The United Kingdom's National Security and Investment Act (the NSI Act) is now fully in force. First proposed in 2016, the NSI Act creates a stand-alone regime that authorizes the UK government to consider and address the national security implications of a wide variety of acquisitions, investments, and other transactions. The commencement of the NSI Act marks a new era for the UK government's approach to scrutinizing corporate transactions on national security grounds.
NSI Act Framework
Under the NSI Act, trigger events occur when one party acquires "control" (as defined in the NSI Act) of a qualifying entity or a qualifying asset. Trigger events occur when one party:
The UK government has identified 17 high-risk industrial sectors. The Department for Business, Energy, and Industrial Strategy (BEIS) has published definitions and accompanying guidance for each of these sectors:
For a subset of trigger events involving qualifying entities in the high-risk sectors (i.e., so-called "notifiable acquisitions"), acquirers must i) notify the Investment Security Unit (ISU) within BEIS of the trigger event and ii) obtain clearance before the trigger event closes. The completion of such a trigger event without taking these steps will result in the transaction being legally void. In addition, the acquirer in such transactions could face civil fines or criminal penalties.
The mandatory notification requirement will not apply to trigger events in which an acquirer solely obtains material influence over a qualifying entity or acquires control over qualifying assets. Parties participating in trigger events that are not notifiable acquisitions will have the option to submit voluntary notifications to the ISU.
The ISU is responsible for reviewing mandatory and voluntary notifications. (In addition, the ISU may elect to unilaterally review non-notified trigger events.) After receiving a notification, the ISU will have a 30-working day "review period" to determine whether the trigger event should be "called in" for a more in-depth review during a subsequent "assessment period." If the ISU decides not to call in a trigger event, it will clear the transaction.
The ISU will consider target risk, acquirer risk, and control risk when determining whether to call in a trigger event. The ISU expects to exercise its call-in power when all three risk factors are present, although it may call in trigger events when fewer risk factors are present.
When a trigger event is called in, the ISU will have up to 75 working days to carry out a full national security review during the assessment period. The review "clock" will stop running for information notices and attendance notices that BEIS issues during the assessment period, which could further extend the timeline. In addition, BEIS may request that parties enter into voluntary agreements to provide the ISU with even more time to review the trigger event. At the close of the assessment period, the ISU will clear the trigger event, issue a final order imposing conditions, or prohibit the trigger event from completing.
Parties subject to notifiable acquisitions may not complete the trigger event while an ISU review is pending. If parties attempt to do so, the transaction will be legally void. By contrast, parties that have submitted voluntary notifications may close a trigger while an ISU review is pending, provided that the ISU has not issued an interim order prohibiting closing. However, in this scenario, BEIS could elect to use its powers to retrospectively review—and potentially unwind—such trigger events following closing.
Key Issues and Considerations
a. Parties to Transactions Involving Non-UK Entities May Be Subject to the NSI Act
The NSI Act defines qualifying entities to include entities based outside the United Kingdom that: i) carry on activities in the UK; or ii) supply goods or services to persons in the UK. Similarly, assets outside of the UK used in connection with such activities and services constitute qualifying assets.
These broad definitions mean that non-UK entities and non-UK assets with minimal links to the UK will be characterized as qualifying entities and qualifying assets, which, in turn, will result in many transactions involving these non-UK entities and non-UK assets being trigger events. For these trigger events to result in notifiable acquisitions, the qualifying entity at issue must carry on one or more activities described in the high-risk sector definitions within the United Kingdom. This jurisdictional limitation will reduce the number of notifiable acquisitions.
Parties to trigger events that are not notifiable acquisitions may elect to submit voluntary notifications. The ISU also will have the power to unilaterally call in trigger events involving non-UK qualifying entities and non-UK qualifying assets.
b. Corporate Restructures and Reorganizations Can Be Trigger Events That Give Rise to Mandatory Notifications
Corporate restructurings and reorganizations involving qualifying entities can result in trigger events. BEIS explained that a qualifying acquisition that "takes place within the same corporate group" may give rise to a trigger event. Even if the ultimate beneficial owners of the qualifying entity remain unchanged, a trigger event may still occur if the "ownership [] goes through a different corporate chain" following the restructure.
c. Parties Making Mandatory and Voluntary Notifications Are Required to Submit Lengthy Notifications
Parties that submit mandatory and voluntary notifications will be required to file submissions containing detailed information regarding the acquirer, qualifying entity, and relevant individuals. Acquirers must specify whether they have submitted a notification to any overseas investment screening regime during the previous year. Also, they must provide details regarding the acquirer's ownership structure and specify whether any of its directors is a politically exposed person pursuant to the Money Laundering regulations. Information regarding the relevant qualifying entity must be included as well, including a summary of the qualifying entity's business, information regarding the qualifying entity's shareholders, a description of whether the qualifying entity requires licenses to operate with any high-risk sectors, and a statement regarding whether the qualifying entity "owns or holds any dual-use items."
Considering these informational requirements, the acquirer and seller often will need to cooperate to complete these forms. Parties to trigger events should consider incorporating contractual protections to ensure cooperation between the parties. They also should account for the time necessary to draft these filings when considering the timeline for a transaction.
d. The Acquisition of Veto Rights and Consent Rights Typically Are Not Trigger Events
BEIS has advised that a party's acquisition of veto rights or consent rights in connection with an investment in a qualifying entity alone typically will not give rise to a trigger event. Veto rights or consent rights will be viewed as a trigger event only if they grant the acquirer the ability to secure or block shareholder resolutions governing "all or substantially all matters" related to the qualifying entity.
Veto rights or consent rights linked to discrete actions or events—which are commonly acquired by investors in venture capital investments—would not meet these criteria. However, an investment in which an acquirer obtains veto rights or consent rights could still give rise to a trigger event on other grounds (e.g., the acquirer obtains an equity interest in a qualifying entity that crosses the 25 percent, 50 percent, or 75 percent thresholds).
e. Parties to Trigger Events That Are Not Notifiable Acquisitions Should Assess Whether to Submit Voluntary Notifications
Many trigger events will not be notifiable acquisitions. Parties to these type of trigger events should consider whether submitting a voluntary notification is advisable. In making this determination, parties should consider the specific risk factors articulated by BEIS: target risk, control risk, and acquirer risk. Furthermore, they should assess the trigger event timeline, whether regulatory approvals will be necessary in the UK or other jurisdictions, and the target entity's dealings with the UK government.
f. Acquirers May Seek to Utilize the NSI Act's Safe Harbor Provision
The new regime is not limited to foreign direct investment in the UK (unlike many other national security regimes), does not contain monetary or market share thresholds (the UK's merger control regime), and does not treat any class of investors as inherently higher risk or lower risk (unlike the United States' Committee on Foreign Investment in the United States (CFIUS) regime). The broad applicability of the NSI Act will result in many transactions potentially being subject to review.
But in some circumstances, parties may be able to structure transactions to avoid review under the NSI Act. Transactions in which the acquiring party obtains less than a 25 percent interest in a qualifying entity will not be a trigger event, provided that the party does not acquire "material influence" over the policy of the entity, obtain voting rights that allow it to secure or prevent the passage of any class of resolution governing the entity or secure control over qualifying assets. Minority investors and co-investors may seek to make use of this safe harbor.
g. BEIS Is Most Likely to Call in Trigger Events Involving Entities Operating in High-Risk Sectors or in Sectors "Closely Linked" to High-Risk Sectors
BEIS has advised that the ISU is most likely to call in trigger events "where there may be a potential for immediate or future harm to UK national security." BEIS has provided illustrative examples of specific risks that may necessitate a call in, such as trigger events that: i) pose risk to governmental and defense assets, ii) undermine critical infrastructure, or iii) allow hostile actors to develop defense or technological capabilities that could undermine national security.
The trigger events most likely to meet these criteria will involve qualifying entities operating in high-risk sectors. The ISU also is likely to call in acquisitions of qualifying entities operating in industrial sectors that are "closely linked" to the high-risk sectors. By contrast, the ISU is less likely to call in trigger events involving qualifying assets and trigger events related to non-UK qualifying entities.
h. The ISU's Review Process Could Be Lengthy
Given the detailed nature of the notifications, parties may require several weeks to prepare these submissions. Following acceptance—which may not occur immediately after submission—the ISU's review process could take up to 105 working days, assuming no standstills or voluntary extensions. From start to finish, drafting the notifications and going through the ISU review process could last six months or longer. Parties participating in trigger events that result in notifications should account for this timeline in deal documents and, more generally, in the context of transactions subject to review under the NSI Act.
i. The ISU Can Retrospectively Review Non-Notified Transactions
The ISU can retrospectively review completed trigger events. The ISU can review completed, non-notified trigger events that were not subject to mandatory notifications for up to five years after they occur. However, the ISU must commence a review within six months after becoming aware of such a trigger event within the relevant five-year period. There is no time limit for the ISU to review completed, non-notified notifiable acquisitions, although the ISU must call in such trigger events within six months of becoming aware of them.
The NSI Act also grants the ISU authority to retrospectively review transactions that were completed between November 12, 2020 and January 3, 2022. However, BEIS has advised that trigger events that were reviewed on national security grounds under the Enterprise Act prior to January 4, 2022 will not be scrutinized under the NSI Act.
j. The Consequences for Not Complying with the NSI Act Can Be Severe
The NSI Act mandates that attempts to complete notifiable acquisitions without notifying and obtaining clearance from the ISU will result in the underlying transaction being legally void. Also, persons who violate the NSI Act can face significant civil monetary fines up to the greater of £10 million or 5 percent of the acquirer's global turnover. Individuals can incur criminal liability for violating the NSI Act and face prison terms up to five years. Whether the UK government will seek to aggressively wield its enforcement powers against violators of the NSI Act remains to be seen.
Conclusion
The NSI Act has finally arrived. This new legislation vests the UK government with broad new powers and creates a host of new issues for parties participating in acquisitions, investments, and other transactions. Parties will be able to mitigate the challenges associated with the NSI Act through careful planning and proactive measures.
For more information about the NSI Act, please contact Wilson Sonsini partners Mike Casey, Stephen Heifetz, Joshua Gruenspecht, Daniel Glazer, or Beau Buffier.