Überblick
On 22 July 2025, the UK Government announced a set of targeted reforms to the National Security and Investment Act 2021 (NSI Act) and launched a consultation into proposed further changes. Alongside the reforms, the 2024-25 Annual Report was published. Overall, the UK government has been pragmatic in clearing deals and accepting remedies to get deals through and this approach is set to continue. However, the UK regime has so far required too many filings due to an overly broad regime and a lack of clarity in the guidance – the current and proposed changes provide welcome relief for some of these issues, but the legislation and guidance still lack clarity in places and some of the changes will result in more filings particularly in relation to data centres. The government should thus now use the results of the consultation to further clarify the regime.
Annual Report shows increase in filings but pragmatic approach to investigations
The 2024-25 Annual Report shows that the number of notifications increased to 1,143, most of which were resolved within 30 working days. Most notifications concerned UK acquirers. This was followed by China and the United States.
Only 4.5 % were “called-in” for review:
- 28 as part of mandatory notification (i.e. falling within one of the 17 relevant sectors);
- 20 due to voluntary notification (which includes deals where the target’s activities are closely related);
- 1 as a result of a remedial notification (i.e. a missed notification potentially identified by an acquirer); and
- 7 identified proactively by the government agency responsible for enforcing the NSI Act, the Investment Security Unit (ISU), highlighting an active monitoring policy (including close co-operation with other enforcers particularly in the United States).
The UK to-date has issued eight final orders in 2025 (the latest on Thursday, 24 July 2025). This is in line with the number of final orders issued in 2024 at the same time and continues to be up from 2022 and 2023.
The final orders do not include a prohibition. Rather, the UK Government has accepted a variety of remedies, including, amongst other things, reporting obligations, corporate-governance requirements (including vetting clearance for certain directors, sub-committees or compliance plans), limiting procurement to certain pre-approved geographies, ensuring continuity of supply and maintenance, or securing and limiting access to data. The final orders related to activities in a range of highly relevant sectors (e.g. defence, critical suppliers to the UK Government, semiconductors, advanced materials).
The ISU also identified 60 breaches of the NSI Act, but these did not lead to civil or criminal penalties. Rather, in each case, the acquirers were able to provide assurances or took remedial action to avoid recurrence. However, the imposition of penalties may only be a matter of time as the regime matures.
Changes to the NSI Act today and to its future scope and application
The changes aim to reduce compliance burdens while maintaining robust protections for national security.
Importantly, and most welcome to businesses, under the newly launched “Plan for Change”, mandatory notifications will no longer be needed for certain internal company reorganisations and transactions involving liquidators, special administrators and official receivers. Experience has shown that these types of deals are low risk and thus seldom lead to intervention, which has led to calls for such “technical” filings to be abolished. These calls have now been heeded but we have yet to see the details in a formal proposal.
Separately, the Government is also launching a public consultation until 14 October 2025 to review and potentially revise the scope of sectors subject to mandatory screening. Proposed changes to the current NSI Act (Notifiable Acquisitions) (Specification of Qualifying Entities) Regulations focus on reshuffling the existing “relevant” sectors in order to:
- Create three new standalone mandatory areas:
- Semiconductors. Responding to calls for greater clarity regarding semiconductors, the UK Government proposes to extract the semiconductor-related definitions from the Advanced Materials and Critical Hardware areas and merge them under a new sector. To close gaps in the existing definitions, the new sector will also cover advanced packaging techniques, R&D design activities, and materials that “can demonstrate semiconductor-like behaviour”.
- Critical Materials. The new definition will be extracted from the Advanced Materials area and will be aligned with the UK List of Critical Minerals, updated following the latest criticality assessment conducted by the Critical Mineral Intelligence Centre.
- Water. Introduced as a new sector, responding to increasing resilience risks faced by national water infrastructure. The UK Government plans to cover within this sector companies whose statutory powers and duties include water supply and/or sewerage services. Companies operating solely as retailers in the non-household retail water market will be excluded from the scope of the notification requirement.
- Update the definitions in eight of the seventeen sectors (Advanced Materials, Artificial Intelligence (AI), Communications, Critical Suppliers to Government, Data Infrastructure, Energy, Suppliers to the Energy Services, and Synthetic Biology). The update aims to declutter the definitions by removing or narrowing activities that have required notification but did not raise concerns, while at the same time adding activities that have become relevant as technology develops, in particular:
- AI. The new definitions will exclude “off-the-shelf” low-risk consumer AI systems (i.e., used as a tool within internal processes, without any further material research and development of the underlying AI technology) from the scope of notification. At the same time, several new AI systems will be added, such as those increasing computation speed or used to test AI safety.
- Data Infrastructure. The UK Government proposes to expand this section by adding third-party-operated data centres, such as data-processing and storage facilities. New providers subject to the notification requirement will include certain Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) offering Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).
- Synthetic Biology. Despite feedback from industry stakeholders that the sector is “a long and complex” one, the UK Government decided not to narrow its scope or introduce exhaustive lists. Existing exemptions for gene and cell therapies will, however, be simplified.
The Government’s focus on improving clarity and proportionality in the Regulations is welcome. However, the assessment of whether the announced measures are sufficient to respond to feedback received since the introduction of the NSI Act is more nuanced. Some measures are positive or at least neutral (including the tidying-up of the Advanced Materials sector, the use of clearer terms relating to semiconductors, or the exclusion of certain no-risk AI systems). Others will likely be seen as overly expansive (such as the addition of PaaS and IaaS providers to the Data Infrastructure sector) or a missed opportunity (such as the absence of meaningful changes to the Synthetic Biology sector).
Overall, even with the proposed amendments, some of the definitions under the NSI Act will remain complex and difficult to assess. In the context of potential criminal liability for violations of the NSI Act and in the absence of any published decisions, the UK Government’s objective to make “the updated draft schedules […] sufficiently clear to enable investors and businesses to self-assess whether they must notify” is the right one but has not yet been achieved with these changes. The Government should therefore use the results of the consultation to further clarify the regime.
