The National Security And Investment Act (NSIA) Received Royal Assent On 29 April 2021

It will usher in a new stand-alone national security vetting regime that will replace existing powers to scrutinise mergers on national security grounds. The Secretary of State for Business, Energy & Industrial Strategy (BEIS) will be the key decision maker, with significantly expanded powers to scrutinise and, where necessary, impose remedies on certain acquisitions and investments that have national security implications. The new regime will apply to investments/acquisitions by investors from any country, including the UK, and without any form of minimum turnover threshold or market share safe harbour.

The new regime will operate in full from 4 January 2022, when secondary legislation brings the NSIA fully into effect.  Once operative, however, the NSIA may be applied retrospectively to certain transactions completed between 12 November 2020 (when the Bill was introduced to the House of Commons) and the commencement date. 


The NSIA, as enacted, is in much the same form as it commenced as the Bill. This is despite disquiet from stakeholders over the retrospective call-in power and the breadth of its application which, it was thought, might diminish the UK's attractiveness to prospective investors. 

One key change is that the lowest threshold for mandatory notification has been raised from 15% to 25%. However, the Secretary of State will still be able to call in acquisitions of shareholdings and voting rights that give the acquirer "material influence" over the target.  BEIS refers to the definition of material influence which the CMA uses under the Enterprise Act 2002 for merger control.  Material influence can arise out of shareholdings that are considerably lower than 25%, if combined with other interests such as a significant loan agreement between acquirer and target.  

The other main substantive development is that, following consultation, the government has published a new statutory instrument setting out  revised definitions of the seventeen sensitive sectors for which mandatory notification will be required. The revisions reflect calls from stakeholders for greater clarity in the definitions and for a more limited application of the legislation in certain sectors. Some sub-sectors have been removed entirely (e.g. subcontractors have been removed from the category of critical suppliers to government). Other definitions have been refined (the transport sector has been amended to only include those entities that pose the greatest potential risk to national security) or narrowed (the communications sector definition now focuses on public communications networks, and artificial intelligence now focuses on three higher risk applications: the identification of objects, people, and events; advanced robotics and cyber security, services and associated facilities). These definitions have been approved in regulations and are now set to take effect from 4 January 2022. Importantly, they will continue to be regularly reviewed by the Secretary of State. We expect some refinements to the exact areas that are of interest within each sector to emerge during 2022 with the potential for additional mandatory sectors to be declared if omissions are noted.

What does the NSIA do?

Mandatory Notification For The Most Sensitive Transactions

Proposed acquirers of certain shares or voting rights in entities in the most sensitive areas of the economy will be required to pre-notify and obtain prior clearance for their acquisitions from the Secretary of State ("notifiable acquisitions"). Notifications are to be made to a dedicated government unit – the Investment Security Unit (ISU) – through a digital portal. 

A notifiable acquisition can occur with the acquisition of 25% or more of the shareholding or voting rights in an entity The following will also be caught:

  • increases in shareholding or voting rights from less than 25% to more than 25%; from less than 50% to more than 50%; and from less than 75% to more than 75%
  • the acquisition of voting rights allowing the acquirer to pass or block a corporate resolution governing the entity's affairs.

The seventeen sensitive sectors where the mandatory notification regime will apply are: advanced materials, advanced robotics, artificial intelligence, civil nuclear, communications, computing hardware, critical suppliers to government, cryptographic authentication, data infrastructure, defence, energy, military and dual use goods/technologies, quantum technologies, satellite and space technologies, suppliers to the emergency services, synthetic biology and transport.

A notifiable acquisition that is completed before being cleared by the Secretary of State will be void and the acquirer may be subject to criminal or civil penalties for completing the acquisition without clearance.

Powers To Call In Transactions For Full Assessment

The Secretary of State will have the power to "call in" acquisitions of control over qualifying entities or assets (“trigger events”) which give rise, or may give rise, to a national security risk, in order to undertake a full national security assessment. The call-in power may be exercised in respect of notified and non-notified transactions.

Trigger events occur where a person gains control of a qualifying entity or asset:

  • Qualifying entities include, for example, companies, limited liability partnerships, other bodies corporate, partnerships, unincorporated associations and trusts, but not individuals. An investor gains control where it:
    • increases its shareholding or voting rights in the entity to more than 25%, 50% or 75%; or
    • acquires the ability to pass or block a corporate resolution governing the entity's affairs; or
    • acquires the ability to materially influence the policy of the entity.
  • Qualifying assets cover land, tangible or moveable property, and ideas, information or techniques which have industrial, commercial or other economic value such as trade secrets, databases, algorithms, designs, software.  An acquirer gains control of an asset where it acquires the ability to use the asset, or to direct or control how it is used (or to do these things to a greater extent than previously). Asset acquisitions are not subject to mandatory notification, but may be called in.
    • The call-in power may be exercised during the five years following the trigger event (acquisition of control), but subject to a limit of 6 months from the time the Secretary of State became aware of the trigger event (and 4 January 2022, whichever is the later). The call-in power may also be used retrospectively, once the secondary legislation has brought the NSIA fully into effect, in order to call in trigger events that took place after 12 November 2020 (when the Bill was introduced), even if they took place before the new regime commences. The long-stop date for these retrospective call-ins is five years from the commencement date, but this can be reduced to six months by informing BEIS of the transaction prior to that date.  In practice, this is already leading many of our clients to inform the ISU about deals with any kind of national security implication.
    • According to the draft Statement of Policy Intent, when exercising the call-in power the Secretary of State will consider the following risks:
  • Target risk – the nature of the target and whether it is in an area of the economy where the government considers risks are more likely to arise. The economy is split for these purposes into three levels of risk:
    • core areas – the seventeen sensitive sectors where national security risks are more likely to arise (and mandatory notification applies for some types of trigger event);
    • core activities – primarily within the core areas, with regulations to identify specific activities where risks are most likely to arise and the call-in power most likely to be used; acquisitions of entities (not assets) involved in these activities will be subject to mandatory notification, but acquisitions of assets that are closely related to those activities are more likely to be called in than other asset acquisitions;
    • the wider economy – trigger events in the rest of the economy are considered unlikely to pose national security risks and are only expected to be called in on an exceptional basis.
  • Trigger event risk – the type and level of control being acquired and how this could be used in practice, for example whether it might involve:
    • gaining control of a crucial supply chain
    • obtaining access to sensitive sites
    • potential for disruptive or destructive actions, espionage, inappropriate leverage.
  • Acquirer risk – the extent to which the acquirer raises national security concerns; will be assessed on a case by case basis covering factors such as:
    • who is in ultimate control of acquirer
    • track record of acquirer in relation to other acquisitions/holdings 
    • whether acquirer is in control of other entities within a sector or owns significant holdings within a core area (as this increases their potential leverage)
    • any relevant criminal offences or known affiliations of any parties directly involved in the transaction.
Voluntary Notifications

There will be a voluntary notification system for acquisitions which fall outside the mandatory regime, to encourage notifications from parties who consider that their trigger event may raise national security concerns.  

Assessment Process

Where a mandatory or voluntary notification is made the Secretary of State will have 30 days to call it in for full assessment, once it has accepted the notification as complete.

Where a call-in notice is given (on a notified or non-notified transaction) there will be an additional 30 working day assessment period for deciding whether to impose remedies or take no further action. The ISU may extend that period by a further 45 working days if more time is required (i.e. the time period can extend up to 105 working days in total) and any additional period that may be agreed between the Secretary of State and the acquirer.

The assessment may result in:

  • notification that no further action will be taken; or
  • final orders to prevent, remedy or mitigate the national security risk – these could encompass behavioural or structural remedies, or in the more extreme cases (such as where the target represents a crown jewel in the UK's national security infrastructure) the blocking of transactions or full unwinding and 'put back' to the seller.

There will be a process for appealing the Secretary of State's decision to the High Court on the basis of judicial review.

Fines of up to the higher of 5% of worldwide turnover or £10 million, and/or imprisonment of up to five years, may be imposed for failure to comply with the new regime.


The Government’s Impact Assessment predicts 1,000 -1,830 notifications under the NSIA each year, with around 70 to 95 detailed national security assessments, resulting in around 8 – 10 remedies decisions although a range of industry participants have raised concerns that the broad nature of the mandatory sectors and the legislation as drafted will lead to far more notifications than anticipated.  

The vast majority of transactions will be able to proceed as planned, without intervention by the Secretary of State. There will, however, be a significant number where the parties are required, or elect, to notify. The consequences of failing to notify where required to are severe – the transaction will be void (incurring risk for both purchaser and seller) and the purchaser may face civil and criminal sanctions for failing to obtain clearance. Our recent experience has raised a number of challenges including:

  • The position taken by BEIS in its guidance to date that the regime will catch movement through the thresholds even where the change in control is intra-group (reflecting a difference in approach to merger control);
  • The practical risks arising from failure to notify a transaction in a mandatory sector (and the impact on wider practical, financial and legal arrangements in the transaction); and
  • Lenders seeking to satisfy themselves as to whether a transaction they are financing, such as a property purchase or a company acquisition, could trigger a review. Taking security over shares or assets would not normally trigger application of the NSIA, but it may become relevant in the event that the lender enforces the security.  More importantly, the risk of a transaction being "void" for failure to make a mandatory notification may push lenders to take a more prudent view than is the case under merger control.

Businesses and investors should already be factoring the new regime into their deal plans, and including appropriate conditions in their agreements. This is especially important where the transaction concerns one of seventeen defined sectors. The acquirer should consider informing the ISU if a transaction may be at risk of retrospective call-in after the new regime comes into effect, in order to shorten the period in which the call-in power could be exercised. This will need to be coordinated closely with any merger control strategy.

Key Contacts

Al Mangan

Al Mangan

Partner, Competition & Regulation

View profile
Rona Bar-Isaac

Rona Bar-Isaac

Partner, Head of Competition, Co-Head of Retail & Consumer Sector
London, UK

View profile