This article was last updated on 17 November 2021
The UK's National Security and Investment Act 2021 has the potential to have a significant impact on transactions and investments in relation to UK companies and entities carrying on business in the UK. Our briefing, "Government powers to intervene in transactions on UK national security grounds", provides an overview of the Government's new "call-in" powers to reverse, block and impose remedies and sanctions in relation to investments that it considers a potential threat to national security. While the Act will not come fully into force until January 2022, the retroactive effect of the call-in power means that it may be advisable to seek clearance for investments already in progress. This makes understanding the guidance published to date and the scope of the regime in tech sectors all the more important. This article therefore considers the particular impact of the new regime on M&A and investments involving technology businesses.
Acquisitions of control or threshold interests in entities in 17 specified sectors will be subject to a mandatory notification regime, with a voluntary notification regime applying to other types of transactions. Key questions for participants in proposed transactions involving technology businesses will include whether the intended transaction falls within the mandatory notification regime and, regardless of whether the transaction is notifiable, how likely it is that the transaction will be "called in" for further scrutiny by the Government and ultimately subject to remedies or conditions.
Will the transaction be subject to the mandatory notification requirement?
The 17 sectors and activities within them that will be subject to the mandatory notification regime are specified in regulations, a draft of which was published on 20 July 2021 and which was approved by the House of Commons and House of Lords on 3 November 2021. The 17 sectors are: advanced materials; advanced robotics; artificial intelligence; civil nuclear; communications; computing hardware; critical suppliers to the government; cryptographic authentication; data infrastructure; defence; energy; military and dual-use; quantum technologies; satellite and space technologies; suppliers to the emergency services; synthetic biology (formerly known as engineering biology); and transport. On 15 November 2021, the Government published guidance to help businesses and investors determine whether an entity being acquired falls within one of the mandatory notification sectors.
Where an M&A or investment transaction is proposed, the participants will need to consider carefully the sector and activity definitions to analyse whether the mandatory notification regime might be triggered. A number of the defined sectors will be relevant to tech transactions, although the sectors and activities within those sectors are now more narrowly defined following consultation.
Taking the example of the Artificial Intelligence sector, "artificial intelligence" (AI) is defined in the regulations as technology enabling the programming or training of a device or software to: (a) perceive environments through the use of data; (b) interpret data using automated processing designed to approximate cognitive abilities; and (c) make recommendations, predictions or decisions, with a view to achieving a specific objective. Mandatory notification will only be triggered, however, where an entity either carries on research into AI or develops or produces goods, software or technology that use AI for one or more specified purposes. The purposes are: (a) the identification or tracking of objects, people or events; (b) advanced robotics; and (c) cyber security (each as defined in the regulations).
The AI sector definition was refined and narrowed following consultation and engagement with technical and policy experts. In particular, responses to the consultation suggested that the originally proposed definition of AI was too broad and required further specificity to provide reassurance to businesses and investors.
The Government's guidance published on 15 November notes that the AI sector definition will capture entities that do not necessarily identify as "AI companies". Whether an entity is focused solely on AI, or incorporates or develops AI as part of a wider approach to their sector or business, it is the specific work that is being undertaken that is most important to consider. The guidance notes that there are two steps to consider: (a) confirming the use of AI (i.e. does the entity carry on research into, or develop or produce goods, software or technology that use AI?); and (b) confirming the application of AI (i.e. is the AI work of the entity used for one of the following applications: identification or tracking, advanced robotics or cyber security?). If the answer is yes to both questions, a mandatory notification will be required to be submitted to the Government.
The definition of "Advanced robotics" was also refined in response to comments that the definition should be narrowed in scope to only companies developing the most advanced robotics. The definition now makes clear that autonomy is one of the core features of advanced security relevant to national security. The "characteristic of autonomy" is defined in the regulations by reference to the capability of the robotics of performing actions either independent of human control, or independent of human control but complemented by manual control, pre-programmed operations or control or control derived from other robotics or software control systems.
The Government's guidance published on 15 November gives examples of robotics that are within and outside the scope of the definition. For example, a mobile fruit picking robot equipped with AI, sensors and a new form of dextrous soft gripper, whose AI and sensors enable it to demonstrate a meaningful degree of autonomy, would be within scope. On the other hand, robotics that are widely available consumer goods including robotic toys and smart appliances, or consumers of advanced robotics who purchase "complete systems" or standalone devices or equipment and use them as they are intended (for example, to perform their farming, surveying or logistics operations) are outside the scope of the definition.
More generally, the regulations have now also clarified that a qualifying entity falls within the description of the 17 sectors only if it carries on the relevant activity in the United Kingdom.
How can technology deal participants assess the risk of a transaction being called in?
The Act does not define national security for the purposes of the new notification regimes or call-in power. The factors that the Secretary of State will take into account when deciding whether to exercise the call-in power are set out in a statutory statement known as the "Section 3 Statement". The Section 3 Statement is intended to assist entities and their advisers in understanding whether the acquisition is likely to be called in and to help them plan accordingly. Following consultation, the final text of the Section 3 Statement was published on 2 November 2021. While the Section 3 Statement does not define "national security", it does confirm that the call-in power is likely to be used where there may be a potential for immediate or future harm to UK national security. This includes risks to governmental and defence assets, such as "disruption or erosion of military advantage; the potential impact of a qualifying acquisition on the security of the UK’s critical infrastructure; and the need to prevent actors with hostile intentions towards the UK building defence or technological capabilities which may present a national security threat to the UK.".
The Section 3 Statement identifies three primary risk factors that the Secretary of State will consider when assessing the likelihood of a risk to national security being caused by a trigger event. There is the target risk (i.e. whether the entity or asset could be used in a way that raises a national security risk); the control risk (i.e. the amount of control being acquired) and the acquirer risk (i.e. the extent to which the acquirer possesses characteristics that suggest that there may be a risk to national security from the acquirer having control).
The Section 3 Statement makes clear that acquisitions within the 17 areas of the economy that are subject to mandatory notification (or which are closely linked to one of those sectors) are more likely to be called in for scrutiny.
Could the new regime discourage some technology-related M&A and investment?
To try to give some comfort to investors, the Section 3 Statement also emphasises that although trigger events across the whole economy are in the scope of the Act, the call-in power may only be used in respect of the small number of acquisitions that give rise to or may give rise to a risk to national security and says that the call-in power "will not be used to interfere arbitrarily with investment."
Some have speculated, however, that the new regime might discourage M&A and investment in relation to early-stage tech start-ups in sensitive sectors. The Act does not include minimum turnover and share of supply thresholds and so transactions of any size and in relation to any size of business can potentially be caught. While many transactions relating to tech start-ups will be unlikely to fall within the mandatory notification regime or be likely to be called in, time and resources will be required to determine whether a notification might be required and to navigate the call-in risk, including analysing detailed definitions of the mandatory sectors in relation to the potential transaction. Not all potential investors or acquirers may be prepared to commit those resources where there is uncertainty as to whether the investment in question is likely to be subject to the call-in power.
Tech sector investors and businesses should familiarise themselves with the mandatory sector definitions and the Government's accompanying guidance so that they can work with their advisers to undertake the necessary analysis in relation to each potential transaction. The Government has also made clear that even though the sector definition regulations have been finalised, the mandatory notification sectors will be kept under review, so that where a need arises to update the regulations due to emerging technology or newly identified national security risks, it will be possible to do this through further regulations.