
Due Diligence Under the National Security and Investment Act 2021

Why This Matters to You

If your organisation acquires businesses, invests in companies, licenses technology or restructures corporate entities with any connection to the United Kingdom, the National Security and Investment Act 2021 (NSI Act) applies to you. It does not matter whether you are a UK investor or a foreign one. There are no turnover thresholds, no deal-size exemptions and no safe harbours based on nationality. Since 4 January 2022, this Act has given the UK government the power to scrutinise, impose conditions on or block transactions across every sector of the economy.


The consequences of getting it wrong are severe. A transaction completed without required notification is legally void. Civil penalties reach up to 5% of global turnover or £10 million, whichever is greater. Criminal sanctions include imprisonment for up to five years. The government can call in a transaction for review up to five years after completion.


Yet the NSI Act is not designed to obstruct investment. The vast majority of notified transactions are cleared without conditions. The Act exists to identify and manage the small number of transactions that pose genuine risks to national security. Organisations that conduct effective due diligence, engage early with government and structure transactions intelligently will find the regime manageable and predictable. This guidance note provides a step-by-step framework for conducting that due diligence. It is written for executives, board members and senior decision-makers who need to understand what the Act requires, what good practice looks like and how to build national security awareness into commercial processes.


This document does not constitute legal advice. Organisations should obtain professional legal counsel on specific transactions.


The NSI Act in Brief: What Executives Need to Know



How the Regime Works


The NSI Act operates through three mechanisms:


•       Mandatory notification. A mandatory notification regime requiring pre-completion approval for acquisitions exceeding specified shareholding thresholds (25%, 50% or 75%) in entities carrying out activities within 17 designated sectors.

•       Voluntary notification. A voluntary notification regime enabling parties to seek clearance for transactions outside mandatory notification that may nonetheless raise national security concerns.

•       Call-in power. A call-in power enabling the Secretary of State to review any qualifying acquisition, in any sector, within six months of becoming aware of it, subject to a five-year longstop from completion.


The Investment Security Unit (ISU) within the Cabinet Office administers the regime. Upon accepting a mandatory notification, the Secretary of State has 30 working days to screen the transaction and decide whether to clear it or call it in for a full assessment. If called in, a further 30 working days apply, extendable by 45 working days. The government may also stop the clock with information requests.


The 17 Mandatory Sectors

Mandatory notification applies to entities with specified activities in these sectors:

| Sector | Sector |
|---|---|
| Advanced Materials | Data Infrastructure |
| Advanced Robotics | Defence |
| Artificial Intelligence | Energy |
| Civil Nuclear | Military and Dual-Use |
| Communications | Quantum Technologies |
| Computing Hardware | Satellite and Space Technologies |
| Critical Suppliers to Government | Synthetic Biology |
| Critical Suppliers to Emergency Services | Transport |
| Cryptographic Authentication | |

The sector definitions are detailed and technical. An entity may fall within multiple sectors simultaneously. Do not assume your activities are out of scope without careful analysis. When in doubt, seek specialist advice.


What Triggers a Notification

A notifiable acquisition arises when a person gains a right or interest in a qualifying entity that crosses a specified threshold. Trigger events are not limited to outright purchases. They include share issues, intra-group transfers, enforcement of share security, amendments to shareholder agreements and any restructuring that alters voting control. The regime also covers acquisitions of assets (including intellectual property and land) under the voluntary notification pathway, though these are not subject to mandatory notification.


This article provides executives with a structured, step-by-step framework for conducting effective due diligence under the National Security and Investment Act 2021, covering intelligence gathering, security risk management and organisational readiness to ensure compliance, protect transactions and turn regulatory obligation into competitive advantage.

 

Part One: Intelligence Gathering

Effective due diligence under the NSI Act begins with intelligence gathering. This is the systematic collection, analysis and assessment of information that enables your organisation to determine whether a transaction engages the Act, whether it is likely to raise national security concerns and how those concerns might be addressed. The following steps provide a structured methodology.


Step 1: Map the Target’s Activities Against the 17 Sectors

Begin by establishing whether the target entity’s activities fall within one or more mandatory sectors. This is not a superficial exercise. It requires detailed examination of:

▸    The entity’s core commercial activities, including all revenue-generating operations.

▸    Research and development programmes, including those at early or speculative stages.

▸    Adjacent activities that may not form part of the primary business but could fall within a sector definition (for example, a logistics company that also operates data infrastructure).

▸    Intellectual property portfolios, including patents, trade secrets and proprietary algorithms.

▸    Data holdings that may have national security relevance, particularly datasets relating to critical infrastructure, government operations or large-scale personal data.


Executive action: Appoint a named individual to lead the sector mapping exercise for every transaction. Require written confirmation that all activities, including peripheral ones, have been assessed against the 17 sector definitions.


Step 2: Analyse the Supply Chain and Customer Base

The NSI Act’s scope extends to entities that supply goods or services into the UK, meaning that supply chain relationships can bring an entity within scope even where its primary operations are overseas. Your intelligence gathering should establish:

▸    Whether the target supplies government departments, defence contractors, intelligence agencies or critical national infrastructure operators.

▸    Whether the target’s products or services form part of a supply chain with national security implications, even if the target itself does not operate in a mandatory sector.

▸    Who benefits from the target’s outputs downstream. A company manufacturing specialist components may not itself raise concerns, but its role in a sensitive supply chain may do so.

▸    Whether the target holds government security clearances, classified contracts or is subject to export control obligations.


Executive action: Require your corporate development team to include supply chain and customer sensitivity analysis as a standard deliverable in every transaction information memorandum.


Step 3: Profile the Acquirer

The Secretary of State considers acquirer risk as a central factor in national security assessments. Even where you are the acquirer, your counterparty (whether a co-investor, joint venture partner or vendor with retained interests) should be assessed. Where you are the target or seller, profiling the acquirer is essential to anticipate government scrutiny.


The intelligence gathering should establish:

▸    The ultimate beneficial ownership of the acquiring entity, traced through all intermediate holding structures, nominee arrangements and fund vehicles.

▸    Whether any state-owned or state-influenced entities sit within the ownership chain.

▸    The acquirer’s relationships with foreign governments, military or intelligence organisations.

▸    Whether the acquirer, its principals or its affiliates appear on sanctions lists, export control restricted party lists or have been subject to adverse regulatory findings in any jurisdiction.

▸    The acquirer’s track record in comparable transactions, including any previous NSI Act notifications, CFIUS reviews (in the United States) or equivalent proceedings in other jurisdictions.


Executive action: Mandate enhanced due diligence on all counterparties using sanctions screening, corporate registry searches, open source intelligence and, where warranted, specialist investigative providers. Do not accept opaque ownership structures without explanation.


Step 4: Assess Technology and Intellectual Property

Where the target holds proprietary technology, the due diligence process must assess whether these assets could, in the hands of a hostile actor, provide a military or strategic advantage. This assessment should consider:

▸    The current application of the technology and its potential dual-use applications.

▸    Whether the technology is export-controlled under the UK Strategic Export Licensing regime, the Wassenaar Arrangement or equivalent frameworks.

▸    The trajectory of the underlying research programme and the potential for the technology to advance into sensitive capability areas.

▸    Whether the target’s researchers have affiliations with institutions or programmes in countries identified as strategic competitors.


Executive action: For transactions involving advanced technology, commission an independent technical assessment from a specialist with relevant domain expertise. Do not rely solely on the target’s own characterisation of its technology.


Step 5: Evaluate the Transaction Structure

The structure of the transaction itself carries national security implications. Your assessment should examine:

▸    The level of control being acquired, including voting rights, board representation, information rights and veto powers.

▸    Whether the governance arrangements post-completion give the acquirer access to sensitive information, technology, facilities or personnel.

▸    Whether the transaction includes provisions that could enable further transfers of control to third parties (for example, drag-along rights, call options or pre-emption waivers).

▸    Whether staged acquisitions, earn-out arrangements or option agreements could shift control beyond the thresholds assessed at completion.

▸    Whether the transaction involves asset transfers (including IP licensing) that could fall within the voluntary notification regime even if share transfers do not trigger mandatory notification.


Executive action: Instruct legal advisors to provide a specific NSI compliance opinion on the transaction structure, identifying all potential trigger events and recommending notification strategy.


Step 6: Gather and Synthesise Intelligence

The preceding steps generate a substantial body of information. This must be synthesised into a coherent intelligence picture that supports decision-making. Sources to draw upon include:

▸    Corporate registries (Companies House, overseas equivalents) for ownership and officer information.

▸    Patent databases for intellectual property analysis.

▸    Sanctions lists (UK, EU, US OFAC, UN) and export control restricted party lists.

▸    Open source intelligence including media reporting, academic publications and industry analysis.

▸    Government guidance, including ISU market guidance notes and annual reports.

▸    Pre-notification engagement with the ISU, which provides informal guidance on whether a transaction is likely to raise concerns.

▸    Specialist risk consultancies and investigative due diligence providers where open sources are insufficient.


Executive action: Establish a standard intelligence-gathering protocol for NSI due diligence that specifies sources, responsibilities, timelines and quality standards. Ensure that findings are documented in a format suitable for retention and potential regulatory scrutiny.


 

Part Two: Security Risk Management

Intelligence gathering provides the evidence. Security risk management provides the framework for interpreting that evidence and making sound decisions. The following steps translate intelligence into a structured risk assessment and mitigation strategy.


Step 7: Assess Risk Across Three Dimensions

The Secretary of State evaluates transactions against three risk dimensions. Your internal assessment should mirror this framework to anticipate government scrutiny and identify areas of concern.


Target Risk

What does the target entity do, what is it used for and what could it be used for? Entities whose activities are closely linked to the 17 mandatory sectors carry the highest target risk. However, target risk extends beyond mandatory sectors to include entities with significant data holdings, proximity to sensitive sites, access to government networks or supply chain dependencies that could be exploited. Assess not only what the target does today but the trajectory of its capabilities and the potential for its assets to be repurposed.


Acquirer Risk

What are the characteristics of the acquiring party? Factors include the acquirer’s sector of activity, its technological capabilities, its ownership and governance structures and any links to entities or states that may seek to undermine UK national security. The assessment must be objective and evidence-based. Acquirers with connections to states identified as strategic competitors in UK government policy documents attract heightened attention, but UK investors are not exempt from scrutiny.


Control Risk

What degree of control is being acquired and how could that control be exercised? Higher shareholding thresholds generally correlate with higher control risk, but minority investments can carry significant risk where they confer board representation, information rights or veto powers. Evaluate the full suite of governance rights being acquired, not merely the headline shareholding percentage.


Executive action: Require your transaction team to produce a written risk assessment addressing all three dimensions for every qualifying transaction. This assessment should be reviewed by a senior individual with authority to approve, escalate or halt the process.


Step 8: Determine the Notification Strategy

Based on your risk assessment, determine the appropriate notification approach:

| Scenario | Action Required | Rationale |
|---|---|---|
| Target in mandatory sector; threshold crossed | Mandatory notification before completion. Transaction is void without clearance. | Legal requirement. Non-compliance risks voiding, fines and criminal sanctions. |
| Target not in mandatory sector but security concerns identified | Voluntary notification recommended. May be submitted before or after completion. | Provides certainty. Protects against subsequent call-in for up to five years. |
| No mandatory sector; low risk assessment | Document the assessment. Retain records. Monitor for changes. | Call-in power exists for five years. Documented assessment demonstrates good faith. |
| Uncertain whether activities fall within a mandatory sector | Seek informal ISU guidance or submit voluntary notification. | Ambiguity is common. Early engagement reduces risk of adverse outcomes. |

Executive action: Never assume that the absence of a mandatory filing obligation means the transaction is free from scrutiny. The call-in power applies across all sectors. Where risk is identified, voluntary notification is the most reliable protection.


Step 9: Develop and Implement Mitigations

Where your risk assessment identifies moderate or elevated national security risk, develop mitigations that could reduce the likelihood of adverse government intervention or satisfy conditions the Secretary of State might impose. Effective mitigations demonstrate that you have identified the risk and taken steps to address it proactively.


Information and Access Controls

Restrict the acquirer’s access to security-sensitive information, technology or facilities. This may involve ring-fencing arrangements, security clearance requirements for key personnel, clean-team protocols during the transaction and ongoing information barriers post-completion.


Governance Protections

Establish board-level controls including the appointment of independent directors (where appropriate, with security clearance), reserved matters requiring government consent for sensitive decisions and restrictions on onward share transfers without regulatory approval.


Operational Continuity

Guarantee continuity of supply to government and critical infrastructure customers. Commit to maintaining UK-based operational capabilities, retaining key personnel and preserving intellectual property within the UK where national security requires it.


Transaction Restructuring

Where the risk profile is driven by the level of control being acquired, consider restructuring the transaction to reduce the shareholding, carve out sensitive activities or assets or stage the acquisition to manage risk incrementally.


Executive action: Present the risk assessment and proposed mitigations to the board or investment committee before committing to the transaction. Ensure that mitigations are legally binding and practically enforceable, not merely aspirational.


Step 10: Build NSI Timelines Into Transaction Planning

NSI review periods are significant and must be factored into transaction timetables from the outset. The statutory timelines are:

| Phase | Duration |
|---|---|
| Initial screening (from acceptance of notification) | 30 working days |
| Full assessment (if called in) | Additional 30 working days |
| Extension (if required) | Additional 45 working days |
| Information requests | Clock stops until satisfied |

In practice, the pre-notification period (preparing the notification form, gathering required information, engaging informally with the ISU) can add several further weeks. Organisations that fail to account for these timelines risk delay, abortive costs or the need to restructure transactions under time pressure.


Executive action: Instruct legal and corporate development teams to include an NSI timeline assessment in every transaction planning document. Build conditionality into transaction agreements to protect against NSI-related delay.



Part Three: Organisational Readiness

Intelligence gathering and risk management are capabilities that must be sustained, not improvised for each transaction. The following steps establish the organisational infrastructure required for consistent NSI compliance.


Step 11: Assign Governance and Accountability

Designate a senior individual (typically the General Counsel, Company Secretary or Chief Risk Officer) as the organisation’s NSI compliance lead. This individual should be accountable for ensuring that all transactions are screened for NSI applicability and should have authority to escalate transactions for specialist assessment and to impose holds on completion where national security concerns are identified. Board-level awareness is essential: directors should understand their personal exposure to criminal liability for non-compliance.


Step 12: Embed NSI Screening in All Transaction Processes

NSI screening should be a standard checkpoint in every corporate transaction process, not an afterthought. This includes acquisitions, disposals, joint ventures, licensing arrangements, share issues and corporate restructurings. The screening should be triggered at the earliest stage of the transaction lifecycle, ideally during initial opportunity assessment, to provide maximum time for intelligence gathering and notification where required.


Step 13: Train Your People

Personnel involved in corporate development, legal, compliance, finance and investor relations should receive training on the NSI Act’s requirements. This training should cover the identification of trigger events, the mandatory sectors, the notification process, the consequences of non-compliance and the organisation’s internal protocols. Training should be refreshed periodically to reflect changes in government guidance. Senior leaders should receive tailored briefings that focus on strategic risk and decision-making responsibilities.


Step 14: Maintain Records and an Audit Trail

Document every NSI due diligence assessment and retain the records. This includes the rationale for concluding that a transaction does or does not require notification, the intelligence gathered, the risk assessment performed, the notification strategy adopted and the decision taken. The Secretary of State’s power to call in transactions up to five years after completion means that records must be retained for an extended period. A robust audit trail protects the organisation in the event of subsequent government inquiry and demonstrates good faith compliance.


Step 15: Monitor the Evolving Landscape

The NSI regime is not static. Sector definitions may be expanded, government enforcement practice evolves and the geopolitical context in which national security assessments are made shifts continuously. Organisations should monitor ISU annual reports, government consultations on sector definitions and enforcement trends. Where your organisation operates in or adjacent to mandatory sectors, consider establishing a periodic review process to reassess existing investments and corporate structures against current requirements.


The Cost of Getting it Wrong

The penalties for non-compliance are designed to be deterrent:

| Consequence | Detail |
|---|---|
| Void transaction | Any mandatory notifiable transaction completed without approval is legally void. The acquisition has no legal effect. |
| Civil penalties | Up to 5% of global turnover or £10 million, whichever is greater. Daily penalties may apply for ongoing breaches. |
| Criminal sanctions | Imprisonment for up to five years and unlimited fines for individuals who complete notifiable transactions without approval or provide false information. |
| Retrospective intervention | The Secretary of State can call in any qualifying acquisition up to five years after completion. For mandatory notifications, no time limit applies. |
| Reputational damage | Non-compliance signals governance failure, potentially prejudicing future transactions, government relationships and stakeholder confidence. |

Conclusion: From Compliance to Competitive Advantage

The NSI Act represents a permanent feature of the UK’s regulatory landscape. It applies broadly, enforces strictly and carries consequences that can fundamentally alter the viability of a transaction. Treating national security due diligence as a peripheral compliance task exposes your organisation to material legal, financial and reputational risk.


Effective compliance requires three capabilities working in concert. First, intelligence gathering that identifies and assesses security-relevant information with the same rigour applied to financial and legal due diligence. Second, security risk management that provides a structured analytical framework for evaluating and mitigating national security risk. Third, an organisational infrastructure of governance, training and record-keeping that embeds NSI awareness into the fabric of commercial decision-making.

The organisations that manage these requirements most effectively will be those that recognise national security due diligence not as a regulatory burden but as a source of competitive advantage: providing certainty to transaction counterparties, credibility with government and resilience against a risk environment that continues to evolve.

 


 

© Emerging Risks Global 2026. All rights reserved. This guidance is provided for information purposes only and does not constitute legal advice. Organisations should obtain professional legal counsel on specific transactions.

 
 
 
