The National Security and Investment Act 2021 (NSIA), which came into force on January 4, 2022, allows the UK government to scrutinize and intervene in acquisitions in order to protect national security. The NSIA covers UK and foreign entities that perform sensitive activities in the UK. Acquisitions of entities involved in any of the 17 high-risk sectors under the NSIA (mandatory sectors) require mandatory notification if the acquirer obtains more than 25%, 50% or 75% of the shares or voting rights, or voting rights that allow the acquirer to secure or prevent the passage of resolutions on behalf of the entity – so-called trigger events. Non-compliance may result in the transaction being void and may lead to financial penalties (£10 million or 5% of global turnover, whichever is greater), as well as civil and criminal penalties (up to five years’ imprisonment). The NSIA has no de minimis threshold, meaning that even small or passive investments may be notifiable.
Parties need to consider when it is appropriate to notify an acquisition. If a transaction is not notified, the government may call in the transaction for review up to five years after the trigger event occurs and within six months of becoming aware of it. Although parties are not required to notify the government if a transaction is not subject to mandatory notification, they may submit a voluntary notification to seek comfort. Voluntary notification is advisable, especially if the data center supports sensitive functions or the acquirer gains material influence (as low as 15%). Similarly, parties should consider submitting a voluntary notification if the acquisition is closely related to a mandatory sector or if it is structured as an asset deal but would have been subject to mandatory notification had it been structured as a share deal.
If a notification is submitted, the government has up to 30 working days to complete the initial review and decide whether to call in or clear the transaction. If a call-in notice is issued, the government has an additional 30 working days to assess the acquisition, which can be extended by another 45 working days plus a further voluntary period agreed with the parties. Submitting a voluntary notification could provide parties with more certainty and allow them to factor in regulatory considerations in their transaction timelines.
Mandatory sectors: Implications for data centers
1. Data infrastructure
Data infrastructure is physical or virtualized infrastructure used for storing, processing or transmitting digital data or infrastructure provided for peering, interconnection or exchange of digital data. The government has a responsibility to ensure that data and its supporting infrastructure is secure, resilient and trustworthy in the face of established, new and emerging risks, protecting the economy as it grows.
According to the NSIA annual report for 2023-2024 (NSIA Report), data infrastructure was the fourth most common basis for NSIA filings and was associated with 17% of total call-in notices, including one that resulted in a final order.
An entity involved in data center operations may fall under this sector if it is engaged in relevant data infrastructure and performs any of the following relevant activities in the UK.
As per Schedule 9 of the Notifiable Acquisition Regulations, relevant data infrastructure is physical or virtualized infrastructure that does any of the following:
- Stores, processes or transmits digital data used in connection with the administration and operation of public authorities as listed in the guidance and Schedule 9 of the Notifiable Acquisition Regulations.
- Is provided for peering, interconnection or exchange of digital data between providers of public electronic communications networks and/or services (PECN/S) but is not owned by those providers.
- Enables the interconnection of PECN/S with an electronic communications network where part of that network is provided through a submarine cable system.
Performing any of the following activities in the UK would bring the transaction in scope:
- Owning or operating relevant data infrastructure
- Managing relevant data infrastructure on behalf of other entities
- Managing facilities where relevant data infrastructure is located
- Providing specialist or technical services to entities involved in any of the above activities
- Producing or developing software for entities involved in any of the above activities that configures or manages the provision of administrative access
Parties should note that, if data centers have a direct contract with public authorities, the acquiring business may be considered a qualifying entity, bringing the transaction within scope. Furthermore, data center providers who are part of a subcontract with a public authority may also be brought within scope if they are explicitly made aware that they are contributing to the fulfillment of a contract with that public authority. Data centers storing only paper records are not in scope.
Additionally, infrastructure provided by data centers allowing public and service provider networks to interconnect requires mandatory notification. Infrastructure located in data centers connecting UK networks with submarine cables may also be in scope.
Given the possible connection to public authorities, the government may require as a condition of clearance that measures are put in place for the protection of sensitive data as well as the continuance of any existing public authority contracts.
2. Communications
The communications sector is crucial for national security, the economy and society as it supports the operations of businesses, public safety organizations, the government, the wider public sector and citizens. According to the NSIA Report, 24% of total call-in notices and two final orders issued in 2023-2024 were linked to this sector.
As per Schedule 5 of the Notifiable Acquisition Regulations, an entity engaged in data center activities may fall under this sector if it:
- Is a PECN/S with a UK turnover of at least £50 million.
- Makes available an associated facility (i.e., a facility, element or service used in association with a PECN/S for specified purposes) to PECN/S with a turnover of at least £50 million. However, an associated facility that is passive or support infrastructure is exempted.
- Owns a building whose main purpose is to host active telecommunications equipment used by a PECN/S with a UK turnover of at least £50 million.
- Owns a submarine cable system or a cable landing station (or a relevant repair service) used by a PECN/S with a UK turnover of at least £50 million.
This sector also covers entities that operate a top-level domain name registry, system resolver, authoritative hosting service or internet exchange point (subject to certain thresholds) and entities that provide broadcast infrastructure for the BBC, Channel 3, Channel 4, Channel 5, S4C or national commercial radio.
It should be noted that providers of PECN/S are only in scope if the annual turnover of their specific business activity involving the provision of the PECN/S conducted in the UK is at least £50 million during the relevant period. This can have a great impact on transactions involving the telecommunications industry. This could also affect building owners and landowners who make available buildings whose main purpose is to host communications equipment. The government may also impose measures to protect sensitive information and ensure that the service provided continues after the acquisition is completed.
3. Critical suppliers to government
The NSIA defines “critical suppliers to government” as those contracted to access very sensitive government data, assets or estates, which could pose a significant risk to national security if they were subject to compromise. Only suppliers with direct contracts with the government are in scope, not subcontractors. According to the NSIA Report, 7% of total call-in notices issued in 2023-2024 were related to this sector.
An entity engaged in data center operations in the UK is in scope if it holds a direct contract with the government involving activities that would result in them processing/storing Secret or Top Secret material, a list X accreditation requirement or an employee vetting requirement at or above Security Check (SC) level, as per Schedule 7 of the Notifiable Acquisition Regulations.
If the entity has a direct contract with the government and may fall within the scope of this sector, acquirers should consider how the NSIA implications may impact their future business plans, including the possibility of the government imposing conditions for clearance. These could include imposing measures to protect sensitive information and requiring the data center to remain in the UK due to the storing/processing of sensitive data.
4. Suppliers to emergency services
The emergency services are essential to the safety and security of UK citizens. The government deems certain services provided within this sector sufficiently sensitive to require mandatory notification. It applies only to direct contracts. According to the NSIA Report, 7% of total call-in notices and one final order issued in 2023-2024 were linked to this sector.
This sector may apply to data centers if they store data supporting emergency services in the UK. It also covers entities supplying a PECN/S, maintenance to a PECN/S, or hardware, systems or platforms used by emergency services for crime prevention/detection or fire and rescue authority functions, as per Schedule 15 of the Notifiable Acquisition Regulations.
Therefore, an entity engaged in data center activities is in scope if it provides IT services for UK emergency services, including Border Force, the British Transport Police, the Civil Nuclear Constabulary, fire and rescue authorities, the Ministry of Defence Police, the National Crime Agency and police bodies.
When analyzing data center transactions, the government may require, as a condition of clearance, that measures be put in place to protect access to sensitive information. It could also require that any facilities remain in the UK and any existing contracts continue, given the impact the loss of service may have.
Key considerations
It is essential for acquirers to understand the business of the entity being acquired and conduct thorough due diligence of its UK activities in data center transactions to assess whether the transaction could fall within the scope or be closely linked to any of the mandatory sectors. Failure to notify could expose acquirers to regulatory risks, as the government may decide to call in the transaction in the future. It could also put acquirers in a vulnerable position if they subsequently sell the business, as sellers are often required to provide a warranty that they have complied with NSIA regulations in relation to past transactions that should have been notified. The breach may be identified during due diligence, leading to increased scrutiny, transaction delays and potentially jeopardizing the deal altogether.
Therefore, where parties can foresee that the NSIA could be triggered and their transaction may be in scope, they should consider whether they need to submit a notification and evaluate how their future business plans may be affected by the regime, including whether their services, technology and contracts should continue and remain in the UK. Furthermore, parties should assess what safeguards may need to be put in place to address national security risks. These could include imposing restrictions on access to sensitive information, requiring direct control by a UK company and appointing UK security-cleared British citizens to safeguard the sensitive information or monitor compliance. Lastly, parties should consider incorporating appropriate warranties and conditions precedent in share purchase agreements to mitigate regulatory risks and factor in NSIA considerations in transaction timelines.
