Compliance Briefing — January 4, 2022
The UK National Security and Investment Act commenced on 4 January 2022, requiring deal teams to hardwire mandatory notification controls, board escalation paths, and supplier diligence across 17 sensitive sectors.
Executive briefing: The UK National Security and Investment Act 2021 (NSIA) came into force on 4 January 2022, transforming how acquirers, investors, and suppliers approach UK transactions. The Act grants the UK government “call-in” powers over acquisitions of control and requires mandatory notification for deals within 17 sensitive sectors ranging from advanced materials to satellite communications. The Investment Security Unit (ISU) within the Department for Business and Trade (formerly BEIS) now vets transactions, with serious criminal and civil penalties for closing without approval. Boards must embed NSIA compliance into M&A governance, minority investment strategies, supply chain reviews, and joint venture planning.
Regulatory scope and triggers
The NSIA applies to qualifying acquisitions of entities and assets where the target has UK nexus. Mandatory notification captures transactions granting acquirers more than 25%, 50%, or 75% of votes or shares—or material influence—in specified sectors. Voluntary notifications are encouraged for deals outside mandatory sectors but presenting potential national security concerns. The government can “call in” transactions up to five years post-completion (or six months after becoming aware) and impose remedies, including conditions on information access, governance, or even unwinding deals.
Sector definitions for mandatory notifications are set out in The National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021, with accompanying guidance clarifying technical boundaries. Parties must assess whether targets conduct relevant activities within the UK, even if headquartered abroad. Asset acquisitions, including intellectual property and land, fall within scope when connected to sensitive use cases. The regime applies equally to domestic and foreign investors, and there is no financial threshold for notification.
Operational priorities for deal teams
Corporate development, legal, and compliance functions need disciplined processes to manage NSIA obligations:
- Screening workflow. Implement intake questionnaires covering sector classification, UK nexus, ownership thresholds, and supply chain exposure. Integrate NSIA checks into M&A playbooks, venture investment reviews, and partnership approvals. Maintain documented analyses supporting decisions on whether to notify.
- Timeline management. Mandatory notifications trigger a 30 working-day review period, extendable by an additional 45 working days, and further by agreement. Deal timetables must include NSIA milestones, with contingencies for potential “call-in” reviews. Ensure purchase agreements contain conditions precedent addressing NSIA clearance and allocate risk for governmental remedies.
- Information governance. Prepare secure data rooms tailored to ISU information requests, including ownership structures, technical descriptions, security controls, and customer profiles. Design protocols for sharing classified or export-controlled data with government reviewers while safeguarding intellectual property.
- Recordkeeping. Retain NSIA assessments, filings, correspondence, and clearance notices for at least five years to evidence compliance and support future transactions involving the same assets.
Operational leaders should coordinate NSIA compliance with export controls, the UK’s Official Secrets Act, and sectoral licensing regimes (e.g., defence, energy). For group restructurings, ensure internal transfers of shares or intellectual property also undergo NSIA review when necessary.
Governance moves for boards and investors
Boards must treat NSIA risk as a core governance issue, particularly for companies pursuing growth through acquisitions or capital raises:
- Board education. Provide directors with sector-specific briefings on NSIA triggers, including case studies from published final orders. Incorporate NSIA into annual strategy sessions, highlighting how the regime affects corporate development and venture investment pipelines.
- Delegated authorities. Update delegated authority matrices so that any transaction involving sensitive sectors or foreign investors requires legal review and board sign-off before signing. Establish escalation protocols for potential call-ins.
- Risk appetite. Integrate NSIA considerations into risk appetite statements. Boards may set thresholds for acceptable review timelines, remedy obligations, or divestment risks, ensuring that management escalates transactions exceeding limits.
- Transparency. Document board deliberations on NSIA exposures in meeting minutes and risk reports, demonstrating oversight to regulators and shareholders.
Private equity sponsors and venture capital funds should train investment committees on NSIA due diligence. Limited partners may require assurance that fund managers can navigate NSIA reviews without jeopardising exit timelines.
Supplier and ecosystem impacts
NSIA compliance extends beyond direct acquisitions. Companies must evaluate supply chain relationships and technology collaborations that could draw scrutiny:
- Supplier onboarding. Procurement teams should incorporate NSIA screening into third-party due diligence, especially when suppliers gain access to sensitive technology or infrastructure. Contract clauses can obligate suppliers to inform the company of ownership changes that might trigger NSIA reviews.
- Joint ventures and partnerships. Technology sharing arrangements or joint ventures involving foreign investors may constitute qualifying acquisitions if they confer material influence. Legal teams should structure agreements to mitigate NSIA risk, such as limiting control rights or allocating decision-making power.
- Licensing and IP transfers. Granting exclusive licences over critical intellectual property or know-how may be considered asset acquisitions. Document assessments and consider voluntary notifications where national security value is high.
Companies providing managed services to government or critical national infrastructure should establish NSIA compliance clauses in master services agreements, ensuring clients are aware of potential call-in risks when subcontracting or transferring assets.
Sourcing strategy and advisory support
Given the complexity of NSIA analysis, organisations often require specialised advisors:
- Legal counsel. Engage UK counsel experienced in NSIA filings to interpret sector definitions, prepare notification forms, and liaise with the ISU. Firms should offer rapid response capabilities for deal-critical timelines.
- Technical experts. In sectors like quantum technologies or advanced materials, engage subject-matter experts to articulate the technology’s national security relevance and propose mitigations. Their input can expedite ISU understanding and reduce follow-up questions.
- Risk intelligence providers. Use geopolitical risk services to monitor investor backgrounds, sanctions exposure, and links to state actors that could heighten scrutiny.
- Transaction insurance. Consider representation and warranty insurance endorsements or bespoke NSIA risk coverage to offset financial losses from delayed or blocked transactions.
Procurement teams should formalise service-level agreements with advisors, including response times for ISU information requests and obligations to support remedial negotiations, such as security clearances or board observer limitations.
Operational controls post-clearance
When the government clears deals with conditions, organisations must enforce ongoing obligations:
- Monitoring trustees. Some remedies appoint monitoring trustees to oversee compliance with behavioural commitments. Companies must facilitate access to facilities, provide periodic reports, and integrate trustee feedback into governance processes.
- Information barriers. Implement technical and organisational controls to restrict access to sensitive data for investors subject to national security concerns. This may include segregated IT environments, encryption, and auditing of data access logs.
- Board composition. Conditions may limit board seats or voting rights for certain investors. Corporate secretaries should update governance documents, track compliance, and prepare attestations for the ISU.
Failure to comply with final orders can result in penalties or forced divestments, making post-clearance governance just as critical as initial notification.
Metrics and reporting
Establish dashboards to monitor NSIA compliance:
- Number of transactions screened and categorised by sector.
- Volume of mandatory, voluntary, and exempt deals, with associated review timelines.
- Outstanding remedial obligations and status of compliance actions.
- Supplier ownership changes triggering reassessments.
- Training completion rates for deal teams and procurement staff.
Reporting should flow to executive committees and boards quarterly, with ad hoc updates for call-in notices or significant policy changes, such as updated sector guidance or changes to filing forms.
Forward look
The government publishes annual NSIA statistics and, when possible, redacted final orders providing insight into enforcement priorities. Early data from 2022 shows a concentration of call-ins in defence, military and dual-use, and critical suppliers to government. Organisations should monitor ongoing consultations, including proposed updates to the sector definitions and ISU service standards. Coordination with allied screening regimes—such as the U.S. Committee on Foreign Investment (CFIUS) and the EU Foreign Direct Investment (FDI) framework—will influence expectations for information sharing and remedial consistency. Proactive governance and sourcing strategies help companies maintain deal certainty in an era of heightened national security scrutiny.
Key resources
- UK Government: National Security and Investment Act Guidance
- Specification of Qualifying Entities Regulations 2021
- National Security and Investment Act Statistics
Zeph Tech supports UK deal teams with NSIA screening workflows, intelligence integrations, and governance dashboards that keep transactions on track.