The National Security and Investment Act (the Act) is the UK's statutory regime giving powers to the Government to scrutinise and intervene in business transactions to protect national security. Responsibility for national security lies with the Cabinet Office and a dedicated Investment Security Unit (ISU) is responsible for assessing transactions that fall within the Act's scope. The analysis carried out by this body is separate from any merger control analysis undertaken by the Competition and Markets Authority (CMA) to assess the impact on competition. The Act provides for a hybrid notification system: mandatory notification obligations that will attach to certain transactions in specified sectors; and voluntary notifications available for other transactions that otherwise might be capable of being "called in" by the Secretary of State where the Government reasonably suspects that the transaction is a qualifying acquisition that has given rise to, or may give rise to, a risk to national security. The Act's "call-in" mechanism enables the Government to review a transaction at any time while the transaction is in progress or contemplation, or within six months of the Secretary of State becoming aware of a completed transaction (for up to five years post-completion). The five-year limit does not apply where there has been a failure to notify a transaction required to be notified under the mandatory regime. Scope of the regime For transactions to come within either the Act's mandatory or voluntary notification regimes, a "trigger event" must take place. Each trigger event involves a person acquiring control over either a "qualifying entity" or a "qualifying asset". "Qualifying entity" is broadly defined, and the Act therefore applies to a wide range of entities (whether or not having legal personality), including not just companies and LLPs but also UK partnerships, unincorporated associations and trusts. Entities formed or recognised outside the UK are capable of constituting a qualifying entity if they carry on activities in the UK, or supply goods or services to persons in the UK. A person will acquire control over a qualifying entity where the person acquires a right or interest which: reaches or crosses certain thresholds (25%; 50%; and 75% of votes or shares) in an entity; is a voting right that enables the person to secure or prevent the passage of any class of resolution governing the affairs of the entity; or enables the person to materially influence the policy of the entity. The Act treats reorganisations in the same way as other transactions and expressly captures situations where, for example, an ultimate parent company holds an interest indirectly through a wholly-owned subsidiary and decides to transfer the interest to itself so that it is held directly. The Cabinet Office indicated in April 2024 that it intended to undertake an assessment to understand whether making targeted exemptions from notification for certain internal reorganisations. "Qualifying assets" comprise land; tangible moveable property; and ideas, information or techniques which have industrial, commercial or other economic value, and which are used in connection with either activities carried on the UK, or the supply of goods or services to persons in the UK. Land or moveable property located outside the UK will be a qualifying asset if it is used in connection with activities carried on in the UK, or the supply of goods or services to persons in the UK. A trigger event will occur in relation to a qualifying asset where there is an acquisition of a right or interest in (or in relation to) an asset which gives the acquirer the ability to use the asset (or use it to a greater extent) or to direct or control how the asset is used (or direct or control how the asset is used to a greater extent than prior to the acquisition). Mandatory and voluntary notifications The Act's mandatory notification regime obliges proposed acquirers of shares or voting rights (exceeding the thresholds described above) in qualifying entities undertaking specified activities in the UK in certain high-risk sectors of the economy to obtain approval from the Secretary of State before the acquisition is completed. A mandatorily notifiable transaction that is completed without being approved by the Secretary of State will be void and of no legal effect, although the Act does include a mechanism enabling the Secretary of State retrospectively to validate non-approved notifiable transactions in certain circumstances. Where the proposed transaction does not fall within the mandatory notification regime, parties are encouraged to notify a "trigger event" voluntarily where they consider that it may raise national security concerns. When assessing whether a voluntary notification should be made, the parties to a transaction will need to refer to the "Section 3 Statement" (discussed further below), which sets out how the Secretary of State expects to exercise the call-in power under the Act. If a voluntary notification is not made, the relevant trigger event can still be implemented, but the Secretary of State will have the power to call in a non-notified trigger event within six months of becoming aware of it, provided this takes place within five years of the trigger event. High risk sectors The sectors that are relevant to the mandatory notification regime are: Advanced materials Advanced robotics Artificial intelligence civil nuclear Communications Computing hardware Critical suppliers to the government Cryptographic authentication Data infrastructure Defence Energy Military and dual-use Quantum technologies Satellite and space technologies Suppliers to the emergency services Synthetic biology Transport The definitions of the relevant sectors, and the particular activities within them, that are caught by the mandatory notification regime are specified in secondary legislation, with Government guidance available to help businesses and investors determine whether an entity being acquired falls within the mandatory notification regime. Participants in M&A or investment transactions will need to consider carefully the definitions of the activities within the mandatory notification regime's 17 sectors in the context of their transaction. In relation to tech transactions, for example, a number of the sectors could be potentially relevant. It is important to bear in mind, however, that although the sectors are wide ranging, only specific types of activity within each sector are caught. These definitions are likely to evolve over time to respond to new security threats – for example, the April 2024 outcome of the Cabinet Office's call for evidence stated that a formal consultation would be launched on updating the definitions. Taking the example of the Artificial Intelligence sector, "artificial intelligence" (AI) is defined as technology enabling the programming or training of a device or software to: (a) perceive environments through the use of data; (b) interpret data using automated processing designed to approximate cognitive abilities; and (c) make recommendations, predictions or decisions, with a view to achieving a specific objective. Mandatory notification will only be triggered, however, where an entity either carries on research into AI or develops or produces goods, software or technology that use AI for one or more specified purposes. The purposes are: (a) the identification or tracking of objects, people or events; (b) advanced robotics; and (c) cyber security. The Government guidance notes that the AI sector definition will capture entities that do not necessarily identify as "AI companies". Whether an entity is focused solely on AI, or incorporates or develops AI as part of a wider approach to their sector or business, it is the specific work that is being undertaken that is most important to consider. The outcome of the Cabinet Office's call for evidence indicated that it is possible that the scope of the AI sector definition will be refined to remote activities that do not present national security risks, and to include other activities not currently in scope, such as generative AI. The definition of "Advanced robotics" was also refined by the Government in response to comments that the definition should be narrowed in scope to only include companies developing the most advanced robotics. The definition now makes clear that autonomy is one of the core features of advanced security relevant to national security. The "characteristic of autonomy" is defined in the regulations by reference to the capability of the robotics of performing actions either independent of human control, or independent of human control but complemented by manual control, pre-programmed operations or control or control derived from other robotics or software control systems. The Government guidance gives examples of robotics that are within and outside the scope of the definition. For example, a mobile fruit picking robot equipped with AI, sensors and a new form of dextrous soft gripper, whose AI and sensors enable it to demonstrate a meaningful degree of autonomy, would be within scope. On the other hand, robotics that are widely available consumer goods such as robotic toys and smart appliances, or consumers of advanced robotics who purchase "complete systems" or standalone devices or equipment and use them as they are intended (for example, to perform their farming, surveying or logistics operations) are outside the scope of the definition. What is "national security" and when are transactions likely to be called in? The Act does not define national security for the purposes of the notification regimes or the Government's call-in power. The factors that the Secretary of State will take into account when deciding whether to exercise the call-in power are set out in a statutory statement known as the "Section 3 Statement", an updated version of which was published in May 2024 following a Government consultation. The Section 3 Statement is intended to assist entities and their advisers in understanding whether the acquisition is likely to be called in and to help them plan accordingly. While the Section 3 Statement does not define "national security", it does confirm that the call-in power is likely to be used where there may be a potential for immediate or future harm to UK national security. This includes risks to governmental and defence assets, such as "disruption or erosion of military advantage; the potential impact of a qualifying acquisition on the security of the UK’s critical infrastructure; and the need to prevent actors with hostile intentions towards the UK building defence or technological capabilities which may present a national security threat to the UK." The Section 3 Statement identifies three primary risk factors that the Secretary of State will consider when assessing the likelihood of a risk to national security being caused by a trigger event. These are the target risk, the control risk and the acquirer risk. Target risk – this refers to whether the entity or asset could be used in a way that raises a national security risk. The way in which the target is used or may be used is most likely to pose a threat to national security where the trigger event involves the acquisition of a qualifying entity that is active in any of the 17 areas of the economy that are within the scope of the mandatory regime (or which are closely linked to one of those sectors). Control risk – this refers to the amount of control that the acquirer gains either of an entity's operational business or future strategy, or over an asset, which includes controlling or directing the asset's use, as well as using it. A large amount of control may increase the possibility of a target being used to harm national security. Acquirer risk – this is the extent to which the acquirer possesses characteristics that suggest that there may be a risk to national security from the acquirer having control. When assessing the level of risk the acquirer may pose, the acquirer's sectors of activity and technological capabilities are likely to be considered, along with any links to entities which may seek to undermine or threaten the UK's national security. The Secretary of State does not regard state-owned entities, sovereign wealth funds or other entities affiliated with foreign states, as being inherently more likely to pose a national security risk. The statement confirms that the Secretary of State expects that, when calling in an acquisition, all three risk factors will be present, but does not rule out calling in an acquisition on the basis of fewer risk factors. Trigger events will be assessed on a case-by-case basis, having regard to the three risk factors. The Section 3 Statement makes clear that acquisitions within the 17 areas of the economy that are subject to mandatory notification (or which are closely linked to one of those sectors) are more likely to be called in for scrutiny. The Statement also indicates that the Secretary of State expects to call in asset acquisitions rarely compared to acquisitions of entities. Process and potential outcomes The Act provides that where a proactive notification is made (either mandatory or voluntary), the Government has 30 working days to issue a "call-in" notice. Where a "call-in" notice is issued (including for non-notified transactions), the Government will have 30 working days to assess the transaction, which is extendable by an additional 45 working days if the Government reasonably believes that the investment poses a risk to national security. Beyond 75 working days, an additional period may be agreed upon between the Government and the acquirer. Detailed assessments will take full account of the range of security risks of investment into the UK. The Government expects only a small proportion of such assessments will result in Government intervention being required. Impact on transaction documents If an acquisition is subject to mandatory notification, the share purchase agreement will need to reflect the fact that the acquisition cannot be completed until the transaction has been authorised by the Secretary of State. From a deal certainty perspective, it may also be appropriate to include conditions in cases either where mandatory notification is not required but the parties determine that a voluntary notification should be made or where neither a mandatory or voluntary notification will be made. In the latter case, completion might be conditional, for example, on no call-in notice having been issued before completion. Any conditions will need to be tailored carefully to the circumstances of the transaction and to make sure that the share purchase agreement reflects the outcomes that are acceptable to the parties. Remedies and sanctions Following a national security assessment, the Government could decide to approve the transaction, approve the transaction subject to conditions, or prohibit the transaction (or order the transaction to be unwound if already implemented). Possible conditions include altering the number of shares an investor is allowed to acquire, restricting access to commercial information, or controlling access to certain operational sites or works. The Government expects to impose conditions, or unwind or block transactions rarely and that the vast majority of deals will be able to proceed without delay. There are sanctions for non-compliance with the regime, which includes fines of up to 5% of worldwide turnover or £10 million – whichever is greater – and imprisonment of up to five years. These serious sanctions are intended to ensure compliance with the new regime and to avoid buyers/investors "taking a view" on the risk of not making a filing. The Government's approach to imposing sanctions on parties in breach will undoubtedly influence the degree of compliance and if large fines are imposed this will send a clear message to the business and investor community. Interplay with other regulatory requirements As mentioned above, the analysis carried out by the ISU under the Act is separate from any merger control analysis undertaken by the CMA to assess the impact on competition. The new national security regime sits alongside other existing regulatory requirements and does not change the requirements that already apply. These include, for example, the UK Takeover Code, which is administered by the Takeover Panel and applies to publicly traded companies and certain other public and private companies. The Code provides a framework to allow acquirers awaiting a decision under the Act to suspend or pause the offer timetable prescribed by the Code. The Act is also not intended to prevent persons complying with any statutory obligations imposed on them by the Financial Conduct Authority or the Prudential Regulation Authority. As the Government's guidance acknowledges, there may be acquisitions that require consideration by multiple bodies and interactions with other regulators may need to be managed as appropriate. For example, acquisitions involving communications will often require the consent of Ofcom under the Communications Act (in addition to a filing under the Act).