← Back to all briefings
Policy 5 min read Published Updated Credibility 91/100

Policy Briefing — UK National Security and Investment Act Passed

The UK National Security and Investment Act received Royal Assent on 29 April 2021, introducing mandatory notifications for 17 sensitive sectors, expansive call-in powers, and rigorous post-completion remedies for acquisitions affecting national security.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: The UK National Security and Investment Act 2021 (NSI Act) received Royal Assent on 29 April 2021, establishing a standalone regime for government scrutiny of investments and acquisitions on national security grounds. The Act created the Investment Security Unit (ISU) within the Department for Business, Energy and Industrial Strategy (BEIS, now the Department for Business and Trade) and grants the Secretary of State power to “call in” transactions for review. A mandatory notification regime covers 17 sensitive sectors, with the Act applying retroactively to qualifying deals completed on or after 12 November 2020. The NSI regime commenced fully on 4 January 2022, but organisations had to prepare governance frameworks immediately upon Royal Assent.

Scope of review

The Act captures a broad range of “trigger events,” including acquisition of control over qualifying entities or assets. Control thresholds include:

  • Crossing shareholdings or voting rights of more than 25%, more than 50%, or 75% or more.
  • Acquiring material influence over policy (similar to UK merger control concepts).
  • Gaining the ability to use or direct the use of a qualifying asset (land, tangible moveable property, or intellectual property).

Qualifying entities include any company, LLP, partnership, unincorporated association, or trust carrying on activities in the UK or supplying goods/services into the UK. There is no minimum turnover threshold, meaning start-ups and foreign investors can be caught.

Mandatory notification sectors

Regulations specify 17 sectors requiring mandatory notification before completing certain acquisitions:

  1. Advanced materials
  2. Advanced robotics
  3. Artificial intelligence
  4. Civil nuclear
  5. Communications
  6. Computing hardware
  7. Critical suppliers to government
  8. Critical suppliers to the emergency services
  9. Cryptographic authentication
  10. Data infrastructure
  11. Defence
  12. Energy
  13. Military and dual-use
  14. Quantum technologies
  15. Satellite and space technologies
  16. Synthetic biology
  17. Transport

The sector definitions are detailed and technical—organisations must map their activities to government guidance, considering revenue streams, R&D projects, and intellectual property portfolios.

Voluntary notification and call-in

Transactions outside the mandatory sectors may still be called in if they could pose national security risks. Parties may submit a voluntary notification to gain certainty. The Secretary of State has five years from completion (or six months from becoming aware) to call in a transaction, reduced to six months when the government has been notified. The Act applies retroactively to deals completed after 12 November 2020, meaning completed transactions can still be called in after Royal Assent.

Review process

  • Notification. Parties submit details via the ISU’s online portal. The ISU assesses completeness within five working days before starting the statutory review.
  • Phase 1 assessment. The government has 30 working days to decide whether to issue a call-in notice. If called in, a detailed national security assessment begins.
  • Phase 2 assessment. A further 30 working days (extendable by 45 working days with consent) to reach a final decision. Remedies can include approving without conditions, imposing behavioural/structural remedies, or blocking/unwinding the transaction.
  • Interim orders. The government can impose interim orders to prevent integration or protect sensitive assets while the review is ongoing.

Sanctions and enforcement

Completing a notifiable acquisition without clearance renders the transaction void and exposes parties to civil and criminal penalties. Civil fines can reach the higher of £10 million or 5% of global turnover. Officers may face imprisonment up to five years. The government can also require divestment or impose conditions after completion for transactions reviewed voluntarily or retrospectively.

Governance implications for investors and companies

  • Deal screening. Implement NSI screening in M&A processes, venture investments, and joint ventures. Maintain a sector classification matrix referencing the detailed guidance and assess whether assets or subsidiaries fall within scope.
  • Transaction documents. Include NSI-related conditions precedent, covenants, and allocation of risk (long-stop dates, termination rights, cooperation obligations). Consider reverse break fees linked to NSI outcomes.
  • Board oversight. Boards should receive briefings on NSI obligations, especially in sectors like AI, quantum, and data infrastructure. Establish escalation pathways for potential trigger events, including licensing deals or asset sales.
  • Portfolio management. Private equity and venture capital investors must monitor portfolio activities (e.g., new IP development) that could change sector classification, triggering future notification requirements.

Interaction with other regimes

The NSI Act operates alongside UK merger control, export control, and procurement rules. Coordinating notifications with the Competition and Markets Authority (CMA) and the Ministry of Defence may be necessary. Internationally, investors should align NSI compliance with regimes such as the U.S. CFIUS, EU FDI Screening Regulation, and Australia’s Foreign Investment Review Board to manage multi-jurisdictional filings.

Preparation timeline

Although the Act’s substantive provisions commenced January 2022, the ISU accepted voluntary notifications from November 2021 and encouraged early engagement. Companies should have created NSI playbooks in 2021 covering transaction screening, document templates, and data collection. Post-commencement, maintain incident response procedures for government information requests and compliance with interim orders.

Action checklist

  1. Establish an NSI screening team spanning legal, corporate development, and security specialists to evaluate trigger events.
  2. Build a register of sensitive technologies, data assets, and suppliers mapped to the 17 sectors.
  3. Update due diligence questionnaires to capture NSI-relevant information (ownership structures, critical data access, government contracts).
  4. Draft template warranties and indemnities addressing NSI compliance and retroactive call-in risks.
  5. Develop communication plans for engaging with the ISU and managing stakeholder expectations during reviews.

Zeph Tech advises UK and international investors on NSI Act compliance, from deal screening to remedy execution and ongoing monitoring of sensitive technology portfolios.

Risk assessment considerations

The Secretary of State assesses risk based on target risk (nature of the entity or asset), control risk (type and level of control acquired), and acquirer risk (track record, ultimate ownership, links to hostile states). Companies should gather information on ownership structures, government contracts, data sensitivity, and supply chain roles to anticipate scrutiny. For example, cloud service providers hosting government workloads or start-ups developing quantum encryption technologies may attract heightened attention even if revenue is limited.

Mitigation agreements may include access restrictions, UK security-cleared personnel requirements, data localisation, and reporting obligations. Boards must plan for ongoing compliance with such remedies, allocating resources for monitoring and audit.

Sector-specific insights

Technology and critical infrastructure sectors face the most frequent call-ins. Semiconductor, AI, and quantum deals often involve intellectual property that could be transferred abroad, triggering national security concerns. Energy transactions involving electricity or gas transmission, or suppliers to critical national infrastructure, require early engagement with the ISU. Defence supply chain acquisitions should cross-reference Ministry of Defence security requirements and export control licences.

Communication and stakeholder management

Public disclosure of call-ins or remedies can affect investor confidence. Companies should prepare messaging for investors, employees, and customers, emphasising compliance and business continuity plans. Coordinate with government relations teams to maintain dialogue with the ISU and relevant departments, providing timely updates on organisational changes post-clearance.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • National Security
  • Investment Screening
  • United Kingdom
Back to curated briefings