New National Security and Investment Bill Will Usher in New Regime for UK

On November 11, 2020, the UK government published the much-anticipated National Security and Investment Bill (the “Bill”). If passed, the Bill will require parties to notify the government of a variety of transactions involving sensitive industrial sectors. Consistent with existing frameworks implemented by other Five Eyes alliance members, the Bill also would establish a stand-alone mechanism for the UK government to vet — and in some instances impose mitigation measures on or even block — transactions subject to review.  

The Bill represents a major overhaul of the UK government’s approach to reviewing investments and incorporates concepts from the Committee on Foreign Investment in the United States (“CFIUS”) and the national security review mechanisms of certain EU member states. If passed in its current form, the Bill will be a sharp break from the UK government’s past practice with respect to screening investments and will create myriad new challenges for dealmakers seeking to complete transactions that occur within or involve the United Kingdom.  

The UK’s new approach is consistent with recent trends. The United States has recently strengthened CFIUS, and a number of EU member states have either adopted or updated their systems for reviewing transactions on national security grounds. In addition, the European Union finalized regulations in October to regulate foreign direct investment that occurs within the EU. Parties participating in cross-border deals increasingly will need to consider multiple national security review systems before completing transactions.

Overview of the New Regime

The new regime will utilize a hybrid notification system for so-called “trigger events.” The trigger events are specifically defined in the Bill, but generally involve situations where a party acquires control of a qualifying entity or a qualifying asset. For certain trigger events involving high-risk sectors, acquirers will be required to submit pre-closing notifications and obtain approval from the Department for Business, Energy & Industrial Strategy (“BEIS”). Other parties participating in trigger events have the option of notifying BEIS if they believe that the trigger event could implicate national security concerns.

Following notification, BEIS will have 30 working days to assess whether the trigger event should be “called in” for a national security review assessment.¹ If BEIS determines that a full assessment is not necessary, then it will notify the parties that it has cleared the transaction.  

By contrast, if BEIS elects to call in a trigger event, an assessment period will follow. The first phase of the assessment will be an initial period of 30 working days. At the conclusion of the initial period, BEIS can clear the trigger event, issue a final order imposing remedies or extend the assessment period for an additional period of 45 working days. At the conclusion of the additional period, BEIS can clear the trigger event, issue a final order imposing remedies or the parties can mutually agree to an extension of the assessment period. When analyzing risks associated with trigger events, BEIS will consider target risk, trigger event risk and acquirer risk to determine whether the trigger event poses a risk to UK national security.

A new unit within BEIS, the Investment Security Unit, will screen all trigger events that are notified by mandatory or voluntary filings, or that they unilaterally elect to call in. The Secretary of State for BEIS, currently Alok Sharma, will have ultimate responsibility for all decisions. The proposed regime will replace the government’s historical mechanism for reviewing transactions under the Enterprise Act 2002. Until Parliament enacts the legislation, the current, and far more limited, regime under the Enterprise Act will continue to operate in relation to transactions raising national security concerns.

The National Security and Investment Bill

The Bill contains a number of interesting features that in some instances represent a break from previous consultations as well as a series of open issues regarding how the new regime will be administered.  

Key Provisions

• Parties to certain trigger events will be subject to mandatory notification requirements: The Bill will require mandatory notifications for certain trigger events that involve the acquisition of qualifying entities in certain high-risk sectors.² The government has identified an initial list of 17 high-risk sectors, which are broad in scope (e.g., “defence,” “energy,” “data infrastructure”).³ BEIS has published a public consultation to seek input regarding what types of transactions that occur in these sectors should be subject to mandatory reviews. The consultation will then lead to the publication of regulations under the new act that will further define the scope of the transactions that require notification. In addition, transactions in which an acquirer acquires 15% or more of the votes or shares in an entity in a high-risk sector are considered to be “notifiable acquisitions” that are subject to mandatory notifications so the government can assess whether they reasonably suspect a trigger event will take place. For trigger events that require notification, the duty to alert BEIS will rest solely with the acquiring party.    

• Transactions that require mandatory notification will be void if not notified and cleared: If the parties close a transaction that requires mandatory notification and the parties do not notify BEIS and obtain clearance prior to closing, the transaction will be legally void. This aspect of the Bill likely will lead to parties electing to report any transactions that potentially could be subject to mandatory reporting requirements. The criminal penalties for failing to make a mandatory notification likewise will provide a powerful incentive for parties to take a proactive approach to filing notifications. The Bill does allow the Secretary of State to retrospectively validate notifiable acquisitions that were not reported to BEIS.

• Parties may submit voluntary notifications: Parties participating in trigger events that do not require mandatory notification can elect to submit voluntarily notifications. BEIS will have the right to call-in non-notified transactions that it deems might present a national security risk, so it is expected that parties may elect to file precautionary notifications to avoid the risk of BEIS later calling in the transactions.   

• BEIS will have broad powers to retrospectively review trigger events: The Bill authorizes the government to call in trigger events that were not notified and those not subject to mandatory reporting requirements for up to six months after the Secretary of State becomes aware of the trigger event, so long as the call in occurs within five years of the trigger event. Other EU member states have adopted similar five-year look back periods (e.g., France, Italy and Germany). The Secretary of State will be able to call in a transaction subject to mandatory notification at any point (i.e., the five-year-long stop date does not apply in these circumstances). In addition, the Bill would grant the Secretary of State the authority to call in transactions that take place between November 12, 2020, and the commencement date of the legislation. It is expected that acquirers will be subject to mandatory notification requirements for trigger events that occur in high-risk sectors and have not completed prior to the commencement date of the legislation.          

• The UK nexus test is expansive: BEIS will have the authority to review trigger events that could potentially raise national security concerns, even if the entities involved do not have a direct link to the UK. The regime allows the government to call in trigger events that involve entities or assets outside of the UK, provided that: (1) the entities carry on activities or supply goods/services in the UK; or (2) the assets are used in connection with activities taking place in the UK. Accordingly, this regime is potentially applicable even when the relevant parties do not include a UK subsidiary, which is a departure from many foreign investment review regimes. With that said, the government has advised that it will “legislate for a tighter nexus test for mandatory transactions.”

• The Bill specifies transactions that do not give rise to trigger events: Transactions in which a party acquires less than (i) a 15% interest in a qualifying entity in a high-risk sector or (ii) a 25% interest in a qualifying entity in a non-high-risk sector will not be a trigger event provided that the acquiring party does not obtain material influence over the policy of the qualifying entity. These provisions will provide comfort to minority investors in some types of acquisitions.    

• The Bill does not envision BEIS adopting “black lists” or “white lists”: The new regime “will apply to investors from any country,” and BEIS apparently will not put particular foreign countries on “black lists” or “white lists.” In addition, the government has expressly advised that it does not consider state-owned entities, sovereign wealth funds or other entities associated with foreign states to be “inherently more likely to pose a national security risk” than other parties from a national security perspective.

• The Bill includes sanctions for non-compliance: The Bill grants the government authority to impose stringent civil fines and criminal penalties on parties that violate the new legislation by not complying with mandatory notification obligations, breaching mitigation conditions or supplying false or misleading information to BEIS.  

• Judicial review: Parties will have the ability to challenge the Secretary of State’s decisions made during national security reviews through the standard judicial review process.   

Notable Changes From Previous Consultations and Unresolved Issues

• The Bill does not contain turnover or share of supply thresholds: Unlike the Enterprise Act regime, the Bill does not contain minimum turnover or share of supply thresholds. A trigger event will not necessarily be excluded from review because it involves a small qualifying entity or qualifying asset of limited value.

• The government expects a large number of notifications: The government anticipates that each year parties will file between 1,000 and 1,830 notifications and that BEIS will call in between 75 and 90 trigger events. The government expects BEIS to impose conditions upon approximately eight to 10 transactions per year. These numbers would represent a massive uptick in filings and reviews. Since 2002, parties have not been subject to mandatory reporting requirements, and the UK government has reviewed a total of 12 transactions on national security grounds under the Enterprise Act regime.

• The Bill removes national security reviews from the remit of the Competition and Markets Authority (“CMA”): The Bill bifurcates merger control reviews from national security reviews. On a going forward basis, the CMA will no longer play a role in reviewing transactions on national security grounds. The government has advised that antitrust and national security reviews will proceed concurrently. In the relatively rare situation where a proposed CMA remedy presents national security concerns, the Secretary of State will have the authority to intervene and overrule the CMA.  

• BEIS review process could be time consuming: The Bill sets forth a proscribed schedule for reviewing trigger events and carrying out national security risk assessments. However, in practice, the timeline for BEIS’s reviews may be less certain. The “clocks” for each of the relevant time periods (i.e., preliminary review, initial period, etc.) will stop running when the Secretary of State issues an information or attendance notice to a party and will only re-start after the Secretary of State subsequently issues a compliance notice. In addition, BEIS and the parties can mutually agree to indefinite extensions. These features ultimately could result in lengthy and uncertain review periods.       

• Defining scope of high-risk sectors will be important: The government has stated that it expects that a subset of transactions within 17 specified sectors will require mandatory notifications.  BEIS has published a consultation document that sets forth proposed definitions for the type of entities within each of the high-risk sectors that would require mandatory notifications. The government’s ongoing consultation process regarding the areas that will require notification and pre-approval will be important in defining the nature of transactions that give rise to mandatory notifications.⁴ 

Conclusion

The Bill represents the dawn of a new era in the vetting of UK transactions on national security grounds. Assuming the Bill survives largely intact in its passage through Parliament, the new regime will require dealmakers to approach UK transactions that might involve national security considerations with much greater care.

^{1. BEIS has the authority to call in both notified trigger events and trigger events that were not notified.↩}

^{2. Earlier government proposals had indicated that the new law would set forth a purely voluntary notification regime. ↩}

 ^{3. The Bill identifies 17 high-risk sectors: civil nuclear; communications; data infrastructure; defence; energy; transport; artificial intelligence; autonomous robotics; computing hardware; cryptographic authentication; advanced materials; quantum technologies; engineering biology; critical suppliers to the emergency services; critical suppliers to government; military or dual-use technologies; and satellite and space technologies.↩}