The Art of Keeping Calm: Four Years of Navigating UK National Security Reviews
The UK National Security and Investment Act 2021 (NSIA) came into force in January 2022. After almost four years of enforcement, we take stock of how the government approaches problematic deals and what type of remedies it imposes.
The three key takeaways are:
- First, outright prohibitions remain rare and are typically reserved for transactions involving sensitive sectors and acquirers from China or Russia. Since NSIA’s inception, there have been only six outright prohibitions and some 38 cases involving remedies. Last year, there was only one outright prohibition.
- Second, very few notified transactions require remedies, even after a detailed review. We are currently seeing around 1,000 notifications per annum, out of which around 40 were called in for a detailed review, and around four of these involved the imposition of remedies.
- Third, when remedies are imposed, they follow a general playbook. Here’s the cheat sheet:
| Remedy Category | What the Remedy Really Covers |
| Keep the Brain in Britain |
Maintain UK-based capabilities, prevent relocation, protect strategic tech assets. |
| Don’t Drop the Government |
Continue uninterrupted supply of critical goods and services, especially for defense and public services. |
| Guard the Secrets |
Restricted information sharing, enhanced security controls, appointment of a vetted Chief Information Security Officer, and security audits. |
| Tell “Big Brother” |
Notify and report to the government on new customers, new agreements, asset transfers, and compliance. |
| Whitehall in the Boardroom |
Appointment of observers, security-vetted board members, and creation of security committees. |
Each of these categories is discussed in more detail below.
1. Keep the Brain in Britain
Where the target business is engaged in security-sensitive R&D (e.g., defense contracts, precision engineering, or atomic clocks), the government often requires acquirers to maintain UK-based research, development, and production capabilities. The intent is to ensure that strategic technological capabilities remain within the UK and are not relocated or diminished post-acquisition, even to allied nations.
Examples:
- Retention of site and capability for current and future UK defense contracts (Exosens/Centronic)
- Restrictions on the location of precision engineering capabilities and operational activity (Walsin/Advanced Manufacturing)
2. Don’t Drop the Government
Where there are existing supply contracts with the government, particularly with the Ministry of Defense but also with the emergency services, obligations have been imposed to ensure the continuity of those supplies. This includes requirements that the target company continues to provide essential goods or services without interruption.
Examples:
- Maintenance of UK capabilities in repairing, servicing, and maintaining devices for emergency services networks (Epiris/Sepura)
- Requirement to maintain continuity of supply for critical UK government programs (Pen10/Amiosec), including those of the MoD (Stellex Captial Management/David Brown Santassio)
3. Guard the Secrets
Unsurprisingly, for sensitive sectors, the government is seeking to ensure that sensitive information remains protected. What is perhaps more surprising is that in many instances these remedies involve behavioral restrictions and/or structural safeguards through changes to the company’s governance rather than an outright prohibition. Importantly, these obligations are often imposed irrespective of whether the acquirer is from an allied nation or from China, and the restrictions tend to be imposed on the UK operations, typically the target.
Examples:
The menu of restrictions includes the following:
- Restrictions on sharing information with acquirers or related parties (China Power/XRE Alpha)
- Enhanced physical, technological, and data security measures to protect sensitive information and technology from unauthorized access (Epiris/Sepura)
- Appointment of Chief Information Security Officers (CISO) or similar roles with vetting clearance with oversight of infrastructure, data handling, and IT systems (TP Global/Truphone and Intelligent Safety Electronics/FireAngel)
- Security audits and protocols for data handling, IT equipment, and visitor access by government-approved auditors (Vodafone/Three)
4. Tell “Big Brother”
The government has imposed a variety of obligations to report to, or seek approval from, the government in advance of changes to the corporate structure, governance, and commercial relationships of the target, including asset transfers.
Examples:
- Reporting details of all new customers annually (Voyis Imaging/Southampton University)
- Advance notification to the government of asset transfers or changes to supply arrangements (Delin Ventures/Agile Analog)
- Advance notification to the government of board appointments or changes to shareholdings (BASF/Harbour Energy)
- Annual or event-driven reporting on compliance with security measures or contractual obligations (Siliconix/Neptune 6)
5. Whitehall in the Boardroom
One of the most significant themes or remedies is government-imposed changes to the governance of the target or the merged entity. Remedies frequently address governance by mandating changes to board composition, committee structures, and introducing requirements for personnel vetting.
Examples:
- Appointment of government observers to the board or government-appointed non-executive directors (EDF/GE Oil & Gas Marine)
- Requirements for UK security vetting clearance for board members and senior management (Future Industry Investment Fund/Nanjing Scientific Instruments)
- Establishment of National Security Committees or similar subcommittees to oversee sensitive work (Emirates Telecom/Vodafone)
- Removal of acquirer representatives from boards where necessary (Sichuan Development/Ligeance Aerospace)
What Does That Mean for Dealmaking?
Early strategy formulation remains critical. The UK NSIA process, unlike UK merger control, is not iterative. Key stages of the review are conducted in the dark without much or any interaction with the notifying parties: think CFIUS, just even more black box as there may be no questions or other interactions with the screening unit before a call-in.
Sometimes questions arise early after notification, but we have also seen call-ins without prior questions. Therefore, dealmakers need to proactively identify and assess any potential national security risks. Where such risks arise, there is an established roadmap for remedies that allows an assessment of potential outcomes and enables parties to gauge deal risks. This provides a certain level of predictability in an otherwise uncertain and unpredictable process.
In the UK, remedies will only be imposed after a call-in. The initial assessment takes 30 working days, plus a week to two weeks for confirmation that the filing is complete. Following a call-in, there is a binding timetable of another 30 working days, which can be extended by a further 45 working days. Moreover, the clock stops with every request for information and only restarts once the response has been confirmed to be sufficient. Hence, the timelines can be long in problematic deals.
Looking beyond the UK, where international deals involve multiple jurisdictions, remaining alert to potentially long and different review periods across different countries continues to be key. Flexibility for different speeds of reviews and for significant extensions where issues materialize needs to be factored into the overall process.
* Special thanks to our colleague, Joy Wee, for her significant case research.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Key Contacts
