Skip to main content

National Security And Investment Act 2021

01 September 2023

The National Security and Investment Act 2021 (“NSI Act”) provides the UK government with new powers to scrutinise investments on national security grounds. The regime set out in the NSI Act came into force on 4 January 2022.

In this briefing we provide an overview of the NSI Act and some commentary on its implementation to date.

View our tracker on the Act here.

What is the National Security and Investment Act 2021?

The NSI Act establishes a standalone regime for the scrutiny of, and intervention in, acquisitions and investments in the UK for the purposes of protecting national security. Key features include:

  • mandatory notification of some transactions in 17 specified sectors (see What are the 17 key sectors? below);
  • voluntary notification for certain transactions that may give rise to national security concerns; and
  • call-in powers under which the government’s powers to “call-in” transactions across all sectors of the economy on national security grounds are significantly extended.

The Department for Business, Energy and Industrial Strategy (“BEIS”) published market guidance notes based on notifications received under the NSI Act during the first six months of its operation on 19 July 2022. This market guidance was further updated by the Cabinet Office (following the move of the Investment Security Unit (“ISU”) from BEIS to the Cabinet Office) in April 2023. There are three principal guidance notes relevant to the NSI Act: (i) “Check if you need to tell the government about an acquisition that could harm the UK's national security”,1  (ii) “Details of the 17 types of notifiable acquisitions”,2  and (iii) “Guidance on completing and registering a notification form”.3

Which transactions does the regime in the NSI Act apply to?

The regime applies to specified categories of transaction or investment that involve the acquisition or control over certain “qualifying entities” or “qualifying assets”.

Both domestic UK and foreign entities are caught by the NSI Act. A “qualifying entity” is widely defined as an entity (including a company, LLP, any other body corporate, partnership, unincorporated association or trust) other than an individual. A foreign entity will be a “qualifying entity” if it carries on activities in the UK or supplies goods or services to the UK.

Notably, there are no financial thresholds, nor de minimis exemptions, under the NSI Act.

What is the mandatory notification regime?

The test for the mandatory notification regime is broadly in two parts, there must be: (i) a trigger event; and (ii) the transaction must involve a qualifying entity in one of the 17 high risk sectors identified (see Which transactions are caught by the mandatory notification Regime? and What are the 17 key sectors? below).

From 4 January 2022, buyers of shares or voting rights (exceeding certain thresholds) in an entity in one or more of the 17 high risk sectors identified need to seek prior authorisation from the ISU, before completing the transaction.

As mentioned above, there is no de-minimis exemption applicable to the NSI mandatory notification regime: a transaction that is subject to the mandatory notification regime will need to be notified irrespective of the parties’ combined share of supply or the target’s turnover.

Which transactions are caught by the mandatory notification regime?

The mandatory notification regime (and an associated stand-still) applies to the direct or indirect acquisition of more than 25%, more than 50% or 75% or more of the shares or voting rights in qualifying entities (this includes increases in existing shareholdings), or the acquisition of voting rights that enable or prevent the passing of a company resolution. The target entity must fall within one of the 17 high risk sectors listed below. Whether a target entity will be a qualifying entity will be very fact dependant based on what the target entity does, but it will not involve any subjective assessment about whether there is or is not a threat to national security.

This aspect of the regime only applies to acquisitions of qualifying entities (and not asset acquisitions, which are in scope for the voluntary element of the regime) (see What is the voluntary notification regime? below).

It is unlawful to complete a notifiable acquisition that falls within the mandatory notification regime unless and until it is approved. Failure to notify a transaction renders the transaction void, and civil and criminal penalties may be imposed. This means that transactions which may fall within the mandatory notification regime must be structured so that completion cannot occur until the requisite clearance is obtained.

What are the 17 key sectors?

  • Advanced materials
  • Advanced robotics 
  • Artificial intelligence
  • Civil nuclear
  • Communications
  • Computing hardware
  • Critical suppliers to Government
  • Suppliers to the emergency services
  • Cryptographic authentication
  • Data infrastructure
  • Defence
  • Energy
  • Military and dual-use
  • Quantum technologies
  • Satellite and space technology
  • Synthetic biology
  • Transport4

Greater detail on the 17 sectors can be found in the Cabinet Office’s guidance notes on the subject (see What is the National Security and Investment Act 2021? above)5. The Cabinet Office guidance notes are helpful in describing each sector, but there are not exact legal distinctions between the sectors and there is therefore an inevitable degree of ambiguity around whether an activity falls within one sector or another, or none at all. Based on the notifications made to date and the potential penalties for completing a transaction in breach of the NSI Act (see Are there penalties for non-compliance? below), where there is uncertainty parties may benefit from erring on the side of caution and making a notification.

What is the voluntary notification regime?

In addition, in circumstances where the mandatory notification regime does not apply, parties may notify transactions to the Secretary of State on a voluntary basis and obtain a “call in” decision in relation to a transaction. The voluntary regime is broad and covers acquisitions of shares, voting rights or qualifying assets where there is a perceived risk that the transaction may be “called in” for review (for example, where the acquisition involves a target that is on the periphery of one of the 17 key sectors). In particular, acquisitions of bare assets (such as the transfer of IP) can be caught. A qualifying asset includes: (i) land; (ii) tangible moveable property or (iii) ideas, information or techniques with value (such as trade secrets, source code, algorithms, formulae, designs, plans, drawings and software). Foreign assets may also be qualifying assets if they are used in connection with activities carried on in the UK, or the supply of goods or services to persons in the UK.

Parties to transactions falling outside the mandatory regime should carefully consider the risks of not notifying – the main risk is that the transaction may be “called-in” for detailed scrutiny, and if found to raise national security concerns, could lead to a final order being issued which might impose conditions or remedies on the transaction, or unwind it. In assessing whether to make a voluntary notification, parties to a transaction may find the Section 3 statement of assistance helpful (see What are the “call-in” powers? below).

What are the “call-in” powers?

The Secretary of State has the power to “call-in” any transaction that is within the scope of the regime – irrespective of whether it has been notified; this is only to assess its risk to national security. The “call-in” power can be exercised for up to six months after the Secretary of State becomes aware of the transaction, provided that it is within five years after completion. However, for the mandatory notification regime the five year long-stop period does not apply.

The right to call-in also has retrospective effect, so any relevant transactions entered into between 12 November 2020 and 3 January 2020 may potentially be called-in (even though the formal notification requirements did not exist at that time).

When exercising the “call-in” power, the Secretary of State must have regard to the “Section 3 statement”6  and consider:

  • target risk – the nature and activities of the target;
  • control (trigger event) risk – the type and level of control being acquired and how it could be used; and
  • acquirer risk – the extent to which the acquirer raises national security concerns.

Notably, the Section 3 statement does not give any indication of the substantive factors that the government will consider in assessing whether the target, transaction or acquirer give rise to national security concerns, nor does it define what is meant by “national security”. This is intentional and provides the government with maximum flexibility to protect the UK from national security concerns.

Does the regime apply only to overseas investors?

Notably, the NSI Act does not include the concept of a foreign investor. The focus of the regime is on the activities of the target relevant to national security, meaning that transactions involving UK investors are as likely to be caught as acquisitions by overseas investors from countries considered to be hostile towards the UK.

This country-agnostic approach has been borne out in the “final orders” published to date and this approach was emphasised by the Secretary of State in the recently published NSI Act 2021 Annual Report 2022-237  (the “2022-23 Annual Report”), which states that the NSI Act “applies equally to all acquirers and does not target any particular origin of investment”. The 2022-23 Annual Report also states that, of the final orders made for the relevant period, the most common countries attracting final orders were China, the UK and the US (see What has happened since the NSI Act came into force in January 2022? below).

What is the notification process?

Notification under the NSI Act is dealt with by the ISU. The information to be included in the notification is set out in secondary legislation and detailed guidance8 on the notification process has been published together with the forms to complete the notification9. The ISU can be contacted by emailing

The timetable for processing notifications is: (i) 30 working days to review the notification; and (ii) 30 working days, which may be extended by 45 working days and potentially a further voluntary period, to undertake the national security assessment. This means that the total time for review is up to 105 days (or even longer if a voluntary period is agreed). If an ‘information notice’ or ‘attendance notice’ is issued at any point, the clock stops, and starts running either after compliance with the notice or the deadline given to comply has passed – this is to ensure that the government is not timed out of an investigation by the parties deliberately delaying proceedings.

The 2022-23 Annual Report gives some indication of the average time that the Secretary of State takes to accept or give written reasons to reject a notification. The median time it took to accept a mandatory notification for the past financial year is four working days. This figure rises to 10 working days for mandatory notifications which are rejected. The equivalent timeframes for voluntary notifications are four working days and seven working days, respectively. On average, it took 81 working days to issue a final order and 93% of notifications were cleared within 30 days.

Are there penalties for non-compliance?

As noted above, notifiable acquisitions which complete without approval will be legally void. In addition, there are civil and criminal penalties for completing a notifiable acquisition without approval. The penalties include imprisonment for up to five years, fines of up to £10 million (or, if higher, 5% of worldwide turnover) and disqualification as a director for up to 15 years.

No penalties have been imposed in connection with the NSI Act as of 31 March 2023.

Comparisons to CFIUS

When the NSI Act was introduced, comparisons were drawn to the US Committee on Foreign Investment in the US (“CFIUS”), a regime which has been in place since 1975. Indeed, the CFIUS regime may have influenced the setting of the threshold for mandatory notification under the NSI Act: the threshold had been set at 15% in the NSI Bill but was raised to 25% shortly before the NSI Act received Royal Assent – which it seems was influenced at least in part by the equivalent threshold under CFIUS. CFIUS is a review process applicable to investments in US businesses (and some other assets) to address potential national security concerns.

Generally, CFIUS regime allows for the review of transactions that could result in a change of “control” of a US business or asset by a foreign investor, and which may result in a national security risk. As with the NSI Act, there is a declaration and review process and, if a national security risk is identified, CFIUS may then impose conditions on the transaction to mitigate the risk or suspend or prohibit the transaction altogether. As with the NSI regime, CFIUS also has the power to unwind transactions.

Like the NSI Act, there is mandatory notification requirement under CFIUS where a foreign person gains “control” of a US business which has a nexus to “critical technology”; potentially capturing investments of any size regardless of the percentage of shares or voting interest being acquired. However, unlike the NSI Act (which does not include the concept of foreign investor), where the “foreign person” is a national of Australia, Canada, the UK or New Zealand, they are an “excepted investor”, and a mandatory filing is unnecessary (though a voluntary one may be appropriate).

Outside of the mandatory requirements noted above, notifications under CFIUS are predominantly voluntary. Where parties have a concern that a contemplated transaction may pose national security risks due to the nature of the business, they often choose to notify CFIUS in advance to gain clearance of the transaction and obtain a “safe harbour” letter which, with limited exceptions, prevents CFIUS from reviewing the transaction later. In practice, unless such transactions involve obviously sensitive business sectors or countries which are considered high risk / “bad actor” countries like Russia, the parties undertake a cost benefit analysis to determine whether making a voluntary declaration is a worthwhile exercise.

The key difference between CFIUS and the NSI Act is that CFIUS applies only to foreign direct investments (contrasted with any acquisition or investment if it falls within one of the 17 key sectors). In addition, the concept of what constitutes “control” is more loosely defined under CFIUS, meaning that investments or acquisitions may be captured, irrespective of their size or sector, however, unlike the NSI Act, CFIUS applies only to inbound investments and foreign acquirers.

What has happened since the NSI Act came into force in January 2022?

At the time of writing, the UK government has issued 18 “final orders”11 on whether to prohibit, permit subject to remedies, or unwind a transaction. Of these, the government has cleared eleven transactions subject to remedies, prohibited three transactions and ordered two transactions to be unwound. One final order was revoked, and no further action was taken.

These final orders have largely been the “traditional” sectors of military, dual-use and defence; however, it is clear that that the government has recognised the significance of emerging and advanced technologies (including artificial intelligence, advanced materials, data infrastructure and energy) and is willing to intervene in these transactions to protect UK national security. For example, the field of semi-conductors, which is relevant to the “Computing Hardware” and “Advanced material” sectors, seems to be a growing area of focus.12

The table below summarises the final orders issued as at the date of publication of this article. A recent final order, issued on 8 June 2023, concerned the licencing of an unnamed asset belonging to the University of Southampton to a Canadian company called Voyis Imaging Inc. Given the transaction concerned the acquisition of an asset rather than shares or voting rights, this therefore came under the voluntary notification regime. The UK government’s view was that this posed a national security risk, as access to the asset might result in a military uplift to foreign states. As a result, conditions were imposed such that Voyis Imaging Inc must carry out due diligence on all new customers wanting to purchase the asset and to report to the UK government details of all new customers of the asset on an annual basis.

For transactions that have been cleared, the government has not shied away from adopting measures to address its national security concerns, and in all but one of the decisions the government has ordered some form of control or restriction over access to information.

For transactions that completed between 12 November 2020 and 3 January 2022 before formal notification requirements came into effect, the government has exercised its call-in power to scrutinise such transactions and has so far ordered two transactions to be unwound (the acquisition of Nexperia Newport Limited and the acquisition of Upp Corporation Ltd – see Overview of orders published so far… below). One of the targets operated an expanding full fibre broadband network, with concerns arising in relation to the ultimate beneficial owners. Concerns arose in relation to the other target due to the potential change in scope of its operations: a risk to national security relating to technology and know-how that could result from a potential reintroduction of compound semiconductor activities, plus consequential impact preventing local resources being engaged in future projects relevant to national security.

Recent insights

The first NSI Act annual report13 only covered a three-month period (4 January to 31 March 2022), so the publication of the 2022-23 Annual Report which covers the period from 1 April 2022 to 31 March 2023, provides some welcome information around how the NSI Act has been used in practice. Some key takeaways from the 2022-23 Annual Report include:

  • 866 notifications were received in total (below the estimated range of 1,000-1,830). Of these notifications, 671 were mandatory, 180 were voluntary and 15 were retrospective.
  • The vast majority of notifications (93%) were cleared within 30 working days.
  • Of the 849 notifications accepted or rejected (17 notifications were pending at the time of the report’s publication), the five most common areas applicable for mandatory notifications were: (i) Defence (47%), (ii) Critical Suppliers to Government (22%), (iii) Data Infrastructure (20%), (iv) Artificial Intelligence (16%), and (v) Military and Dual Use (16%). The equivalent list for voluntary notifications is: (i) Advanced Materials (18%), (ii) Defence (17%), (iii) Military and Dual Use (16%), (iv) Energy (16%), and (v) Academic Research And Development In Higher Education (15%). Note that each notification may be associated with more than one area of the economy.
  • 65 call-in notices were issued, 37 of which followed a mandatory notification and 17 of which followed a voluntary notification. 10 call-in notices were issued for non-notified acquisitions.

Overview of orders published so far…

Date Name  Trigger event (shares/asset) Sector Prohibition/conditions
7.8.23 Acquisition of GE Oil & Gas Marine & Industrial UK Ltd and GE Steam Power Ltd by EDF Energy Holdings Ltd via its wholly owned subsidiary, GEAST UK Ltd
Shares: from less than 75% to 75% or more
“critical national security and defence capabilities”

Approved subject to conditions:

  • meet physical and information security requirements
  • implement governance arrangements to protect sensitive information
  • place a HM Government-appointed board observer on the board of GEAST UK Limited and allow the board observer to observe meetings of the boards of GE Oil & Gas Marine & Industrial UK Limited and GE Steam Power Limited
  • establish a steering committee of the GEAST UK Limited board to provide oversight of compliance with security requirements and protection of sensitive information
  • maintain capacity and capability in respect of critical Ministry of Defence programmes in the UK

The final order also includes a provision that, in circumstances where the Final Order is breached in a manner serious enough to jeopardise the fulfilment of critical Ministry of Defence programmes, the Secretary of State has the power to step in and take operational control of and/or takeover the relevant business or part of the business necessary for the fulfilment of those Ministry of Defence programmes.

8.6.23 Acquisition of GE Oil & Gas Marine & Industrial UK Ltd and GE Steam Power Ltd by EDF Energy Holdings Ltd via its wholly owned subsidiary, GEAST UK Ltd
Shares: from less than 75% to 75% or more
Defencce Approved subject to conditions which require Voyis Imaging Inc. to carry out due diligence checks on all new customers wanting to purchase the asset and to report to HM Government details of all new customers of the asset on an annual basis.
22.2.23 Acquisition of David Brown Santasalo SARL by Stellex Capital Management LLC via its subsidiary Gear Bidco SARL
Shares: from less than 75% to 75% or more
Defence Production capability not to be reduced or relocated outside UK, to ensure continuity of supply to critical MoD programmes.
19.12.22 Acquisition of Upp Corporation Ltd by L1T FM Holdings UK Ltd 100% stake, purchased 21 January 2021 "full fibre broadband network"  

Retroactive prohibition:

  • 100% stake to be sold within a specified period following a specified process
  • Target to complete security audit prior to sale
19.12.22 Acquisition of HiLight Research limited by SiLight (Shanghai) Semiconductors Limited 100% shareholding "technological capabilities" Acquisition prohibited.
6.12.22 Acquisition of XRE Alpha Limited by China Power International Holdings Limited 90% shareholding in HK-based parent Energy (UK electricity asset and UK national grid) Approved subject to conditions:
  • Restrict the management of power offtake and ancillary service provision to National Grid to operators approved by HMG
  • Restrict the sharing of information by the operator of the site with the Acquirer outside of an inclusive list of permitted information
5.12.22 Acquisition of the assets and subsidiaries of Truphone Limited by TP Global Operations Limited Assets and subsidiaries, no previous control of any of the assets "UK mobile service" and "UK user data" Approved subject to conditions:
  • Appointment of a Chief Information Security Officer approved by the Secretary of State
  • Put in place telecoms information security measures and security audit to be carried out by an HMG approved auditor.
16.11.22 Acquisition of Nexperia Newport Limited (formerly Newport Wafer Fab) by Nexperia BV Shares: acquisition on 5 July 2021 of additional 86% taking "Technology and knowhow" (compound semiconductor activities) Retroactive prohibition: requirement to sell at least 86% acquired within a specified time period and by following a specified process
    shareholding to 100%    
10.10.22 Acquisition of Ligeance Aerospace Technology Co. Ltd by Sichuan Development Holding Co. Ltd Acquisition (detail unspecified) (Security of UK aerospace) Approved subject to five conditions concerning information sharing, security measures, board appointments, board appointment of HM Government observer, notification of asset transfers.
29.9.22 Acquisition of CPI Intermediate Holdings, Inc by Iceman Acquisition Corporation Entire share capital (Critical national infrastructure – atomic clocks) Approved subject to one condition: operations to remain UK-based.
29.9.22 Acquisition of Electricity North West Limited by Redrock Investment Limited Indirect acquisition of 35% interest in qualifying entity Energy Approved subject to conditions: restrict sharing of information from target to acquirer; restrict acquirer influence over appointment of some staff members of target.

20.12.22: final order revoked as acquirer decided not to proceed with the acquisition.
15.9.22 Acquisition of Connect Topco Limited by Viasat, Inc. Shares: from less than 75% to 75% or more Satellite and space technologies Approved subject to two conditions: controls preventing unauthorised access to information; continuation of provision of strategic capabilities to government.
14.9.22 Acquisition of the Stonehill project asset development rights by Stonehill Energy Storage Ltd Entirety of development rights for the Stonehill project Energy Approved subject to two conditions: HMG to approve power offtake operator (“POO”), restriction on POO sharing information with acquirer.
2.9.22 Acquisition of shares in Reaction Engines Limited by Tawazun Strategic Development Fund LLC Shares Military and dual-use Allowed subject to conditions.
17.8.22 Acquisition of Pulsic Ltd by Super Orange HK Holding Ltd Entire share capital Military and dual-use Acquisition prohibited. 
20.7.22 Acquisition of know-how related to SCAMP-5 and SCAMP-7 vision sensing technology by Beijing Infinite Vision Technology Company Ltd Grant of licence of IP relating to vision sensing technology Military and dual-use Acquisition of IP prohibited.
14.7.22 Acquisition of Sepura Ltd by Epiris LLP Shares and voting rights: from less than 75% to 75% or more Supplier to emergency services Conditions: preventing unauthorised access to sensitive information and technology; facilitating audit of compliance with security measures.




4 The National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021 contain detailed definitions of the businesses and activities that fall within scope of the mandatory notification regime.


6 For details, see:

7 See the 2022-23 Annual Report here:

8 Guidance is available here:


10 Following the move of the ISU from BEIS to the Cabinet Office, this email address may change.

11 For details of all the decisions, see

12 See the UK government’s policy paper on the National semiconductor strategy, which references plans to use the NSI Act in connection with its strategy.

13 See the initial annual NSI report for the period 4 January to 31 March 2022 here:

Related items

Back To Top