The UK Government has today published its response to the consultation on mandatory notification in specific sectors under the proposed new national security screening regime contained in the National Security and Investment Bill (NSI Bill). The NSI Bill is currently making its way through the House of Lords, and is expected to enter into force in autumn 2021.
A wide range of stakeholders had expressed concerns that many of the sector definitions originally proposed in the consultation document were drafted too broadly, and in many cases were not sufficiently specific to enable acquirers to identify whether a particular transaction would fall within scope of mandatory notification.
The Government has clearly taken these comments on board, and has now published revised definitions for each of the 17 sectors that represent a significant narrowing of scope in many areas.
We set out below a brief overview of the key changes made to each of the 17 sector definitions.
Important highlights include:
Artificial Intelligence (AI): significantly narrowed to focus on three higher-risk applications: the identification of objects, people and events; advanced robotics; and cyber security. This is intended to provide greater clarity for businesses and investors, reduce the burden on industry, and support the Government’s ambition to grow the UK AI economy.
Communications: narrowed to focus on public communications networks, services and associated facilities, with associated facilities being caught only if they are associated facilities by reference to a public electronic communications network or service which meets specified turnover thresholds. The Government has also indicated that it is actively considering a number of further amendments to this sector definition.
Quantum Technologies: the scope of entities covered has been tightened in response to concerns that the original definition would have covered the majority of transactions relating to this sector, including the academic research community and associated supply chain sectors. The revised definition is focussed on capturing entities that develop or produce a quantum technology product.
Synthetic Biology (formerly Engineering Biology): comprehensively revised to concentrate on synthetic biology, and tightened to make clearer the scope of entities covered. A number of activities are now also expressly excluded from the definition, including diagnostics (subject to certain exceptions), industrial biotechnology, the production of substances ordinarily consumed as food or used as feed, certain gene therapy, general services and cell therapy.
These revised definitions remain in draft form, and may be subject to further amendment prior to the NSI regime entering into force. The Government states in its response that it intends to carry out further, targeted engagements with the sectors to refine further the description of acquisitions that are subject to mandatory notification, prior to including the final definitions in notifiable acquisition regulations (which will take the form of secondary legislation).
The final sector definitions adopted in the regulations will also be kept under review, and may be updated in the future as needed, for example as the relevant technology evolves.
As detailed in our previous briefing, the NSI Bill sets out significant legislative reforms which will overhaul the review of transactions and investments on national security grounds in the UK, against a backdrop of tightening of foreign direct investment (FDI) regimes globally.
The proposed new screening regime includes the introduction of a mandatory notification obligation (and related standstill obligation prohibiting completion prior to clearance) in respect of certain transactions involving a target entity which carries on specified activities in the UK in one of 17 specified sectors:
- the acquisition of a shareholding/voting rights of 15% or more;
- an increase in existing shareholdings/voting rights which crosses the 25%, 50% or 75% thresholds; or
- the acquisition of voting rights that enable the acquirer/investor to secure or prevent (i.e. veto) the passage of any class of resolution governing the affairs of the entity.
Definitions of the 17 specified sectors intended to be subject to mandatory notification requirements were set out in a consultation document published alongside the NSI Bill, under the following headings: advanced materials; advanced robotics; artificial intelligence; civil nuclear; communications; computing hardware; critical suppliers to Government; critical suppliers to the emergency services; cryptographic authentication; data infrastructure; defence; energy; military or dual-use technologies; quantum technologies; satellite and space technologies; synthetic biology (formerly engineering biology); transport.
The consultation on the proposed definitions closed on 6 January 2021. The Government response published today states that 94 formal responses were received, from a wide range of investors, individual businesses, legal and advisory firms, trade associations and industry groups, academics and regulators. In addition, the Government held various meetings and roundtables to discuss the proposed sector definitions.
The Government emphasises in its response its commitment to a robust but proportionate regime. It has clearly taken on board concerns expressed by stakeholders that many of the originally proposed definitions were extremely broad in scope, and has accepted that further specificity is required to enable acquirers to identify whether they would be in scope of mandatory notification.
Summary of key changes made to each of the 17 specified sector definitions
The definition of advanced materials has been revised with the stated intention of striking a better balance between protecting critical UK technology advantage and allowing companies and their innovations to flourish and deliver non-defence products and services.
A number of specific revisions have been made to improve specificity and remove ambiguity in the original definition. For example:
- Some of the materials sectors which originally included several types of material have now been split into separate categories to make it easier to follow. For example, “engineering and technical polymers and ceramics” has been split into “engineering and technical polymers” and “engineering and technical ceramics”.
- The nanotechnology and graphene sections have been clarified, including cross-references to internationally accepted definitions of key terms.
- The definition of semiconductors has been updated, including removing ambiguity around defining a material which exceeds performance of existing technology.
- The scope of the photonics and optoelectronics section has been significantly narrowed, in particular in respect of the definition of lasers in scope.
- The reference to the British Geological Survey risk list of critical materials has been replaced with a bespoke list of strategic critical materials for UK defence.
- Several items have been removed to avoid duplication with the UK Strategic Export Control List.
The Government expressly rejected a suggestion to specify the defence or military applications of advanced materials in the definition, on the grounds that the defence or military applications for which advanced materials have the potential to be used cannot be shared for national security reasons, and materials applications will evolve more quickly than the definition.
The Government acknowledges in its response concerns raised by stakeholders that the original definition of advanced robotics risked placing a significant burden on the business community by capturing virtually any organisation developing, producing or using sophisticated machines.
Key changes made to the definition include:
- The characteristic of “autonomy” has been incorporated as a core feature of advanced robotics of relevance to national security, described with reference to the ability to sense, make decisions and act depending on their environment. However, the Government has rejected calls to include specific or minimum capabilities, benchmarks or thresholds for autonomy.
- A range of exclusions is now included, covering entities involved in areas such as consumer or toy robots, ‘smart’ household appliances (eg robotic vacuum cleaners), ‘basic (largely pre-programmed) industrial automation robots that are widely adopted in manufacturing production lines, and smart speakers or other devices that are not independently mobile.
- In relation to core components, the revised definition seeks to ensure that only those specifically within the supply chain of advanced robotics are captured.
The Government has rejected calls to remove AI as a mandatory sector on the basis that it is an underlying technology rather than a specific sector. It considers that risks arising from AI technologies will not be covered by the other mandatory sectors in the NSI regime, and the opportunity to use AI technologies positively across the UK economy depends on ensuring that sensitive applications of AI are protected from the risk of hostile actors intending to do harm to the UK.
However, in response to concerns that the original definition was drafted too broadly, the Government has refined the definition in a number of ways to improve clarity and narrow its scope:
- The revised definition focusses on three higher-risk applications: identification of objects, people and events; advanced robotics; and cyber security (noting that the Secretary of State may exercise his/her call-in powers in relation to qualifying transactions outside of these three applications).
- The definition has been redrafted to align with existing EU and OECD definitions, including removing the reference to “complex” tasks (although the reference to “cognitive tasks” has been maintained).
- It is now made clear that those who purchase products or licenses in relation to AI (for use but not for further development) are not covered by this definition.
Amendments to the definition of the civil nuclear sectors relate largely to clarifications in light of comments received from stakeholders. For example:
- Clarifying that it applies to all tenants of civil nuclear sites, regardless of the type or level of activity undertaken on the site.
- Clarifying that it applies to an entity that submits an application for a relevant Development Consent Order, after the point of application.
- Clarifying that the legislation applies at the point of investment and includes only “active” licence applications.
The Government has also confirmed that it will remain the case that holders of non-nuclear radioactive material are not included.
The definition of the communications sector generated a large number of comments, with a number of stakeholders expressing concerns that it was too broadly drafted.
The Government has responded by narrowing the definition in a number of ways:
- The revised definition focusses on public communication networks, services and associated facilities. The Government acknowledges in its response that the original definition was likely to capture many private networks that posed no national security risk, such as private networks used by taxi firms.
- In relation to “associated facilities”, the definition has been amended to clarify that relevant associated facilities are caught only if they are associated facilities by reference to a public electronic communications network or service. In addition, the network or service in question must now meet a specific threshold (currently defined by reference to turnover, but the Government is still considering whether to use an end user-based threshold instead).
- This means that landowners whose land hosts associated facilities (eg masts) or electronic communications networks are not intended to fall within the definition merely because they own the land (although landowners which also make available associated facilities – such as masts or buildings which house electronic communications apparatus – would be considered to fall within the definition).
- Specific categories of businesses caught by the definition are included in the interests of clarity: providers of submarine cable systems, cable landing stations, and the operators of essential services in the digital infrastructure subsector as set out in the Network and Information Systems Regulations 2018 (namely Top Level Domain Name Registries, Domain Name System Resolver and Authoritative Hosting services, and Internet Exchange Points).
The Government states in its response that it is actively considering further narrowing the supply chain definition, potentially listing the specific components of the supply chain that should be caught. It is also still considering a number of other issues, including: the application of the definition to landowners; the interplay between the definitions of the communications and data infrastructure sector definitions; the application of the turnover threshold to qualifying entities in the supply chain such as vendors and service providers; determining precisely what infrastructure should be classed as passive and active; and whether further critical sector private networks should be added to other sector definitions (in the same way that private networks used by the emergency services are currently captured).
Further amendments may therefore be made to the revised definition in due course.
The focus of the computing hardware definition remains preventing the loss of intellectual property within the supply chain to hostile actors. The revised definition therefore has not been amended to make reference to the end-product hardware itself or CPU wafers. However, the Government has clarified and narrowed the definition in a number of ways:
- A number of terms have been removed in response to feedback that they were unclear, including “functional capability” and “provides support”.
- The definition of “computing processing unit” has been clarified by the inclusion of six sub-terms, which include “central processing unit”, so as to reduce the risk that the terms used could be confused by businesses.
- A specific reference to “integrated circuits with the principal purpose of providing memory” has been included to address concerns that it was unclear whether they were intended to be included or not.
- The revised definition now also expressly refers to “architectural, logical and physical designs”.
The Government has rejected calls to exclude consumer products from the definition, given the possibility of unforeseen dual-use applications of computing hardware products. The Government has however expressed a willingness to continue to speak with industry as the definition is iterated and states that it welcomes further discussions going forward.
Critical suppliers to Government
Whilst the Government agreed with respondents to the consultation that the tender process and change of control provisions in contracts could be useful in this context, it has rejected calls to remove this sector from the scope of the mandatory notification obligation. However, it has narrowed the definition in a number of ways:
- The revised definition focusses on contracts which relate to handling of classified information or estates and their protection, as well as ensuring that contracts relating to the security of government networks and information systems, and the provision of manned guarding services, remain in scope.
- References to government property, fuel and energy supplies, and personal identifiable information have been removed.
- Sub-contractors are no longer included, so as to ensure a more proportionate approach.
Critical suppliers to the emergency services
The Government considers that it is essential that this sector is included within the scope of the mandatory notification obligation, as one of the most sensitive sectors. Whilst change of control and assignment clauses can be useful in this context, they are not sufficient on their own.
However, the Government has reflected on the comments made by stakeholders and narrowed the scope of this definition accordingly:
- The revised definition incorporates definitions for terms such as “operational”, “critical” and “IT infrastructure”, as well as suggestions on specific items that should be included, with the aim of refining and clarifying each category of goods.
- PPE has been removed from the definition (subject to further engagement with key operational partners), reflecting the fact that action could be taken in relation to PPE supply concerns under the existing public interest merger regime contained in the Enterprise Act 2002 (following the recent addition of a new public interest ground of “public health emergency”).
The Government has also recognised that further refinement of this definition is required, and has stated that it intends to continue to engage closely with operational partners and stakeholders with a view to producing a narrower definition. This will include further exploration of the suggestion of including materiality thresholds.
The Government has acknowledged that the original definition of the cryptographic sector was too broad, and covered a range of companies using cryptographic authentication technology for their consumer and commercial devices, software and services, which should not be in scope of the mandatory notification obligation under the NSI regime.
The definition has been revised in a number of ways with the aim of ensuring that only products which pose a national security risk are captured. In particular, the Government has clarified that:
- The definition is intended only to capture entities that research, develop or produce products whose primary function is authentication using cryptographic means, where these products are to be used in systems critical for national security (ie the company provides the technology to UK third parties, such as government, critical national infrastructure or strategic industries).
- Products and systems that are generally available to the public, and intended for use by the consumer, are not within scope.
The Government has narrowed the scope of the data infrastructure definition and also sought to improve consistency and reduce overlap between this definition and other sector definitions. In particular:
- The scope of relevant data has been revised so that entities are captured only if they have a direct contractual relationship with a critical sector entity to store, process or exchange that critical sector entity’s data.
- In addition, the number of mandatory sectors that are cross-referenced in this context as critical sector entities has been reduced from 17 to 7.
- Landowners and leaseholders have been removed as categories of entities captured by the definition.
- Physical and logical access have been separated, with more clearly defined terms, and a precise definition of “administrative access” has been added.
- The provision of security services to relevant data infrastructure has been removed.
The definition of the defence sector remains largely unchanged. The Government has rejected calls to expressly define “national security”, and confirmed that it is intentional that the definition could capture contractors or sub-contractors who are providing services such as catering or cleaning to defence or national security facilities. In the Government’s view, this is consistent with the policy intent since contracts that provide access to such facilities may give rise to potential national security risks.
The definition of the energy sector is the subject of further ongoing consideration by the Government. The response states that as it develops the final definition, the Government will:
- Provide a significantly more detailed breakdown of exactly what it and is not captured.
- Set out how thresholds will be measured and over what period.
- Clarify the use of MegaWatts in the generation thresholds.
- Continue to review the thresholds for oil infrastructure, with the threshold for the capacity of a downstream facility being revised from 20,000 tonnes to 50,000 tonnes.
- Review the electricity definitions to cover entities with a key role in overseeing or operating any part of the Great Britain electricity and gas markets.
The Government has also clarified that electricity suppliers (retail) are not included within the scope of the legislation. As such, all references to “supply” or “suppliers” have been removed in the revised sector definition.
Military and Dual-use Technologies
The Government has emphasised in its response the importance of ensuring that the Export Control Criteria cannot be circumvented by allowing the acquisition of companies that produce such goods, rather than buying the goods themselves, without effective screening. However, the revised definition addresses a number of points raised by stakeholders:
- Information within the public domain will not, on its own, trigger the notification obligation.
- The exemption for controls that only concern a single country has been removed (due to concerns around consistency).
- In response to concerns about the inclusion of entities who hold information capable of use with or improvement of restricted goods (who may not be aware that the information they hold is able to be used in that way), the Government has focussed the requirement on the technology controls already set out in the export control lists.
The Government has rejected the suggestion that dual-use items made for UK markets alone should not come within the mandatory notification regime.
The Government is continuing to work with experts in this sector to explore the potential for more detailed work to refine further the technology definitions included in the final regulations, for example by developing a limited list of essential supply chain components for quantum technologies or the use of performance thresholds. However, in the meantime it has narrowed the original definition such that:
- Only entities that develop or produce a quantum technology product (as defined in the technical descriptions) are included.
- Entities that only undertake research are now excluded from the mandatory notification obligation, as are entities that use quantum technologies to enable them to supply a service, and the broad range of supply chain companies.
- Technical terms have been reviewed and revised to ensure that the meaning is well understood and unambiguous. Specific changes include removing the phrase “suspensions of atoms or ions” from the definitions of quantum navigation, sensing and imaging, re-framing the definition of connectivity in light of concerns that the previous definition was too broad, and amending the definition of “quantum computing or simulation”.
Satellite and Space Technologies
The Government has narrowed the definition of satellite and space technologies with the intention of focussing only on those transactions that pose the greatest risk to national security. Key changes include:
- Removing several limbs of the original definition, including specialised telecommunications applications, provision of internet access by satellite infrastructure, space science and exploration activities.
- Adding more explicit references to the focus on national security, for example referring to the use of space-derived data for any military or national security purpose.
Synthetic Biology (formerly Engineering Biology)
The proposed definition of the engineering biology sector generated a large number of comments from stakeholders, with a common concern being that the overly broad nature of the original definition would capture all foreign investment in this sector, including the academic research community and associated supply chain sectors.
The Government has rejected calls to remove this sector entirely from the mandatory notification regime, noting that monitoring this rapidly developing and changing sector is almost impossible without the use of a mandatory regime. However, it has significantly revised the proposed definition:
- The revised definition focuses specifically on synthetic biology (and this sector has been re-named as a result). Indeed, the new definition contains new sections that expressly list activities that are in scope (including, for example, using microbes to template materials). Gene therapy is expressly in scope, except where it is used solely for the purpose of replacing missing or defective genes to restore phenotypes to achieve a therapeutic effect.
- A number of activities are now expressly excluded from the definition, including diagnostics (except the storage or ownership of sensitive human genetic information that enables individual identification), industrial biotechnology, the production of substances ordinarily consumed as food or used as feed, certain gene therapy (see above), general services and cell therapy (where cells are modified by genetic engineering and then introduced into a patient to treat disease).
A number of amendments and clarifications have been made in response to feedback from stakeholders. For example:
- References to “12 passengers” in the definition of specified activities relating to ports and harbours have been removed, as have Category 1 goods. Acquisitions of smaller ports will now be considered using the call-in power where appropriate.
- The use of “owns and operates” has been reviewed in relation to infrastructure within a port or harbour, and the Government has clarified that this is intended to capture only those companies that own and operate terminals, wharves, or other port-related infrastructure, not those that have parent companies across various sites. The use of “operates” is intended to refer to controlling the functioning of the port, harbour, terminal, wharf or other infrastructure.
- Further detailed definitions have been incorporated to avoid doubts as to the nature or ports and infrastructure which this sector definition is intended to capture.
- The Government has also clarified that ground handling operations at airports, and other operations which carry out some activities but do not have overall control or management of them, are not included within the definition of an airport operator.