Quickguides

UK national security and investment control regime

UK national security and investment control regime

    This Quickguide provides an overview of the UK national security and investment control regime, introduced by the National Security & Investment Act 2021, which became fully effective on 4 January 2022. 

    1.  A new national security regime

    The National Security & Investment Act 2021 (the Act) entered into force on 4 January 2022.  The Act establishes a new statutory regime for the UK Government to scrutinise investments and acquisitions on national security grounds.  The new regime is not a foreign investment regime, in that it applies equally to UK and non-UK investors. The Act allows the Government to intervene in any transaction with a UK nexus which could pose a national security risk.  

    The Act has significantly strengthened the Government's powers to investigate and potentially prohibit transactions on national security grounds.  It contains a mandatory notification regime, backed up by criminal sanctions, for transactions in sectors thought most likely to raise national security concerns, and a voluntary notification process (underpinned by a "call-in" power) for other transactions that may affect UK national security interests. 

    The regime has been designed with a wide scope.  In its National Security and Investment Act Annual Report 2023 (published in July 2023) the Government stated that it received 866 notifications between 1 April 2022 and 31 March 2023.  This compares to only a handful of transactions scrutinised each year under the previous regime.  However, of the 766 notifications reviewed in the same period only 65 were called-in for a detailed assessment, with only 15 deals being subject to remedies or prohibited.  

    2.  Key implications

    The Government has presented the Act as a measured response to the increased national security risks the UK faces, noting that similar measures have been adopted in many other countries.  Many countries have recently strengthened, or are in the process of strengthening, their national security/foreign investment regimes.  For example, following the enactment of the EU Screening Regulation,1 most EU Member States which did not previously have foreign investment screening regimes have introduced or are planning to introduce such regimes. 

    The new UK regime involves a sea-change in the UK's approach to national security assessments and will result in:

    • a very significant increase both in the number of transactions being assessed for national security concerns and potentially those being the subject of remedies;
    • serious consequences (criminal and civil penalties) for completing a transaction subject to the mandatory regime without clearance;
    • potentially significant impacts on deal timetables; and
    • a potential reduction in deal certainty and an increase in overall execution risk.

    It is therefore important to determine whether the proposed transaction falls within the mandatory notification regime at an early stage in a transaction.  If so, this may have a significant impact on the overall deal timetable and appropriate risk allocation provisions will need to be included in the deal documentation.

    3.  Key features of regime

    Notification and enforcement 

    The Act establishes a new statutory regime for Government scrutiny of, and intervention in, investments and acquisitions for the purpose of protecting national security.  It makes provision for: 

    • a mandatory notification system for transactions involving the acquisition of a right or interest (typically a holding of more than 25%) in a qualifying legal entity (i.e. excluding "asset deals") in 17 key sectors, where clearance must be obtained before closing;
    • a call-in power enabling the Government to call-in transactions for a detailed national security assessment. Transactions which completed on or after 12 November 2020 may be called in;
    • a regime with no or very limited thresholds. The range of transactions that are potentially caught is very extensive, including target businesses with very limited activities in the 17 key sectors and those which are highly unlikely to raise substantive national security concerns;
    • sanctions, including imprisonment (of up to five years) and fines (of up to 5% of worldwide turnover or GBP 10 million – whichever is greater) for non-compliance with the mandatory notification requirement, together with the transaction being void;
    • voluntary notifications from parties to transactions not caught by the mandatory regime who consider that their transaction may raise national security concerns;
    • a power to adopt interim "hold separate" orders in relation to completed transactions to prevent or reverse pre-emptive action through integration of the merging businesses;
    • a wide range of remedies to address risks to national security; and
    • a mechanism for legal challenge, which will be by way of judicial review rather than a full merits challenge.

    What types of transactions are caught?

    National security is not defined in the Act but the Government has identified 17 sectors (see further below) which it considers to be particularly sensitive and which will be subject to mandatory notification. 

    Review timetable 

    Most reviews will be completed within 30 working days from acceptance of the notification.  If the transaction is called in for a detailed national security assessment, the assessment will last up to a further 30 working days, extendable by a further 45 working days (with scope for further extensions). 

    To whom does the regime apply?

    The regime applies to UK and foreign acquirers/investors from any country.  This is consistent with the approach under the previous UK national security regime.  It also applies to "foreign-to-foreign" transactions where there is a change of control over a business that carries on activities in the UK or supplies goods or services to persons in the UK. 

    The Government has published guidance on the Act for overseas companies (available here) which confirms that the qualifying entity needs to be sufficiently involved in the activities carried out in the UK.  An entity is not likely to be considered a qualifying entity solely on the basis that its shares are listed in the UK or it has owners or investors based in the UK. 

    The guidance for overseas companies was updated on 21 May 2024. It now highlights that in certain situations outward direct investment (ODI) may constitute an acquisition under the Act: for example, where it involves the transfer of technology, intellectual property and expertise as part of the investment or when forming joint ventures overseas. Mandatory notification regime for "notifiable acquisitions".

    4.  Mandatory notification regime for "notifiable acquisitions" 

    What is a notifiable acquisition?

    The Act provides for a mandatory notification requirement for entities involved in specific transactions (referred to as notifiable acquisitions).  A notifiable acquisition takes place, broadly, where a person gains control of a qualifying entity of a specified description.  There are generally no minimum turnover, value or volume thresholds which must be met for a transaction to be a notifiable acquisition. 

    Control is generally defined as acquiring more than 25% of the relevant shares or voting rights of a qualifying entity.  Any pre-existing stake in the qualifying entity will count towards the required 25%.  A fresh acquisition of control (and therefore a further notifiable acquisition) will arise where the investor moves through the 50% and 75% share ownership/voting thresholds.  

    Control is also defined to include an acquisition of voting rights that enable the acquirer to secure or prevent the passage of any class of resolution governing the affairs of the entity.  The intended scope of this provision is a little unclear.  However, it is unlikely that veto rights over a limited set of specific matters will be caught. 

    A qualifying entity is defined broadly as any entity that is not an individual (i.e. including companies and partnerships).  Qualifying entities do not need to be UK entities: it suffices that the entity carries on activities in the UK.  No minimum level of UK activity is required.  

    Assets in themselves do not constitute qualifying entities and therefore "asset deals" are not subject to mandatory notification. 

    The Government has identified the following 17 sectors as potentially raising particular national security concerns: 

    • Advanced materials
    • Advanced robotics
    • Artificial intelligence
    • Civil nuclear
    • Communications
    • Computing hardware
    • Critical suppliers to Government
    • Cryptographic authentication
    • Data infrastructure
    • Defence
    • Energy
    • Military and dual-use
    • Quantum technologies
    • Satellite and space technologies
    • Suppliers to the emergency services
    • Synthetic biology
    • Transport

    Not all acquisitions of control of entities falling within these sectors will be caught by the mandatory notification regime: it only applies to those falling within the specific descriptions in the Notifiable Acquisitions Regulations.2  Moreover, the entity's relevant activities will typically need to be carried on in the UK (sales of relevant products into the UK will generally not suffice). 

    Some of the definitions are relatively narrow (e.g. transport) but other are relatively broad (e.g. energy).  Some but not all definitions include size thresholds and some of the definitions are very technical (e.g. advanced materials).  The Government published updated guidance on notifiable acquisitions on 6 February 2024 (available here).

    Power to amend the scope

    The Secretary of State may amend the scope of what may be considered a notifiable acquisition to enable the regime to remain current as the nature of national security threats to the UK evolves.  This may include: 

    • exempting acquisitions from the mandatory notification regime on the basis of the characteristics of the acquirer; or
    • adding or removing specific types of transaction to/from the mandatory notification regime.

    Suspensory regime

    The acquirer must notify the Secretary of State of notifiable acquisitions before they take place in order to obtain clearance to close the transaction.  In practice, notifications are made to the Investment Security Unit (ISU), a unit within the Cabinet Office . A notifiable acquisition that is completed before being approved by the Secretary of State has no legal effect and will be void.  The Secretary of State may retrospectively validate a notifiable acquisition following a notification by the person who acquired control. 

    The acquirer may also be subject to criminal sanctions (imprisonment of up to five years) and civil penalties (of up to 5% of worldwide turnover or GBP 10 million – whichever is greater) for completing the acquisition without clearance.  

    5.  Voluntary notification and "call-in" regime for "trigger events"

    Transactions which do not fall within the definition of notifiable acquisitions can be carried out without prior notification or approval.  However, the Secretary of State has the power to issue a call-in notice to review a closed transaction for up to five years after the event and parties may therefore wish to consider a voluntary notification. 

    Voluntary notification regime

    Parties to transactions that do not meet the criteria for mandatory notification may submit a voluntary notification to the Secretary of State if they consider that their acquisition may constitute a trigger event that could raise national security concerns.  A voluntary notification may be made by the acquirer, seller or qualifying entity.  

    To help inform this assessment, as required by the Act, on 2 November 2021 the Secretary of State published a statement on how the call-in power is expected to be used (available here) (the Statement).  The Statement also provides guidance on the substantive assessment of transactions caught by the mandatory regime.  On 21 May 2024, the Government published an updated Statement (available here). 

    The Statement notes that it is intentional that the Act does not set out the circumstances in which national security is or may be considered at risk because this reflects "longstanding government policy to ensure that national security powers are sufficiently flexible to protect the nation".  

    For legal certainty, parties should consider whether it would be appropriate to approach the ISU on an informal basis or make a voluntary notification.  This is perhaps particularly important for transactions which fall just below the control thresholds for mandatory notification in the 17 key sectors, which involve activities that are closely related to the specified mandatory sectors, or which would involve a mandatory notification if they had been structured as a share deal rather than an asset deal.  

    Informing the ISU of the transaction (whether informally or through a notification) will also have the benefit of reducing the potential call-in period from five years to six months.  

    Call-in regime

    The Secretary of State may review specific acquisitions of control of legal entities and assets by issuing "call-in notices".  The transactions which are within the scope of this function are collectively known as "trigger events". 

    A call-in notice may:

    • be issued up to five years after a trigger event has taken place (or five years after the commencement of the new regime if the trigger event took place between 12 November 2020 and 3 January 2022);
    • not be issued more than six months after the day on which the Secretary of State became aware of the trigger event, in practice via email or other direct communication from the parties.

    Trigger events relating to qualifying entities

    For these purposes, a qualifying entity does not need to be of a "specified description". In other words, its activities do not need to fall within the scope of the 17 sectors of the mandatory regime.

    A trigger event will take place when a person gains control (as defined above) or the ability to materially influence the policy of a qualifying entity. The concept of acquiring material influence over an entity's policy has been drawn from the UK merger control regime and so the ISU takes the same fact-sensitive approach as the Competition and Markets Authority (CMA) under the UK merger control rules (see our Quickguide on UK Merger Control).

    Trigger events relating to qualifying assets

    A person is defined as gaining control of a qualifying asset if he/she acquires a right or interest in relation to it and is able to use it, or direct or control its use, to a greater extent than prior to its acquisition.  

    A "qualifying asset" is defined broadly to include land; tangible moveable property; and ideas, information or techniques which have industrial, commercial or other economic value.  Examples of assets in the latter category set out in the Act include trade secrets, databases, source code, algorithms, formulae, designs, specifications and software. 6. National security assessment

    6.  National security assessment

    Notification process

    Notifications are made to, and the process is managed by, the ISU.  Notifications are made via an online portal.  The notification forms and guidance on completing and registering notifications are available here.  At a high level, notifications should provide information on: the shareholders/affiliates of the acquirer, the activities of the target (including whether the target is, or has been in the last five years, a supplier to the Government in key areas), the control thresholds being met and the (proposed) completion date.  

    Where the parties (generally, the acquirer) notify a transaction (either under the mandatory regime, or voluntarily), the ISU will first assess whether the notification is complete.  If the notification does not comply with the regulations or does not contain sufficient information, the ISU can reject it, giving reasons, following which the parties will need to re-submit. 

    Providing misleading information can lead to decisions by the Secretary of State being revoked or varied.  The Secretary of State also has the power to impose civil and criminal sanctions for providing misleading information. 

    Who can notify a transaction?

    Mandatory notifications must be made by the acquirer.  A voluntary notification may be made by the acquirer, seller or qualifying entity. 

    Fees

    There is no fee payable for submitting a notification under the Act.  

    How long does the review process take?

    Following acceptance of a notification, the Secretary of State has up to 30 working days to decide whether to issue a call-in notice.  If he/she decides that the transaction does not need to be subject to an in-depth national security assessment, the notifying parties will be informed that no further action will be taken.  If a transaction is called in for a detailed national security assessment, the initial assessment period is 30 working days from the date of the call-in notice.  This is extendable by an additional 45 working days at the discretion of the Secretary of State if he/she reasonably believes that further time is needed to assess the transaction.  The Secretary of State may also agree further extensions with the parties.

    Where the Secretary of State issues an information notice following the issuance of a call-in notice, the clock will stop.  See "Information gathering powers" below for further details. 

    What are the assessment criteria?

    The Secretary of State may issue a call-in notice, whether following a mandatory or voluntary notification or otherwise, if he/she reasonably suspects that a trigger event has taken place or is in progress/contemplation in relation to a qualifying entity or asset and the event has given or may give rise to a risk to national security.

    If a call-in notice is issued, the Secretary of State must then decide whether a relevant trigger event has in fact occurred or is in progress/contemplation and does in fact give rise to a risk to national security. If the Secretary of State so considers, he/she will decide what measures (i.e. remedies) are necessary and proportionate for the purpose of preventing, remedying or mitigating that risk.

    When is the Government likely to call in transactions on national security grounds?

    As noted above, the Secretary of State has published a Statement which explains that he expects to take into account the following risk factors in exercising the call-in power.  It is expected that similar considerations will be taken into account in deciding whether a national security risk actually arises following issuance of a call-in notice. 

    Target risk. The Secretary of State will consider:

    • what the target does, is used for, or could be used for and
    • whether that has given rise to, or may give rise to, a risk to the UK's national security.

    The Statement sets out that the Government may call in acquisitions involving the incorporation of a new entity, if the incorporation involves a change of control of an existing asset or entity: for example, the transfer of intellectual property in certain joint ventures or control of certain assets in new build energy infrastructure.

    The Secretary of State considers that qualifying entities which undertake activities in the 17 specified sectors or have closely linked activities are more likely to raise target risk.

    Acquirer risk. The Secretary of State will consider whether the acquirer, including its ultimate controllers, may seek to use the entity or asset to undermine national security. In particular, the Secretary of State has indicated he will consider:

    • the acquirer's past behaviour;
    • the intent of the acquisition;
    • the sectors in which the acquirer operates and its existing capabilities;
    • whether the acquirer has made cumulative acquisitions across a sector or linked sectors;
    • any ties or allegiances to a state or organisation which is hostile to the UK;
    • whether intelligence agencies in the country of origin can compel organisations and individuals to carry out work on their behalf, share data and provide support, assistance and cooperation; and
    • whether the acquirer is, or has been, subject to UK or foreign sanctions in connection with activity that may indicate a risk to national security.

    The Statement indicates that a history of passive or long-term investments may indicate low or no acquirer risk.  The Statement also notes that the Secretary of State does not regard all state-owned entities, sovereign wealth funds or other entities affiliated with foreign states, as being inherently more likely to pose a national security risk.  The Secretary of State will not make judgements based solely on an acquirer’s country of origin.  However, an acquirer’s ties or allegiance to a state or organisation which is hostile to the UK will be considered when assessing whether their acquisition has given, or may give, rise to a risk to the UK’s national security.  No specific hostile states are named in the Statement.  

    Control risk. The Secretary of State will consider the amount of control the acquirer gains of an entity's activities or strategy or the amount of control over an asset (including using it or controlling/directing its use).  A greater degree of control may increase the possibility of a target being used to harm national security. 

    Some characteristics (such as a history of passive or long-term investments, or voting rights being held by passive investors) may indicate lower control risk. The Government may also consider the amount of control that an acquirer could gain through exercising financial instruments, such as loans, conditional acquisitions, futures and options that affect the control of an entity: for example, debt-to-equity swaps.

    The control risk is assessed alongside the target and acquirer risk because when the target and/or acquirer risk is low, the level of control acquired is less likely to give rise to national security concerns.

    Target risk / activities that are more likely to raise national security concerns 

    Noting that deals will be assessed on a case-by-case basis, the Secretary of State highlights two types of transactions, in addition to those subject to mandatory notification, which are more likely to be called in: 

    • acquisitions of control through material influence of qualifying entities active in the 17 sectors set out above; and
    • qualifying acquisitions of entities which undertake activities closely linked to the activities in the 17 sectors (e.g. activities related to transport but which do not fall within the definition of transport in the Notifiable Acquisitions Regulations).

    In practice, most acquisitions falling within the above categories (as well as most acquisitions falling within the Notifiable Acquisitions Regulations) are unlikely to be called in for a detailed assessment. 

    The Secretary of State also expects to intervene very rarely in asset transactions.  However, where assets are or could be used in connection with the activities set out in the Notifiable Acquisitions Regulations or closely linked activities or there is an acquisition of land in a sensitive location, their acquisition is more likely to be called in.  

    Information gathering powers

    The Secretary of State also has wide-ranging information gathering powers, including the ability to issue information notices and to require persons to give evidence, to facilitate assessment of the acquisition.  As set out above, an information notice issued following a call-in notice will stop the clock, meaning that the days between the information notice being issued and the response being provided will not count towards the assessment period.  The clock will restart the day after the Secretary of State confirms that sufficient information has been provided or (if earlier) the deadline for responding has passed. 

    There are safeguards on the use and disclosure of such information.  The Secretary of State has the power to impose monetary penalties if a party fails to comply with information requests (without reasonable excuse) or provides misleading information. 

    Interim powers

    While a notifiable acquisition or trigger event is being assessed, the Secretary of State is able to impose interim measures in order to ensure that the effectiveness of the national security assessment or subsequent remedies is not prejudiced by action taken by the parties.  For example, in the case of a call-in notice where the deal has completed, the Secretary of State could prohibit activities which would result in the integration of two businesses, or act to safeguard assets, until the national security assessment has been completed.  It is anticipated that these powers will only be used on rare occasions.

    Remedial powers

    At the end of the national security assessment, the Secretary of State will either:

    • issue a final notification, on the basis that there is no national security risk posed by the transaction; or
    • issue a final order, finding that there is a national security risk and containing remedial provisions to address the identified risk.

    If national security concerns are identified, the Secretary of State has the power to impose remedies.  Since the regime entered into force, a total of 22 final orders have been issued (as at 24 May 2024).  Remedies have included: 

    • corporate governance requirements, including UK Security Vetting clearance, board observers and appointing Chief Information Security Officers;
    • access conditions (e.g. limiting access to a particular site or dual-use technology to named individuals and implementing visitor protocols);
    • information / operation conditions, requiring that only persons with appropriate UK security clearance have access to confidential information or may be part of operational management;
    • conditions requiring certain activities to be retained in the UK and the retention of UK staff in key roles at particular sensitive sites;
    • notifying the Government in advance of proposed sales, transfers and granting licences and requiring certain information to be reported to the Government annually; and
    • prohibiting the transaction or requiring the transaction to be unwound.

    What are the consequences of not obtaining clearance?

    If a transaction is a notifiable acquisition and therefore falls within the scope of the mandatory regime, the parties cannot close the transaction until clearance is received.  Any notifiable acquisition completed without Secretary of State approval is void (although retrospective validation is possible).  

    In addition, there are civil and criminal sanctions for any person who completes a notifiable acquisition without approval (only the acquirer is under a duty to notify a notifiable acquisition), or who fails to comply with an interim or a final order, including:

    • imprisonment of up to five years and/or
    • fixed penalties and daily rate penalties (of up to 5% of worldwide turnover or GBP 10 million – whichever is greater).

    Can parties challenge decisions?

    There is an appeal process in the High Court (or the Court of Session in Scotland) for civil penalties and requirements to pay associated costs under the Act.  This is a full merits appeal process. 

    Pursuant to section 49 of the Act, all other decisions of the Secretary of State under the Act may only be challenged by way of judicial review.  In other words, the court is primarily concerned with the legality of the decision-making process, rather than evaluating the merits of the decision.  Judicial review is a lengthy and costly process and if a claimant is unsuccessful any legal costs of the ISU may have to be covered.  The Government will be able to apply for a closed material procedure to protect sensitive information in proceedings.

    Any application for judicial review or appeal against a penalty must be filed within four weeks of the decision having been notified to the parties or published.  

    What is the degree of transparency and confidentiality?

    Information provided as part of a notification will be kept confidential and will not be available to the public. 

    As the regime only entered into force on 4 January 2022, it is not yet known in practice how much transparency the parties (and third parties) to transactions that are reviewed under the Act will have and how much scope they will have to comment during the initial review process and assessment period.  However, as the Act relates to national security issues, there are bound to be sensitivities.  

    The Act provides that the Secretary of State is required to publish a notice of a final order, including a summary of the order, its effect and the reasons for it.  The Act does not provide for the publication of full decisions (even after the removal of confidential or sensitive information) or for the publication of final notifications (i.e. clearances). 

    Role of the UK merger control regime

    The National Security and Investment regime under the Act is separate from the processes and practice of the CMA's merger control framework under the Enterprise Act 2002 (see our Quickguide on UK Merger Control).  From 4 January 2022, the merger control framework only applies to competition, media plurality, financial stability and public health emergency considerations.  All national security considerations will be assessed within the new legal framework introduced by the Act.  The lower thresholds introduced into the Enterprise Act in recent years for certain sectors raising potential national security concerns have been removed. 

    The CMA has a duty to assist the Secretary of State and to provide any information in its possession to enable the Secretary of State to fulfil his/her functions under the Act.  In practice this means that any information provided to the CMA during its merger control review may be made available to the Secretary of State. 

    Appendix 1

    UK National Security and Investment Act (NSIA)

    Notification Process

    UK national security and invetment control regime


    1. Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019.
    2. The National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021 (SI 2021/1264).

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.