Defence and security M&A – the National Security and Investment Act

The UK’s National Security and Investment Act 2021 (the “NSIA”) established the UK’s first independent regime for national security and foreign direct investment. This regime has been in full force since 4 January 2022 and empowers the UK government to review, impose conditions on, or even block deals that are considered to pose a national security risk.

As might be expected, the NSIA covers a large number of transactions in the defence space – 75% of all notifications the Cabinet Office received between April 2024-March 2025 were in the defence space (‘Defence’ and ‘Military and Dual Use’) according to the most recent NSIA Annual Report.

Acquisitions in the defence sector – mandatory notification requirements

A mandatory notification is required in any acquisition of:

• shares or voting rights in a ‘qualifying entity’ where the acquirer’s share is increased from 25% or less to over 25%, from 50% or less to over 50%, or from less than 75% to 75% or more; or
• voting rights that enable the acquirer to secure or prevent the passing of any class of resolution governing the affairs of the qualifying entity.

AND

The target is active in one of 17 specified sectors, which include Defence, activities on the export control lists or nuclear activities.

Transactions which do not meet the criteria for mandatory notification, e.g. sensitive IP, defence-related assets, can still be reviewed by the government as the Secretary of State has the power to call in transactions for review if he/she considers that the transaction may give rise to a national security risk. Further details on the call in process and voluntary notifications are set out here.

What type of activities are caught by the mandatory notification regime?

The Defence definition is very wide, capturing all contractors or subcontractors in a chain where goods or services are supplied for defence or national security purposes. This means it can capture a wide range of activities including non-defence activities, e.g. NSIA guidance refers to cleaning or catering activities, if supplied to the Ministry of Defence or to known suppliers of the Ministry of Defence. Single contracts or purchase orders can trigger the mandatory notification requirement; there is no minimum threshold.

The Military and Dual Use definition captures all activities on the UK and EU export control lists, which covers a wide range of activities including software and chemicals, as well as the more typical military activities.

The definition for Critical Suppliers to government captures direct contracts with public sector bodies where the contracts have specific characteristics, namely (i) holding information as part of the contract classified as SECRET or TOP SECRET in line with the Government Security Classification; (ii) a requirement to have Facility Security Clearance (formerly known as List X accreditation); or (iii) a requirement for employees of the target to be vetted at or above ‘Security Check’ level.

What impact can this have on the transaction?

There are serious penalties for non-compliance with the NSIA regime:

• Civil penalties can be imposed of up to 5% of worldwide turnover or £10 million, whichever is the greater.
• Directors can also be disqualified for up to 15 years.
• Criminal penalties for completing a transaction without clearance -if this is done with the consent or connivance of, or due to neglect on the part of, a director or officer of a company or entity, such an individual is also guilty of an offence. Fines can be imposed and individuals found guilty can be imprisoned for up to five years.
• Voiding automatically those transactions that should have been notified under the mandatory regime, but were not.

Additionally, a mandatory notification can make the transaction timetable longer. If a transaction is notified and accepted under the mandatory or voluntary regime, the government then has 30 working days from the day the notification is accepted (the ‘review period’) to decide whether it will:

• take no further action; or
• call in the acquisition for a national security risk assessment (at which point a further 30 working day assessment period would be triggered and which can be extended for a further 45 working days, and then voluntarily extended with the buyer’s permission.

Following a mandatory notification, the transaction cannot be completed until the Cabinet Office has completed its review and cleared the transaction. In our experience, even straightforward transactions are rarely cleared much earlier than the 30-working day limit, so it is essential to factor this timeline into your planning when structuring a deal.

Transactions in the defence space are particularly susceptible to a call in notices and remedies, with 36% of all call in notices issued between April 2024-March 2025 being related to the Defence Sector, followed by Military and Dual Use with 29% according to the most recent NSIA Annual Report. This is not surprising given many activities in this space will be highly sensitive and require further scrutiny from the government.

These sectors were also subject to the highest number of final orders – orders issued in relation to transactions requiring the parties to comply with certain conditions in order to obtain clearance, or prohibiting the transaction entirely.

What is the best way to mitigate these risks?

To avoid unnecessary delays and understand the risk of a call in:

• Check the target’s activities as early as possible for NSIA applicability, including in relation to all customers, products and services – this may be challenging given information security restrictions (these issues are further considered in our piece on due diligence in defence M&A).
• Confirm if any contract is with the UK Ministry of Defence, as a contract or sub contractor.
• Confirm if any product or service is on any export control list.
• If there is a Ministry of Defence change of control provision in any contract, ensure the NSIA process aligns in terms of timing and information provided to the Ministry of Defence for consistency of messaging.
• Confer with key government stakeholders where relevant in advance of an NSIA submission.
• Do not insert any classified information into the form when making a submission to the Cabinet Office.

How we can help

Burges Salmon has significant experience advising domestic and international investors, acquirers and sellers in the defence sector on the NSIA.

If you have any questions in relation to the issues raised in this article, please contact Chris Worrall or Shachi Nathdwarawala.

Please also find other articles in our mini series on defence, including the lay of the landscape; private capital in defence; and due diligence in defence M&A.