Global menu

Our global pages


UK Government gets CFIUS: new National Security regime moves one step closer

  • United Kingdom
  • Competition, EU and Trade
  • Competition, EU and Trade - Foreign investment regimes



On 29 April 2021, the UK Government’s long-awaited National Security and Investment Bill received Royal Assent. The new regime is due to take effect later this year. The National Security and Investment Act 2021 (“NSI Act”) provides for a new, standalone regime enabling the UK Government to scrutinise and intervene in acquisitions and investments to protect national security in the UK. Unlike similar regimes already in force in other jurisdictions especially in the EU, the UK regime will apply to investors from any country.

Certain types of transactions in 17 key sectors will be subject to mandatory notification to the new Investment Security Unit (“ISU”) within the Department of Business, Energy and Industrial Strategy (“BEIS”) to protect national security. Failure to notify such a transaction could result in severe penalties including criminal sanctions.

The new regime has retroactive effect meaning that investments made and M&A transactions undertaken after 12 November 2020 could potentially be investigated (after the deal has been completed) once the new regime comes into effect later this year. Businesses undertaking M&A transactions and investments, therefore, need to be aware of the new regime and its implications on current and recent deals.

The background to the NSI Act and its content can be found in our previous briefing here.

Parliamentary changes made to the NSI Act

The NSI Act was introduced in Parliament on 11 November 2020. During its Parliamentary passage, two significant changes were made.

The first change relates to one of the events triggering a mandatory notification. Under the NSI Act, an acquisition will be subject to mandatory notification if the percentage of shares or voting rights in an entity active in one of the 17 key sectors increases from 25% or more (previously 15% or more)1. However, BEIS will still be able to “call in” for review acquisitions falling below the 25% threshold where material influence is acquired. In addition, the acquisition of voting rights in a relevant entity that (whether alone or together with other voting rights held by it) enables it to secure or prevent the passing of any corporate resolution governing the affairs of the entity will still require mandatory notification. As such, the acquisition of shareholding/voting rights of less than 25% could still trigger a mandatory notification. In particular, the acquisition of special veto rights of any corporate resolution could trigger a mandatory filing regardless of the percentage of shares/votes acquired.

Second, the House of Lords extended the content of the annual report which BEIS is required to publish at the end of each financial year to include: the number of voluntary notices accepted, the average number of working days from receipt of a mandatory or voluntary notice to (a) notification of a decision to accept such notice or (b) giving written reasons for a decision to reject such notice, and the number of final orders varied and revoked. These changes are welcomed and should result in more transparency around the regime.

Severe penalties remain in place

It is important to highlight that the Parliamentary process has not resulted in the penalties for breaching the new regime being changed. Non-compliance could result in fines of up to 5% of worldwide turnover or £10 million (whichever is the greater) and/or imprisonment for individuals of up to five years.

In addition, transactions that are covered by the mandatory notification requirement, but which proceed without obtaining clearance, will be legally void.

Amendments to sector definitions

The definitions of the 17 key sectors, regarded as being the most sensitive areas of the economy, which will fall within the mandatory notification regime are broad. The sectors are: advanced materials; advanced robotics; artificial intelligence (“AI”); civil nuclear; communications; computing hardware; critical suppliers to Government; critical suppliers to the emergency services; cryptographic authentication; data infrastructure; defence; energy; engineering biology; military and dual use; quantum technologies; satellite and space technologies, and transport.

Having consulted on the proposed definitions, on 2 March 2021 the UK Government published its response to its consultation. It took onboard some of the feedback received from various stakeholders, and refined and narrowed some of the sector definitions to assist parties to determine if their transaction requires mandatory notification.

For example, the definition of “advanced robotics” was amended to detail the types of products which are excluded from the scope of the mandatory notification regime including: “machines containing robotic systems that are readily available for purchase by consumers” such as robotic toys, smart domestic appliances, vacuum cleaning robots and consumer drones; complete robotic systems acquired to perform given tasks which the acquirer cannot alter or combine with other systems to perform wholly new advanced robotics systems; and devices which are not independently mobile such as smart speakers.

Many of the changes recommended by stakeholders were, however, rejected. For example, the UK Government rejected calls to remove AI and “critical suppliers to Government” as sectors. Although it acknowledged that the definition of AI captures entities that identify as AI companies as well as companies in other industries which develop their own AI applications, the UK Government’s view is that AI technologies are inherently dual-use. The UK Government did, however, narrow the definition of AI to focus on specific applications which it considers are of higher risk and redrafted the definition of AI to align with that used by the OECD and the EU.

In relation to “critical suppliers to Government”, the UK Government made a number of changes to the definition so that it now focuses on:

  • contracts which relate to the handling of classified information or estates and their protection;
  • contracts relating to the security of UK Government networks and information systems; and
  • the provision of manned guarding services.

The UK Government also removed subcontractors from scope, and references to Government property, fuel and energy suppliers, and personal identifiable information.

The original “computing hardware” definition contained a number of obscure terms, such as “functional capability” and “provides support”, which have been removed. Furthermore, due to the potential confusion between “computer processing unit” and “central processing unit” (“CPU”), the UK Government included a new list of six sub-terms under the definition of “computer processing unit”, which includes CPU. Like with AI, however, the UK Government did not remove consumer products or their supply chains from the computing hardware definition due to the unforeseen “dual-use” applications of computing hardware products. It also rejected calls to make reference to the end-product hardware itself or CPU wafers, as the UK Government considers that the definition should focus on preventing the loss of IP within the supply chain to hostile actors.

The final sector definitions will need to be adopted in secondary legislation and the UK Government has expressly stated that it will continue to engage with industry on the definitions.

Next steps

According to the ISU’s website, the new national security regime is expected to be operational by the end of 2021. Before then, a number of statutory instruments will need to be implemented covering:

-      the form and content of a mandatory notification and of a voluntary notice;

-      the form and content of a retrospective validation application. Any person who has been materially affected by the voiding of a notifiable acquisition will be able to apply to the ISU for a validation notice, which has the effect of treating the acquisition as having been completed with the ISU’s approval and, therefore, means that the acquisition is no longer void;

-      the calculation of turnover for the purposes of civil penalties;

-      the procedure for serving notices; and

-      a policy statement regarding call-in which is intended to provide additional predictability and transparency in relation to the BEIS’ expected use of its call-in power.

The UK Government intends to consult on the draft policy statement. The other statutory instruments will not be subject to a formal consultation, but the UK Government intends to undertake targeted engagement with businesses to gather feedback. In addition, the UK Government is expected to publish guidance on the new national security regime including on its extraterritorial scope.


We welcome the amendments made by the UK Government to both the NSI Act and the sector definitions to reduce the scope of the new national security regime. Nevertheless, the regime remains broad in part because, unlike similar regimes adopted in other jurisdictions (see, for example, our briefing on the EU regime here), it is not limited to foreign ownership. The UK regime will impact a wide range of deals across multiple sectors and it will be important that the ISU is given sufficient resources to be able to deal with the anticipated high level of notifications.

Although the new regime is scheduled to be implemented later this year, the UK Government’s “call in” power has retrospective effect from 12 November 2020. Whilst this undoubtedly creates significant uncertainty, the UK Government has introduced a mechanism whereby transactions which take place within this interim period can be discussed on an informal basis with the ISU. Based on our experience, both the ISU and companies alike are keen to engage in this process, as it enables parties to obtain insight into, and potentially some informal comfort on, the ISU’s intentions regarding their particular transaction once the regime becomes operational.

1. The other two triggering events remain unchanged