UK’s National Security and Investment Act Takes Effect | JD Supra


For more than two decades, the United Kingdom’s (U.K.) foreign direct investment regime remained fairly untouched. Then, in mid-2021, amidst pressure from its allies, particularly the United States, the U.K. overhauled and revamped its regime by passing the National Security and Investment Act 2021 (NSI Act). The NSI Act came into effect on Jan. 4, 2022 (with certain provisions applying retroactively to transactions completed on or after Nov. 11, 2020, when the law passed), and relies on mechanisms familiar to those involved in mergers and acquisitions (M&A) and investment transactions involving U.S. companies.

Unlike its predecessor – the Enterprise Act 2002, which authorized reviews only for narrowly defined public interest reasons (e.g., transactions that resulted in the termination of newspapers and broadcasting enterprises) – the NSI Act triggers review of foreign investments on perceived threats to the U.K.’s “national security,” a clear reference to the long-standing test of the Committee on Foreign Investment in the United States (CFIUS) for reviewing foreign acquisitions, delineates sectors of specific sensitivity, applies extraterritorially under specific circumstances, establishes penalties for noncompliance and provides for both mandatory and voluntary notification requirements. Each of the NSI Act’s updates corresponds to the U.S. foreign direct investment regime, particularly as amended by the U.S. Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA).1

The similarities between the NSI Act and FIRRMA, however, are not coincidental; the NSI Act’s passage was most certainly prompted at least in part by CFIUS designation of the U.K. as an “Excepted Foreign State,” allowing investors from the U.K. certain preferential treatment and the corresponding mandate that all “Excepted Foreign States” conform their regimes to that of the United States or risk losing special status.2 Unlike Australia and Canada, which in early January were deemed by CFIUS to have met the requirements, the U.K. was granted an extension until Feb. 13, 2023, likely so that CFIUS can evaluate the impact of the NSI Act once it takes effect.3

The U.K. government’s Impact Assessment of the NSI Act estimates that the new regime will result in 1,000 – 1,830 transactions being notified per year, with the top-most estimate far exceeding the U.S. Department of the Treasury’s projection of approximately 1,000 CFIUS cases being filed this year.4 This might be either an overestimate (CFIUS similarly overestimated an increased number of notified transactions immediately after FIRRMA passed), or it might also be due to the relatively broader application of the NSI Act compared to FIRRMA (it applies to certain acquisitions of intellectual property (IP)).

Transactions Subject to NSI Act Review

The NSI Act creates a “call-in” power, which allows the U.K. secretary of state for business, energy and industrial strategy (BEIS) to review post-closing transactions that were not notified if the secretary suspects the transactions are or could be a risk to the U.K.’s national security. For transactions subject to mandatory review, there is no statute of limitations on the call-in power. For transactions that do not trigger mandatory review, the secretary has five years to exercise its call-in power. In both mandatory and voluntary filings, the call-in power is limited to six months from the date the secretary became aware of the transaction. Coverage in the general press is deemed to be sufficient to establish awareness. Similarly, seeking informal advice from the U.K. government, which makes the secretary aware of the transaction, will shorten the window for intervention to six months.

Mandatory Filings

The mandatory filing regime only applies to investments that result in non-U.K. ownership or control over companies that operate in one of 17 specifically-designated “sensitive” sectors. The sensitive sectors list includes energy, data infrastructure, communications, computing hardware and critical suppliers5 to the U.K. government and emergency services, among others.6 Investors familiar with CFIUS Appendix A to 31 C.F.R. Part 800 will not be surprised by the sectors appearing on the U.K.’s list as there is significant overlap with the CFIUS concept of “critical technology” and CFIUS list of designated covered investment critical infrastructure.

A mandatory filing may be triggered in one of two ways: 1) investments of 25 percent or more or 2) acquisitions of voting rights that will enable the investor to control decisions of the company, including the right to secure or prevent the passage of any resolution or materially influence the company’s policy. Parties subject to the mandatory filing requirement may seek approval of their transaction from the U.K. government post-closing (prior to a call-in by the U.K. secretary of state).

Voluntary Filings

Transactions that fall outside the scope of the NSI Act mandatory filing may be “called-in” by the U.K. government on the basis of a perceived threat to the U.K.’s national security. A voluntary filing may be warranted for transactions involving companies in one or more of the 17 key sectors where none of the “trigger events” described above are present or where the transaction results in control of a U.K. business that does not operate in one of the 17 sectors. Additionally, acquiring certain assets, including land and IP, can trigger discretionary review and may warrant a filing by the parties to protect the investment from any future review. Like with CFIUS, the U.K. government is concerned about the proximity of the land to sensitive sites like military bases. Relevant IP assets include trade secrets, designs, encryption software and algorithms – in that, the NSI Act has broader application than FIRRMA and CFIUS regulations. Guidance from the U.K. government, however, suggests that “call-in” of transactions involving acquisition of such assets will be infrequent.

Risk Factors to Exercise “Call In” Power

The U.K. government will consider three risk factors when determining whether to exercise its call-in authority:

  1. target risk – whether the target of the qualifying acquisition is being used, or could be used, in a way that poses a risk to national security, taking into consideration the business of the target
  2. acquirer risk – whether the acquirer poses a risk to national security, taking into consideration the acquirer’s historic investments and its parent companies7
  3. control risk – whether the amount of control poses a risk to national security

Expressing pride in its open investment environment, the U.K. government emphasized that it will not use this call-in power to interfere arbitrarily with investment and will target investments that are closely related to the 17 key sectors requiring mandatory notification.8 Thus, for voluntary filing transactions, the U.K. government’s “call-in” authority – similar to CFIUS post-closing review authority – creates a business decision tied to the parties’ risk appetite.

Timeline, Potential Outcomes and Penalties

The Investment Security Unit (ISU), the CFIUS-equivalent office within BEIS, has 30 working days to assess a transaction, which can be extended by up to 45 working days; for a comparison to CFIUS timelines, see Holland & Knight’s previous alert, “New CFIUS Regulations Finally Take Effect,” Feb. 13, 2020. The parties may also agree to extend these timelines. There is no filing fee. Actions available to the ISU include freezing the transaction pending review, clearing the investment, clearing the investment subject to conditions or unwinding closed transactions.

The NSI Act also established monetary penalties for noncompliance (e.g., failure to complete a mandatory filing or comply with an order imposed by the ISU). Penalties are calculated based on the “turnover of a business” and prescribe the form and content of notices and validation applications. Criminal penalties also are available and include up to five years in prison and fines up to the greater of five percent of global turnover or 10 million pounds sterling (about $13.8 million).

Practical Considerations

The NSI Act applies retroactively to any transaction that closed after Nov. 12, 2020, when the act was passed by Parliament. As such, U.S. investors who have completed transactions involving U.K. businesses over the past year or so should evaluate each transaction’s terms and target’s sector of operations to determine whether a mandatory or voluntary filing is warranted. If the U.K. government was made aware of the transaction prior to the NSI Act coming into force, such as through a press release, the U.K. government has six months from the day the law went into effect – until July 4, 2022 – to exercise its call-in power.


1 For additional information on CFIUS regulations, see Holland & Knight’s previous alert, “New CFIUS Regulations Finally Take Effect,” Feb. 13, 2020.

2 To retain its status as an “Excepted Foreign State” under CFIUS, the U.K. must implement measures that would conform its investment regime with that of the United States. Originally, the U.K. had until Feb. 12, 2022, to make such changes; however, on Nov. 15, 2021, the U.S. government proposed a rule that would extend the deadline to Feb. 13, 2023. Although the U.S. government offered no explanation for wanting to extend the deadline, it may be to provide additional time for allies, like the U.K., to fully implement their revamped regimes. Although the NSI Act was passed on Nov. 11, 2020, it did not go into effect until Jan. 4, 2022.

3 See Holland & Knight’s previous alert, “CFIUS Updates the List of Excepted Foreign States,” Jan. 7, 2022.

4 See the full text of the Congressional Budget Justification and Annual Performance Report and Plan.

5 Critical supplies include advanced materials, advanced robotics, artificial intelligence (AI), civil nuclear, communications, computing hardware, critical suppliers to government, critical suppliers to the emergency services, cryptographic authentication, data infrastructure, defense, energy, military and dual-use, quantum technologies, satellite and space technologies, synthetic biology and transport.

6 The full list of the 17 “sensitive” sectors includes advanced materials, advanced robotics, AI, civil nuclear, communications, computing hardware, critical suppliers to government, cryptographic authentication, data infrastructure, defense, energy, military and dual-use, quantum technologies, satellite and space technologies, suppliers to the emergency services, synthetic biology and transport.

7 Notably, the U.K. government has stated that it will not make assumptions based on an acquirer’s country of origin but will consider an acquirer’s connection to countries that are hostile to the U.K.

8 For more information on the call-in authority and certain examples of acquisitions likely to be called in,…


Read More: UK’s National Security and Investment Act Takes Effect | JD Supra

Notify of
Inline Feedbacks
View all comments