The National Protective Security Authority (NPSA) is the UK government’s national technical authority for physical and personnel protective security.

To break down what that means, let’s start at the beginning. The term national technical authority means that NPSA is considered the UK government’s authoritative voice on a set of issues. As we will see, the NPSA works with organisations that are the national technical authority in other areas.  

The term physical security covers the protection of physical assets such as buildings and infrastructure. It involves things like access control, video surveillance, the design and construction of buildings, and countering threats from drones.  

In contrast, personnel security refers to the risk posed by people who work within an organisation, or used to work there. Personnel security therefore covers activities such as vetting and the identification of malicious activity by employees. As the NPSA argues, “if you have people, you have risk”.

Lastly, the NPSA considers physical and personnel security as aspects of protective security. This means the protection of an organisation and its assets against the full range of security threats. Protective security therefore also includes areas such as cyber security. The National Cyber Security Centre (NCSC) is the UK’s national technical authority for cyber security. The NPSA and the NCSC work together to help organisations such as universities and start-ups mitigate risks to the security of research and the development of innovative technologies. 

The NPSA was established in March 2023, taking over the roles previously performed by the Centre for the Protection of National Infrastructure (CPNI), but also adopting an expanded remit. The announcement of the NPSA’s creation warns that the theft of “sensitive research and information” can damage businesses and weaken a country’s competitiveness. 

This expanded remit reflects the UK government’s growing concern over threats to research security. This was addressed in the 2021 Integrated Review and confirmed in the subsequent ‘Refresh’ of that review, which emphasised the need to protect the strategic advantages that the UK derives from science and technology. 

Securing research and innovation, particularly in emerging technologies, is critical for that goal. The work of the NPSA is important because universities, start-ups, and most tech companies simply do not have the expertise or the resources necessary to mitigate threats from foreign states.

We assess that demand from universities, businesses, and other research performing institutions is very likely to exceed the NPSA’s capacity. The NPSA will therefore likely seek to encourage an ecosystem of collaboration, promoting the exchange of guidance, best practices, and information. Navigating this ecosystem effectively will be key to the development of many organisations’ research security strategy and operations.