The National Security and Investment Act 2021 – what is it and what do you need to do about it?

June 6, 2021

A few weeks ago, the National Security and Investment Bill was enacted in the UK. This follows similar action taken by a number of other G20 countries – prompted by record levels of activity by state-owned entities, concerns about state sponsored espionage, as well as a quickly evolving landscape of national security threats. But what exactly is it? And why should you care?

Put simply, the act aims to manage national security risks associated with international business, including foreign investment. It imposes mandatory reporting of Mergers and Acquisition (M&A) activity in 17 sectors (and encourages voluntary reporting in others) where the Department for Business, Energy and Industrial Strategy (BEIS) might demand “remedies” before allowing foreign investment to take a stake in UK industry, if doing so could endanger UK National Security.  

For lawyers and businesses looking for outside investment or international expansion, this new UK regime needs to be on the radar. It involves a complete overhaul of the UK’s approach to national security assessments. We expect a 5 times increase in the number of transactions being assessed for national security concerns (a number of transactions were not looked at previously when concerns were raised, because they did not meet the criteria). There will be serious consequences (criminal and civil penalties) for completing a qualifying acquisition without clearance. There will also be an impact on deal timetables which may cause frustrations. 

All this is a price worth paying to ensure the future security of the UK. The new dedicated unit within BEIS is welcomed and should result in better coordination across government. The previous regime relied on the knowledge and enthusiasm of a few individuals based in various departments with little central coordination. When individuals moved on, that knowledge was lost. What’s more, previous efforts have not yielded much in the way of results. Historically there were only about a dozen instances of Government interference in M&A on National security grounds, based upon the UK Competition and Market’s Authority’s mergers framework under the Enterprise Act 2002. There have been instances where objections would have been raised but were not covered by the previous act. We were perhaps too light touch compared to others around the world such as France, Germany and USA.  

BEIS predicts there will be approximately 1000 to 1,800 notifications (an increase from no more than 200 in 2018) and 70-95 detailed national security assessments undertaken under both the compulsory and voluntary regimes per year. BEIS can also seek to enquire about a transaction up to 5 years after completion.

What does the Act cover?

The act covers companies that carry on activities in the United Kingdom, or (more broadly) supply goods or services to persons in the United Kingdom. It covers relevant transactions completed on or after 12 November 2020, or transactions that are currently being negotiated.


Under the act a “Qualifying asset” is land, property or ideas. The part that is the most wide ranging is ideas, information or techniques which have industrial, commercial or other economic value covering:

(a) trade secrets,

(b) databases,

(c) source code,

(d) algorithms,

(e) formulae,

(f) designs,

(g) plans, drawings and specifications,

(h) software.

Developments in technology have widened the potential scope of national security concerns over the past few years to include such areas as data and intellectual property. The intention is that these powers will be exclusively for use on national security grounds, and this has been written into the act. 

The government should not be able to use these powers to intervene in business transactions for broader economic reasons -but businesses will have to be alert to the possibility of political interference. There is a chance that EU based companies might (in the future) be considered a national security risk in terms of the control they may have on the UK’s Critical National Infrastructure. There may also be repercussions from the USA taking a harder line with a particular supplier and the downstream implications on the UK (without this act ever being used).

Transactions involving stakes of below 25% do not fall within this regime, but a trigger will be moving from a stake of 25% or less to more than 25%.


The type of industries covered are listed here, but note that many of these involve the sort of advanced technology that is likely to be in more and more demand:

  1. Advanced materials
  2. Advanced Robotics
  3. Artificial intelligence (the identification of objects, people, and events; advanced robotics and cyber security)
  4. Civil nuclear 
  5. Communications (e.g. electronic public communication network or service) 
  6. Computing hardware (preventing the loss of intellectual property within the supply chain to hostile actors)
  7. Critical suppliers to government
  8. Critical suppliers to the emergency services
  9. Cryptographic authentication (including encryption – only products posing a national security risk are captured) 
  10. Data infrastructure (e.g. data centres) 
  11. Defence
  12. Energy (e.g. gas and electricity networks, the oil sector and power generation) 
  13. Military and dual-use technologies 
  14. Quantum technologies
  15. Satellite and space technologies
  16. Synthetic Biology (formerly known as Engineering Biology)
  17. Transport (e.g. air traffic control, major airports, seaports and harbours)

‘Smart Cities’

One area that might be impacted by this new act is that of the ‘Smart City’. The term ‘Smart City’ is used to describe the technology to improve urban infrastructure and services, including energy grids, systems for transport and parking, water treatment, waste management, CCTV, security, and many others. Major cities already well developed with this technology include Manchester, Hull, London, Bristol and Glasgow.

Earlier I referenced USA taking a harder line than the UK. During 2019, an ‘entity list’ was developed by the Bureau of Industry and Security (BIS) of the US Department of Commerce. This was a list of companies effectively banned from doing business with US firms from areas like telecommunications, but also Chinese technology and surveillance companies (video surveillance and facial recognition systems). These companies are all central to China’s smart city ecosystem and have been listed because the US administration considers them as potentially able to conduct cyber-espionage and sabotage, and therefore to pose a security threat. It is likely that the UK, under the new act, will look at these companies in a similar way.

China has made the Smart City part of its national development strategy with the President endorsing it in 2015 and it becoming part of the 13th Five-Year Plan (2016-2020). Chinese central government has driven the development of smart cities within China and urged their technology companies to become global leaders and to reach out to foreign cities in support of global smart city developments. These Chinese companies are likely to be looked at in relation to Smart City projects in the UK.

The Covid-19 crisis accelerated China’s Smart City development. The Chinese government increased the use and testing of integral smart city functions including Artificial Intelligence (AI) surveillance cameras, drones, facial recognition technology, big data collection and analysis, tracking apps, and QR codes linking travel history and medical data. In addition, tracking apps and devices were streamlined and improved. There was an acceleration in the collection and sharing of data from both public and private sources. All of this will sound warning bells in terms of national security when applied to the UK.

Greater levels of global scrutiny may mean that business projects and the intended business partner will be subject to review by governments. 

How to make the process easier 

Whether a buyer, a seller, or considering a collaboration, conducting an early risk assessment to determine if there are national security concerns will lead to more information and a better negotiating position. This will also highlight any challenges to look out for and the kind of legal and security advice needed.

More focussed international regulations on international business means additional checks on investments or engagements with parties that are directly or indirectly state owned, controlled, or influenced. This may also be true for private companies based in authoritarian states where there is minimal distinction between state-owned and private entities. Being well informed about the parties you are doing business with, including all the entities in consortiums, will enable better mitigation of any risks. It also gives a better insight into any additional national security processes required.

Early identification of target countries to do business in will help legal, security, and strategy teams be better prepared to engage with the authorities in that country as well as relevant UK authorities. Most jurisdictions which have national security and investment review frameworks provide foreign investors with the opportunity to obtain formal or informal guidance from the reviewing authority.

The process and timelines for screening investments can vary depending on the country and can be more complex without early engagement. Understanding the process, timelines, and disclosures needed will help ensure commercial decisions are not delayed.

As part of the overall strategy, consider mitigation measures prior to engaging with government. Informal consultation with authorities can also help identify actions required. This will give time to consider commercial options, implications, and even address risks upfront by adapting the terms of the deal.

profile picture of peter yapp

Peter Yapp, Cyber Partner at Schillings Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services.