screening

On receipt of either a mandatory or a voluntary notice, the government must first decide whether to accept or reject the notice.23 Rejection is likely to occur if the notice does not meet the applicable requirements or does not contain sufficient information from which the government can determine whether to issue a call-in notice.24

If the notice is accepted, then the government will notify the issuer of the notice as well as any other persons the government deems appropriate. This government action will then start a 30-working-day review period.25 The NSI Act requires the government to have regard to a statement of policy intent ("Statement of Policy Intent") when exercising the call-in power, but does not limit the government's ability to use the call in power.26The Statement of Policy Intent will set out the factors the government should consider when determining whether a trigger event creates a material national security risk.27During this review period, the government can request the relevant parties to submit information or provide in-person evidence.28

Having conducted its initial screening, the government must either: (i) give a call-in notice in relation to the proposed acquisition to the acquirer; or (ii) inform the relevant parties that the government intends to take no further action.29 The government's 2018 White Paper indicated that it expected around 200 notifications a year, half of which would progress to a full assessment. The government has now revised these figures in its Impact Assessment, indicating that it expects between 1,000-1,830 initial notifications, with approximately 70-95 being called-in for a full national security assessment.30

b. 'Trigger Event' Assessment

The government published a  draft Statement of Policy Intent alongside the Bill (and a final version is expected to be published prior to the NSI Act's commencement), which states that the government must consider the following factors when determining whether to exercise its call-in power as a result of becoming aware of a trigger event.

  1. The target risk: The nature of the target and whether it is in an area of the economy where the government considers risks more likely to arise. The government determines that the economy, generally, can be split into three levels of risk:
    1. Core areas: These are the main sectors in which national security risks are more likely to arise and where mandatory notification will apply for some types of trigger events. These are the national infrastructure sectors defined by the Centre for the Protection of National Infrastructure, advanced technology, military and dual-use technologies, and direct suppliers to government and the emergency services.
    2. Core activities: The government will identify in regulations the specific activities within the core areas where risks are most likely to arise and where the call-in power is therefore most likely to be used. Acquisitions of entities involved in these activities will be subject to mandatory notification. While asset acquisitions will not be subject to mandatory notification, where assets are closely related to those activities, their acquisition is more likely to be called in than other assets.
    3. The wider economy: The government generally considers that trigger events occurring in the remaining areas of the economy are unlikely to pose risks to national security, so such transactions are only expected to be called in on an exceptional basis.
  2. The trigger event risk: The type and level of control being acquired and how this could be used in practice to undermine national security. This includes, for example, the disruption of a critical supply chain, the unauthorized surveillance of sensitive information or inappropriate leverage with a view to influencing U.K. policy. 
  3. The acquirer risk: The extent to which the acquirer raises national security concerns. Factors that the government will consider when deciding whether to exercise the call-in power will include: the ultimate owner of the acquiring entity, the track record of the acquirer (including criminal offenses) and the acquirer's affiliations with hostile parties.

The government must review the Statement Policy of Intent at least once every five years.31 In addition, the government can amend or replace the Statement Policy of Intent at any time.32

iv. 'Call-in' Assessment Period

If the government decides to issue a call-in notice to the acquirer, then this starts a 30–working-day 'initial period', which can be extended by a 45-working-day 'additional period'.33 If further time is required, then the government and the acquirer can agree a further 'voluntary period' to determine the potential national security risk of the transaction.34

During the call-in assessment period, the government may make an interim order to either prevent or reverse any action that might prejudice the government's review of the proposed transaction.35The NSI Act affords the government broad discretion as to what it is permitted to instruct as part of any interim order, allowing for the imposition of any remedies considered necessary to protect national security.

v. Potential Outcomes

Before the end of the call-in assessment period, the government must decide to either make a final order, or give a final notification that no further action is to be taken.

In the event that the government determines (on the balance of probabilities), that a particular acquisition raises material national security concerns, then it can impose any steps necessary to protect, remedy or mitigate the national security risks.36 In practice, this is likely to result in one of three outcomes: (i) imposing conditions of approval for the deal to proceed; (ii) blocking the deal; or (iii) unwinding the deal in situations where the relevant trigger event has already occurred.

While the government expects to engage with the concerned parties throughout the process, the final decision on the form and detail of any remedy will be the government's alone. We expect that conditions will typically be imposed on the acquirer and/or the asset or entity being acquired, but under the NSI Act the government would have the power to impose conditions on any party.37 The 2018 White Paper stated that an exhaustive list of conditions would "unacceptably limit" the government's ability to protect national security. Once the government determines that a transaction can proceed subject to certain conditions, the final order will be published with high-level details about any conditions attached to that approval.38

The NSI Act affords the right to appeal any decisions taken by the government via judicial review, provided that the claim is filed within 28 days from the date upon which grounds for any claim first arose.39

vi. Retroactive Effect

The government has a five-year retrospective power to call-in transactions that were not notified but may raise national security concerns.40Once the government becomes aware of the transaction, it has six months to decide whether to call in the transaction.41

Transactions that occur from November 12, 2020, onwards will be in scope of this five-year look back.42 However, if the parties subject to a transaction make the government aware of it prior to the NSI Act coming into force, then the government will only have six months from the Act's entry into force to call in the transaction.43The government's existing national security powers under the EA 2002 will continue to apply until the NSI Act becomes law, but any transaction which completes prior to the Act's commencement and reviewed under the EA 2002 will not be subject to a call-in notice under the Act (i.e. there will be no "double jeopardy").44

3. Enforcement

The NSI Act provides for a range of offenses, including the completion of a notifiable acquisition without approval, failing to comply with an order and offenses relating to the failure to comply with an information notice or attendance notice.45

Penalties for non-compliance include fines of up to five percent of worldwide turnover or 10 million pounds sterling (whichever is greater),46 and imprisonment of up to five years.47When determining a monetary penalty, the government will take into consideration the seriousness of the offense, the desirability of deterring both the person subject to the penalty and others, and any mitigating steps taken by the person in question. 

Transactions that are covered by mandatory notification and which take place without clearance will be void and have no legal effect.48 However, the NSI Act does provide a mechanism through which a person can apply for retrospective validation of a notifiable acquisition.49A notifiable acquisition is also void where it has been completed in manner that is different to the stipulations of a final order.50

4. Key Takeaways

  • The NSI Act replaces the government's ability to scrutinize mergers that give rise to a national security consideration under the EA 2002. Whilst it will often be the case that both market dominance and national security reviews will run in parallel, the NSI Act separates both reviews, in that, national security assessments will occur when the relevant competition review thresholds are not met, given that entity and asset acquisitions could trigger national security concerns in any sector, regardless of turnover or market share. 
  • The NSI Act is likely to affect a wide range of investment activity and could impact a range of firms that count foreign nationals and foreign governmental entities among their investors. It will therefore be critical for these players to treat the NSI Act as a gating issue when planning investment activity within sensitive areas of the U.K. economy going forward. This is particularly the case for any investment activity that would trigger a mandatory notification under the NSI Act, which would be at an increased risk of a call in due to the government's five-year retrospective look back power.
  • As the NSI Act targets the acquisition of tangible and intangible assets, it will also be critical for businesses to be aware of its impact on every day commercial transactions. This is especially the case where sensitive assets or business segments are sold or when intellectual property rights are transferred or licensed to foreign parties (on either a temporary or a permanent basis).
  • The NSI Act received Royal Assent on April 29, 2021, but is not expected to come into force until Autumn 2021 or, at the latest, prior to year-end (once all of the required statutory instruments, including the Notifiable Acquisition Regulations, have completed their passage through Parliament, which is expected to take longer than usual given also the many Covid- and Brexit-related instruments in progress). Ahead of commencement, the government will be working with an expert panel to draft guidance to assist businesses, investors and advisors in understanding and meeting the requirements of the regime. The first sets of guidance are expected to be published from July, with further guidance to be published ahead of the regime's commencement later in the year.


1 National Security and Investment Act 2021 (NSI Act), Section 14(1).

2 NSI Act, S. 13(1).

3 NSI Act, S. 7(2).

4 NSI Act, S. 7(3).

5 NSI Act, S. 6(1).

6 NSI Act, S. 6(5) (a).

7 NSI Act, S. 6(5) (b).

8 NSI Act, S. 6(6).

9 NSI Act, S. 6(2).

10 NSI Act, S. 8(3) (a).

11 NSI Act, S. 8(3) (c).

12 NSI Act, S. 8(3) (b).

13 NSI Act, S. 18(2).

14 NSI Act, S. 18(2).

15 NSI Act, S. 7(4).

16 NSI Act, S. 5(1) (a) as pertaining to S. 8.

17 NSI Act, S. 8(8).

18 NSI Act, S. 5(1) (b) as pertaining to S. 9.

19 NSI Act, S. 11(1).

20 NSI Act, S. 11(2).

21 NSI Act, S. 1(1).

22 NSI Act, S. 1(4).

23 NSI Act, S. 14(5) and S. 18(5).

24 NSI Act, S. 14(6) and S. 18(6).

25 NSI Act, S. 14(9) and S. 18(9).

26 NSI Act, S. 1(7).

27 NSI Act, S. 3(3).

28 NSI Act, S. 19 and S. 20.

29 NSI Act, S. 14(8) and S. 18(8).

30 Impact Assessment: National Security and Investment Bill 9 November 2020 (Impact Assessment), page 22.

31 NSI Act, S. 3(4).

32 NSI Act, S. 3(5).

33 NSI Act, S. 23(3) (a) – (b).

34 NSI Act, S. 23(3) (c).

35 NSI Act, S. 25.

36 NSI Act, S. 26(5).

37 NSI Act, S. 26(5).

38 NSI Act, S. 29(1).

39 NSI Act, S. 49.

40 NSI Act, S. 2(2) (b).

41 NSI Act, S. 2(2) (a).

42 NSI Act, S. 2(4).

43 NSI Act, S. 2(4).

44 NSI Act, S. 62.

45 NSI Act, Ss. 32, 33, 34, and 35.

46 NSI Act, S. 41(1) (a).

47 NSI Act, S. 39(1).

48 NSI Act, S. 13(1).

49 NSI Act, S. 16.

50 NSI Act, S. 13(3).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.