Scope of new UK National Security and Investment Bill clarified

11 min read

World in Transition

Our views on changing dynamics in energy, ESG, finance, globalization and US policy.

In November 2020, the UK published a draft of its new National Security and Investment Bill ("NSIB"), heralding the introduction of a new regime for reviewing investments on national security grounds. The Bill introduced a mandatory pre-screening mechanism for certain deals involving investments in sensitive sectors. The draft was accompanied by proposed definitions for the seventeen "sensitive sectors" to which the mandatory notification requirement would apply. These definitions were the subject of a public consultation, which ran from 11 November 2020 until 6 January 2021. For more detail on the scope of the NSIB, please see our original alert here.

The Department of Business Energy and Industrial Strategy ("BEIS") has now published the government response, providing welcome clarification on the scope of those proposed definitions (the "Response"). The final scope of the mandatory notification regime will be published in regulations expected to accompany the NSIB once it enters into force, but the Response provides useful explanations of the UK government's direction of travel for the new regime.

These changes are welcome, not least because the NSIB will apply retrospectively to deals that have closed after 11 November 2020, even before the new law comes into force. Therefore, the Response has real practical consequences for on-going M&A transactions. Below, we look at some of the changes arising from the consultation that will apply to some of these sectors.


Sensitive Sectors: what has changed?

The seventeen "sensitive sectors" remain unchanged but the Response broadly supplements previously ambiguous drafting with more specificity around definitions and applications.

General clarifications

The Response also considered more general suggestions that could affect the broader regime. For example, suggestions to exclude internal or intra-group transactions from scope have been rejected.1 The Response also clarifies that there is no practical consequence for reporting if an entity is captured by more than one "sensitive sector" once the NSIB comes into force.

Changes in key sectors

Based on our experience of the sensitive sectors that were causing the most severe headaches for clients to date, the following clarifications are of particular note:

1. Communications

Communications was one of the sectors where the proposed sectoral definition had the capacity to capture a multitude of transactions, as the original proposal applied to any entity carrying on activities in the UK which "consist in or include" the provision of an electronic communications network or service.

The new focus following the Response is on public communications networks, services, and associated facilities. These are providers of submarine cable systems, cable landing stations and the operators of essential services in the digital infrastructure subsector. Private electronic communications network and service providers are therefore now excluded.

To determine what is and is not an "essential service" for digital infrastructure, BEIS has made reference to the Network and Information Systems Regulations 2018, which is a sensible addition. This will limit providers of essential services to top-level domain name registries, domain name system resolvers, authoritative hosting services and internet exchange points. The welcome corollary of this clarification is that private data centres, which otherwise could have been captured under a more generous reading, can be excluded from this heading. The revisions seek to make clear that only those who own buildings hosting data centres that are part of the core public telecommunications network (e.g., those that host internet exchange points and the 5G core networks) are still intended to fall in scope.

A distinction has also been drawn between "active" and "passive" infrastructure, which will exclude passive infrastructure manufacturers and suppliers such as those who make ducts and poles. The precise scope of this distinction is still under consideration. Further, the amendments make clear that the owners of "sites" that merely host associated communications infrastructure (e.g., masts) are not intended to fall in scope. The Response flagged that further amendments in respect of landowners are in contemplation pending the final version.

Materiality thresholds have also been added to exempt acquisitions of smaller companies. Entities that operate public communications networks or services with turnover of less than £50 million can be excluded. A threshold has also been introduced for the provision of infrastructure to public communications, whereby any entity supplying services in the UK which include the provision of an internet exchange point that has at least 30% market share will be captured. The Response also indicates that BEIS is still considering an end-user threshold and applying the turnover threshold to qualifying entities in the supply chain, such as vendors and service providers.

2. Critical Suppliers to Government

The revised sectoral definition is refocused on the protection of classified material, estates and the people who work with such materials, bringing a more national security-focused outlook to this heading. This is a welcome change as previous readings of this heading could have captured a substantial range of suppliers of generic products and services.

Of particular note is that subcontractors have been removed from the scope of this heading and therefore can be excluded from mandatory notification. Further, the Response helpfully clarifies that "government" contracts are limited to "contracting authority"2 contracts, i.e., contracts with the State, central government authorities, regional or local authorities, and bodies governed by public law. On this basis, contracts with, for example, institutions in which the government is a shareholder can be excluded if they would not otherwise meet the definition.

The reference to entities that provide goods or services that, if lost or compromised, could have an adverse impact on the "functioning of the state" has been removed in recognition that a term this broad could be interpreted to capture a wide variety of actors.

BEIS resisted calls to publish a list of critical suppliers that would be subject to mandatory notification, however, on grounds that this would be subject to frequent change and could itself pose a national security risk.

3. Data Infrastructure

The data infrastructure heading has been refocused on the provision of data infrastructure to "critical sector" entities, i.e., those public sector contracting authorities or entities that would be subject to mandatory notification under the civil nuclear, critical suppliers to government, critical suppliers to the emergency services, defence, energy or transport definition. Taken together with the respective changes in those categories this is a significant narrowing down of the breadth of this sectoral net.

Further, in terms of the provision of data infrastructure to those critical entities, the changes now make clear that this only relates to provision under a direct contractual relationship, negating the need to analyse second-degree access by other entities. These changes are illustrated below:

Relevant data infrastructure" means is physical or virtualised infrastructure which:

(a) hosts, stores, manages or processes or controls or transfers transmits relevant data in respect of which the qualifying entity has a direct contractual relationship with a critical sector entity

(b) is used by Ppublic Ccommunications Pproviders (as defined in section 151 of the Communications Act 2003) for peering, interconnection or exchange of digital data; or

(c) connects any major international cabling routes; or

(d) employs software defined networking or network functions virtualisation

The provision of security services to relevant data infrastructure has also been removed, as has mandatory notification for entities that own the site or building in which relevant data infrastructure is located, although managing of facilities where relevant data infrastructure is located remains a qualifying activity.

Clarifications on the exact meaning of the "provision of technical services" and "administrative access" to relevant data infrastructure have also been added.

4. Energy

Key among the clarifications in the energy sector is the explicit confirmation that retail electricity suppliers are not intended to be in scope. All references to "supply" and "suppliers" have been removed from the energy heading to clarify this intent.

The ambition is therefore clearly only to capture entities that control generation assets, i.e., that provide load via:

  • 100MW of total installed capacity for individual assets; or
  • 1GW on installed capacity when accumulated with the assets of the purchaser's affiliates. This is a reduction of the previous aggregated threshold of 2GW in the original draft.

Also of note is that this sub-heading is limited to Great Britain, meaning control of generation assets in Northern Ireland would not trigger on this basis.

In terms of petroleum infrastructure and pipelines, the amendments make clear that only those that meet the throughput thresholds (of 3 million TOE in 12 months) in their first year of operation will trigger. This is useful for prospective investors in infrastructure that do not intend to immediately deploy that infrastructure because, for example, it has not been operational for some time.

BEIS has again indicated that this is a sector that remains under scrutiny and further revisions can be expected, including an increase in the downstream supply capacity threshold from 20,000 tonnes to 50,000 tonnes. Further clarifications will include a more detailed breakdown of what is and is not going to be captured, including more specifications on how thresholds should be measured. As part of the ongoing review, BEIS is clear that its intention will be to capture any entities with a "key role in overseeing or operating any part of the GB electricity and gas markets". Again, this appears limited to Great Britain, and so may not extend to equivalent entities in Northern Ireland.

5. Transport

(a) Maritime Transport

In terms of maritime transport, the definitions have been narrowed to remove references to passenger capacity and the transport of Category 1 goods. These amendments are illustrated below:

An qualifying entity carrying on activities that consist of – 

(a) which ownsing or operatesing a maritime port or harbour situated in the United Kingdom which that handleds at least 1 million tonnes or more of cargo annually in the most recent relevant year preceding the year in which the notification is given under section 14 (Mandatory Notification procedure) of the Act, as recorded in for which the Annual Port Freight Annual Statistics records are published by the Department for Transport, Category 1 goods as listed in paragraph (2.c) or vessels capable of carrying at least 12 passengers.; or 

(b) Within such maritime ports or harbours, a company which ownings and operatinges terminals, wharves or other port-related infrastructure except where that company does not handle Category 1 goods. situated in a port or harbor as described in sub-paragraph (a). 

This revised wording is intended only to capture those companies that own and operate terminals, wharves or other port related infrastructure, not those that have parent companies across various sites. Further, the concept of port-related "infrastructure" has been clarified; it only applies to infrastructure, facilities and equipment within a port or harbour that enable effective operations directly related to the movement of freight, passengers or seafarers.

BEIS' stated intention is to consider acquisitions of smaller ports using the call-in power, "where appropriate". Of course, this will not prevent voluntary notifications by purchasers of smaller ports, so the definitional changes may not have much impact in practice.

(b) Airports

The concept of "operating" an airport has been clarified as "having overall responsibility for its management" in an effort to make it clear that operators which carry out some activities at airports but do not have overall control or management of them, e.g., ground handling operations, are not caught.

The thresholds for passenger movements and freight have been referenced to 2018 rather than the "most recent year" to reflect the reduced demand due to the COVID-19 pandemic, but BEIS foresees further updates once demand recovers. These amendments are illustrated below:

An Qualifying entities carrying on activities that consist of:y 

(a) which ownsing or operatesing an airport in the United Kingdom which that handled at least six million passenger movements or 100,000 tonnes of freight annually in the most recent relevant year in 2018, for which as recordeds in the UK Airports Annual Statements of Movements, Passengers and Cargo are published by the Civil Aviation Authority;

(b) providing en route air traffic control services in the United Kingdom;

(c) owning a provider of en route air traffic services in the United Kingdom.

Next steps

The Response re-emphasises that the scope of the mandatory notification regime under the NSIB is still in flux. It is therefore important to ensure appropriate attention is given to the potential requirement to make a mandatory notification in respect of deals that sign, but have not closed, before the new law comes into force. Adequate contractual protection is needed to cover this gap period; even if a deal closes before the law comes into force it can be subject to retrospective review for up to 5 years thereafter, so strategies to manage that risk continue to be important.


1 Response, paragraph 78.
2 Within the meaning of the Public Contract Regulations 2015.


White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2021 White & Case LLP