On 21 May 2024, the UK government published updated guidance on the National Security and Investment Act 2021. This is an important piece of legislation for organisations working with advanced or emerging technologies, as well as for funders and investors in this space.

Under the law, the UK government can “scrutinise and intervene in certain acquisitions made by anyone, including academic institutions, businesses, and investors, that could harm the UK’s national security”. 

The government has set out 17 sensitive areas of the economy where notification is mandatory. You can find more information about those sectors here. 

In other cases, organisations can submit a voluntary notification. The decision of whether to make a voluntary notification can be a challenging one for any organisation, as argued in this useful blog post. 

There are some useful analyses of the new guidance from a legal perspective available online already, including here, here, and here.

These reviews draw out the scope of the NSIA’s coverage, highlighting the need for awareness from even the early stages of the research and innovation process. As one of the analyses cited above notes, the guidance makes clear that the NSIA covers 

acquisitions of IP in all its forms. This includes review of collaborations that are yet to produce any IP but are expected to develop such assets in the future. Similarly, the Government could review the licensing of IP or related rights, whether commercial or non-commercial, even if restricted to research and development.

In addition to being a must-read piece of legislation for researchers, innovators, and investors, the NSIA provides an insight into the complex relationship between compliance and security. Although security and compliance are not the same thing, the NSIA is an example of legislation that seeks to advance security – in this case national security. 

Moreover, the UK government’s decisions in several acquisitions reviewed under the Act have centred on the introduction of security processes and controls. In these cases, approval of the acquisition was conditional on the introduction of physical and information security controls and governance procedures. This makes clear that to be compliant with the law may require the ability to achieve and maintain a proportionate level of security. 

We assess that organisations with well designed and efficiently operated internal processes for security will be in a stronger position to ensure compliance with the NSIA and similar legislation. This is an area where security and compliance can be complementary.