The UK National Security and Investment Act 2021 (NSI Act) created a stand‑alone UK screening regime for acquisitions of control over entities and assets that may pose a national security risk. It applies irrespective of deal value or the acquirer's nationality.

We have previously written about the NSI Act's operative provisions and about foreign direct investment (FDI) regimes, as well as keeping abreast of updates (see here and here).

The NSI Act has now become a standard consideration for deal lawyers advising on UK transactions. The UK government is prepared to intervene significantly in transactions if it considers that they pose a risk to national security, and this trend looks likely to continue. In addition, because the NSI Act applies to transactions involving technology and artificial intelligence (AI), given the key importance of both those sectors to the UK economy, it will continue to be a relevant, significant consideration for deals for the foreseeable future. Therefore, in this article, we summarise the key aspects of the NSI Act, including the mandatory notification regime, the UK government’s call-in powers and some practical points for parties to consider.

What does the NSI Act cover?

The NSI Act applies to transactions involving the acquisition of a specified level of control over "qualifying entities" or "qualifying assets." Qualifying entities include any entity other than an individual; qualifying assets include land, tangible moveable property and intangible assets like ideas, information or techniques with economic value that are used in connection with activities or supplies in the United Kingdom (collectively, Qualifying Targets). Its ambit can extend to entities and assets located outside the United Kingdom, provided there is a sufficient UK nexus. Notably, the NSI Act does not impose any thresholds based on turnover, market share or deal value, and UK investors are not exempt.

Core features of the NSI Act

  • Decision maker and scope. The NSI Act applies across the United Kingdom, with most provisions in force from 4 January 2022, and a call‑in power that captures qualifying acquisitions completed on or after 12 November 2020. While the NSI Act does not define "national security," the factors guiding call‑in are set out in the statutory Section 3 statement (updated May 2024). The regime is administered by the Investment Security Unit (ISU) in the Cabinet Office, with decisions taken by the Chancellor of the Duchy of Lancaster (the Secretary of State in the Cabinet Office).
  • Trigger events (control thresholds). The NSI Act captures a range of transactions (Trigger Events) that involve acquiring control over qualifying entities or assets. These include:
    • shareholdings and voting rights crossing specified thresholds;
    • rights enabling or preventing the passage of resolutions;
    • acquisitions of "material influence" over a qualifying entity's policy; and
    • rights in qualifying assets enabling use of, or control over, the asset.
  • Mandatory notification. Acquisitions of control over qualifying entities that carry on activities in any of the specified sensitive sectors must be notified and cleared pre‑completion. The sectors in scope include: advanced materials; advanced robotics; artificial intelligence; civil nuclear; communications; computing hardware; critical suppliers to government; critical suppliers to the emergency services; cryptographic authentication; data infrastructure; defence; energy; military and dual‑use; quantum technologies; satellite and space; synthetic biology; and transport. A mandatorily notifiable acquisition completed without approval will be void. In addition, significant sanctions may apply, including fines of up to the greater of £10 million or 5 percent of global turnover, and potential imprisonment for individuals involved.
  • Voluntary notification. If a transaction is not subject to mandatory notification but nonetheless may present national security concerns, submitting a voluntary notice can offer greater transactional certainty and protect the parties from the risk of a later call-in. Unlike mandatory cases, voluntary notices can be filed pre‑ or post‑completion.
  • Call-in power. For acquisitions that are not notified, the Secretary of State has the power to call in the transaction for review within six months of becoming aware of it, and up to five years after completion. However, this five-year limit does not apply in cases where a mandatory notification was required but not made. The Secretary of State may “call in” any in‑scope acquisition (notified or not) for national security assessment if there is a reasonable suspicion of a national security risk. The call-in power applies to deals completed since 12 November 2020. In the year 1 April 2024 to 31 March 2025, under the NSI Act, 56 deals were called-in for full review, of which 49 were for notified acquisitions – an increase on the previous year.
  • Remedies and sanctions. The Secretary of State may impose conditions, prohibit or unwind transactions, and levy civil/criminal penalties for noncompliance.

Notifying in‑scope transactions

Notification process and initial screening

The ISU can discuss scope and process on a non‑binding basis and can provide guidance on whether a particular acquisition is notifiable in cases of genuine uncertainty.

Notices are submitted via the NSI electronic portal and must be in the prescribed form. A representative, such as a law firm, may submit on behalf of the notifying party.

Once a notice is submitted, acceptance by the ISU typically takes about a week – recently, the median has been seven working days for mandatory notifications and eight for voluntary notifications. After acceptance, the Secretary of State has 30 working days to either clear the transaction or call it in for further review. Importantly, the issuance of information or attendance notices during the screening period does not pause the 30-day review timeline.

A flowchart to assess whether a transaction is notifiable appears at the end of this article.

Retrospective validation of void notifiable acquisitions

If a mandatory filing was missed and the deal completed, the Secretary of State must either call in the acquisition or issue a validation notice within six months of becoming aware. Affected parties can also apply for a validation notice. If granted, the acquisition is treated as approved and ceases to be void.

Call‑in power and how risk is assessed

Call‑in notices and time limits

The Secretary of State has the authority to call in a qualifying acquisition that is in progress, under contemplation or completed, provided this occurs within the relevant statutory time limits.

For acquisitions completed before the main commencement of the regime, specifically between 12 November 2020 and 3 January 2022, the Secretary of State may still exercise the call-in power, subject to specific timing rules and exceptions where intervention under the Enterprise Act has already taken place.

For transactions that have been notified, the decision to call in must be made within 30 working days of the notice being accepted. For non-notified transactions, the general rule is that the Secretary of State may call in the deal within six months of becoming aware of it, and up to five years after completion.

Section 3 statement: risk factors

The following are considered risk factors under the Section 3 statement:

  • Target risk. What the entity or asset does, is used for or could be used for; proximity to sensitive sites; and critical supply relationships. Deals within or closely linked to the mandatory sectors are more likely to be called in.
  • Control risk. The type and degree of control acquired (including cumulative and financing‑related control), and whether that could be used to harm national security.
  • Acquirer risk. Characteristics such as past behaviour, sectoral capabilities, cumulative holdings, ties or obligations to hostile states or organisations, and sanctions exposure. UK origin does not confer immunity; state‑owned/sovereign investors are not inherently riskier, but ties to hostile actors are relevant.
  • Assets and land. Asset call‑ins are more likely when connected to mandatory‑sector activities or where land is, or is proximate to, sensitive sites. Export controls and ECJU licensing are considered.
  • Extraterritorial scope. Non‑UK entities/assets may be called in where there is a UK nexus, including outward direct investments transferring sensitive technology/intellectual property (IP) to non‑UK entities.

National security assessment following call‑in

Timelines and procedure

Once a transaction is called in, the Secretary of State has an initial assessment period of 30 working days, which can be extended by an additional 45 working days if the Secretary of State determines that such extension is needed. If a national security risk is identified and additional time is required to develop appropriate remedies, the parties may agree to a further voluntary extension.

During the assessment period, the timeline may be paused if the Secretary of State issues information or attendance notices. The assessment clock will only resume once the requested information is provided or the notice expires.

Interim orders and information powers

The Secretary of State has the power to issue interim orders during the assessment process. These orders can prevent a transaction from being completed. For example, the Secretary of State could order the parties to refrain from sharing IP or other information. In the case of a transaction that has already completed, the Secretary of State could order the parties to cease taking any steps towards integrating the relevant businesses. Breaching an interim order constitutes both a civil and criminal offence.

Additionally, the Secretary of State may issue information notices, requiring parties to provide documents or attend interviews. These notices can be served extra-territorially on individuals and businesses with a UK connection. Supplying false or misleading information in response to such notices is a criminal offence.

Outcomes and remedies

  • Clearance. Final notification confirms no further action.
  • Final orders. Imposed where a national security risk is found and conditions are necessary and proportionate. Conditions commonly address access to sensitive sites/information, governance, supply continuity, UK location of key functions, or restrictions on technology transfer. Prohibitions or unwind orders are possible in rare cases.
  • Variation/revocation. Final orders are kept under review and can be varied or revoked. Parties may request changes.
  • Financial assistance. In exceptional cases and with HM Treasury approval, financial assistance may be granted to implement a final order. However, it is worth noting that none has been granted to date.

Sanctions, enforcement and appeals

  • Civil penalties. For completing notifiable acquisitions without approval, breaching orders or failing to comply with information/attendance notices. Maximum fixed penalties:
    • Businesses: higher of £10 million or 5 percent worldwide turnover.
    • Individuals: up to £10 million.
    • Daily penalties may apply for continuing breaches of orders or information/attendance notices (up to the higher of 0.1 percent worldwide turnover or £200,000 for businesses; up to £200,000 for individuals).
  • Criminal penalties. For serious offences, including completing a notifiable acquisition without approval, breaching orders and certain information‑related offences. Sentences include up to five years of imprisonment.
  • Extra‑territorial application. Offences may be committed by conduct inside or outside the United Kingdom. Interim/final orders can apply to conduct outside the United Kingdom where the person has specified UK links.
  • Civil enforcement. Orders and notices can be enforced by injunction or other relief.
  • Appeals and judicial review. Monetary penalties are subject to a full merits appeal in the High Court (or equivalent) within 28 days. Other decisions are subject to judicial review, typically within 28 days of grounds arising. No decision has been successfully appealed to date.

The bigger picture: regulation, guidance, reform and next steps

Interaction with merger control and other regimes

  • CMA merger control. NSI screening runs in parallel with CMA processes. The Secretary of State can direct the CMA to act (or not act) where necessary to avoid undermining national security remedies. The CMA must provide information and assistance to the Secretary of State.
  • Takeover Code, export control and sectoral rules. Parties must also consider applicable Takeover Code requirements, export controls (ECJU licensing) and any sector‑specific regulations.

Guidance and administration

Comprehensive government guidance is available to help parties navigate the NSI regime. This includes detailed information on how to apply the rules, sector definitions for notifiable acquisitions, instructions for completing notification forms, considerations for academia and research, extra-UK application, market practice, process and timelines, publication policy, and compliance and enforcement. Notably, the Section 3 statement and market guidance were updated in May 2024, and the NSI notification service and templates were refreshed in 2025.

Early and well-evidenced engagement with the ISU is strongly recommended, especially for complex sector assessments, questions regarding non-UK nexus and specific timing requirements. Proactive communication with the ISU can help streamline the process and address potential issues before they arise.

Forthcoming reforms

The UK government is currently consulting (closes 14 October 2025) on updating sector definitions, including:

  • adding water as a new sector;
  • creating standalone sectors for semiconductors and critical minerals; and
  • clarifying and refining several existing sector schedules (for example, AI, data infrastructure, communications, energy, defence and synthetic biology).

The UK government has also announced its intention to exclude certain internal reorganisations and the appointment of liquidators, special administrators and official receivers from the regime.

Practical points for clients

  • Build NSI into deal planning. Allow time for acceptance plus a 30‑working‑day screening period. Where call‑in is plausible, budget for up to 75 working days of assessment (plus potential clock‑stops) and possible interim orders.
  • Test for mandatory filing early. Map target activities against the sector schedules. Be alert to adjacent activities and supply chain roles, and to indirect acquisitions through chains of ownership.
  • Consider voluntary filings. Where target, control or acquirer characteristics could raise risk, a voluntary notice may de‑risk timing and execution.
  • Intra‑group reorganisations and financing. Internal reorganisations and enforcement over shares can be caught if control thresholds are crossed. While equitable share security at grant typically does not confer control, enforcement or legal title arrangements may. Take counsel and plan filings/conditions accordingly.
  • Non‑UK targets and assets. Overseas entities that supply into or carry on activities in the United Kingdom, or overseas assets used in connection with UK activities, can be in scope. Outward transfers of sensitive IP/technology may be called in.
  • UK investors are in scope. Nationality does not determine whether a transaction is notifiable. Acquirer risk is assessed on a case-by-case basis.
  • Accuracy matters. Provide complete and accurate information. False or misleading information can reopen decisions and constitutes an offence.
  • Coordinate with other regimes. Align NSI assessments with CMA merger control, Takeover Code, export control and sectoral authorisations.

If you would like tailored guidance on whether your transaction is within scope, whether to notify, and how best to structure and timetable your deal in light of the NSI regime and the ongoing consultation, please contact us.

Should I notify the ISU?















*Eleanor Bines, a trainee in our London office, contributed to this advisory.

Related Professionals
Recent Advisories