Refinements to the proposed UK National Security and Investment regime

In November 2020, the UK published a draft of its new National Security and Investment Bill ("NSIB"), introducing a new regime for reviewing investments on national security grounds. At the same time, the Government issued a consultation covering the 17 sensitive sectors that will be subject to a mandatory notification regime. Other qualifying transactions that have the potential to raise national security concerns will be subject to a voluntary notification and the Government will have the residual ability to “call-in” transactions to undertake a national security assessment. We highlight the key refinements and narrowed scope below.

The Government published its response to the consultation at the beginning of March 2021 and provided welcome clarification to businesses that could be affected by the new regime: National Security and Investment: Sectors in Scope of the Mandatory Regime.  

In particular, the Government has refined and narrowed the scope of the proposed definitions of the 17 specified sectors providing increased certainty and guidance to businesses as to the nature of the new regime. The final scope of the mandatory notification regime will be published in regulations expected to accompany the NSIB once it enters into force. For further information on the initial draft, please see our earlier article on the bill here.

These changes are welcome and whilst companies can seek informal guidance today on the potential application of the new regime to transactions (given the NSIB will apply retrospectively to deals closed after 11 November 2020), the narrowed scope of the regime is helpful to businesses considering whether it may be necessary to notify transactions. Below, we provide more detail on the 17 specified sectors. 

The 17 Sectors and the refinements


Overview of key updates and amendments

Advanced materials
In response to stakeholder comments, some material sectors, for example, engineering and technical polymers and ceramics, have been split into separate categories to make it easier to follow as the original scope was too broad. For example, engineering and technical polymers and ceramics are now called ‘engineering and technical polymers’ and ‘engineering and technical ceramics’

The general definition now clarifies that it captures all materials that are likely to give rise to national security concerns and which are contained in the relevant legislation in the UK Strategic Export Control List.
Advanced robotics
Autonomous robots - The Government has clarified the capabilities and level of sophistication that is of interest and has acknowledged that the principal driver of national security relevance is the capability of a robot to sense its environment and the autonomy to respond to it.

Off-the-shelf advanced robotics and robotics lacking autonomy (power tools, remote-control toys, consumer drones or simply industrial robots) have therefore been excluded.

Robots that only perform pre-set repetitive functions with no sophisticated ability to sense, decide on a new course of action and implement it, are also excluded.
Artificial intelligence

Despite concerns raised in the consultation that the Artificial Intelligence sector should be removed, the Government has decided that the sector should be retained. It is the Government’s view that the opportunity to use AI technologies positively across the UK economy can only be harnessed if sensitive applications of AI are protected from the risk of hostile actors intending to do harm to the UK.

However, in response to concerns that the definition was too broad the Government has restricted the definition of AI to focus on:

  • The identification of objects, people and events;
  • Advanced Robotics; and
  • Cyber Security.
Civil nuclear
There were no major updates apart from a few minor revisions.

The scope of “Communications” caught has been narrowed to only include public electronic communications networks, services, and associated facilities. The definition is divided into 3 sections (public communications, infrastructure critical to public communications and the associated supply chain).

The Government has also set out specific categories of businesses that will also be captured:

  • Providers of submarine cable systems;
  • Providers of Cable landing stations; and
  • Operators of essential services in the digital infrastructure subsector as set out in the Network and Information Systems Regulations 2018 as follows:
    o Top Level Domain Name Registries;
    o Domain Name System Resolver and Authoritative Hosting services; and
    o Internet Exchange Points.

Further clarity has also been provided in the definition covering the telecoms supply chain and which parts are captured (although this is subject to further discussion and whether the supply chain definition should be narrowed further, potentially listing the specific components that should be caught).

Associated facilities will only be caught if they are associated facilities by reference to a public electronic communications network or service.

The Government also proposed to introduce a materiality threshold to exempt acquisitions of smaller companies to minimize the burden on industry (£50m). This Government is also considering applying a threshold to qualifying entities in the supply chain such as vendors and service providers.

Finally, the definition has been revised to include housing and support infrastructures such as data centers. These were deemed critical to security as they allowed access to the network nodes.

Computing hardware

The focus for Computing Hardware remains the prevention of the loss of intellectual property in supply chains to hostile actors. Reference is now therefore made to ‘architectural, logical and physical designs’ and several other terms have been further clarified.

Six sub-terms have also been introduced to explain what a computing processing unit includes:

  • A Central Processing Unit;
  • A field programmable gate array;
  • A microcontroller;
  • A system on a chip;
  • A Graphics processor unit; and
  • A specialist processor for artificial intelligence applications.
Critical suppliers to the Government
The main focus of the revised definition is on the protection of classified material, estates, and the people who work with these materials since their compromise would represent a significant risk to national security.

Several limbs have been removed from the definition where they were covered by other “sensitive” sectors, or where voluntary notification, marketing monitoring or other remedies were deemed sufficient. For example, reference to government property, fuel and energy supplies, and personal identifiable information has been removed.

Subcontractors have also been removed from the scope of the definition as they may not be aware that they are a part of a government supply chain.
Critical suppliers to the emergency services
The Government has indicated that it will work on narrowing the scope of the definition in the future, but only a few amendments have been made at this stage.

These minor updates include providing further clarity by providing definitions for terms such as “operational”, “critical”, and “IT infrastructure” as well as excluding PPE from the scope of the definition.
Cryptographic authentication
The definition has been narrowed to limit the scope to the most critical National Security-relevant entities. Previously, the definition was too broad and covered companies that should not have been in scope such as those that use cryptographic authentication technology for their consumers and commercial devices, software, and services.
Data infrastructure
Data infrastructure is the infrastructure that underpins the modern use on data and provides the ability to store, process and transfer data and therefore the infrastructure must be resilient, secure and trustworthy.

Through this lens the scope of this definition was changed by refining definitions of administrative access, relevant data and data infrastructure, and amending qualifying entities to business activities who yield such access. For example, landowners and leaseholders are omitted as categories of entities captured by the definition.

Entities that have a direct contractual relationship with a critical sector entity to store, process or exchange that critical sector entity’s data are captured and the Government has also narrowed the number of mandatory sectors that are cross-referenced as critical sector entities, from 17 to seven (Civil Nuclear, Communication, Critical Suppliers, Emergency Services, Defence, Energy and Transport).

The definition of the Defence sector was designed to include companies at all tiers, including sub-contractors and entities in the chain of sub-contractors, which produce, research, develop, design, create, or apply goods or services used for defence or national security purposes.

The sector definition states that if one of the two following criteria are met, the mandatory notification requirement applies:

  1. Either the entity is a government contractor or any subcontractor in a chain of sub-contractors which begins with the government contractor; or
  2. The entity has been notified by the Government that they hold, or may come into possession of, classified material.
In the consultation particular concern was raised about the definition of ‘Petroleum Production Projects’ and whether infrastructure needed to be operational or if projects in construction would be included.

The Government updated the definition to clarify what is and is not captured. Retail electricity suppliers are now not in scope of the legislation and reference to ‘supply or ‘supplier’ have been removed.

Thresholds have also been amended for a downstream facility from 20,000 tonnes to 50,000 tonnes.

The Government acknowledges that as the UK works towards its net zero target, new energy technologies and services may need to be included in the definition. The scope will therefore be continuously reviewed and updated to reflect the rapidly developing technologies in this sector.
Military and dual use
This sector covers technologies that design and produce military items and items which could be used for both military and civil purposes. As it stands the mandatory notification requirement would therefore also apply to entities producing for civilian use and entities that are not exporting.

These requirements have been retained as the Government aims to protect against the transfer or loss of capability which has military use, even where that isn’t the development or production focus of the relevant entity.

There were no other major updates to the scope of this definition.
Quantum technologies
The definition has been narrowed by only including entities that develop or produce a specified quantum technology. The definition now therefore excludes entities that solely undertake research in quantum, and those that use quantum technologies to supply a service.

Provisions have also been removed that extend the scope across the supply chain. The Government is considering including a limited list of essential components that are of national security interest.
Satellite and space technologies
Several elements of the original definition have been removed to reduce the scope, such as specialised telecommunications applications, provision of Internet access by satellite infrastructure, space science and exploration activities. Note, however, there may be overlaps with other sensitive sectors for some definitions that have been removed – for example, specialised telecommunications applications may be included in the communications sector.
Synthetic biology
The sector name has been changed from Engineering biology. The definition has also been overhauled to concentrate on synthetic biology.

The Government has recognised that this is a rapidly developing sector and that many of the tolls or enabling technologies are dual-use and difficult for the Government to monitor.
Transport (maritime, aviation and air traffic control)
The provisions cover the Martime (ports and harbours) and Airports and the scope has been slightly revised to only include entities which have the highest potential to give rise to national security risks. In relation to airports, the operator of the airport (with overall responsibility for the management) will be caught and exclude ground handling operations and other operations which carry out some activities but do not have overall control or management of them. On the maritime side, ports are limited to the UK and is designed to capture the 51 major ports and the threshold of 1m tonnes has been maintained to determine a major port.

Latest insights

More Insights