Investing, acquiring or fundraising? Security threats need your attention

Investing, acquiring or fundraising? Security threats need your attention

This insight is part of our Legal Business News | Winter 2025 series. Explore the full series at the end of this piece.

Threats to UK national security are complex, dynamic and usually unforeseen. The UK government advocates the need for flexibility in responding to these threats appropriately. UK-based entities investing, making acquisitions or fundraising need to be mindful that their UK and foreign business activities might be subject to national security requirements.

The UK government is allowed to scrutinise, and intervene in, certain acquisitions and investments to protect UK national security by the National Security and Investment Act 2021 (NSI Act).The NSI Act came into force on 4 January 2022 and expands on the UK government’s powers under the previous Enterprise Act 2002 regime to intervene in transactions on the grounds of UK national security.

We are seeing the impact of the NSI Act regime on transaction documentation, including due diligence questionnaires and warranties, and undertakings in share purchase and investment agreements. Tough penalties and sanctions may be imposed for non-compliance, do it should be given due consideration at the outset of any transaction.

Here, we summarise the key points of the NSI Act regime.

The NSI Act’s reach

The NSI Act is relevant to certain acquisitions and to increasing one’s level of control over a qualifying entity. It applies to transactions which involve acquiring a specified level of control over qualifying entities or qualifying assets where there is or could be a potential risk to UK national security as a result.

Qualifying entities and qualifying assets are widely defined. This means that a qualifying entity can include any company, body corporate, partnership, unincorporated association or trust. A qualifying asset can include any tangible property, land or intellectual property. The transactions or so-called “trigger events” falling within the scope of the NSI Act regime include:

  • Acquiring votes or shares in a qualifying entity exceeding a threshold of 25% or 50% or reaching or exceeding a threshold of 75%.
  • Acquiring voting rights that enable or prevent the passage of any class of resolution governing the affairs of a qualifying entity.
  • Acquiring material influence over a qualifying entity’s policy.
  • Acquiring a right or interest in, or in relation to, a qualifying asset enabling the ability to:
    • use the asset or do so to a greater extent than before the acquisition; or
    • direct or control how the asset is used or do so to a greater extent than before the acquisition.

Transaction notifications

There is a transaction notification and screening regime, which is managed and administered by the Investment Security Unit (ISU). Transaction notifications (whether mandatory or voluntary) must be submitted to the ISU via a digital platform. Parties may submit general enquiries to the ISU concerning the NSI Act regime or request informal discussions around future acquisitions or a specific notification. The UK government also has a so-called call-in power to review certain in-scope transactions.

Mandatory notification

It is a mandatory requirement for proposed acquirers of shares or voting rights (exceeding defined thresholds) in companies and other entities undertaking specified activities in the UK in certain “high-risk” sectors of the economy to notify the transaction and obtain UK government approval before completing the acquisition.

If a transaction that requires mandatory notification is completed without being approved, it will be void and of no legal effect (although there is a mechanism enabling the retrospective validation of unnotified transactions). Additionally, the acquirer may be subject to civil or criminal penalties for completing the transaction without obtaining clearance.

The 17 high-risk sectors triggering a mandatory notification are: advanced materials, advanced robotics, AI, civil nuclear, communications, computing hardware, critical suppliers to government, cryptographic authentication, data infrastructure, defence, energy, military and dual-use technologies, quantum technologies, satellite and space technologies, critical suppliers to the emergency services, synthetic biology, and transport. Where a mandatory notification is required, clearance should be obtained before completing the transaction and it is expected that completion will be conditional upon clearance being obtained.

Voluntary notification

For transactions that are not subject to mandatory notification, there is a voluntary notification system to encourage notifications from parties who consider that their transaction may raise UK national security concerns. To help inform their assessment as to whether a voluntary notification should be made, transaction parties should refer to the section 3 statement (see below), which sets out how the UK Secretary of State expects to exercise the UK government’s call-in power.

Call-in power

The UK government has the power to call in for review any in-scope transaction (whether or not notified to the ISU) where there is a reasonable suspicion that it has given, or could give, rise to a risk to UK national security. A call-in notice may be issued at any time while the transaction is in progress or contemplation, or within a specified period following its completion (but there is no such time limit where there is a failure to notify a transaction that falls within the mandatory notification regime). The UK government may still call in for review any acquisitions or investments which do not meet the thresholds for mandatory notification, but which could still give cause for concern from a UK national security perspective.

The NSI Act summary

  • There is no de minimis in terms of transaction value and there are no financial thresholds for notification. The NSI Act regime is not confined to high-profile and/or high-value transactions (although in practice these are more likely to attract greater UK government scrutiny).
  • UK investors can fall within the scope of the NSI Act regime, and investments by a UK investor require the same analysis and possible notification as acquisitions by any foreign investor.
  • Foreign entities and assets may be caught under the NSI Act regime if they have a connection with activities carried out in the UK, or the supply of goods or services to persons in the UK.
  • The UK government has the power to impose remedies to address risks to UK national security (including the imposition of conditions or prohibiting or unwinding a transaction) and sanctions for non-compliance with the NSI Act regime, including fines of up to 5% of worldwide turnover or £10 million (whichever is the greater) and imprisonment of up to five years.
  • Currently, the mandatory notification regime only applies to acquisitions of control over qualifying entities and not to acquisitions of qualifying assets (although this may be varied by secondary legislation, including the possibility of expanding the regime to include asset acquisitions). However, in-scope asset transactions can be notified to the ISU under the voluntary notification regime if the parties consider that the transaction could raise UK national security issues.
  • The NSI Act does not define national security for the purposes of its transaction screening and notification regimes, nor does it include factors that must be considered when assessing national security risks. To do so could serve to limit the UK government’s ability to protect UK businesses from unforeseen security risks. Instead, factors that the UK Secretary of State will consider when deciding whether to exercise its call-in power are set out in a statutory statement made under section 3 of the NSI Act (the section 3 statement). While the section 3 statement does not aim to define national security, nor does it set out an exhaustive list of circumstances in which UK national security is, or may be, considered to be at risk, it indicates that the call-in power is likely to be used where:
    • an acquisition may present potential for immediate or future harm to national security;
    • an acquisition, or a series of cumulative acquisitions, may lead to disruption, erosion or degradation to critical national infrastructure, or present risks to governmental and defence assets, including risks to related supply chains, or where an acquisition may create a dependency that could lead to a UK national security risk;
    • there are perceived risks to UK capabilities which may undermine UK national security – e.g. where the acquisition could disrupt or erode the UK’s military, intelligence, security or technological capabilities, or enable those with hostile intentions to build defence, intelligence, security or technological capabilities which may present a UK national security threat;
    • an acquisition is within one or more of the 17 high-risk sectors that are subject to the mandatory notification regime, as the activities in which these entities are engaged are more likely to give rise to risks to UK national security.

Assessing risk

When assessing the likelihood of a risk to UK national security being caused by a trigger event, the ISU judges national security based on the following three primary risk factors which are identified in the section 3 statement:

  • The target risk

    This concerns whether the entity or asset being acquired could be used in a way that poses a risk to UK national security. Entities carrying out certain activities within the 17 defined high-risk sectors will potentially be seen as a risk to national security. It is also possible for the acquisition of control over an asset to give rise to national security concerns – e.g. where an asset is key to the activities of an entity in a sensitive sector.

  • The control risk

    This refers to the type and level of control being acquired and whether this is being used, or could be used, in a way that presents a risk to UK national security. It concerns the amount of control that has been, or will be, acquired through a qualifying acquisition which enables a possible hostile to control an entity’s activities or strategy, thereby presenting a threat to national security, and may be of particular concern if it has the potential to allow the possible hostile to exercise control over a critical supply chain or certain sector, or provide access to a sensitive site.

  • The acquirer risk

    This concerns the extent to which the acquirer possesses characteristics that suggest there is, or may be, a risk to UK national security from the acquirer having some control of the target. Acquirer risk involves an examination of the specific investor, which includes an assessment of those in ultimate control of the investor, their track record in acquisitions, their other holdings in the relevant sector and their known associations.

The target risk, control risk and acquirer risk will be considered together to determine whether a UK government intervention is justified, but each risk factor will be different for each transaction and assessed on a transaction-specific basis.

Sensible precautions

The UK government has significant powers to block or impose conditions on relevant transactions. There could be a significant negative impact on transaction timelines due to the requirement to notify relevant transactions before completion. It is recommended that this be built into transaction timelines, with early notification to the ISU being made where required to mitigate against such potential delays.

Contact our business and corporate legal experts for further information or support with investing, acquiring or fundraising.

Read the rest of our Legal Business News | Winter 2025 series here:

Companies House reforms Are EOTs still popular Business leaders beware Sole director companies are your articles appropriate Key considerations for UK businesses with a sponsor licence after ownership change

Contributors

Michael Fox

Director +44 (0)20 4582 1285