The National Security and Investment Act: protecting UK assets and infrastructure

UK businesses, and in particular start-up companies, face a variety of security-related threats. In some cases, these threats have the potential not just to cause financial or reputational damage to the business concerned, but also to threaten the UK's national security. In order to protect UK assets and infrastructure from national security threats, the Government has enacted the National Security and Investment Act 2021, which came into force on 4 January 2022. Alongside this new legislative regime, the Centre for the Protection of National Infrastructure (CPNI) and the National Cyber Security Centre (NCSC), in their "Secure innovation" guide (May 2021), have aimed to identify for businesses a range of security threats to which they should be alert.

It is important that businesses both understand their obligations under this new legislation, especially when seeking new investors, and take appropriate steps to guard against threats they face generally in their day-to-day operations. In this piece, we explore some of the threats businesses face and how to tackle them; provide an overview of the UK's new national security regime; and put it in context with the global trend towards greater scrutiny of foreign investments.

A particular risk lies with start-up and scale-up companies, which play a critical role in the UK's economy. A report by Tech Nation, a Government-backed start-up network, found that the UK tech start-up and scale-up ecosystem was valued at $585bn in 2020 – 120% more than in 2017. Start-ups and scale-ups are not just critical from an economic perspective: analysis published in November 2021 by Dealroom for the UK's Digital Economy Council counted nearly 900 impact start-ups and scale-ups using technology such as artificial intelligence, deep tech, big data, and blockchain to develop next-generation solutions to global problems such as climate change, health and food insecurity.

A report by Singer Capital Markets and Beauhurst ranking the UK's most valuable growth companies by transaction-based valuations over the three years to August 2021 notes that technology firms lead the way, with 153 of the top 200 companies having some operations in the technology sector, and Fintech, AI and cybersecurity companies dominating the top 200. As of 2021, there were 1,300 AI companies based in the UK, compared with just 180 in 2011, according to a 2021 Tech Nation report.

Investment into UK tech businesses is at a record high and the trend looks set to continue. According to figures prepared for the Government's Digital Economy Council in December 2021, 2021 was UK tech's best year since 2014 in terms of investment. £29.4bn was raised by start-ups and scale-ups, up 2.3x from 2020's figure of £11.5 billion. It is expected that the UK's tech sector will continue to attract investment and continue to grow, as UK venture capital firms raised more money than ever before during 2021: £7bn. UK tech investment accounted for a third of the total £89.5 billion that flowed into the European tech ecosystem in 2021. The majority of the money coming into UK tech was from the US, with 37% of all funding coming from the States. Tech Nation's report notes that the UK is more attractive to international investors than ever, with 63% of investment into UK tech coming from overseas in 2020, up from 50% in 2016.

The UK is not alone in recognising the threats faced both by businesses and by countries to their national security. As we will see, while some jurisdictions have had in place legislation to provide for scrutiny of transactions on the basis of national security for some time, others have introduced new rules in this area relatively recently.

The need to protect businesses and the security of the UK as a whole

Given that the UK's status as both a hub for emerging technology businesses and a magnet for international investment brings both opportunities and threats, the Government's view is that robust rules are needed to protect the UK's national security and that that will in turn protect the interests of the businesses themselves.

Historically, the Government's powers to intervene to block transactions on public interest grounds were limited to powers within the merger control regime under the Enterprise Act. This meant only transactions of a certain size (until recently requiring target revenues of £70m or a combined market share of 25% or more) created the potential for intervention. Even then, the fairly narrow test of potential harm to national security gave the Government no powers to protect key national infrastructure or to prevent companies developing critical technologies from falling into the wrong hands. Increasingly the Government considered these powers inadequate, even though in the last few years the relevant merger control revenue thresholds were reduced for certain industries. The introduction of the Act creates a regime entirely separate from merger control for the purposes of controlling investments in what are regarded as key industries. The approach mirrors the approach being taken in many countries around the world (see below) and effectively brings the Government's powers into line with those of its closest allies.

The new national security regime

The National Security and Investment Act (the Act) establishes a new statutory regime giving powers to the Government to scrutinise and intervene in business transactions to protect national security. A dedicated Investment Security Unit (ISU) in the Department for Business, Energy and Industrial Strategy is responsible for assessing transactions that fall within the Act's scope. The analysis carried out by this body is separate from any merger control analysis undertaken by the Competition and Markets Authority (CMA) to assess the impact on competition. Previously, the CMA had been involved in assisting the Secretary of State for Business, Energy and Industrial Strategy to undertake its assessment of public interest concerns.

The Act provides for a hybrid notification system: mandatory notification obligations that will attach to certain transactions in specified sectors; and voluntary notifications available for other transactions that otherwise might be capable of being "called in" by the Secretary of State where the Government reasonably suspects that the transaction is a qualifying acquisition that has given rise to, or may give rise to, a risk to national security.

The Act's "call-in" mechanism enables the Government to review a transaction at any time while the transaction is in progress or contemplation, or within six months of the Secretary of State becoming aware of a completed transaction (for up to five years post-completion). The five year limit does not apply where there has been a failure to notify a transaction required to be notified under the mandatory regime. The call-in power operates retroactively so that in-scope transactions completed on or after 12 November 2020 can be reviewed.

A key role for the ISU will be market monitoring to ensure that deals that should have been notified are identified and called in. In addition, information-sharing provisions between UK public authorities (including the CMA) and other allied foreign agencies have been relaxed to allow relevant information and intelligence to be exchanged.

Scope of the regime

For transactions to come within either the Act's mandatory or voluntary notification regimes, a "trigger event" must take place. Each trigger event involves a person acquiring control over either a "qualifying entity" or a "qualifying asset".

"Qualifying entity" is broadly defined and the Act therefore applies to a wide range of entities (whether or not having legal personality), including not just companies and LLPs but also UK partnerships, unincorporated associations and trusts. Entities formed or recognised outside the UK are capable of constituting a qualifying entity if they carry on activities in the UK, or supply goods or services to persons in the UK.

A person will acquire control over a qualifying entity where the person acquires a right or interest which:

  • reaches or crosses certain thresholds (25%; 50%; and 75% of votes or shares) in an entity;

  • is a voting right that enables the person to secure or prevent the passage of any class of resolution governing the affairs of the entity; or

  • enables the person to materially influence the policy of the entity.

The Act treats reorganisations in the same way as other transactions and expressly captures situations where, for example, an ultimate parent company holds an interest indirectly through a wholly-owned subsidiary and decides to transfer the interest to itself so that it is held directly.

"Qualifying assets" comprise land; tangible moveable property; and ideas, information or techniques which have industrial, commercial or other economic value, and which are used in connection with either activities carried on in the UK, or the supply of goods or services to persons in the UK. Land or moveable property located outside the UK will be a qualifying asset if it is used in connection with activities carried on in the UK, or the supply of goods or services to persons in the UK.

A trigger event will occur in relation to a qualifying asset where there is an acquisition of a right or interest in (or in relation to) an asset which gives the acquirer the ability to use the asset (or use it to a greater extent) or to direct or control how the asset is used (or direct or control how the asset is used to a greater extent than prior to the acquisition).

Mandatory and voluntary notifications

The Act's mandatory notification regime obliges proposed acquirers of shares or voting rights (exceeding the thresholds described above) in qualifying entities undertaking specified activities in the UK in certain high-risk sectors of the economy to obtain approval from the Secretary of State before the acquisition is completed. A mandatorily notifiable transaction that is completed without being approved by the Secretary of State will be void and of no legal effect, although the Act does include a mechanism enabling the Secretary of State retrospectively to validate non-approved notifiable transactions in certain circumstances.

Where the proposed transaction does not fall within the mandatory notification regime, parties are encouraged to notify a "trigger event" voluntarily where they consider that it may raise national security concerns. When assessing whether a voluntary notification should be made, the parties to a transaction will need to refer to the "Section 3 Statement" (discussed further below), which sets out how the Secretary of State expects to exercise the call-in power under the Act. If a voluntary notification is not made, the relevant trigger event can still be implemented, but the Secretary of State will have the power to call in a non-notified trigger event within six months of becoming aware of it, provided this takes place within five years of the trigger event.

High risk sectors

The sectors that are relevant to the mandatory notification regime are:

  • Advanced materials
  • Advanced robotics
  • Artificial intelligence
  • Civil nuclear
  • Communications
  • Computing hardware
  • Critical suppliers to the government
  • Cryptographic authentication
  • Data infrastructure
  • Defence
  • Energy
  • Military and dual-use
  • Quantum technologies
  • Satellite and space technologies
  • Suppliers to the emergency services
  • Synthetic biology
  • Transport

The definitions of the relevant sectors, and the particular activities within them, that are caught by the mandatory notification regime are specified in secondary legislation, with Government guidance available to help businesses and investors determine whether an entity being acquired falls within the mandatory notification regime.

Participants in M&A or investment transactions will need to consider carefully the definitions of the activities within the mandatory notification regime's 17 sectors in the context of their transaction. In relation to tech transactions, for example, a number of the sectors could be potentially relevant. It is important to bear in mind, however, that the definitions were narrowed following Government consultation with technical and policy experts, so that only specific types of activity within each sector are caught. This should go some way to providing reassurance to businesses and investors.

Taking the example of the Artificial Intelligence sector, "artificial intelligence" (AI) is defined as technology enabling the programming or training of a device or software to: (a) perceive environments through the use of data; (b) interpret data using automated processing designed to approximate cognitive abilities; and (c) make recommendations, predictions or decisions, with a view to achieving a specific objective. Mandatory notification will only be triggered, however, where an entity either carries on research into AI or develops or produces goods, software or technology that use AI for one or more specified purposes. The purposes are: (a) the identification or tracking of objects, people or events; (b) advanced robotics; and (c) cyber security.

The Government guidance notes that the AI sector definition will capture entities that do not necessarily identify as "AI companies". Whether an entity is focused solely on AI, or incorporates or develops AI as part of a wider approach to their sector or business, it is the specific work that is being undertaken that is most important to consider.

The definition of "Advanced robotics" was also refined by the Government in response to comments that the definition should be narrowed in scope to only include companies developing the most advanced robotics. The definition now makes clear that autonomy is one of the core features of advanced robotics relevant to national security. The "characteristic of autonomy" is defined in the regulations by reference to the capability of the robotics to perform actions either independent of human control, or independent of human control but complemented by manual control, pre-programmed operations or control or control derived from other robotics or software control systems.

The Government guidance gives examples of robotics that are within and outside the scope of the definition. For example, a mobile fruit picking robot equipped with AI, sensors and a new form of dextrous soft gripper, whose AI and sensors enable it to demonstrate a meaningful degree of autonomy, would be within scope. On the other hand, robotics that are widely available consumer goods such as robotic toys and smart appliances, or consumers of advanced robotics who purchase "complete systems" or standalone devices or equipment and use them as they are intended (for example, to perform their farming, surveying or logistics operations) are outside the scope of the definition.

What is "national security" and when are transactions likely to be called in?

The Act does not define national security for the purposes of the notification regimes or the Government's call-in power. The factors that the Secretary of State will take into account when deciding whether to exercise the call-in power are set out in a statutory statement known as the "Section 3 Statement". The Section 3 Statement is intended to assist entities and their advisers in understanding whether the acquisition is likely to be called in and to help them plan accordingly. While the Section 3 Statement does not define "national security", it does confirm that the call-in power is likely to be used where there may be a potential for immediate or future harm to UK national security. This includes risks to governmental and defence assets, such as "disruption or erosion of military advantage; the potential impact of a qualifying acquisition on the security of the UK’s critical infrastructure; and the need to prevent actors with hostile intentions towards the UK building defence or technological capabilities which may present a national security threat to the UK."

The Section 3 Statement identifies three primary risk factors that the Secretary of State will consider when assessing the likelihood of a risk to national security being caused by a trigger event. These are the target risk, the control risk and the acquirer risk.

  • Target risk – this refers to whether the entity or asset could be used in a way that raises a national security risk. The way in which the target is used or may be used is most likely to pose a threat to national security where the trigger event involves the acquisition of a qualifying entity that is active in any of the 17 areas of the economy that are within the scope of the mandatory regime (or which are closely linked to one of those sectors).
  • Control risk – this refers to the amount of control that the acquirer gains either of an entity's operational business or future strategy, or over an asset, which includes controlling or directing the asset's use, as well as using it. A large amount of control may increase the possibility of a target being used to harm national security.
  • Acquirer risk – this is the extent to which the acquirer possesses characteristics that suggest that there may be a risk to national security from the acquirer having control. When assessing the level of risk the acquirer may pose, the acquirer's sectors of activity and technological capabilities are likely to be considered, along with any links to entities which may seek to undermine or threaten the UK's national security.

The statement confirms that the Secretary of State expects that, when calling in an acquisition, all three risk factors will be present, but does not rule out calling in an acquisition on the basis of fewer risk factors.

Trigger events will be assessed on a case-by-case basis, having regard to the three risk factors. The Section 3 Statement makes clear that acquisitions within the 17 areas of the economy that are subject to mandatory notification (or which are closely linked to one of those sectors) are more likely to be called in for scrutiny. The Statement also indicates that the Secretary of State expects to call in asset acquisitions rarely compared to acquisitions of entities.

Process and potential outcomes

The Act provides that where a proactive notification is made (either mandatory or voluntary), the Government has 30 working days to issue a "call-in" notice. Where a "call-in" notice is issued (including for non-notified transactions), the Government will have 30 working days to assess the transaction, which is extendable by an additional 45 working days if the Government reasonably believes that the investment poses a risk to national security. Beyond 75 working days, an additional period may be agreed upon between the Government and the acquirer.

Of those transactions that are notified, Government expects that fewer than 10% will face a detailed national security assessment. Most transactions should be cleared quickly.

Detailed assessments will take full account of the range of security risks of investment into the UK. The Government expects only a small proportion of such assessments will result in Government intervention being required.  Only time will tell whether this new regime actually results in deals being blocked that might otherwise have been allowed to proceed.

Impact on transaction documents

If an acquisition is subject to mandatory notification, the share purchase agreement will need to reflect the fact that the acquisition cannot be completed until the transaction has been authorised by the Secretary of State. From a deal certainty perspective, it may also be appropriate to include conditions in cases either where mandatory notification is not required but the parties determine that a voluntary notification should be made or where neither a mandatory nor a voluntary notification will be made. In the latter case, completion might be conditional, for example, on no call-in notice having been issued before completion.

Any conditions will need to be tailored carefully to the circumstances of the transaction and to make sure that the share purchase agreement reflects the outcomes that are acceptable to the parties.

Remedies and sanctions

Following a national security assessment, the Government could decide to approve the transaction, approve the transaction subject to conditions, or prohibit the transaction (or order the transaction to be unwound if already implemented). Possible conditions include altering the number of shares an investor is allowed to acquire, restricting access to commercial information, or controlling access to certain operational sites or works. The Government expects to impose conditions, or unwind or block transactions rarely and that the vast majority of deals will be able to proceed without delay.

There are sanctions for non-compliance with the regime, which include fines of up to 5% of worldwide turnover or £10 million – whichever is greater – and imprisonment of up to five years. These serious sanctions are intended to ensure compliance with the new regime and to avoid buyers/investors "taking a view" on the risk of not making a filing.

The Government's approach to imposing sanctions on parties in breach will undoubtedly influence the degree of compliance and if large fines are imposed this will send a clear message to the business and investor community.

Interplay with other regulatory requirements

As mentioned above, the analysis carried out by the ISU under the Act is separate from any merger control analysis undertaken by the CMA to assess the impact on competition. The new national security regime sits alongside other existing regulatory requirements and does not change the requirements that already apply. These include, for example, the UK Takeover Code, which is administered by the Takeover Panel and applies to publicly traded companies and certain other public and private companies. The Code provides a framework to allow acquirers awaiting a decision under the Act to suspend or pause the offer timetable prescribed by the Code.

The Act is also not intended to prevent persons complying with any statutory obligations imposed on them by the Financial Conduct Authority or the Prudential Regulation Authority. As the Government's guidance acknowledges, there may be acquisitions that require consideration by multiple bodies and interactions with other regulators may need to be managed as appropriate.  For example, acquisitions involving communications will often require the consent of Ofcom under the Communications Act (in addition to a filing under the Act).

Security threats that all companies, and start-ups in particular, face

While the UK's strength in innovative areas of tech and its proliferation of tech start-ups in particular are to be celebrated, these segments of the economy are associated with certain risks. All businesses face a range of security-related threats but UK tech businesses and start-ups, given the potential to exploit new technology and the attractiveness of these businesses to international investors, are particularly vulnerable to certain types of threat.

The CPNI and NCSC's "Secure innovation" guide identifies some types of threats that all businesses should consider. These include, at one end of the spectrum, economic and state-sponsored espionage. Hostile actors may exploit an investment or relationship that a business has with a private company or individual to carry out espionage or obtain access to sensitive information. This could take the form of either industrial espionage conducted by foreign commercial competitors or state-sponsored espionage in support of a state’s economic development plans or national security objectives. It is important to note that espionage is not the only threat businesses face: there is also the threat of competitors seeking commercial advantage in circumstances where those competitors are supported by, and have access to the resources of, state actors. State support for competitor businesses, with a view to gaining commercial, technological or military advantages, can result in those UK tech businesses suffering from unequal competition. While businesses should be alive to these risks, any security measures to tackle them will need to be proportionate for that business, recognising that all businesses have competing priorities and start-ups in particular will have limited resources. With that said, putting in place appropriate security measures is likely to have wider benefits for the business, beyond protecting against hostile actors: not least the fact that good security is likely to protect the efforts the founders have made so far in establishing the business and to help secure the business's financial future.

Start-up companies, no matter how small, face the same threats that all companies do. Indeed, start-ups can often be more vulnerable, given their security measures may not yet have had a chance to mature. A company's security requirements can, however, change as it grows and UK companies working in emerging technologies are likely to be a particularly attractive target to a wider range of threats. CPNI and NCSC's "Secure innovation" guide stresses the importance of addressing security risks early in a business's life cycle, even where start-ups have limited resources, given that good security can protect competitive advantage and ultimately make the company more attractive to investors and customers.

Good governance at an early stage in a start-up's journey plays a key role in developing awareness of risks to its business and putting in place measures to deal with those risks. CPNI and NCSC recommend "leading from the top" by identifying a security lead at Board level, to ensure that security is factored into business decisions from the start. Businesses should also aim to develop a positive security culture through ongoing dialogue. These conversations will help develop a common understanding of what the business's most valuable assets are and what individuals' security responsibilities are.

The key steps for a start-up in protecting its value early on include identifying its most valuable assets, assessing security risks and mitigations and applying for appropriate intellectual property (IP) protections for the jurisdictions in which the business will operate. Even with legal protections in place for IP, a start-up will still need to review continuously who has access to its most sensitive information and how to ensure it remains secret. The "Secure innovation" guide also contains practical guidance on how to build security into the business's environment (by controlling access to information and assets) and build in basic security when setting up the business's IT.

With the risks of hostile investment in mind, due diligence issues that an emerging business should consider when it comes to assessing proposed investors include the investor's reputation and trustworthiness, the source of their funds, any unexpected commercial, political or military links they may have and any implications of the legal regime to which they are subject. In some regimes, for example, overseas investors could be compelled to release information or cooperate with their state. Resources that can help businesses determine whether a potential investor will be suitable include the US export entity control list; the UN sanctions list; and the UK Government trade restrictions on export.

CPNI's Secure innovation guide highlights that, while international collaboration can be very beneficial when developing cutting-edge technology, it also heightens the security risks for companies. Some foreign states may seek technological advancement for reasons that are at odds with UK interests and values. These could include developing a research and innovation base to increase military and technological advantage over other countries or deploying their technological and military advantages against their own population to prevent internal dissent or political opposition. The increased risk presented by collaboration can be managed by determining what data is appropriate to share and implementing measures to limit access to just that data, keeping sensitive systems independent from those accessible to the wider organisation and any external parties, and taking steps to ensure that collaborative partners are handling any sensitive data appropriately and securely.

When a start-up is small, its founders may rely primarily on personal relationships to ensure trust. As the workforce grows, however, this is unlikely to be sustainable and the importance of fostering a positive security culture comes to the fore. The "Secure innovation" guide gives practical tips for these purposes, including maintaining a positive security culture through strong communication, establishing a security training package for staff, identifying and supporting roles exposed to higher risks and putting in place a pre-employment screening process for all recruits.

A security threat that poses a particular risk to early stage companies is the risk of initial investment being used as a way of slowly gaining undue influence and access to an asset or an organisation in order to steer future decision-making. Hostile actors may influence foreign companies to take or threaten decisions which run counter to national interests, or use the assets of the relevant business (including for example intellectual property or trade secrets) to their own advantage.

Hostile investment could potentially damage both the business of the company into which the investment is made and also the UK's national security. Through access to non-public information, hostile investors could cause both serious financial damage and reputational damage to the company's business. This could be done, for example, by using the company's technological and military capabilities in a manner incompatible with the business's original intentions or values, such as to expand social control and limit individual freedoms. At a UK national security level, hostile actors who are backed by a foreign state whose aims may be at odds with UK interests may exploit investment, for example, to develop a research and innovation foothold to increase military and technological advantage over the UK and other countries or to position themselves in an area of the UK's critical infrastructure which they could use to their advantage.

A global perspective on foreign investment rules

The UK has prided itself on being "open for business" and agnostic as to the source of funds or residence of investors. Investment brings jobs and enables UK companies to compete more vigorously on the international stage. Levels of inward investment have always been regarded as a bellwether for an economy's attractiveness to foreign investors and, by definition, as a sign that the country is a better place to do business than alternative countries.

That said, there is increasingly a balance to be made between welcoming investment and avoiding the politically and commercially unsatisfactory situation of having key infrastructure and assets (tangible and intangible) in the hands of non-UK owners. In many countries, the balance has been on the side of protectionism.  By way of example, the USA, Canada and Australia have had foreign investment rules in place for many years.

The Committee on Foreign Investment in the United States (CFIUS) was established by President Ford in 1975 to review foreign investments in the USA. Chaired by the US Secretary of the Treasury, CFIUS includes representatives from 16 U.S. departments and agencies, including the Defense, State and Commerce departments, as well as the Department of Homeland Security. Although initially a fact-gathering body, in 1988 its powers were extended by the Exon–Florio Amendment, which empowered CFIUS to reject deals.

In Canada, the Foreign Investment Review Agency was first established in 1973 to review foreign investment and establishment in Canada. This was replaced in 1985 by Investment Canada. Above certain monetary thresholds (currently C$1 billion), the Canadian Government is entitled to review investments to decide if they are of "net benefit" to Canada and, if necessary, such investment can be blocked.

In Australia, the Foreign Investment Review Board is a non-statutory body which was established in 1976 to advise the Treasurer and the Government on Australia's Foreign Investment Policy and its administration. The Board's functions are advisory only and actual decisions are taken by the Treasurer.

Many other countries are now following suit by seeking to introduce rules that protect national assets and interests from investors with an actual or potential hostile intent.

Increased foreign investment scrutiny across the EU

More recently the EU has sought to legislate to monitor more closely - from a political as opposed to purely statistical basis - the level and nature of foreign investment into EU companies.  Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 (the Regulation) establishes a framework for the screening of foreign direct investments into the Union, and came into force in October 2020.

The Regulation does not mandate the EU to block foreign investments but creates a mechanism for information-sharing between Member States and the Commission, and raises the minimum requirements by which national screening mechanisms should operate.

Currently only three Member States have no plans for formal screening mechanisms: Bulgaria, Cyprus and Croatia.  Over time, as a result of pressure from the EU, they too are likely to introduce rules for screening specified foreign investments.

The two most important jurisdictions for investors into the EU are arguably Germany and the Netherlands. A summary of those regimes follows below:

Germany enhanced its foreign investment rules in October 2020, and is currently considering a new amendment that would broaden the number of covered sectors. German law screens two types of transaction: sector-specific and cross-sectoral. Sector-specific filings are required for transactions involving defence or IT security, whereas cross-sectoral filings are required for transactions involving companies in critical infrastructure. Critical infrastructure includes the following sectors: health, energy, information technology, telecommunications, transportation, health, water and food supply, finance, and insurance.

Under the German regime, where a non-EU foreign investor agrees to purchase 10% or more in the relevant company, the investor must notify the German Ministry for Economic Affairs and Energy. Following the notification, the Ministry has two months to start an investigation, otherwise the transaction is considered cleared. If an investigation is triggered, the Ministry has four months to discern whether the relevant transaction is “likely to affect” public order or security of Germany or another EU member state.

Germany is assessing a new amendment to further expand the number of investments that would be required to undergo review. This would extend the scope of what is included in “critical infrastructure,” adding 16 further sectors to the current list of 11 subject to cross-sectoral examination. These additional 16 activities include critical technologies such as AI, quantum, autonomous vehicles, semiconductors, and aerospace. The amendment also proposes expanding the defence-related sector-specific review to include investments in “companies that develop, manufacture, or are in possession of goods that are contained in the Export List or fall into the scope of classified IP rights.”

The Netherlands has been a significant recipient of foreign investment, receiving an inflow of $84 billion, making it the third largest recipient behind the U.S. and China in 2019. Like the UK, the Netherlands has traditionally supported an open door policy to foreign investment. As is the case in the UK, however, that is changing.

The Netherlands' Economy and National Security Screening Act requires transactions to be filed where either: (a) the transactions are considered to be of interest for the continuity and resilience of vital processes; or (b) the target is active in the field of sensitive technologies. A transaction needs to bring about a change of control, which is defined as the ability to exercise decisive influence over business activities, or significant acquisitions. The Act introduces a mandatory filing regime and until clearance is accepted the transaction is not valid. If the Minister finds that the transaction poses a threat to national security, he or she has the right to block the transaction. Notably, the Minister is also permitted to re-evaluate the transaction even after it is cleared if new information arises or circumstances substantially change.

Across the EU, Member States have taken and are taking steps towards greater scrutiny and control of foreign investment. By expanding the list of sectors subject to review – effectively looking at “critical infrastructure” rather than just national security and defence issues – and by expanding the types of transaction and rigour of the screening process, European countries, including the UK, are now much more closely aligned with the US CFIUS regime. Political control over foreign investment is seen as no less valid and important than the competition law policies that have traditionally applied (what is usually a purely economic test) to the assessment of foreign investments.

Were the Commission to move from merely setting standards to actually enforcing an EU-wide regime for foreign investment, this would dramatically alter the global framework for foreign investment and potentially result in a reduction in certain foreign investor activity in Europe.

Taking steps to ensure a secure future

The introduction of the UK's new national security regime is a significant development in UK law applicable to acquisitions and investments. Potential acquirers, investors and other parties to UK acquisitions and investments should familiarise themselves with the Government's guidance on the Act and take advice in the context of any potential transaction. The potential consequences of failing to file where required are severe.

UK businesses should consider not just the potential application of the Act, but the potential risks of investment generally as well as the wider security threats that all companies face. A helpful starting point is the set of recommendations in CPNI's Secure innovation guide.
