THE NSIA REGIME: HOW THE UK IS RESHAPING CROSS-BORDER DEALS

For a long time, regulatory analysis in UK transactions followed a fairly predictable path. Parties focused on competition law, sector-specific approvals, and, where applicable, regulatory oversight from bodies such as the Financial Conduct Authority, alongside occasional public interest interventions under the Enterprise Act framework. National security rarely sat at the centre of deal planning.

That position has shifted in a way that is both subtle and far-reaching. The National Security and Investment Act 2021 (“NSIA”) has introduced a framework that does not just regulate investment but actively influences how transactions are structured, negotiated, and executed. What is particularly striking is not merely the breadth of the regime, but the way in which it has begun to shape commercial decision-making in cross-border deals.

This article looks at the NSIA in three parts: first, the structure of the regime; second, how it is being applied in practice; and third, how recent developments are refining its scope and what that means for businesses and investors.

Understanding the Structure of the NSIA

At a conceptual level, the NSIA is designed to give the UK Government wide powers to scrutinise transactions that may pose risks to national security. What makes the regime distinctive is how broadly it defines both the types of transactions it captures and the forms of control that trigger review.

The regime is not limited to acquisitions of companies. It extends to acquisitions of assets, including land, intellectual property, databases, software, and technical know-how. In an economy where value increasingly sits in intangible assets, this significantly expands the reach of the law. It also means that transactions which might not traditionally be viewed as M&A, such as technology licensing arrangements or acquisitions of data-rich businesses, can fall within scope.

The jurisdictional reach is equally wide. An entity does not need to be incorporated in the UK to be caught. It is sufficient if it carries on activities in the UK or supplies goods or services into the UK market. As a result, offshore transactions can still trigger UK national security review where there is a sufficient connection to the UK.

The key question under the NSIA is whether a transaction gives rise to a ‘trigger event’, which is defined by reference to the level of control being acquired. The regime distinguishes between acquisitions of entities and acquisitions of assets, and the analysis differs slightly in each case.

In the context of entities, a trigger event arises where an investor acquires certain levels of control, including crossing thresholds of more than 25 percent, more than 50 percent, or 75 percent or more of shares or voting rights, or where the investor gains the ability to pass or block resolutions governing the entity’s affairs. In addition, the concept of material influence brings within scope situations where an investor is able to influence the policy or strategic direction of the entity, even without majority control. In practice, this means that minority investments, particularly those involving board representation or veto rights over key matters, may fall within the regime.

The regime also applies to acquisitions of assets, which are defined broadly to include land, tangible property, and intangible assets such as intellectual property, databases, software, and technical know-how. In this context, a trigger event arises where a person acquires control over the asset or the ability to use the asset, either entirely or to a greater extent than previously. This means that transactions involving licensing, access rights, or the transfer of technology can also fall within scope, even where there is no acquisition of shares in an entity.

Whether a notification is required will then depend on whether the entity or asset operates within one of the specified sensitive sectors and the level of control being acquired.

The review process itself is relatively structured. Once a notification is submitted, the Government conducts an initial review, typically within 30 working days. If concerns arise, the transaction may be subjected to a more detailed assessment, which can extend the timeline further. While these timelines may appear manageable on paper, in practice they have introduced an additional layer of complexity into deal execution, particularly where timing is commercially sensitive.

From Framework to Reality: How the NSIA Operates in Practice

The true significance of the NSIA becomes clearer when one looks at how the Government has exercised its powers. Recent interventions, particularly in transactions with a defence or national infrastructure angle, illustrate that the regime is not merely procedural. It is actively being used to shape outcomes.

One of the most notable features of the regime in practice is that transactions are not typically blocked outright, with recent final orders indicating a clear preference for conditional approvals over outright prohibition.

In several defence-related transactions reviewed under the NSIA, including the acquisition of Ultra PMES Limited by ESCO Maritime Solutions, approvals have been granted on the basis that certain capabilities remain within the UK. This includes requirements to maintain specific operations, facilities, or supply arrangements within the UK, along with enhanced governance and security oversight obligations. From a commercial perspective, this can have a direct impact on how businesses plan post-acquisition integration and operational restructuring.

Another recurring theme in recent decisions is the protection of sensitive information. Conditions have been imposed to restrict access to certain data, particularly where there is a risk that such data could be accessed by individuals outside approved jurisdictions. This is especially relevant in sectors involving advanced technology or critical infrastructure, where data itself can be a strategic asset.

Governance has also become a focal point. Recent final orders show that companies have, in some cases, been required to appoint specific personnel, such as security officers, or to establish internal structures to oversee compliance with national security obligations. These requirements go beyond traditional regulatory conditions and extend into the internal functioning of the business.

Similar conditions have also been observed in transactions such as the acquisition of Centronic Limited by Exosens UK Limited, where operational and governance safeguards were imposed.

Perhaps the most important takeaway from these interventions is that scrutiny is not limited to investors from jurisdictions typically associated with national security concerns. Transactions involving investors from allied jurisdictions have also been subject to review and conditional approval. The focus is increasingly on the nature of the target and the potential risks associated with the transaction, rather than solely on the identity of the acquirer.

Taken together, these developments suggest that the NSIA is being used not only to prevent harmful transactions but also to impose ongoing conditions on how strategically important businesses operate post-acquisition. In that sense, it is as much about preserving national capability as it is about screening investment. These patterns are reflected in recent final orders issued under the NSIA, particularly in defence-related transactions, where the Government has imposed conditions relating to operational continuity, data access, and governance.

An Evolving Regime: Recent Developments and Policy Direction

The NSIA is still relatively new, and recent developments indicate that the Government is actively refining the regime in response to both practical experience and broader economic considerations. On 12 March 2026, the Government confirmed a series of changes to the mandatory notification regime, representing the first significant update since the regime came into force.

A key development is the confirmation that the mandatory notification regime will be extended to include certain entities operating in the water sector, reflecting the strategic importance of critical infrastructure and the scale of expected investment. At the same time, the Government has indicated that semiconductors and critical minerals will be carved out into standalone categories, with a broadly defined scope and the possibility of further expansion, particularly in relation to critical minerals.

Importantly, the approach is not solely expansionary. The Government has also narrowed aspects of the artificial intelligence framework by excluding off-the-shelf AI, including licensed third-party systems and routine business applications, from mandatory notification. This reflects an attempt to focus scrutiny on higher risk use cases while avoiding unnecessary regulatory burden.

These changes have been confirmed by the Government but will be implemented through secondary legislation, and the current regime continues to apply until they come into force.

What This Means for Dealmakers and Investors

From a commercial perspective, the impact of the NSIA is difficult to overstate. It has fundamentally changed how transactions are approached, particularly in cross-border contexts, with NSIA risk assessment now forming a core part of legal due diligence, especially in sectors involving technology, data, or infrastructure.

First, NSIA analysis now needs to be undertaken at a much earlier stage in the transaction process. It is no longer sufficient to consider regulatory approvals as a closing formality. Instead, parties must assess at the outset whether a transaction may fall within the regime and, if so, how that affects timing, structure, and risk allocation.

In practice, the NSIA is now factored directly into transaction documentation. Share purchase agreements increasingly include specific conditions precedent tied to NSIA clearance, along with long stop dates that reflect potential review timelines. In higher risk transactions, parties are also negotiating risk allocation mechanisms, including reverse break fees or obligations on the buyer to pursue clearance. What was once a regulatory afterthought is now being priced and negotiated as part of the deal itself.

Second, the regime introduces a level of uncertainty that did not previously exist to the same extent. Even where a transaction is ultimately approved, the possibility of conditions being imposed means that the commercial outcome of the deal may differ from what was initially envisaged. This requires parties to think carefully about how risks are allocated in transaction documents and how potential outcomes are managed.

From a timing perspective, NSIA clearance is increasingly critical in competitive transactions, where delays can affect deal certainty and bidder attractiveness.

Third, the interaction between the NSIA and other regulatory frameworks adds another layer of complexity. Transactions involving sensitive technologies may require parallel analysis under export control laws or other investment screening regimes in different jurisdictions. This creates a more interconnected regulatory landscape where issues cannot be considered in isolation. The UK’s approach also reflects a broader global trend, with regimes such as CFIUS in the United States and investment screening frameworks across the European Union similarly expanding in scope.

Finally, the regime reflects a broader shift in how governments approach foreign investment. Economic considerations are increasingly intertwined with national security concerns, and this is now a central feature of cross-border dealmaking. For investors, this means that understanding the regulatory environment is as important as understanding the commercial opportunity.

Conclusion

The NSIA has introduced a new reality for transactions in the UK. What was once a relatively limited area of regulatory oversight has become a central factor in deal execution. The regime is broad in scope, actively enforced, and continuing to evolve in response to changing economic and geopolitical conditions. For businesses and investors, this means that national security considerations are no longer theoretical or peripheral. They are a practical part of transaction planning.

In many cases, the question is no longer whether a deal raises national security issues, but how those issues will be managed within the commercial framework of the transaction. As the regime continues to develop, those who engage with it early and understand its implications will be better placed to navigate the challenges it presents. In an environment where regulatory scrutiny is becoming more sophisticated, the ability to anticipate and manage these issues is likely to be a key differentiator in successful dealmaking.

[Disclaimer: The views expressed are personal and do not necessarily reflect those of the author’s employer or any organisation with which the author is associated]