Skip to main content

We value your privacy

This website uses cookies to ensure you get the best experience on our website.

Introduction

Defence of the realm is the first duty of government.

In its enactment of the National Security and Investment Act 2021 (“Act”) which comes into force on 4th January 2022 but operates with retrospective effect from 12th November 2020, the Government has taken very wide ranging powers to force the disclosure of, to call-in for review and to make orders to block or reverse the acquisition of entities or assets of specified descriptions, of which it becomes aware, which it reasonably suspects may give rise to a risk to national security.

Investment fund managers and acquisition growth companies are likely to have three key concerns; how will the Government exercise its call-in powers? Will an acquisition completed within the period between 12th November 2020 and 4th January 2022 when it will become a notifiable acquisition be void given that it will not have been completed with the approval of the Government? And what risks do commercial bodies and their directors run if they do not comply wholly with this complex legislation and the associated regulations and guidance given that breach of the Act is a criminal offence, the Government has the power to impose severe monetary penalties and claims for judicial review of decisions made by the Government must be made within 28 days?

Government guidance published on 15th November 2021 warns that

“If you are planning an acquisition of a qualifying entity in one of 17 defined sensitive areas of the UK economy, you may need to get approval from the government before you can complete it. This is called a notifiable acquisition. Completing a notifiable acquisition without approval will mean the acquisition is void and may mean that the acquirer is subject to civil and criminal penalties.”

The Government regards activities in 17 areas of the economy, or closely linked activities, as particularly sensitive and thus as being more likely to raise a target risk. These areas are specified in Schedules 1 to 17 of The National Security and Investment Act 2021 (notifiable Acquisitions) (Specification of Qualifying Entities) Regulations 2021 No. 1264 (“Notifiable Acquisition Regulations”).

How sensitive are all these 17 areas? No doubt some of the areas will be sensitive but might zealous and controlling civil servants also be taking the opportunity to scope into sectors which are unlikely to give rise to a reasonable suspicion as to risk to national security?

Section 3 Statements
Under section 3 of the Act the Government may publish statements setting out how it expects to exercise its power to give a call-in notice, including details of factors it expects to take into account. On 2nd November 2021, the Government published its first section 3 statement (the section 3 Statement) setting out how it expects to exercise its power to give what is termed as a ‘call-in notice’.

Paragraph 6 states that:

“The call-in power will not be used to interfere arbitrarily with investment. The UK has a proud record as one of the most open economies in the world and the Secretary of State’s use of the call-in power will not change that. The UK remains firmly open to investment and the government wants the UK to be the best place in the world to work and do business”

Paragraph 7 says that:

“Qualifying acquisitions across the whole economy are in scope of the Act but the call-in power may only be used in respect of qualifying acquisitions that the Secretary of State reasonably suspects give rise to or may give rise to a risk to national security. The Act is not a system for screening all acquisitions in the economy”

This section 3 statement sets out the three primary risk factors the Government will consider when deciding to exercise the call-in power. These are: Target Risk, Acquirer Risk and Control Risk, that is the amount of control acquired over an asset, which includes controlling or directing its use as well as using it.

As regards Target Risk, the section 3 statement states that the call-in power is more likely to be used for qualifying acquisitions of assets that are or could be used in connection with the activities set out in the Notifiable Acquisition Regulations or closely liked activities. This is because these acquisitions are more likely to pose a risk to national security.

Acquisition of Qualifying Entities operating in defined sensitive areas and notifiable acquisitions that are automatically void if completed without Government approval

The Act regulates the acquisition of Qualifying Entities operating in defined sensitive areas of the UK economy as specified in Schedules 1 to 17 of the Notifiable Acquisition Regulations.

A Qualifying Entity is defined as any entity, other than an individual, but where formed or recognised outside the UK, only if it carries on activities in the UK or supplies goods or services to persons in the UK.

Any acquisition caught by the new legislation as a ‘notifiable acquisition’ (see below under the heading Control of entities and notifiable acquisitions) is void if it is completed without the approval of the Government.

This risk of a transaction being void is likely and presumably is designed to force the giving of Mandatory Notices providing details to the Government of the acquisitions proposed.

The Government may then make interim and final orders in relation to the acquisition or issue a notice that no further action will be taken.

On 15th November 2021, the Government published guidance on mandatory notification applying across these 17 sensitive areas of the economy.

It is not at all clear whether the Act has the effect of making transactions completed since 12th November 2020, that will become notifiable transactions on 4th January 2022, automatically void.

It is just about arguable that reliance might be placed on an oddly worded provision that ‘a notifiable acquisition does not take place if complying with the requirement to give a mandatory notice …. would be impossible for the person …’ on the basis that, until the Act comes into force it will not have been possible to give mandatory notices, but in the interests of clarity and certainty of the rule of law a provision which clearly said that transactions completed within the period between 12th November 2020 and 4th January 2022 would not be void would have been far preferable.

As it stands, the Act raises the uncertain question of whether a mandatory notice, validation notice or voluntary notice should be given in respect of such historic transactions as a matter of urgency; see post under the heading Mandatory notification procedure, applications for retrospective validation and voluntary notification procedure.

We act for many leading investment fund managers that invest in technology-based SMEs to further their future growth and development. It surely cannot have been intended that all transactions completed since 12th November 2020, that become notifiable acquisitions on 4th January 2021, also automatically immediately become void on that date. I have written to the new BEIS Investment Security Unit to seek their immediate confirmation of this point and, additionally, their guidance as to the relevant provision in the Act that they believe addresses this point if other than the provision referred to above.

The following examples are given in the schedule 3 statement of acquisitions of Qualifying Entities.

Example 1: Qualifying acquisition of a qualifying entity that is likely to be called in
Company A is developing cryptographic authentication for the purpose of activities that would be in scope of mandatory notification. Party B acquires <25% shares/voting rights which enables it to materially influence the policy of B. The target risk is high as cryptographic authentication technology could be used for malicious purposes. The acquirer risk is high as the UK government has concerns that the activities of Party B may be linked to hostile activity. Whilst material influence is the lowest form of control risk B could materially influence how A’s technology is used or sold. Therefore the acquisition is likely to be called in .

Example 2: Qualifying acquisition of a qualifying entity that is unlikely to be called in
Investor C is a non-UK based entity that increases its share of the voting rights in Company D from 15% to 26%. D is a financial services company which holds public contracts with the UK government. C is well-known to the UK government and there is no existing activity that would give rise to concerns around national security. The target risk is low as D’s activities do not require mandatory notification nor are they closely linked to the activities which require mandatory notification. The acquirer risk is low as C’s activities are well known to the UK government and there has been no history of activity by C that would give rise to national security concerns. Despite the acquisition increasing C’s share from 25% to more than 25% the control risk is unlikely to increase materially. The acquisition is unlikely to be called in.

Acquisition of Qualifying Assets
The Act also regulates the acquisition of Qualifying Assets. A Qualifying Asset is defined widely as “(a) land, (b) tangible (or in Scotland, corporeal) moveable property, (c) ideas, information or techniques which have industrial, commercial or other economic value,” but land or moveable property situated outside the UK, is only caught if it is used in connection with activities carried on in the UK or the supply of goods or services to persons in the UK. Examples of assets within (c) include – trade secrets, databases, source code, algorithms, formulae, designs, plans, drawings and specifications and software. Asset acquisitions are not subject to the mandatory notification provisions but parties can make a voluntary notification. There is an oddly worded exception which provides that “a person is not to be regarded as gaining control of a qualifying asset by reason of an acquisition made by an individual for purposes that are wholly or main outside the individual’s trade, business or craft.” This exception is expressed not to apply to certain assets of a type one would expect to be restricted, such as nuclear assets and military equipment etc. Significantly this exception also does not apply to the acquisition of land.

The Government expects to call in rarely acquisitions of assets compared to acquisitions of entities. Three examples are given in the section 3 statement of acquisitions of Qualifying Assets.

Example 3: Qualifying acquisition of a tangible asset that is unlikely to be called in:
Company A, an overseas pharmaceutical company, buys a building adjacent to a sensitive military site for residential use. A is known to the UK government with no evidence of ties to hostile activity in the UK. The target risk is medium however it is unlikely the adjacent property for residential use could pose a risk to national security given other security protections in place at the military site. The acquirer risk is low. As A has purchased the asset outright the control risk is high. Nonetheless the acquisition is unlikely to be called in because of the low levels of target risk and acquirer risk.

Example 4: Qualifying acquisition of a tangible assets that is likely to be called in:
Company C, based in the UK but owned by an overseas organisation with potentially concerning behaviour, seeks to acquire some specialised machinery used in the manufacture of military hardware. The target risk is accordingly high, as is the acquirer risk. The control risk is high as the acquisition would result in a high level of control as it would enable C to use or to control or direct the use of the machinery and is therefore likely to increase the level of national security risk. Therefore the acquisition is likely to be called in.

Example 5: Qualifying acquisition of an intellectual property asset that is likely to be called in:
Business E supplies computer programmes for use by UK air traffic control operators – an area of the economy in which certain acquisitions of entities are covered by mandatory notification. E is approached by party G who wishes to acquire the right to access and use the underlying source code. The target risk is high as the source code may be used to identify vulnerabilities in the programmes used to monitor and communicate with aircraft in UK airspace. The acquirer risk is high as G is known by the Government to have existing ties to an organisation that is hostile to the UK. There is a control risk as the acquisition of the right to access and use the source code means that G could use the asset for malicious purposes. However G does not have full ownership over the asset and so does not have full control over the asset. Nonetheless this acquisition is likely to be called in.

Notifiable Acquisition Regulations
The following are the Schedule headings in the Notifiable Acquisition Regulations,
1. Advanced Materials
2. Advanced Robotics
3. Artificial Intelligence
4. Civil Nuclear
5. Communications
6. Computing Hardware
7. Critical Suppliers to Government
8. Cryptographic Authentication
9. Data Infrastructure
10. Defence
11. Energy
12. Military and Dual-Use
13. Quantum Technologies
14. Satellite and Space Technologies
15. Suppliers to the Emergency Services
16. Synthetic Biology
17. Transport

The Schedules themselves provide the source law but are very detailed. The Government published guidance on 15th November 2021 as to their scope. This guidance is set out in the Annex to this paper.

Trigger event
A trigger event takes place when a person gains Control of a qualifying entity or a qualifying asset.

Control of entities and notifiable acquisitions
A person gains control of a qualifying entity if the person acquired a right or interest in. or in relation to, the entity and as a result:

(i) the percentage of shares increases to > 25%; or to > 50% or > 75%

(ii) the percentage of voting rights increases to > 25%; or to > 50% or > 75%;

(iii) the acquisition of voting rights enables the person to secure or prevent the passage of any class of resolution governing the affairs of the entity;

and the acquisition of Control of a Qualifying Entity under (i) to (iii) above is a notifiable acquisition

(iv) the acquisition enables the person materially to influence the policy of the entity (unless the person already holds an interest of right that enables the person to materially influence the policy of the entity.

A notifiable acquisition completed without the approval of the Government is void.

A notifiable acquisition in relation to which a final order has been made that is completed otherwise than in accordance with the final order is void.

Mandatory notification procedure, applications for retrospective validation and voluntary notification procedure.
A person must give notice (a “Mandatory Notice”) to the Government before he gains Control under (i)-(iii) of a Qualifying Entity of a specified description.

The Government may then reject or accept the notice. The Government may reject if the Mandatory Notice does not meet the requirements prescribed by the regulations or does not contain sufficient information to enable the Government to decide whether to give a call-in notice. If rejected the Government must give notice. If accepted the Government must within the review period give notice that no further action will be taken.

Within six months of the Government becoming aware of a notifiable acquisition having been completed without its approval the Government must give a call-in notice or a validation notice. If a validation notice is given a notifiable acquisition is to be treated as if it were approved and accordingly is not void.

A person materially affected by the fact that a notifiable acquisition is void – that is a notifiable acquisition that has been completed without approval – may apply for a validation notice and the Government may reject or accept with similar consequences within a review period of 30 days.

A seller, acquirer or the qualifying entity may, as regards acquisitions which are not notifiable i.e. acquisitions that enable person person materially to influence the policy of the entity or acquisitions of Qualifying Assets) give a voluntary notice that a trigger event has taken place or that arrangements are in progress which might result in a trigger event. The Government may reject or accept that voluntary notice with similar consequences within a review period of 30 days.

Control of assets
The acquisition of a right or interest enabling a person to use the asset or to use it to a greater extent than before the acquisition; or to direct or control how the asset is used or direct or control how it is used to a greater extent than prior to the acquisition but “a person is not to be regarded as gaining control of a qualifying asset by reason of an acquisition made by an individual for purposes that are wholly or mainly outside the individual’s trade, business or craft” though this exception does not apply to (a) land; or (b) controlled radioactive substances; the movement of certain medicinal products to the USA; military goods software and technology; UK controlled due-use goods software and technology; ‘dual use items’ per Annex 1 or IV SI 2008/3231; firearms under Annex 1 EU No 258/2012; and goods for capital punishment and torture etc. There are no mandatory notice requirements where a person acquires Control of a Qualifying Asset but a person can give a voluntary notice.

Call-in notice
A call-in notice is a notice given by the Government:

(i) generally,

(a) within six months of the Government becoming aware of the trigger event and,

(b) before the fifth anniversary of that event, except where the trigger event relates to a notifiable acquisition completed without the approval of the Government, but

(ii) as regards trigger events occurring between 12th November 2020 and 3rd January 2022 then:

(a) the notice must be given before 4th June 2022, or if the Government did not become aware of the trigger event until after 4th January 2022, within six months of the Government becoming aware of the trigger event and,

(b) before the fifth anniversary of that event, with no exception

where the Government reasonably suspects

(a) a trigger event has taken place in relation to a qualifying entity or a qualifying asset and the event has given rise to or may give rise to a risk to national security, or

(b) arrangements are in progress or contemplation which, if carried into effect will result in a trigger event taking place in relation to qualifying entity or a qualifying asset and the event may give rise to a risk to national security.

The time limits noted above do not apply where misleading or false information is given to the Government.

Conclusion
The list of sensitive areas in the Notifiable Acquisition Regulations is a very comprehensive list and quite worrying. It certainly covers just about everything modern scientists have ever been involved with and what might be some work done for a very good reason may have subsequent security implications. My three concerns noted above:

• How will the Government exercise its call-in powers?

• Will an acquisition completed within the period between 12th November 2020 and 4th January 2022 when it will become a notifiable acquisition be void given that it will not have been completed with the approval of the Government?

• And what risks do commercial bodies and their directors run if they do not comply wholly with this complex legislation and the associated regulations and guidance given that breach of the Act is a criminal offence, the Government has the power to impose severe monetary penalties and claims for judicial review of decisions made by the Government must be made within 28 days?
will be of concern for many investment fund managers.

What would be useful is to see how the Research Councils and Charities view this as regards what they fund.

Another point is that much research in this area is undertaken with international partners. Does this mean that these links should cease as it could be construed that information has been given away to third parties?

Much may also depend on what is contained in the first retrospective review of the Notifiable Acquisition Regulations due in three years’ time on 4th January 2025

The existing regulations, when they come into force on 4th January 2021, will already operate retrospectively from 12th November 2020 in respect of which (as noted above) a call-in notice must be given before 4th June 2022, or if the Government did not become aware of a relevant trigger event until after 4th January 2022, within six months of the Government becoming aware of the trigger event.

Investment fund managers and CEOs of technology growth companies will do well to scrutinise the Notifiable Acquisition Regulations and consider whether they need to apply to the Government for the issue of a Validation Notice in respect of notifiable acquisitions completed since 12th November 2020.

A person commits an offence under the Act if they complete a notifiable acquisition without approval or fail to comply with an interim or final order or fail to supply information or attend as a witness if called upon to do so.

If an offence under the Act is committed by a body (that is, a body corporate, a partnership or an unincorporated association) (a) with the consent or connivance of an officer of the body; or (b) due to any neglect on the part of such an officer, in both cases, the officer, as well as the body is guilty of the offence and liable to be proceeded against and punished accordingly.

For further information and advice and assistance in complying with and filing notices under the National Security and Investment Act 2021, please contact:

Roger Blears | Senior Partner | RW Blears LLP
70 Colombo Street, South Bank, London, SE1 8PB
T +44 (0)208 159 2501 M +44 (0)7896 151376
E roger@blears.com | W http://www.blears.com


ANNEX
National Security and Investment Act: Guidance on notifiable acquisitions, published 15th November 2021©
Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government- licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/national-security- and-investment-act-guidance-on-notifiable-acquisitions/national-security-and-investment-act-guidance-on-notifiable-acquisitions

Overview

The National Security and Investment Act comes into force on 4 January 2022. It allows the government to scrutinise and intervene in certain acquisitions made by anyone, including businesses and investors, that could harm the UK’s national security.
From 4 January 2022, subject to certain criteria, you will be legally required to tell the government about acquisitions of certain entities in 17 sensitive areas of the economy (called ‘notifiable acquisitions’).

The 17 areas of the economy are:

1. Advanced Materials
2. Advanced Robotics
3. Artificial Intelligence
4. Civil Nuclear
5. Communications
6. Computing Hardware
7. Critical Suppliers to Government
8. Cryptographic Authentication
9. Data Infrastructure
10. Defence
11. Energy
12. Military and Dual-Use
13. Quantum Technologies
14. Satellite and Space Technologies
15. Suppliers to the Emergency Services
16. Synthetic Biology
17. Transport

If an entity you are acquiring performs a certain activity, it could put you in scope of the National Security and Investment Act and you may be legally required to tell the government about it (known as a ‘mandatory notification’). This guidance tells you what these activities are.

Before reading this guidance, you should read guidance on preparing for the National Security and Investment Act (https://www.gov.uk/government/publications/national-security-and-investment-act- prepare-for-new-rules-about-acquisitions) to understand the wider rules around acquisitions and check what you need to do from 4 January 2022.

You can contact the Investment Security Unit (ISU) at investment.screening@beis.gov.uk for further support.

1. Advanced Materials

The development and utilisation of Advanced Materials across Defence as well as civil sectors is rapidly growing and is crucial to help transform important industrial sectors and underpin key areas of high-value manufacturing.

The risk to national security posed by Advanced Materials is also clear. Advanced Materials offer significant benefits to military capability, through increased functionality, improved survivability, enhanced maintainability and reduced through-life cost.

The cross-cutting and dual-use nature of Advanced Materials also means that emerging technologies using advanced materials are likely to have defence and security applications and implications; irrespective of the application or sector that is driving their development.

Am I in scope of the Advanced Materials part of the regulations?

You will be legally required to submit a mandatory notification to the government if the qualifying entity you are acquiring carries out activities in relation to advanced materials.

Generally, Advanced Materials cover the following:

• advanced composites
• metals and alloys
• engineering and technical polymers
• engineering and technical ceramics
• technical textiles
• metamaterials
• semiconductors
• photonic and optoelectronic materials and devices
• graphene and related 2D materials
• nanotechnology
• critical materials
• other materials

The activities covered are:

• research
• development or production
• development or production of anything designed as an enabler
• development or production of anything designed to be used for the purpose of production the provision of qualified or certified designs, materials, parts or products
• owning, creating, supplying or exploiting intellectual property the provision of know-how or services of enablers
• recycling or re-using

Check which Advanced Materials are covered

The material is an ‘advanced material’ if it is listed in either of the following documents:

• the Advanced Materials section of the regulations. You should read all the sections of the Advanced Materials regulations as the categories overlap with one another
• the Strategic Export Control List (SECL) (https://www.gov.uk/guidance/uk-strategic-export- control-lists-the-consolidated-list-of-strategic-military-and-dual-use-items)

You must check both documents to see if your acquisition is in scope.

The following sections of the SECL are of relevance to the requirement to notify the UK government in relation to Advanced Materials:

• UK Military List [Schedule 2 to the Export Control Order 2008]
• EU Dual-Use List [Annex I to Council Regulation (EC) No. 428/2009] EU Dual-Use List [Annex IV to Council Regulation (EC) No. 428/2009]

Further information about semiconductors

Application-specific integrated circuit (ASICs) are a type of chip included in the Advanced Materials and not the Computing Hardware part of the regulations. This is because ASICs can be an important component in these other technological applications, whereas they are not for central processing units and provision of memory.

For further information on semiconductors and what is meant by the terms ‘fabrication’ and ‘packaging’ you should review the Computing Hardware guidance.

2. Advanced Robotics

Robots are no longer limited to factory or laboratory settings, with increasingly capable, mobile and autonomous robots providing new services and capabilities on land (for example, self-driving cars or fruit-picking robots), in the air (drones), on or under the sea and in space. While these capabilities, including the ability to operate independently and to work safely alongside humans, will unlock important business and public benefit applications, even where an entity develops or produces robots or services specifically for civilian applications, these could potentially be adapted for use in military or national security relevant applications.

Am I in scope of the Advanced Robotics part of the regulations?

You will be legally required to submit a mandatory notification if the qualifying entity you are acquiring either:

• develops or produces advanced robotics
• develops or produces core components specially designed or modified for use in advanced robotics

‘Advanced robotics’ are defined as meeting both of the following criteria:

• it’s a physical machine that can interact with its environment and can move itself or its ‘limbs’ or tools
• it has either a meaningful degree of autonomy, and/or the ability to use sensors to carry out sophisticated surveillance and data collection

‘Autonomy’ means the capability to operate independently of human control, either fully or partially. Where the autonomy is partial, this may be in addition to remote control or tele-operation or though pre-programming of operations or responses.

Autonomy therefore includes the ability to sense, reason (for example, using forms of artificial or machine intelligence) and respond or adapt to its surroundings. This may include but is not limited to:

• the ability to self-navigate and react to changing circumstances, such as a self-driving vehicle navigating the roads and responding to traffic lights
• the ability to autonomously make changes to improve performance, for example adapting or learning through iteration and experience, and/or
• the ability to self-repair, self-heal or adapt to their surroundings, including, for example, through the use of compliant or flexible materials that mimic the natural world, known as ‘soft robotics’

‘Advanced robotics’ also includes the ability to use sensors to carry out sophisticated surveillance and data collection. This does not include simple data capture such as CCTV cameras (or other static devices) but includes robots with the ability to capture high fidelity data from their environment, including those that may be entirely pre-programmed or remotely controlled. This would include reconnaissance activities by drones, satellites, underwater vessels or other forms of mobile robot.

You will also be legally required to submit a mandatory notification to the government if you are acquiring a qualifying entity that develops or produces core components specially designed or modified for use in advanced robotics.

These core components include:

• sensors which give advanced robotics the ability to accurately sense their environment, the objects around them or their own position
• end-effectors such as grippers, manipulator arms, magnetic, pneumatic or vacuum tools that enable them to physically interact and deliver their capability with the intended precision and effect
• bespoke means of locomotion for use in advanced robotics, including for example, wheels, propellors or fins
• bespoke energy sources for use in advanced robotics and
• control systems (including forms of artificial intelligence for use in advanced robotics) and communications systems (including components that enable the advanced robotics to communicate with other robots or a central artificial intelligence system that, for example, controls a swarm of robots).

Example: autonomy

Company A is considering acquiring Company B, which designs and builds a mobile fruit picking robot equipped with AI, sensors and a new form of dextrous soft gripper. The AI and sensors enable the robot to demonstrate a meaningful degree of autonomy and it therefore meets the relevant test for being considered advanced robotics. Company A must notify the UK government of this acquisition, as Company B is a qualifying entity that develops and produces advanced robotics.

Example: components specially designed or modified for advanced robotics

Company A specialises in the provision of machine learning software for robotic control systems, to optimise picking and packing of a range of physical products. Company A does not itself produce any physical machines, but sells this capability to Company B, which Company B integrates into a broader automated robotic warehouse and stock-picking management solution. If Company C wishes to acquire
either Company A or Company B it would be required to notify the UK government. This is because the integration of the standalone software capability into the broader automated robotic solution constitutes the development or production of advanced robotics capabilities.

In the event that Company A provides the systems integration capability to Company B, and Company B is therefore a consumer not involved in developing or producing the broader advanced robotics solution, then the acquisition of Company B would be out of scope.

What is out of scope of the Advanced Robotics part of the regulations?

The following are out of scope of the Advanced Robotics regulations:

• robotics that are widely available consumer goods including robotic toys and smart appliances (such as vacuum cleaning or lawnmowing robots)
• consumers of advanced robotics who purchase ‘complete systems’ or standalone devices or equipment and use them as they are intended, for example to perform their farming, surveying or logistics operations. By ‘complete systems’ we mean systems whose core technical capabilities cannot be altered, in contrast to technology or equipment that will be used in production or development activities relating to advanced robotics. If a qualifying entity purchases specific components or advanced robotics systems that it then integrates into or alters to deliver new advanced robotic functions or capabilities as part of a wider system, that qualifying entity is in scope and would need to notify.
• robots performing pre-programmed repetitive tasks, most frequently seen in the older generation of industrial robotics, for example the machining, lifting or pressing operations of a manufacturing process or assembly line. This includes mechanical robotic tools performing repetitive functions with basic or no sensory or cognitive abilities.
• automated parking and lane departure warning capabilities for cars or other mobile robotics, which are now commonplace across the market. However, self-driving cars and the core capabilities of autonomy underpinning them are in scope of the regulations.
• basic, static, sensing, imaging or computing devices such as temperature monitors, cameras or smart speakers.
• entities in the supply chain producing components intended for use more broadly than advanced robotics, including basic or generic hardware or electrical components, for example, industry standard electronics such as Complementary Metal Oxide Semiconductor (CMOS) sensors or radio transmitters.

Example: an acquisition that isn’t in scope

Company A, an audit company, purchases from Company B an advanced, high-definition drone services contract, to survey and report on the activities of a range of infrastructure and construction sector clients with high specificity. Company A uses the drone in a range of different environments and uses the data it finds as part of its own business but has no expertise in developing or producing the drone itself. If Company C acquires Company A at a future date, it would not be required to notify the UK government, as it is merely a consumer / user of the products and services of Company B.

If you do not think your acquisition is covered by the Advanced Robotics guidance, you should read guidance for the following areas:

• Artificial Intelligence
• Computing Hardware – activities relating to ‘a specialist processor for artificial intelligence applications’. You are advised to consider if the qualifying entity’s work covers a) the ownership, creation or supply of intellectual property to or b) the fabrication or packaging of specialist processors for artificial intelligence applications
• Defence
• Military and Dual-Use
• Satellite and space technologies

3. Artificial Intelligence

The development of artificial intelligence (AI) technologies is growing rapidly and transforming the global economy. The development and application of these technologies is an industry in its own right, but AI is also transforming business models across many sectors.

AI can optimise the efficiency, precision, and performance of many existing technologies.

AI is also inherently dual-use and potentially easy to repurpose. There is increasing interest by military and law enforcement organisations to advance the use of AI in their domains. There is potential for other actors to deploy AI applications for malicious and harmful uses. This means technologies that are used for the commercial market and consumers could also be repurposed and used in manners which could give rise to national security concerns. The opportunity to use AI positively across the UK economy can only be harnessed if sensitive and critical applications of AI can be protected.

As AI technologies are often general purpose and used across sectors, this regulation will capture entities that do not necessarily identify as ‘AI companies’. Whether a qualifying entity is focused solely on AI, or incorporates or develops AI as part of a wider approach to their sector or business, it is the specific work being undertaken that is most important to consider.

Am I in scope of the Artificial Intelligence part of the regulations?

To determine if a qualifying entity you are seeking to acquire is in scope of the AI part of the regulations, you will need to consider 2 questions:

• does the qualifying carry on entity research into, or develop or produce goods, software or technology that use AI?
• is the AI work of the qualifying entity used for one of the following applications: identification or tracking, advanced robotics or cyber security?

If the answer is yes to both questions for the qualifying entity being acquired, you will be legally required to submit a mandatory notification to the government.

There are two steps to considering the entity you are acquiring is in scope.

1 Confirm the use of AI.
2 Confirmation application of AI.1

Step 1: Confirm the use of AI

You first need to consider if the qualifying entity researches into, or develops or produces goods, software or technology that use ‘artificial intelligence’.

‘Artificial Intelligence’ is defined in the regulations as:

“technology enabling the programming or training of a device or software to:

(i) perceive environments through the use of data
(ii) interpret data using automated processing designed to approximate cognitive abilities and
(iii) make recommendations, predictions or decisions with a view to achieving a specific objective”

‘Cognitive abilities’ means reasoning, perception, communication, learning, planning, problem solving, abstract thinking, decision-making or organisation

Step 2: Confirm application of AI

If you believe the qualifying entity does fit the definition of AI, you then need to consider how this is being applied.

Three categories of application are in scope of the new rules. You will be legally required to submit a mandatory notification if the qualifying entity does any of the following:
• identification or tracking
• advanced robotics
• cyber security

Identification
Examples of ‘identification’ may include, but are not limited to:

Human identification:
• audio and speech recognition data re-identification
• emotion recognition
• facial recognition
• gait analysis

Object identification:
• automated vehicle parking systems image classification
• image retrieval
• machine inspection
• object localisation
• object detection and object segmentation
• surveillance (human and object)

Event identification:
• activities captured in ‘real time’ (i.e. video analysis to track an individual moving)
• tracking and processing

Advanced robotics

“Advanced robotics” has the same meaning as in Schedule 2 of the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021.

Examples of ‘advanced robotics’ may include, but are not limited to:

• autonomous vehicles
• digital twinning
• path or action execution
• path or action planning
• sensor data processing.

Cyber security

“Cyber security” means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats. “Cyber threat” means any potential circumstance, event or action that could damage, disrupt or otherwise adversely affect network and information systems, the users of such systems and other persons”.

Examples of ‘cyber security’ may include, but are not limited to:

• authentication
• behaviour analysis
• predictive analysis
• threat detection and classification
• vulnerability discovery

If you do not think your acquisition is covered by the AI guidance, you are advised to read guidance for the following areas:

• Advanced Robotics – where the application of the qualifying entity’s work relates to robotics.
• Computing Hardware – this covers activities relating to ‘a specialist processor for artificial intelligence applications’. You are advised to consider if the qualifying entity’s work covers (a) the ownership, creation or supply of intellectual property to or (b) the fabrication or packaging of specialist processors for artificial intelligence applications

4. Civil Nuclear

The UK’s civil nuclear sector is among the most advanced in the world, from fuel production, generation, new build, research through to decommissioning, waste management and transportation and our world class regulatory system.

The civil nuclear sector is also part of the UK’s Critical National Infrastructure (CNI). It generates essential baseload, low carbon electricity critical to families and businesses, providing around 17% of the UK’s current electricity needs.

As well as generating electricity, the civil nuclear sector also stores, processes and transports radioactive material, and nuclear safety and nuclear security are essential to any nuclear operation.

Am I in scope of the Civil Nuclear part of the regulations?

In the UK, certain types of nuclear material, information and technology are regulated for safety and/or security, and the Civil Nuclear part of the regulations specifically references some of the notifiable acquisition regulations and relevant legislation.

As a first step when self-assessing whether your proposed acquisition will fall into the scope of the mandatory notification requirement, you should find out whether the qualifying entity you are seeking to acquire holds any licences or certifications in relation to nuclear activities, as this may be helpful in identifying whether an acquisition needs to be notified.

This guidance is structured to reflect each individual criterion of the regulations. To identify whether you need to submit a notification, you should find out if the qualifying entity you are seeking to acquire meets any of the criteria below.

You will be legally required to notify if the qualifying entity you are acquiring is involved in any of the following.

The qualifying entity either:

• holds a nuclear site licence for non-military purposes
• is a tenant on a non-military licensed nuclear site
• holds Category I, II or III nuclear material
• holds a Class A or Class B licence to transport nuclear material s
• is planning to build a nuclear reactor

• is awaiting the outcome of a relevant assessment by the Office for Nuclear Regulation
• holds equipment, software or information relevant to enrichment of uranium
• holds Sensitive Nuclear Information (SNI)
• is receiving relevant public funding in relation to fission nuclear reactors

The qualifying entity holds a nuclear site licence for non-military purposes

You should review whether the qualifying entity you are seeking to acquire holds a nuclear site licence for non-military purposes, and if you conclude that it does you will be legally required to submit a mandatory notification to the government. In the UK, nuclear site licences are issued by the Office for Nuclear Regulation (ONR). The activities for which a site licence is required are described in Section 1 of the Nuclear Installations Act 1965 (https://www.legislation.gov.uk/ukpga/1965/57), and include things such as operating a nuclear power plant, producing nuclear fuel, or enriching uranium.

The qualifying entity is a tenant on a non-military licenced nuclear site

Licensed civil nuclear sites may have tenants. When assessing whether your acquisition will fall into the scope of mandatory notification, you should review whether the qualifying entity you are seeking to acquire holds a tenancy agreement for premises on the type of licensed nuclear site described above. If you conclude that it does, you will be legally required to submit a mandatory notification.

The qualifying entity holds Category I, II or III nuclear material

You should check whether the qualifying entity you are seeking to acquire holds any Category I, II or III nuclear material. If you assess that it does, you will be legally required to submit a mandatory notification to the government. Categories I, II and III of nuclear material are described in the Nuclear Industries Security Regulations 2003 (https://www.legislation.gov.uk/uksi/2003/403/contents/made). This includes certain types of plutonium, uranium, neptunium, americium, and other types of reactor fuel or irradiated nuclear material.

The qualifying entity holds a Class A or Class B licence to transport nuclear material

In order for an entity to transport nuclear material of Category I, II or III, it must be approved as either a Class A or Class B carrier by the Office for Nuclear Regulation. You should review whether the qualifying entity you are seeking to acquire holds a relevant licence to transport nuclear material, and if you conclude that it does you will be legally required to submit a mandatory notification to the government.

The qualifying entity is planning to build a nuclear reactor

You should check whether the qualifying entity you are seeking to acquire intends to build certain types of infrastructure defined as a Nationally Significant Infrastructure Project in the Planning Act 2008 (https://www.legislation.gov.uk/ukpga/2008/29/contents), for example, certain types of large-scale electricity generation projects. If so, you should find out whether it has received development approval from the Secretary of State for Business, Energy & Industrial Strategy (BEIS), or has submitted an application for this. If you conclude that it has and that the development consent or application relates to a nuclear reactor, you will be legally required to submit a mandatory notification to the government. A nuclear reactor is as defined in the Nuclear Installations Act 1965 (https://www.legislation.gov.uk/ukpga/1965/57/section/26).

The qualifying entity is awaiting the outcome of a relevant assessment by the Office for Nuclear Regulation

Some entities may be required to pay a fee to the Office for Nuclear Regulation in relation to an assessment of a design proposal, or the preparation of a relevant assessment agreement. These purposes are defined in the relevant section of the Health and Safety and Nuclear (Fees) Regulations 2021 (https://www.legislation.gov.uk/uksi/2021/33/contents/made) and include, for example, a Generic Design Assessment. You should check whether the qualifying entity you are seeking to acquire has asked ONR to carry out this type of assessment, and if you conclude that it has and that this assessment is on-going you will be legally required to submit a mandatory notification to the government.

The qualifying entity holds equipment, software or information relevant to enrichment of uranium

Some entities may hold equipment, software or information relevant to enrichment of uranium as defined in the Uranium Enrichment Technology (Prohibition on Disclosure) Regulations 2004 (https://www.legislation.gov.uk/uksi/2004/1818/contents/made). You should check whether the qualifying entity you are seeking to acquire holds any equipment, software or information defined in this legislation, and if you conclude that it does you will be legally required to submit a mandatory notification to the government. Enrichment of uranium refers to the process of treating uranium to increase the proportion of the isotope 235 contained in the uranium.

The qualifying entity holds Sensitive Nuclear Information (SNI)

Sensitive Nuclear Information (SNI) is a type of officially classified information and is defined in the Anti-Terrorism, Crime and Security Act 2001 (https://www.legislation.gov.uk/ukpga/2001/24/contents). Within the UK, holders of SNI outside of nuclear facilities are regulated by the Office for Nuclear Regulation (ONR) under Regulation 22 of the Nuclear Industries Security Regulations (NISR) 2003 (https://www.legislation.gov.uk/uksi/2003/403/contents/made). Regulation 22 duty holders may be placed on ‘List N’. Further information on SNI is available on the ONR website (https://www.onr.org.uk/cnss/regulation-of-sensitive-nuclear-information-list-n.htm). You should review whether the qualifying entity you are seeking to acquire holds any SNI, and if you conclude that it does you will be legally required to submit a mandatory notification to the government.

The qualifying entity is receiving certain public funding in relation to fission nuclear reactors

Some entities receive public funding for research and development purposes – such as funding from UK Research and Innovation – under the Science and Technology Act 1965 (https://www.legislation.gov.uk/ukpga/1965/4) or the Higher Education and Research Act 2017 (https://www.legislation.gov.uk/ukpga/2017/29/contents/enacted).

You should review whether the qualifying entity you are seeking to acquire is directly receiving funding from a public organisation under either of these Acts in relation to fission nuclear reactors (including Small Modular Reactors and Advanced Modular Reactors). If you conclude that it is, then you will be legally required to submit a mandatory notification to the government. The financial support arrangements will usually state the legislation under which funding has been awarded.

5. Communications

The communications sector is a diverse, technologically advanced and constantly evolving. It is integral to national security, the economy and society as it supports the operations of businesses, public safety organisations, government, the wider public sector, other critical national infrastructure and citizens. The mandatory notification requirements include many of the most significant providers within the sector.

As a regulated sector, the mandatory notification requirements in the Communications part of the regulations are informed by existing legislation, primarily the Communications Act 2003 (https://www.legislation.gov.uk/ukpga/2003/21/contents), in order to provide clarity and consistency across the regulatory frameworks.

Am I in scope of the Communications part of the regulations?

You will be legally required to submit a mandatory notification if any of the following apply. The entity you are acquiring either:

• is a public electronic communications network or service (PECN/S) with a UK turnover of at least £50 million
• makes available an ‘associated facility’ to a PECN/S with a turnover of at least £50 million (exceptions apply, see below)
• owns a building where its main purpose is to host active telecommunications equipment owns a submarine cable system with a UK turnover of at least £50 million
• owns a cable landing station which is used by a PECN/S with UK turnover at least £50 million owns a repair or maintenance service for submarine cable systems or cable landing stations which is used by PECN/S with UK turnover at least £50 million.
• has a top-level domain name registry, domain name system resolver, authoritative hosting service or internet exchange points subject to certain thresholds
• provides broadcast infrastructure for either:
• the BBC
• Channel 3 (ITV PLC and STV)
• Channel 4
• Channel 5
• S4C
• national commercial radio (analogue or digital)

Telecommunications

Public electronic communications providers

The qualifying entity you are acquiring is in scope if it is a public electronic communications network or service (PECN/S) with a turnover of at least £50 million, or is a provider of certain associated facilities by reference to such a PECN/S.

A PECN refers to an electronic communications network that is provided wholly or mainly for the purpose of making electronic communications services available for use by members of the public.

A PECS refers to an electronic communications service that is either:

• an internet access service
• a number-based interpersonal communications service
• any other service consisting in, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting – provided so as to be available for use by members of the public

Social media services (such as Facebook and Instagram) or messenger/video services (such as WhatsApp and Zoom) are not in scope when they are only providing content or number- independent interpersonal communications services.

Private electronic communications networks and services (for example, those used on transport systems) are not in scope. However, private networks used by emergency services and some private networks used within the defence sector are in scope of the regulations.

The turnover threshold

Providers of PECN/S are only included if the annual turnover of their specific business activity that involves the provision of a PECN/S conducted in the UK is at least £50 million during the relevant period. This applies to those who own, or have controlling interests in, such providers of PECN/S and other associated entities. If you are seeking to acquire a qualifying entity which falls above this threshold, you will be legally required to notify the government.

Associated facilities

An ‘associated facility’ refers to a facility, element or service used in association with an electronic communications network or service for specified purposes.

Your acquisition is in scope if the qualifying entity you are acquiring makes available an associated facility to a qualifying PECN/S. There are exceptions for ‘passive infrastructure’ and ‘support infrastructure’ (see below).

A facility can be physical infrastructure such as a data centre used to provide the core network function of a PECN/S, or a satellite ground station. It can be a service provided to communications service providers such as businesses who provide billing services or managed service providers.

Businesses who provide more general services to communications service providers such as cleaning or HR services would not be included here, as these services do not specifically enable or support the provision of communications networks or services.

A qualifying entity making available an associated facility would not include a supply chain vendor of equipment or software if the qualifying entity simply sells its product onwards and does not also operate or retain control over it when in use. However, if the contractual relationship allowed a supply chain vendor to retain an element of control over the use of the equipment, then they might be included in mandatory notification.

Your acquisition is in scope of mandatory notification if you are seeking to acquire an operator of an associated facility that is used by a PECN/S with a UK turnover of at least £50 million. If you are acquiring a qualifying entity that operates an associated facility with a UK turnover of over £50 million, but the entity only provides that facility to a PECN/S with a turnover below £50 million, then your acquisition would not be in scope of mandatory notification.

Passive infrastructure

Your acquisition is not in scope of mandatory notification if the associated facility is a ‘passive’ network element. This means it has equipment which transmits information but does not convert or process it and is unlikely to consume electrical power. Examples of passive infrastructure for the purposes of these regulations include pipes, ducts, cables and wires.

Support infrastructure

Some elements within a network are used to support or “host” other elements. The term “host” refers to support infrastructure which houses, protects, guides or supports other network elements, which are themselves active or passive.

If you are seeking to acquire a qualifying entity which meets the turnover threshold and makes available network elements which are passive, but hosts active network elements, then you will be legally required to submit a mandatory notification to the government.

Passive network elements that host other passive elements are not in scope for mandatory notification. For instance, street cabinets are passive support infrastructure that may host active equipment, whereas telephone poles are passive infrastructure which may only host passive equipment (cables).

Some types of equipment such as antenna can be active or passive depending on the specific piece of equipment and how it is used. Similarly, masts and towers may host active or passive equipment and therefore the operators of masts and/or towers will only be exempt from mandatory notification if their masts/towers only host passive equipment such as cables and not any active equipment such as active antenna.

Building owners and landowners

Entities which own or make available buildings that host telecommunications equipment, including on the roof of the building, are excluded from mandatory notification. The only exception to this is if the main purpose of that building is to host active telecommunications equipment, and where that active equipment is used by a PECN/S with a UK turnover of at least £50 million. Owners of residential properties or unrelated commercial properties which have active telecommunications equipment on their roofs, such as 5G small cells, are not in scope of mandatory notification, as the main purpose of those buildings is not to host active telecommunications equipment. Owners of cable landing stations, satellite ground stations and relevant data centres are in scope of mandatory notification, as the specific purpose of these buildings is to host active telecommunications equipment.

Owners of land upon which a qualifying associated facility is located (whether that is active, passive or support infrastructure) are not in scope of mandatory notification. Exceptions to this include when the landowner is also carrying out other activities which are in scope of the regulations, such as owning/operating the telecommunications infrastructure on its land, which would mean it would be making available an associated facility or if they were also providing a PECN/S within the turnover threshold.

Submarine cable systems and cable landing stations

If you are seeking to acquire a qualifying entity which owns a submarine cable system which has a UK turnover at least £50 million then you will be legally required to submit a notification to the government as these are considered to be PECN/S.

Cable landing stations are considered to be associated facilities therefore, if you are seeking to acquire a qualifying entity which owns a cable landing station which is used by a PECN/S with UK turnover at least £50 million, then your acquisition will be in scope.

Please note: The explicit reference to submarine cable systems and cable landing stations have been included in the Communications part of the regulations for completeness. They should not be read as meaning that they would otherwise necessarily fall outside the scope of the Communications Act 2003 definitions of PECN/S and associated facilities.

If you are seeking to acquire a repair and maintenance service for submarine cable systems and cable landing stations, which is used by a PECN/S with UK turnover above £50 million, you will be required to submit a notification to the government too.

Information systems

If you are seeking to acquire a top-level domain name registry, domain name system resolver, authoritative hosting services and internet exchange points then (subject to the thresholds below) your acquisition is in scope of the mandatory notification requirements. These terms are defined in the Network and Information Systems Regulations 2018 (as amended) (NIS Regulations) (https://www.legislation.gov.uk/uksi/2018/506/made).

The thresholds reflect those in the NIS Regulations, and are as follows:

• top-level domain name registry: services 14 billion or more queries from any UK device in a consecutive 168-hour period for domains registered within the Internet Corporation for Assigned Names and Numbers
• domain name system resolver service: services 500,000 or more different Internet Protocol addresses used by persons in the UK in any consecutive 168-hour period
• domain name system authoritative hosting service: services 100,000 or more domains registered to persons with an address in the UK
• internet exchange points: has 30% or more market share for such services in the UK in terms of interconnected autonomous systems

It is important to note that qualifying entities that operate internet exchange points (those that are involved or operate infrastructure which is provided for the exchange of digital data) are also in scope of the Data Infrastructure part of the regulations, where no threshold is applied.

Supply chain

Entities in the supply chain which sell equipment and software, but do not subsequently operate that equipment and do not have any control over its use, are excluded from the Communications part of the regulations.

Broadcasting

Providers of broadcast infrastructure for the BBC, national commercial radio (analogue or digital) or television services for the UK’s public service broadcasters (holders of Channel 3 licenses, Channel 4, Channel 5 and S4C) are also included. However, the definition of a PECS service excludes services that are content services, meaning that providers of broadcasting content services (including television and radio) are not included and therefore not subject to the mandatory notification requirements. Enterprises which provide both broadcasting infrastructure and content are covered by the Communications part of the regulations.

6. Computing hardware

Computing hardware is essential to all digital devices. Technological advances in computing hardware have changed the way in which people can use digital devices to interact and the way businesses develop and grow. Digital technologies are used in our day to day lives, but they are also important to the UK’s national security, underpinning critical UK infrastructure, and are now just as intrinsic to defence uses as they are to our daily lives.

The Computing Hardware part of the regulations focus on specific activities, products and functions that take place within the supply chain for these products. As the process for creating computing hardware is advancing all the time, risks can emerge upstream of the final product, including vulnerabilities that could cause harm.

Am I in scope of the Computing Hardware part of the regulations?

To determine if a qualifying entity you are seeking to acquire is in scope of the Computing Hardware part of the regulations, you will need to consider 2 questions:
• is the qualifying entity involved with any of the activities set out in the definition?
• if so, do these activities apply to any of the corresponding products or functions as listed in the definition?

If the qualifying entity you are seeking to acquire falls into both categories, then you will be legally required to submit a mandatory notification to the UK government.

You will need to check if the qualifying entity you are acquiring is involved in any of the following activities:

• the ownership, creation, supply or exploitation of intellectual property of certain products or functions
• design, maintenance or delivery of a service for secure provisioning or management
• fabrication of packaging

The ownership, creation, supply or exploitation of intellectual property of certain products or functions

An acquisition is likely to be in scope if the qualifying entity is involved in the ownership, creation, supply or exploitation of intellectual property of any of the following products or functions:
• computer processing units
• architectural, logical or physical designs for such units the instruction set architecture for such units
• code, written in a low-level language, that can control how such units operate integrated circuits with the purpose of providing memory

Computer processing units include field central processing units (CPUs), programmable gate arrays (FPGA), microcontrollers, system on chips, graphics processor units and specialist processors for Artificial Intelligence applications.

Design, maintenance or delivery of a service for secure provisioning or management

Your acquisition is likely to be in scope if the qualifying entity is involved in the design, maintenance or delivery of a service for the secure provisioning or management of any of the following products or functions:

• roots of trust of computer processing units
• code, written in a low level language, that can control how such units operate

Fabrication or packaging

Your acquisition is likely to be in scope if the qualifying entity is involved in the fabrication or packaging of any of the following products or functions:
• central processing units (CPU)
• integrated circuits with the principal purpose of providing memory

Fabrication means the process of producing a microelectronic circuit on a semiconductor substrate or using other advanced materials.

Examples of fabrication include, but are not limited to:

• deposition
• etching
• ion implantation
• lithography
• wafer preparation

Packaging means the process of turning a microelectronic circuit on an appropriate substrate into a package suitable for use in an electronic circuit but does not include the assembly and packaging of chips and devices into circuit boards.

Example of packaging include, but are not limited to:

• bonding
• die preparation
• encapsulation
Further details on terms used

Artificial Intelligence

The Computing Hardware part of the regulations references ‘a specialist processor for artificial intelligence applications’, a definition of ‘Artificial intelligence’ is provided in the Artificial Intelligence part of the regulations.
‘Artificial intelligence’ means technology enabling the programming or training of a device or software to—
(i) perceive environments through the use of data
(ii) interpret data using automated processing designed to approximate cognitive abilities and
(iii) make recommendations, predictions or decisions with a view to achieving a specific objective.

Products and functions

The following are examples of terms used in the definition. These are for example only and should not be seen as an exhaustive list.

Architectural, logical or physical designs

Examples include, but are not limited to:

• electronic Design Automation (EDA) software
• layout / schematic designs microarchitecture
• register transfer language (RTL)

Instruction set architecture

Examples include, but are not limited to:

• instruction set architectures
• formal definitions of these
• instruction set extensions

Code, written in a low level language, that can control how such units operate

Examples include, but are not limited to:

• microcode
• drivers
• firmware for roots of trust

Roots of trust of computer processing units – means hardware, firmware or software components that are inherently trusted to perform critical security functions

Examples include, but are not limited to:
• cryptographic key material bound to a device that can identify the device or verify a digital signature to authenticate a remote entity)

Integrated circuits with the purpose of providing memory

An example could include, but is not limited to:

• a chip developed to provide volatile or non-volatile memory to an external computer processing unit, using either well developed memory technologies (e.g. SRAM, DRAM, flash) or newer memory technologies (e.g. PCM, RRAM, FRAM, MRAM)

A specialist processor for artificial intelligence applications
Examples include, but are not limited to

• approximate processors and other architectures with a similar purpose of accelerating artificial
• intelligence
• machine learning applications
• neuromorphic processors

If you do not think your acquisition is covered by the Computing Hardware guidance, you should read guidance for the following areas:

• Artificial Intelligence – if the entity works with ‘a specialist processor for artificial intelligence applications’.
• Advanced Materials – If the entity uses application-specific integrated circuit (ASICs), or an electronic component not captured under the Computing Hardware regulations

7. Critical Suppliers to Government

The purpose of this part of the regulations is to help protect the government supply chain from potential national security risks. The regulations focus on the most sensitive government information, assets or estates where the risk to national security is the greatest were they subject to compromise.

Am I in scope of the Critical Suppliers to Government part of the regulations?

For the purpose of these regulations, Critical Suppliers to Government are those contracted to access very sensitive government data, assets or estates, all of which might be subject to attack from adversaries.

The critical suppliers to government part of the regulations only applies to suppliers that hold direct contracts with government (sometimes referred to as prime suppliers). It does not apply to subcontractors.
The regulations define government as being equivalent to “contracting authorities” as outlined in the Public Contracts Regulations 2015 (https://www.legislation.gov.uk/uksi/2015/102/contents/made). A contracting authority includes:

• the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law, and includes central government authorities but does not include Her Majesty in her private capacity.

You will be legally required to submit a mandatory notification if the qualifying entity you are seeking to acquire holds a public contract with government which includes any of the following features:

• processing and/or storing SECRET or TOP SECRET material a requirement to have list X accreditation
• a requirement for employees to be vetted at or above Security Check (SC) level
Processing and/or storing SECRET or TOP SECRET material
Government information is classified to indicate sensitivity, with SECRET and TOP SECRET being the most sensitive. Visit the government security classifications page (https://www.gov.uk/government/publications/government-security-classifications) to understand how the government classifies information assets.

You will be legally required to submit a mandatory notification if the qualifying entity you are seeking to acquire has both of the following features:

• a public contract with government
• processes or stores SECRET or TOP SECRET material

List X accreditation

List X (sometimes referred to as Facility Security Clearance) applies to companies operating in the UK which have government contracts which require them to hold information on site that is classified as:

• SECRET and above or
• international partners’ information classified as CONFIDENTIAL and above

Further information can be found on the international classified information page
(https://www.gov.uk/government/publications/international-classified-information).

The UK government does not publish the names or locations of List X facilities, but the Ministry of Defence is the contracting authority for the majority of these sites.
List X contractors are also required to notify the Ministry of Defence of potential changes in ownership. Check the guidance for security requirements for List X contractors (https://www.gov.uk/government/publications/security-requirements-for-list-x-contractors).

You will be legally required to submit a mandatory notification if the qualifying entity you want to acquire has both of the following features:

• a public contract with government
• a contractual requirement to have a list X accreditation

Vetting employees to Security Check level or above

There are currently 5 levels of national security vetting in the UK:

• Counter Terrorist Check (CTC)
• Security Check (SC)
• Enhanced Security Check (eSC) Developed Vetting (DV)
• Enhanced Developed Vetting (eDV)

View guidance from UK Security Vetting for more information on clearance levels
(https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels).

As a general rule, those who need frequent access to SECRET material will require Security Check clearance. Individuals who need unsupervised access to TOP SECRET material will require Developed Vetting clearance.

You will be legally required to submit a mandatory notification if the qualifying entity you want to acquire has both of the following features:
• a public contract with government
• a requirement for their employees to be vetted at SC level or above

8. Cryptographic Authentication

Authentication is the process of verifying the identity of a person or device. Where the technical method depends on cryptography, rather than a non-technical method such as checking the signature of an individual or that their face matches their driving licence, it is deemed to be a sensitive technology.

Companies that provide cryptographic authentication operate across much of the economy, providing software and hardware tools for businesses to enable a number of key capabilities, including:

• verification of user identity through passwords, two-factor or multi-factor authentication (such as a hardware token or software application)
• authentication of a human-operated or automated device to a network to allow access to the network, data and other resources
• verification of the origin and integrity of an email, message or document through digital certificates, and security protocols

These functions can be enablers of further security steps, such as management of access, and help to prevent unauthorised access to data, network resources, personal information, physical spaces, intellectual property and other assets. This might include use or ownership of a device containing a cryptographic key. It can include determining the identity or some attributes of the device owner asserted by an authoritative third party or recognising the user as a repeat visitor or as the owner of a previously established account.

Am I in scope of the Cryptographic Authentication part of the regulations?

You will be legally required to notify the government if the qualifying entity you are acquiring is involved in one, or more, of the following activities:

• research into any product(s)
• developing any product(s)
• producing any product(s)

Where that product(s) meets the following 3 criteria:

• has authentication as a primary function
• employs cryptography in performing the authentication function and
• is a product that is not ordinarily supplied to or made available for acquisition by consumers

Examples of technologies within scope, but are not limited to, are systems that authenticate:

• the identity of a physical person using an access token to gain entrance to a restricted area at a critical national infrastructure site
• the identity of a user to gain electronic access to the computer network of a power station
• a biometric property of an individual to allow access to a restricted area of an industrial site
• a credit/debit chip-and-pin card at an ATM or retail point of sale; and
• the digital information held on an e-passport to determine whether to allow the holder into the country

9. Data Infrastructure

Data infrastructure provides the ability to store, process and transmit data. The government has a responsibility to ensure that data and its supporting infrastructure is secure, resilient and trustworthy in the face of established, new and emerging risks, protecting the economy as it grows.

Data infrastructure is physical or virtualised infrastructure used for storing, processing or transmitting data in digital form or infrastructure that is provided for peering, interconnection or exchange of digital data~

Am I in scope of the Data Infrastructure part of the regulations?
Qualifying entities in the Data Infrastructure part of the regulations could include:

• data centre operators
• cloud storage service providers managed service providers
• specialist or technical service providers with physical access to relevant data infrastructure
• software providers whose product gives the software provider ongoing privileged access to customer data

Types of entities not in scope of the Data Infrastructure part of the regulations include:

• a data centre storing exclusively paper records
• an entity that sells off-the-shelf software to customers with no ongoing configuration, integration or maintenance support or
• an entity that provides a public electronic communications service or network but does not provide any dedicated infrastructure or facilities to its customers for storing, processing, or transmitting data in addition to the provision of that electronic communications network or service.

You may need to submit a mandatory notification if the qualifying entity you are acquiring stores, processes or transmits data in a digital form.

To find out if you need to submit a mandatory notification to the government, you will need to:

1. Check if the qualifying entity you are acquiring is involved in ‘relevant data infrastructure’.
2. Check if the qualifying entity performs a ‘qualifying activity’.

If you meet both criteria, you will be legally required to notify the government about your planned acquisition.

Step 1: check if the entity is involved in ‘relevant data infrastructure’

A qualifying entity must perform any one of the activities listed below in relation to relevant data infrastructure in order to be in scope of mandatory notification.

‘Relevant data infrastructure’ is physical or virtualised infrastructure which does any of the following:

• stores, processes or transmits data in digital form which is used in connection with the administration and operation of certain public sector authorities
• is provided for peering, interconnection or exchange of digital data between providers of public electronic communications networks and/or services but which is not owned by a provider of public electronic communications networks or service or
• enables the interconnection of one or more public electronic communications networks with an electronic communications network where part of that network is provided by means of a submarine cable system.

If you provide data infrastructure services to a public authority, check which public authorities are covered by the regulations

You may need to notify if the qualifying entity that you want to acquire has a relationship with certain public sector authorities to perform relevant activity – that is, to store, process or transmit data in digital form.

This could be a direct contract or an indirect relationship, such as a subcontractor to the qualifying entity which has the direct contract with the public sector authority. If the qualifying entity is a subcontractor, it is only in scope if it has been made aware at or before the time that the acquisition took place that it is storing, processing or transmitting data for certain public sector authorities, or providing an activity that would fulfil or contribute towards the fulfilment of the main contract with the public sector authority.

Example

Company A is a colocation data centre and has a direct contractual relationship with Company B, a web hosting company. Company B has a direct contractual relationship with Company C, a public sector authority, whose data is stored in Company A’s facilities. However, Company A does not have a direct contract with Company C and has not been notified that it is a subcontractor in the contractual relationship between Company B and C. Company A is therefore not in scope of mandatory notification.

The scope of the definition of relevant activity may include a public communications provider (PCP) that owns or operates infrastructure which stores, processes or transmits public sector authority data. PCPs should also review the Communications guidance to determine if their acquisition is in scope of mandatory notification.

View a list of the public sector authorities that are covered by the regulations (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1033 352/public-sector-authorities-covered-by-nsi-regulations.ods).

Peering and interconnection infrastructure

Peering infrastructure that is owned or operated by a provider of public electronic communications networks or a provider of a public electronic communications service itself is not in scope of mandatory notification. The infrastructure which is provided by a third party – such as a data centre – and which provides the facilities for public network and service providers to interconnect with each other is in scope of mandatory notification. Any qualifying entity carrying out a qualifying activity in relation to this third party provided peering infrastructure is in scope of mandatory notification. It is also advised that you review the Communications guidance to determine if your acquisition is in scope of mandatory notification.

Infrastructure which is used to connect a public electronic communications network as defined in the Communications Act 2003 (https://www.legislation.gov.uk/ukpga/2003/21/contents) to a network transmitting data into the UK via a submarine cable is in scope of mandatory notification. This infrastructure could be located at a cable landing station. The infrastructure may also be located inside inland facilities, such as a data centre.

Step 2: check what activities are covered by the rules
You may need to notify your acquisition if the qualifying entity you are seeking to acquire does any one of the following activities. It is not necessary for the qualifying entity to perform all of the activities to be in scope. The activities are as follows:

• owns or operates relevant data infrastructure
• manages relevant data infrastructure on behalf of other entities manages facilities where relevant data infrastructure is located
• provides specialist or technical services to entities involved in any of the above activities produces or develops software for entities involved in any of the above activities and
• is given administrative access to relevant data infrastructure.

Further information on these terms is outlined below.

Specialist or technical services

You may need to notify if you are seeking to acquire a qualifying entity which provides specialist or technical services to entities which:
• own or operate relevant data infrastructure
• manage relevant data infrastructure on behalf of other entities or manage facilities where relevant data infrastructure is located

and where the provision of those services enables physical access to relevant data infrastructure.

For example:

• a qualifying entity performing specialist or technical services that has physical access to infrastructure used for peering, interconnection or exchange of digital data between providers of public communications networks and services
• a qualifying entity performing specialist or technical services that has physical access to infrastructure used to enable the interconnection of one or more public communications networks with a network which is part of a submarine cable system
• a qualifying entity performing specialist or technical services with physical access to infrastructure storing, processing or transmitting data in digital form is only in scope if it could be expected to know that the infrastructure is used for “relevant activity”

The type of services that are captured by the regulation are installation, equipment repair or maintenance.

Example

If Company A’s business activities include installation of cooling equipment to Company B and Company B is an owner/operator of relevant data infrastructure, then Entity A is in scope of the regulations.

If Company C is performing maintenance on cables located in a facility where relevant data infrastructure is located, then Company C will also be in scope of the regulations.

Administrative access

“Administrative access” is used to describe logical access to virtualised data infrastructure. It refers to either or both authorisation or access granted via either or both logical or administrative access controls by virtue of which an entity may access relevant data infrastructure or control access to relevant data infrastructure where such access would otherwise be restricted or compartmented and where such access would permit the modification of the relevant data infrastructure in a way that was not authorised.

The scope of the administrative access definition has several caveats to ensure that it is capturing only those entities that could present risks to national security, for example:

• “would otherwise be restricted or compartmented” – this captures a service provider whose service is of a type that gives it unrestricted rights and permissions to data and its underlying infrastructure that would not be available to a standard user and
• “would permit the modification of the relevant data infrastructure in a way that was not authorised” – this captures a service provider whose service gives it a level of authorisation that would enable it to effectively bypass controls intended to protect the confidentiality, integrity and availability of the relevant data and its underlying infrastructure. It does not mean that the service provider is in scope of mandatory notification only if and when it bypasses controls rather, it means that if the service provider has the access to enable it to bypass such controls if it wished to, then it would be in scope of mandatory notification

Producing or developing software

You may need to notify the government if a qualifying entity that you are acquiring produces, designs or develops software that could be used by a qualifying entity to provide services which give it administrative access to virtualised data infrastructure.

A qualifying entity that sells off-the-shelf software to customers with no ongoing configuration, integration or maintenance support is not in scope. However, the entity that you are acquiring may be in scope if it provides any such support to customers.

The qualifying entity does not need to know whether the software it is producing, designing or developing is used or is going to be used in relation to “relevant data infrastructure”, only whether the software is of a type that could be used to configure or manage the provision of administrative access to virtualised infrastructure which hosts, processes or transmits data.

A qualifying entity which produces, designs or develops software should also be aware of the type of activities carried out by customers for whom it is producing, designing or developing the software. Where those customer activities involve providing a service the provision of which requires administrative access to virtualised data infrastructure, the qualifying entity is in scope of mandatory notification.

You are advised to read the guidance for these other areas of the regulations.

A qualifying entity might be in scope of more than one part of the regulations as some areas of the economy are closely related and may overlap. If you are an acquirer considering whether you are in scope of the Data Infrastructure guidance, you are advised to read guidance for the following areas:

Communications

Suppliers to Emergency Services Artificial Intelligence

Guidance for procurement and supply chains

The Notifiable Acquisition Regulations will provide the government with a strong lever to mitigate national security risks while minimising the impact on businesses in the sector. However, the NSI Act does not negate the need for businesses to take a proactive approach toward mitigating risk in their procurement and supply chains, particularly around the protection and security of data.

Supply chains can be large and complex, involving many suppliers undertaking many different activities. Effectively securing the supply chain can be challenging because vulnerabilities can be inherent or introduced and exploited at any point in the supply chain.

The National Cyber Security Centre (NCSC) and Centre for the Protection of National Infrastructure (CPNI) have produced Supply Chain Security Guidance (https://www.cpni.gov.uk/system/files/documents/2e/87/Supply_Chain_Security_Collection_Jan2018.pdf
) with 12 principles designed to help entities establish effective control and oversight of supply chains. The guidance will provide organisations with an improved awareness of supply chain security, as well as helping to raise the baseline level of competence in this regard, through the continued adoption of good practice.

The NCSC has also produced Supplier Assurance Questions (https://www.ncsc.gov.uk/guidance/supplier-assurance-questions), which will help entities to gain confidence in suppliers’ cyber security practices. You are advised to understand who has responsibility for cyber security at the supplier organisation and what policies the organisation has in place.

10. Defence

A robust defence sector is vital to our national security. It provides defence capabilities that are critical to our national security and prosperity, it sustains jobs and skills, contributes to research and development programmes, supports manufacturing and offers export opportunities.

The government recognises that inward investment creates a dynamic industry, promotes innovation and supports the development of first-class military capabilities that enable us to protect our people, territories, values and interests at home and overseas. Given its importance to our national security the defence sector must remain resilient to a wide range of evolving threats.

Am I in scope of the Defence part of the regulations?

All suppliers to the Ministry of Defence (MOD) will be covered by the regulations. This includes companies at all tiers, including sub-contractors and those in the chain of sub-contractors, where the goods or service that they research, develop, design, produce, create or apply are provided or used for defence or national security purposes.

You will be legally required to submit a mandatory notification to the government if:

• you are seeking to acquire a qualifying entity whose UK activities include the research, development, production, creation or application of goods or services which are used or provided for defence or national security purposes

and either of the following apply. The qualifying entity you are acquiring either:

• is a government contractor, or any subcontractor in a chain of sub-contractors which begins with the government contractor, which provides such goods or services, or
• has been notified by the government that they hold, or may come into possession of, classified material

Contracts which provide access to defence facilities may still give rise to potential national security risks. The obligation to notify extends to contractors or subcontractors who provide goods or services without clear ‘military’ applications, such as catering or cleaning.

The meaning of “defence” and “government contractor” (Section 3 of the regulation) can be found in section 2(4) and section 12, respectively, of the Official Secrets Act 1989 (https://www.legislation.gov.uk/ukpga/1989/6/contents).

Contractors and sub-contractors

The government expects that most suppliers who are providing goods and services for defence and national security purposes will be aware of the nature of their contractual arrangements. The MOD has a standing contractual requirement for providers to notify the department of a change of control of a contractor, including any sub-contractors, through Defence Contractual Condition (DEFCON) 566 – Change of Control of Contractor.
The mandatory notification requirement in the regulations reinforces this standing requirement and the entities with a statutory obligation to notify will be clearly identifiable by virtue of their contractual arrangements.

Classified material

The government has an established Security Policy Framework Security policy framework: protecting government assets (https://www.gov.uk/government/publications/security-policy- framework) and entities which are subject to that framework are notified that they are involved in the handling of classified material. This notification may be issued in different ways, depending on the nature of the activity concerned, but most commonly through the issuing of a Security Aspects Letter or the designation of a facility as a List X (Facility Security Clearance) site.

Defence Contractual Condition (DEFCON 566 – Change of Control of Contractor)

The obligation contained in Defence Contractual Condition (DEFCON) 566, requires companies within the defence supply chain (i.e. those with a contract with the MOD) to provide the MOD with prior notice of a change in control. This obligation remains extant.

This requirement goes beyond the NSI screening process (with its focus on national security) and extends to wider due diligence that allows the MOD to make informed decisions on such issues as the conduct of extant competitions or negotiations, future contract award and other such issues. The contractual obligation does, however, provide an important indicator as to whether a company satisfies the first condition of the notification obligation as set out.

DEFCON 566 can be found within the Commercial section of the Knowledge in Defence guidance (https://www.gov.uk/guidance/knowledge-in-defence-kid). To access the website, interested parties must register via the KiD portal – which is a free and straight-forward process.

11. Energy

Energy is a diverse sector that is rapidly developing to deliver the UK’s 2050 net zero goal. The energy sector produces and uses a wide range of products and services in its operation and new and innovative technologies are being integrated all the time.
The government believes that there are certain areas within the sector that are sufficiently sensitive that they should be included in the mandatory notification requirement. The regulations covers upstream oil and gas, downstream gas, downstream oil and electricity entities.

Am I in scope of the Energy part of the regulations?

The regulations cover:
• upstream oil and gas
• downstream gas
• electricity
• downstream oil

Upstream oil and gas

The Upstream Oil and Gas sector refers to companies involved with upstream petroleum facilities,

i.e. upstream petroleum pipelines (including subsea pipelines), terminals and infrastructure necessary to a petroleum production project. A “petroleum production project” means a project carried out under a relevant licence (e.g. under section 3 Petroleum Act 1998 (https://www.legislation.gov.uk/ukpga/1998/17/contents)) to search for, bore for and get petroleum (i.e. oil and gas).

You will be legally required to submit a mandatory notification if the qualifying entity carries on at least one of the following activities onshore in the UK:

• it owns an upstream petroleum facility
• it operates an upstream petroleum facility
• it develops an upstream petroleum facility (for “new” facilities only, i.e. those still being constructed, or which only began operations less than 12 months before the date of the proposed acquisition)
• it enables the operation of an upstream petroleum facility
• it enables the development of an upstream petroleum facility (for “new” facilities only) or
• it holds a Petroleum Act licence for an upstream petroleum facility (under s3 of the Petroleum Act 1998 or s2 of the Petroleum (Production) Act 1934)

In each case, the relevant facility must also:

• meet the 3,000,000-tonne throughput threshold (see below) and be either:
 onshore in the UK
 offshore and used in connection with the supply of oil and gas to people in the UK

Calculation of the throughput thresholds for Upstream oil and gas

If the qualifying entity you are acquiring has a throughput of more than 3,000,000-tonnes in their facility for the 12 months calculated as below, you will be legally required to submit a mandatory notification to the government.
The throughput threshold for existing facilities is calculated over the 12 calendar months preceding the month in which a person gains control.

The throughput threshold for “new” facilities is calculated by the expected throughput in its first 12 calendar months of operation.

Example

Facility A is owned by Company A and began operating three years ago. Facility A is therefore an “existing” facility. Someone intends to acquire Company A on 15 June this year. The throughput of Facility A would be assessed for the period between 1 June of the previous year and 31 May of this year.

Downstream gas

Downstream Gas activity refers to the onshore processing, transportation or distribution of gas across Great Britain (GB) (but not Northern Ireland). It contributes, either directly or indirectly, to the supply of gas to domestic and/or commercial properties.

You will be legally required to submit a mandatory notification if the qualifying entity you are acquiring does any of the following. The qualifying entity:

• holds a Transmission licence or exemption under the Gas Act 1986 (https://www.legislation.gov.uk/ukpga/1986/44/contents): this captures owners and operators of GB’s gas transmission network
• holds a Distribution licence or exemption under the Gas Act 1986 (https://www.legislation.gov.uk/ukpga/1986/44/contents): this captures the owners and operators of GB’s Gas Distribution Networks (GDNs)
• holds a Gas Interconnector licence or exemption under the Gas Act 1986 (https://www.legislation.gov.uk/ukpga/1986/44/contents): this captures the owners and operators of gas interconnectors. For these purposes, a gas interconnector means any pipeline used to transfer gas between GB and another country or territory
• owns or operates a gas processing facility: this captures the operators and owners of onshore facilities in GB that treat imported gas and bring it within the prescribed quality specifications for safe use in homes and businesses. This only applies if the gas processing facility has the technological capacity to carry on gas processing operations in relation to greater than 6 million cubic metres of gas per day
• owns or operates a Liquefied Natural Gas (LNG) import or export facility: this captures the owners and operators of onshore terminals in GB which are used for the importation, offloading, re-gasification or export of Liquid Natural Gas. This only applies if the export facility which has the technological capacity to carry on the importation, regasification or liquefaction of greater than 6 million cubic metres of gas per day

Example

Company B plans to acquire Company C. Company C operates a gas processing facility in the East of England. The facility is able to process up to 10 million cubic metres of gas per day.

Therefore, Company C’s facility has the technological capacity to carry on gas processing operations in relation to greater than 6 million cubic metres of gas per day. Company B must submit a mandatory notification to government.

Electricity

Electricity activity refers to the onshore and offshore generation, storage, aggregation, transmission or distribution of electricity across GB (but not Northern Ireland). It contributes, either directly or indirectly, to the supply of power to homes and business.

You will be legally required to submit a mandatory notification if the qualifying entity you are acquiring holds any of the following types of licence or exemption under the Electricity Act 1989 (https://www.legislation.gov.uk/ukpga/1989/29/contents):

• a transmission licence or exemption: this captures owners and operators of GB’s electricity transmission networks which transport electricity from onshore or offshore generators to onshore substations, regional distribution networks or directly to large industrial users
• a distribution licence or exemption: this captures the owners and operators of GB’s Electricity Distribution Networks, which transport electricity from the transmission network to domestic and commercial properties. It includes smaller networks owned and operated by Independent Distribution Networks Operators (IDNOs) which are located within the areas covered by the larger distribution networks
• an interconnector licence or exemption this captures the owners and operators of electricity interconnectors that allow the transfer of electricity across GB borders, or
• a Generation licence or exemption this includes all technology types capable of generating or storing electricity for the purpose of enabling supply

You will also be legally required to submit a mandatory notification if the qualifying entity you are acquiring conducts the following activity:

• aggregates electricity this activity includes combining multiple customer loads or generated electricity for sale, purchase or auction in the electricity market of GB

The mandatory notification requirement only applies to substantial generators or aggregators of electricity. These activities are therefore subject to the following thresholds:

• the qualifying entity you are acquiring owns or operates a single generating asset (onshore or offshore) with a capacity of 100MW or more or
• you, your group companies and the qualifying entity you are acquiring together have a cumulated generation or aggregation capacity of 1GW or more

Example

Company D holds a generation licence and owns several power generating assets in Wales with a total generation capacity of 800MW. Company E manages the demand of 500MW of customer load for sale in the GB electricity market. Therefore, Company E is carrying on aggregation. The combined “relevant capacity” of Company D and Company E is 1,300MW which is greater than one gigawatt. A mandatory notification must be submitted to the government if Company D acquires Company E or if Company E acquires Company D.

Downstream oil

Downstream oil sector activity is that which is carried out in the UK in the course of a business, and which contributes, either directly or indirectly, to the supply of crude oil-based fuels to UK consumers.

You will be legally required to submit a mandatory notification if the qualifying entity you are acquiring has a capacity in excess of 500,000 tonnes of oil or owns a facility in the UK that has capacity in excess of 50,000 tonnes, and carried on at least one of the following activities, in at least one of the three previous calendar years:

• storing oil: this captures activities associated with the storage of crude oil and oil products. handling oil: this captures activities associated with the receipt, production, storage, transport and sale of crude oil and oil products
• the carriage of oil by sea or inland water: this captures activities associated with the transport of crude and oil products via waterways
• transporting oil by road: this captures activities associated with the distribution of oil feedstocks and products in road tankers, generally by haulage firms
• conveying oil by pipes: this captures activities associated with the distribution of oil products via the network of underground pipelines across the UK or
• refining or otherwise processing oil: this captures activities associated with the conversion of crude oil or oil feedstocks into finished products through large scale processing plants (including refineries)

Example

Company F intends to gain control of Company G. Company G supplies petrol to the UK market. To determine whether a mandatory notification is required we need to look at the volume of petrol handled in the UK by Company G over a 3 year period:

• in 2020, it imported 300,000 tonnes of finished fuel
• in 2021, it imported 400,000 tonnes of finished fuel and produced a further 200,000 tonnes of finished fuel through blending
• in 2022, it imported 100,000 tonnes of finished fuel

In 2021, Company G therefore had a capacity of 600,000 tonnes, so a mandatory notification must be submitted for the acquisition.

12. Military and Dual-Use

Military and dual-use items can, in the wrong hands, pose immediate and direct threats to the UK.

Military items are goods, software and technology (including for example documents and diagrams) and include arms, military and paramilitary equipment used for a military purpose. Dual- use items are goods, software and technology which can be used for both civil and military applications. Dual-use items can range from raw materials to components to complete systems, for example aluminium alloys, bearings, or lasers. Dual-use items could also be used in the production or development of military goods or chemical, biological or nuclear weapons, for example machine tools, chemical/manufacturing equipment and computers.

The Military and Dual-use part of the regulations purposefully relates to goods and technology which are already ‘controlled’ due to their military or dual-use characteristics under the export control regime.

The Department for International Trade maintains the Strategic Export Control Lists, which form the basis for determining whether any products, software or technology intended for export are ‘controlled’ and therefore require an export licence. A “Consolidated list of strategic military and dual-use items that require export authorisation”’ can be found on the gov.uk website (see link below). It is compiled from several lists of controlled goods from a number of legislative sources.

Am I in scope of the Military and Dual-use part of the regulations?

You will be legally required to submit a mandatory notification if you are seeking to acquire a qualifying entity that researches, develops or produces restricted goods or technology that are controlled by the aspects of the export control legislation which concern national security controls.

View the list of restricted goods and technology in the consolidated list of strategic military and dual-use items that require export authorisation (https://www.gov.uk/government/publications/uk- strategic-export-control-lists-the-consolidated-list-of-strategic-military-and-dual-use-items-that-require- export-authorisation).

The relevant lists are:

• UK Military List [taken from Schedule 2 to the Export Control Order 2008] UK Dual-Use List [taken from Schedule 3 to the Export Control Order 2008]
• UK Radioactive Sources List [taken from the Schedule to the Export of Radioactive Sources (Control) Order 2006]
• Dual-Use List [taken from Annex I to Council Regulation (EC) No. 428/2009].

You will not need to submit a mandatory notification if the activities of the qualifying entity concern goods or technology which appear on the Human Rights Strategic Export Control Lists and the Non-Military Firearms List – unless they also appear on the Military and Dual-Use Lists.

Technology

The Military and Dual-Use regulations adopt the definition of technology which is used within the export control regime.

Technology means specific ‘information’ necessary for the development, production or use of goods or software.

‘Information’ may take forms including, but not limited to: blueprints, plans, diagrams, models, formulae, tables, ‘source code’, engineering designs and specifications, manuals and instructions written or recorded on other media or devices (for example disk, tape read-only memories).

‘Source code’ (or source language) is a convenient expression of one or more processes which may be turned by a programming system into equipment executable form.

‘Information’ is not Restricted Technology where it is in the public domain, i.e. when it is realistically accessible to a member of the general public.

13. Quantum Technologies

The increasing understanding and control of what are known as ‘quantum effects’ (for example superposition and entanglement) are leading to a new wave of advances in areas such as sensing, data transmission and encryption, timing and computing that will have significant civil, defence and national security applications. These are often referred to as ‘second generation’ quantum technologies.

All areas of second generation quantum technology production and development are of potential importance for national security. This is predicated on the dual-use potential that all quantum technologies hold.

Am I in scope of the quantum technologies part of the regulations?

To determine if the qualifying entity you are seeking to acquire is in scope of the quantum technologies part of the regulations, you will need to consider whether the qualifying entity develops or produces a quantum technology.

If the qualifying entity you are seeking to acquire is in scope then you will be legally required to submit a mandatory notification to the UK government.

For the purposes of these regulations, development and production mean as follows:

• ‘development’ means all stages prior to production, including design, design research, design analyses, design concepts, assembly and testing of prototypes, pilot production schemes, design data, process of transforming design data into goods or software, configuration design, integration design, layouts and
• ‘production’ means all production stages, including product engineering, manufacture, integration, assembly (mounting), inspection, testing and quality assurance

Quantum technologies’ employ the mathematical theory of quantum mechanics to describe the physical world and process information in new ways. Quantum technologies cover the following technology groups:

• quantum communications quantum connectivity
• quantum imaging, sensing, timing or navigation quantum resistant cryptography
• quantum information processing, computing or simulation

Quantum communications

This includes:
• transmitting information using quantum effects, such as superposition (the fundamental principle of quantum mechanics allowing a single quantum property to be in more than one quantum state at the same time), entanglement (when two quantum objects – an object at the atomic scale which is described by the physical laws of quantum mechanics, such as an electron or photon – are entangled together, their state can only be described as a whole system not for the components separately), or conjugate variable technologies (technologies that store, process or transmit information using the quantum effect of conjugate variables, meaning pairs of variables which are subject to the uncertainty principle in quantum mechanics)
• using a communication network to send information that is encoded in a quantum state (a mathematical representation of a physical system, such as an atom, that provides the basis for processing quantum information)
• the use of quantum effects to create and send a digital key that can then be used to encrypt data, as well as to create truly random (i.e. unpredictable) numbers to secure and authenticate data

Quantum connectivity

This covers the preservation of a quantum superposition state (see definition above) as it is shared between separate devices. In this context, coherence refers to the time a quantum superposition state can survive before beginning to degrade.

Quantum imaging, sensing, timing or navigation

This includes devices that use quantum effects to offer, for example, increased resilience, enhanced situational awareness, higher sensitivity, accuracy and speed, to perform a function. This function could include:

• creating images of objects
• sensing the size, shape or movement of an object
• establishing the location of and guide objects
• providing a timing signal

In the case of imaging, ‘the phase or amplitude properties of quantum mechanics’ refers to the measurement of the properties of the wave-like characteristics of quantum objects – such as an electron or a photon. Quantum imaging includes ‘sub-Poissonian sources or detectors’, which are quantum light sources such as those capable of emitting single photons, or detectors (devices capable of detecting single photons and their properties).

Quantum information processing, computing or simulation

This covers systems that harness quantum effects to perform computation. This includes all levels or layers of software (operating system, system utilities, development tools and software tools,
e.g. mathematical functions) as well as quantum emulation (a classical computer representing the operation of a quantum computer) and the hosting of quantum computing as a cloud-based service.

Quantum resistant cryptography

This covers methods of securing information or data with the purpose of protecting against the threat of quantum computers to break current encryption techniques. If you are seeking to acquire a qualifying entity that ‘develops’ or ‘produces’ one of the above quantum technologies, then you will be legally required to submit a mandatory notification to the government

Example 1

Company A is considering acquiring company B, which designs and builds quantum sensors for the purposes of underground surveying. Company A is required by law to notify the government of this acquisition, as company B is a qualifying entity that develops and produces a specified quantum technology.

What is not in scope of the Quantum Technologies part of the regulation?

If you are seeking to acquire a qualifying entity which fits into the following, then you are unlikely to fall within the scope of the mandatory notification requirement in relation to quantum technology:

• an entity undertaking solely fundamental research into quantum information science
• an entity which uses use quantum goods or services provided by others, without having played a part in developing or producing the technology. For example, an energy company that purchases a quantum sensor to detect emissions of greenhouse gases
• an entity that supplies a component for use in a quantum technology system, for example a company that provides a dilution refrigerator for use in the development of quantum computing technology. Please note, however, that the Advanced Materials regulations capture technology with relevance to quantum, such as photonics and semiconductors. You are advised to review the Advanced Materials guidance

Example 2
Company A, a pharmaceutical company, is developing a new drug. It procures the services of Company B to access its quantum computer to speed up the processing of information. If Company C acquires Company A at a future date, it would not be required by law to notify the government as Company A would in scope of mandatory notification.

Example 3
Company A, a bank, employs the services of Company B, a quantum company, to explore the use of quantum computing technology to improve its operations. Company A has an in-house team that is tasked with developing an algorithm to run on a quantum computer to help speed up financial trading. If Company C acquires Company A at a future date, it would be required to notify the Government, as Company A has played a role in the development of a quantum technology (namely quantum algorithms that enable the functionality of the overall system).

14. Satellite and Space Technology

Space is a rapidly developing sector that delivers a broad range of services and capabilities. By nature, all space-based services have crossover and affect other Critical National Infrastructure (CNI) sectors. The range of products and technologies available can vary hugely depending on the service (for example, earth observation, position, navigation, and timing).

The ease with which satellite and space technology can be used for both civilian and military purposes – either in the UK or internationally – is a growing concern and is something that the government will continue to monitor closely. This concern is nuanced, and the main issue is the potential for adversaries to use what seem to be predominantly civil capabilities to meet military objectives.

Am I in scope of the Satellite and Space Technology part of the regulations?

‘Carrying on activities’ in the Satellite and Space Technology part of the regulations means the qualifying entity you are acquiring is carrying on activities that consist of or include operating, developing, producing, creating, or using any of these activities:

• space debris management
• in-orbit activities
• satellite communication links
• secure facilities
• manufacture or testing
• space-derived data for any defence purpose
• space infrastructure operational control facilities
• provision or processing of space situational awareness data (SSA)

Space debris management

This includes ‘clean-up services’ – sending an object into outer space to remove or manage space debris or using an object that is already in outer space to remove or manage space debris.

In-orbit activities

This covers servicing and robotic activities carried out while the satellite is in orbit. This includes:

• making satellites that are already in orbit last longer (for example, by repairing or refuelling them)
• inspection services (for example, checking a satellite to see what condition it is in) performing maintenance
• moving a satellite while it is in orbit
• any technology or system that could be used to disrupt, change or interfere with other satellites. Changing a satellite includes, but is not limited to, repairs, relocation and refuelling of a satellite

Satellite communications links

Satellite communications links are the links that enable and facilitate communication between various objects in space and from space to earth. This includes radio frequency and optical links. Optical links are communications links that provide a data connection between two points and that use optical (light) signals instead of traditional radio frequencies. Satellite communications links are provided:

• between satellites that are in orbit
• between spacecraft and satellites that are in orbit
• between satellites and celestial bodies (for example the Moon and Mars), or from earth to outer space, and from outer space to earth

Secure facilities

Secure facilities (including secure ground infrastructure, such as command-and-control stations and ground sites, and secure systems) are required for the smooth operation of satellite and space technologies. Any of these secure facilities and systems that relate to space activity or sub-orbital activity, or to services that are derived from space activity, will be in scope of the mandatory notification requirement.

Any operation or maintenance of the capability of these secure facilities is covered by mandatory notification. Capability covers anything that ensures the safe and secure access to services that are derived from space activity. For example, services such as general cleaning services would not be in scope, because they would not contribute to maintaining the secure nature of the facilities – but control rooms would be, because they provide and maintain the secure capability of the facilities that allow secure access to services derived from space activity.

‘Space activity’ has the same meaning as set out in section 1(4) of the Space Industry Act 2018
(https://www.legislation.gov.uk/ukpga/2018/5/contents/enacted/data.htm).

Manufacture or testing

If the qualifying entity you intend to acquire is involved in testing or manufacturing any of the below, then you will be legally required to submit a mandatory notification. This includes the manufacturing or testing of:

• spacecraft (the meaning of which can be found in Section 2(6) of the Space Industry Act 2018 (https://www.legislation.gov.uk/ukpga/2018/5/contents/enacted/data.htm))
• launch vehicles
• satellites
• planetary probes (spacecrafts that explore outer space and planets/bodies other than Earth – for example the Moon or Mars)
• orbital stations (space stations), or
• ground support equipment (ground support means all ground-based parts of a spacecraft system – so for example, ground stations or launch facilities)

Included are any materials, component parts or materials used for the manufacturing and/or testing of any of the items listed above.

‘Testing’ means that the qualifying entity provides quality assurance assessments of equipment or systems for space activity (including engines, component parts, radio frequency, software and systems), launch site equipment and facilities and equipment and facilities for the transport of satellites, launch vehicles or their major parts between sites.

Space-derived data for any defence purpose

Space-derived data are data that are obtained from space activity, or from ground stations that receive data from outer space, or from both space activity and ground stations receiving data from outer space, and include:

• position, navigation and timing services earth observation
• space situational awareness (which includes space surveillance tracking, space weather monitoring and forecasting, mapping or detection of near-earth objects and space debris) telecommunications
• signal intelligence (this means the gathering of intelligence through the interception of signals – for example, through radar or electronic systems)
• remote sensing (this is the science of gathering data about objects (for example, satellites or planetary bodies) from a distance using remote sensors)
• research and development

If the qualifying entity that you are seeking to acquire uses space-derived data for defence purposes, then you will be legally required to submit a mandatory notification. You must notify the government regardless of how you wish to use the data as an acquirer.
‘Defence’ has the same meaning that is given to it in the Official Secrets Act 1989
(https://www.legislation.gov.uk/ukpga/1989/6/contents) in Section 2(4).

Space infrastructure operational control facilities

If the qualifying entity you intend to acquire provides space infrastructure operational control facilities, then you will be legally required to submit a mandatory notification. Here, ‘infrastructure’ includes:

• command and control stations
• ground stations, ground sites and ground segment equipment software (which includes any analysis software)
• information technology and telecommunications networks (including fibre cables)
• uplink and downlink terminals (uplink is the portion of the link that transmits signals from earth to space, and downlink is from space to earth)
• data processing and storage facilities (which includes databases) satellites
• technological systems or equipment that are deployed either in space or on earth

Provision/processing of space situational awareness data (SSA)

Space situational awareness includes:

• the mapping or detection of near-earth objects and space debris space surveillance and tracking
• space weather monitoring and forecasting

If the qualifying entity you are seeking to acquire provides or processes any of these SSA data, either on earth, or by space activity, you will be legally required to submit a mandatory notification. You will also be required to notify the government if the qualifying entity provides or processes SSA data for any of the following:

• orbital or sub-orbital activity (the definition for which can be found in section 1(4) of the Space Industry Act 2018 (https://www.legislation.gov.uk/ukpga/2018/5/contents/enacted/data.htm))
• the mapping or detection of near-earth and space weather events defence purposes

15. Suppliers to the Emergency Services

The emergency services are essential to the safety and security of citizens in the UK. They use a wide variety of tools, goods and services to achieve their goals. The government believes that there are certain services provided within the sector that are sufficiently sensitive that inclusion is justified in the mandatory notification requirement.

The government does not seek to include goods and services that, while important, are non- essential to the execution of key emergency service functions, such as general office supplies or non-emergency IT infrastructure.

Am I in scope of the Emergency Services part of the regulations?
If you are acquiring all or part of a qualifying entity that supplies the emergency services with one or more of the goods and services which are used for the operational delivery of that emergency service, you will be required to submit a mandatory notification to the government.

The Emergency Services include:

• Border Force
• The British Transport Police Force
• The Civil Nuclear Constabulary
• a fire and rescue authority
• the Ministry of Defence Police
• the National Crime Agency
• a police body, including a Police Force

Ambulance Service Providers are only covered in the sections that relate to electronic communications networks or electronic communications services.

Unmanned aircraft

If the qualifying entity you are acquiring provides unmanned aircraft, or drones, and their associated technology and equipment to the Emergency Services, then you will be required to submit a mandatory notification to the government. Unmanned aircraft for these purposes means “any aircraft operating or designed to operate autonomously or to be piloted remotely without a pilot on board”.

• This includes associated technologies such as (but not limited to): Global Positioning Systems (GPS)
• transmission equipment
• cameras
• software related to the control or operation of unmanned aircraft remote controls
• technology designed to detect, track and identify drones equipment designed to disrupt the systems of unmanned aircraft
Unmanned aircraft, such as drones, supplied to the general public are not covered.

Firearms

This category covers firearms and ammunition that are subject to mandatory notification. The College of Policing has helpful summaries of the legal definition of firearms in the Authorised Professional Practice for Armed Policing (https://www.app.college.police.uk/app-content/armed- policing/weapons-and-equipment/).

If the qualifying entity you are acquiring provides any of the following you will be legally required to submit a mandatory notification:

• firearms, defined in section 57(1) of the Firearms Act 1968:
• prohibited weapons
• any equipment that attaches to firearms or has been designed to diminish the noise and the flash by firing the weapon, for example sound moderators (silencers) and flash suppressors.
• ammunition, defined in section 57(2) of the Firearms Act 1968:
• specialist munitions – including those designed to have a non-lethal effect on an individual, or those munitions where there is no designed effect on an individual, but collateral damage may occur

Items that are not covered include (but are not limited to):

• telescopic truncheons
• batons (straight, side-handled or friction-lock)
• pepper sprays and other self-defence sprays

Other Goods and Services

If you are acquiring a qualifying entity that provides the below goods and services to the Emergency Services, you will be legally required to submit a mandatory notification.

Maintenance and Supply

Supply, maintenance or support in the following categories:
• Border Force vessels, including the supply of electronic aids to navigation, repairs and certification, and
• unmanned aircraft, including any component, part or product of an unmanned aircraft as well as any electronic device relating to the unmanned aircraft

Entities that supply or maintain the following services are not covered:

• any other marine vessels used by the emergency services
• other emergency services vehicles including police vehicles, and
• any parties who provide maintenance and repairs of unmanned aircraft for the general public are outside the scope of the regulations

Fuel cards

You will be legally required to submit a mandatory notification if the qualifying entity you are acquiring supplies any card to the emergency services which is specifically designed to enable the holder to pay for fuel, discharging their obligation to a supplier of fuel in respect of payment for that fuel with the supplier being reimbursed by a third party.

Security access to buildings

You will be legally required to submit a mandatory notification if the qualifying entity you are acquiring provides an access control system to a building used by the emergency services.
This could be in the form of (but is not limited to):

 pin access keypad
 proximity card/card readers (key fobs)
 fingerprints and other biometrics and
 covert systems used to secure entry and egress from buildings.

Security alarms designed to detect intruders are not included.

Communications and Storage of Electronic Data

The emergency services use a variety of electronic systems which can be split into two broad categories:
• electronic communications, which refers to any information sent between parties over a phone line or internet connection. This includes phone calls, faxes, text messages, video messages, emails and internet messaging
• a range of physical infrastructure, cloud-based solutions and platforms that store electronic data

If you are acquiring a qualifying entity that supplies any of the following you will be legally required to submit a mandatory notification:

• a private electronic communications network that is used by the emergency service for the purposes of:
• the prevention or detection of crime
• fulfilling the functions of a fire and rescue authority
• maintenance to a private electronic communications network that is used by the emergency service for the purposes of:
• the prevention or detection of crime and
• fulfilling the functions of a fire and rescue authority.
• hardware, systems or platforms to facilitate the storage of electronic data, used exclusively or primarily by the emergency service for the purposes of:
• the prevention or detection of crime
• fulfilling the functions of a fire and rescue authority or the storage of personal data, including personnel data.

This may include:

• private networks, their connections and devices used by individual police force and law enforcement organisations’ systems, national policing systems and force-managed systems for the policing community
• communication and processing devices and network infrastructure, including information exchange communication services
• information systems and data centres
• systems which hold and store local and national emergency services records and crime and intelligence records and
• the resilience direct system, helplines, and email for assisting in crime investigation holding personal information.

The following are not covered:

• any public electronic communications network or public electronic communications service.
• generally available information such as the content of web pages or broadcast programming. Read more information on electronic communicaitons (https://ico.org.uk/for-organisations/guide- to-pecr/key-concepts-and-definitions/)

Ambulance Service Providers

The only notification required in relation to Ambulance Services Providers is where a qualifying entity is acquired that supplies an Ambulance Services Provider with:
• an electronic communications network or electronic communications service that:
• is not a public electronic communications network or a public electronic communications service and
• is used by the ambulance services provider for the purposes of fulfilling its functions

Contingency labour against strike action

If you are acquiring a qualifying entity which has a contract with a fire and rescue authority to provide frontline personnel in the event of a strike, then you will be legally required to submit a mandatory notification.

The provision of any other contractual service to the emergency services during a strike is not included.

16. Synthetic Biology

Synthetic biology is a rapidly evolving and developing technology that delivers an increasingly broad range of services and capabilities. It has high dual use potential and will overlap with other Critical National Infrastructure (CNI) sectors. The range of products and technologies available varies hugely depending on the application.

Synthetic biology can be used for both civilian and military purposes. The challenge is identifying an offensive capability interest over legitimate industry and research. It is the capability that the synthetic biology technology may enable that will decide a national security concern rather than the specific approach. Undertaking the activities listed in the scope section below may appear innocuous but given their dual-use potential, they could present a national security concern in the wrong hands. There are increasingly lower barriers to entry as the enabling technology and knowledge becomes more accessible, meaning that identifying offensive capabilities in the synthetic biology sector is a concern.

Am I in scope of the Synthetic Biology part of the regulations?

You will be legally required to submit a mandatory notification if you are acquiring a qualifying entity that carries out any of the activities described in the regulations:

• carrying out basic scientific research into synthetic biology involved in the development of synthetic biology
• produces goods using synthetic biology
• uses synthetic biology to enable the degradation of materials, or
• the provision of services that enable these activities

Meaning of synthetic biology and the definitions of other related terms

Synthetic biology is defined in the regulations as the process of applying engineering principles to biology to design, redesign or make biological components or systems that do not exist in the natural world.
Synthetic biology includes but is not limited to the following:

• the design and engineering of biological-based parts of:
• enzymes
• genetic circuits and cells novel devices and systems
• redesigning existing natural biological systems using microbes to template materials
• cell-free systems
• gene editing and gene therapy
• the use of DNA for data storage, encryption, and bio-enabled computing. This includes approaches which may be adapted to permit cryptography. It also includes using nucleic acids as part of an overall computing system alongside, for example, silicon and quantum computing approaches

Definitions

“Basic scientific research” means experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts and not primarily directed towards a specific practicable aim or objective.

“Core” synthetic biology refers to those activities without which experiments cannot be conducted, such as DNA synthesis and cloning.

“Medicine” means:

• any substance or combination of substances presented as having properties of preventing or treating disease in human beings or animals
• any substance or combination of substances that may be used by or administered to human beings or animals with a view to:
• restoring, correcting or modifying a physiological function by asserting a pharmacological, immunological or metabolic action
• making a medical diagnosis

“Services” are the routine synthetic biology processes that are outsourced to specialist providers for completion before being re-integrated into the original workstream to assemble into an experiment or product. This includes making a specific strand of DNA or running a proprietary algorithm on a dataset but does not include maintenance of equipment.

Exempt activities in the Synthetic Biology part of the regulations

You will not need to submit a mandatory notification if the qualifying entity you are seeking to acquire carries out activities in one of the following areas:
• general services and servicing not related to core synthetic biology
• the use of microorganisms to remove harmful contaminants, pollutants, and toxins from the environment (known as bioremediation), including bio-based reagents that allow for testing for contaminants
• gathering clinical information for the purpose of making a clinical decision or making a diagnosis, known as diagnostics. However, the storage or ownership of sensitive human genetic information that enables the identification of an individual is not exempt and is in scope of mandatory notification
• industrial biotechnology research, development and production using enzymes or organisms that have not been modified through the application of systematic biodesign techniques, including the approaches described in the synthetic biology definition
• the production of substances ordinarily consumed as food or used as feed, including any ingredient or component thereof. However, delivery systems employing synthetic biology approaches to deliver compounds including chemicals, drugs or nucleic acids to multiple plants or animals in the environment simultaneously, are in scope of mandatory notification
• gene therapy where it is used solely for the purpose of replacing missing or defective genes to restore phenotypes to achieve a therapeutic effect. However, the addition of new genes (beyond the replacement of missing or defective genes), and deleting or inactivating genes are not exempt
• cell therapy where cells are modified by genetic engineering and then introduced into a patient to treat disease or
• the ownership, including of intellectual property, or Development of both human or veterinary medicines and immunomodulatory approaches that employ synthetic biology at any stage of development or production. However, these are not exempt from mandatory notification if they have a synthetic biology technology that could be employed or modified to produce and/or deliver:
• toxic chemicals to achieve an incapacitating or lethal effect, or
• uses materials, substances, or pathogens set out in Schedule 5 to the Anti-terrorism Crime and Security Act 2001 (https://www.legislation.gov.uk/ukpga/2001/24/schedule/5)

For example, a company developing antibody-drug-conjugates would not be exempt from mandatory notification since these products contain highly potent toxins and use a linker technology that enable antibodies to deliver toxins to specific tissues. However, a company developing standard monoclonal antibody therapies would be exempt from submitting a mandatory notification.

17. Transport

The transport sector keeps the country moving and is an enabler of increased prosperity, security and a higher quality of life. Our transport sector therefore needs to be secure.
Only certain entities are sensitive enough to be subject to mandatory notification, therefore we have not included all transport-related entities. The transport part of the regulations focuses on key transport infrastructure in the maritime, aviation and air traffic control sectors. In some cases, the regulations will supplement existing notification requirements under the existing regulatory regimes, in which notification to the government is already either a requirement or unavoidable due to public ownership.

Am I in scope of the Transport part of the regulations?

The regulations apply to:

• ports and harbours
• airports
• air traffic control

Ports and harbours

You will be legally required to submit a mandatory notification to the government if either:
• the qualifying entity you are acquiring owns or operates a port or harbour in the UK that handled at least 1 million tonnes of cargo in the year preceding the year in which the acquisition is due to be completed, or
• the qualifying entity you are acquiring owns and operates terminals, wharves or other infrastructure situated in a port or harbour that handled at least 1 million tonnes of cargo in the year preceding the year in which the acquisition is due to be completed

Check the Port Freight Annual Statistics to see how much cargo is handled in each port and harbour (https://www.gov.uk/government/collections/maritime-and-shipping-statistics).

A port refers to an area of land and water made up of infrastructure, facilities, and equipment that permits the following activity:

• the receiving and departing of ships
• the loading and unloading of ships
• the storage of cargo
• the receipt and delivery of cargo, or
• the embarkation and disembarkation of passengers, crew and other persons

A harbour refers to estuaries, navigable rivers, piers, jetties, and other works in, via or at which ships can obtain shelter or ship and unship goods or passengers. This meaning is set out in section 313(1) of the Merchant Shipping Act 1995 (https://www.legislation.gov.uk/ukpga/1995/21/section/313).

Airports
You will be legally required to submit a mandatory notification to the government if the qualifying entity you are acquiring owns or has overall responsibility for the management of an airport in the UK that handled either:

• 6 million passenger movements or more in 2018, or
• 100,000 tonnes of freight or more in 2018

To help assess whether your qualifying entity is in scope, you can:
check passenger movements at airports in 2018 (https://www.caa.co.uk/uploadedFiles/CAA/Content/Standard_Content/Data_and_analysis/Datasets/ Airport_stats/Airport_data_2018_annual/Table_08_Air_Pax_by_Type_and_Nat_of_Op.pdf)
check the tonnes of freight handled at airports in 2018
(https://www.caa.co.uk/uploadedFiles/CAA/Content/Standard_Content/Data_and_analysis/Datasets/ Airport_stats/Airport_data_2018_annual/Table_13_2_Freight.pdf)

2018 figures are used as a benchmark due to reduced demand for travel since 2020 due to the COVID-19 pandemic.

The definition of airport is the same as set out in section 66(1) of the Civil Aviation Act 2012 (https://www.legislation.gov.uk/ukpga/2012/19/section/66). In summary an airport comprises an aerodrome which contains other land, buildings and structures used for the purposes of:

• the landing and taking off of aircraft
• the manoeuvring, parking, or servicing of aircraft
• the arrival or departure of persons as passengers, together with their baggage
• the arrival or departure of cargo
• the processing of such persons, baggage, and cargo between their arrival and departure and
• the arrival or departure of persons who work at the airport

The meaning of aerodrome is set out in section 105(1) of the Civil Aviation Act 1982 (https://www.legislation.gov.uk/ukpga/1982/16/section/105). An aerodrome includes any area of land or water designed, equipped, set apart or commonly used for affording facilities for the landing and departure of aircraft.

For the purposes of the regulations the entities that are to be regarded as owning an airport are the company which owns the airport as well as any parent undertaking of that company. Parent undertaking has the same meaning as in section 1162 of the Companies Act 2006 (https://www.legislation.gov.uk/ukpga/2006/46/contents).

Air traffic control

You will be legally required to submit a mandatory notification to the government if the qualifying entity you are acquiring either:

• provides en route air traffic control services in the UK or
• owns a provider of en route air traffic control services in the UK

A provider of these services will hold a licence for air traffic services under section 6 of the Transport Act 2000 (https://www.legislation.gov.uk/ukpga/2000/38/section/6) and will be providing en route air traffic control services pursuant to that licence.

Air traffic control services, means the giving of instructions or advice to aircraft, whether in flight or on the manoeuvring area or apron of an aerodrome, for the purpose of: (a) preventing, or assisting in the prevention of, collisions between aircraft and (b) managing the flow of air traffic for the purpose of expediting and maintaining an orderly flow of air traffic. (See further the definition of air traffic control services in condition 1 interpretation and construction of the air traffic services licence for NATs (En Route) Plc) (https://publicapps.caa.co.uk/docs/33/NERL%20LICENCE%2017%20(December%2020).pdf).

For the purposes of the regulations the entities which are to be regarded as owning a provider of en route air traffic control services are the company which owns the provider as well as any parent undertaking of that company. As noted above parent undertaking has the same meaning as in section 1162 of the Companies Act 2006 (https://www.legislation.gov.uk/ukpga/2006/46/section/1162/2008-04-06).

© Crown copyright
-END-