How is the UK National Security and Investment Act shaping up in its second year?
Published on 3rd Apr 2023
Businesses need to understand the NSIA's reach, applicability and filings that are made under its rules
The UK National Security and Investment Act (NSIA) 2021 requires mandatory notification to the Cabinet Office's Investment Security Unit (ISU) of potential transactions in specified sectors that may pose a significant risk to the UK's national security.
The NSIA came into force in January 2022 after its enactment in April 2021, creating a new standalone regime for the government to intervene in a broad range of transactions on national security grounds with substantial implications for the UK M&A landscape.
After more than a year for the legislation to bed in, it is becoming clear that the NSIA is not simply a tool to block Chinese acquirers of sensitive UK assets, as may have originally been thought.
The scope of the NSIA is wide reaching. More deals are being blocked or permitted to proceed only subject to conditions to protect national security than was the case before the NSIA's enactment and best practice relating to the making of notifications is becoming established.
The UK is not alone in legislating to control foreign direct investment (FDI). A number of countries have recently legislated or are in the process of introducing legislation to control FDI on similar lines. There has been a similar precautionary approach taken in these jurisdictions to filings as sectors often have very broad definitions. For example, the FDI regime in Italy applies to "critical technologies".
In the UK, the net for mandatory notifications is wide. There were over 1000 mandatory notifications in 2022, with 95% of these cleared unconditionally at the initial screening phase. The ISU has 30 working days to review an acquisition at this phase, prior to which a company can expect to wait three to four days for formal acceptance to be received.
Only 5% of transactions were subject to in-depth scrutiny and most of these eventually received conditional approval, but the process of achieving conditional approval can take months.
However, five deals were blocked altogether in the UK in 2022, of which four involved companies with Chinese ownership and one a Russian oligarch.
Additionally, 14 deals were approved subject to conditions, and these mostly involved Chinese owners. The conditions imposed were intended to safeguard national security, including requirements for a UK government attendee at board meetings, external monitoring, commitments for intellectual property (IP) to remain in the UK, and obligations to continue to supply specified UK entities such as the Ministry of Defence (MoD) or an emergency service.
The nature of these deals shows that acquisitions by companies from states considered hostile by the UK government may be more likely to face scrutiny than other acquisitions. However, even acquisitions emanating from traditional allies of the UK have been subject to conditions placed upon them under the NSIA where it was felt that these transactions presented a national security risk.
Defence, energy, data infrastructure and artificial intelligence (AI) are among the sectors in the UK with the most ISU notifications and debate and analysis to assess whether a transaction is in scope. These are raising interesting considerations and questions around the application of the NSIA one year on.
Although first thoughts about the defence sector may suggest that it is clearly defined, there are nuances to the definition of this sector that may catch out some businesses.
A qualifying entity under the defence sector can include any subcontractor in a chain of contractors that begins with the MoD and involves the provision of goods or services used for defence or national security purposes.
Additionally, contracts that provide access to defence facilities may give rise to potential national security risks. The obligation to notify even extends to contractors or subcontractors that provide goods or services without clear military applications, such as catering or cleaning.
Another industry that requires careful examination is energy. The acquisition of a company with an electricity generation licence, even if it is not currently generating, may require mandatory notification.
Another aspect that may be unexpected is if the purchaser already owns or controls a capacity of over 1GW across its group or portfolio then this may mean that any acquisition in this sector will require a mandatory notification.
AI transactions are likely to lead to a requirement for mandatory notification in a wide-ranging set of circumstances. This is due to the broad definition of AI within the NSIA.
AI is defined as 'technology enabling the programming of a device or software to … perceive environments through the use of data … interpret data using automated processing … and make recommendations, predictions or decisions with a view to achieving a specific objective.'
These objectives are identification or tracking, advanced robotics or cybersecurity. Examples of AI in this definition include audio and speech recognition, automated-vehicle parking systems, image classification, object detection, object segmentation, and human and object surveillance.
Another broad sector is data infrastructure, which can apply if the target entity being acquired stores, processes or transmits data in a digital form that is used in connection with the administration and operation of certain public sector authorities. The scope of data infrastructure is limited to specified central and devolved government bodies but it is still a very wide concept. These broad sectors have led to mandatory notification in some unexpected cases, including a small telecoms provider with a contract to provide mobile phone and data services to a local police force, and a provider of online training and workshops with access to central government data.
Other examples of unexpected mandatory notifications include a plethora of small companies and start-ups that supply Spaceport Cornwall, and a company that installs heat pumps and has access to secure government buildings to carry out maintenance.
The wide scope of these sectors means that the application of the NSIA should be considered even for transactions that are not obvious candidates for national security scrutiny.
A credible national security risk may be present in situations where the purchaser is owned or controlled by a foreign entity or has connections to a non-ally of the UK. Also it is important to consider the nature of the agreement – does it concern IP in a sensitive sector and/or an asset or property proximate to a defence location or one with defence capabilities.
Notification preparation steps
With the serious consequences of missed filings under the NSIA, a business needs to be well prepared to deal with a notification if needed. There are a number of steps that can be taken to smooth the NSIA process:
- An acquirer should consider the NSIA as early as possible in the transaction process and make a mandatory filing as soon as it appears that one is required. This is to minimise the impact an assessment has on the transaction timeline.
- Deal parties should consider filing pre-exchange provided the headline details of the deal are settled. This may help to shorten the transaction timetable.
- Vendors and their advisers should think about the likely NSIA risks when evaluating potential purchasers and investors on competitive auction processes – a lower bid may be quicker to execute when there is no NSIA notification needed.
- Acquirers should get advice on NSIA FDI equivalents elsewhere if the target entity has non-UK revenues and activities.
- Companies should also consider the NSIA in relation to internal group reorganisations. The NSIA also applies to acquisitions that take place by members of the same corporate group.
- Voluntary notifications can be made by transaction parties for deals outside of the mandatory regime. This reduces the timeframe in which the government can exercise its call-in powers under the NSIA to scrutinise a deal. However, if an acquisition is outside of the mandatory regime, a voluntary notification would be ill-advised unless credible national security risks have been identified. This is due to the unnecessary time and expense of undertaking a voluntary notification.
- Focused and tailored questions should be put to the vendors to help analyse applicability of the act in an effective and streamlined fashion.
- If an omission or error is identified in the notification, parties to the transaction should rectify it as soon as possible. Currently the ISU is being very patient but this may change; consequences of failure to make a mandatory notification where needed are serious, and could lead to the transaction being void.
- Vendors and their advisers should be aware that there may be more than one regulatory process running in parallel. As well as an NSIA assessment, the acquisition could also be subject to a competition assessment by the Competition and Markets Authority, approval by the Financial Conduct Authority or be subject to the Takeover Code. This requires advisers to consider how to structure the timeline of these processes.
Osborne Clarke comment
The scope of the NSIA and the ISU's approach to its application are becoming better understood by advisers and businesses, as more deals are notified and guidance and ISU annual reports produced. However, there is always the possibility that its application may change over time.
Domestically, a new government may – but is unlikely to – change the ISU's approach materially and geopolitical events may result in greater scrutiny of acquisitions by certain actors. Certainly, the Covid-19 pandemic, tensions with China and war in Ukraine expedited the bringing into force of the NSIA in recent years. Technological developments may also result in changes to the specified high-risk sectors under the legislation. In light of these factors, it is important for businesses to continue to monitor developments and discuss the potential impact of the NSIA with their advisers.