The National Security and Investment Act 2021 (NSIA 2021) requires acquirers to obtain government clearance before completing certain transactions in sensitive sectors of the UK economy. For investors in telecoms infrastructure, data centres and digital services, NSIA clearances are a routine but critical part of the deal timetable. We advise acquirers, targets and their advisors on mandatory and voluntary notifications to the Investment Security Unit, deal structuring to manage national security risk, and the practical steps needed to obtain clearance efficiently.

How does the NSIA 2021 affect my transaction?

The NSIA 2021 gives the Secretary of State power to review any acquisition that could harm UK national security. The regime applies to acquisitions of shares, voting rights and assets in entities carrying on activities in the UK, regardless of whether the acquirer is UK-based or foreign. It operates separately from the competition merger control regime administered by the CMA under the Enterprise Act 2002.

For transactions in the telecoms, data and payments sectors, NSIA clearance is relevant because several of the 17 mandatory notification sectors directly overlap with these industries. Communications, data infrastructure, artificial intelligence and computing hardware are all specified sectors under the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021, SI 2021/1264. An acquisition of a qualifying entity active in one or more of these sectors must be notified to the ISU and cleared before completion.

The regime catches acquisitions that cross specified shareholding thresholds: from 25% or less to more than 25%, from 50% or less to more than 50%, and from less than 75% to 75% or more (NSIA 2021, section 8). An acquisition of voting rights enabling the investor to secure or prevent the passage of any class of resolution on substantially all matters is also caught. Below these thresholds, an acquisition of material influence over the policy of the entity may still be reviewable on the government’s own initiative, although it does not trigger a mandatory notification.

Which sectors trigger mandatory notification?

Seventeen sectors are designated for mandatory notification. Those most relevant to telecoms, data and digital infrastructure transactions are:

Sector	What it covers	Key consideration for acquirers
Communications	Providers of public electronic communications networks and services; operators of subsea cable systems; associated repair and maintenance	Telecoms operators, ISPs, subsea cable owners and MVNOs may fall within scope
Data Infrastructure	Third-party data centre operators and cloud service providers above specified thresholds	PE investors in data centre platforms should assess whether targets meet the threshold
Artificial Intelligence	Entities that develop or modify AI systems (not mere deployers)	AI-enabled product companies in the telecoms or fintech space may be caught
Computing Hardware	Semiconductor design and manufacture (to be merged into a new Semiconductors schedule)	Relevant to acquisitions of chipset or hardware businesses supplying telecoms equipment
Defence	Suppliers to the UK military, broadly defined	Telecoms providers with MoD contracts may trigger this schedule
Critical Suppliers to Government	Entities providing goods or services critical to government functions	Telecoms and data centre operators with government contracts should check this schedule

The sector definitions are set out in SI 2021/1264 and can be narrower or broader than the sector name suggests. The definition of “communications” does not cover every telecoms company: it focuses on providers of public electronic communications networks and services as defined by the Communications Act 2003, section 151, operators of associated facilities, and operators of subsea cable systems and repair vessels. Whether a particular target falls within scope requires careful analysis of its activities against the statutory definitions.

Forthcoming changes: In March 2026, the government published its response to the consultation on the Notifiable Acquisition Regulations. Key changes relevant to our sectors include narrowing the Communications schedule to capture only repair and maintenance companies that operate cable repair vessels (excluding low-risk SMEs), refocusing the AI schedule to cover only entities that create or modify AI systems (excluding deployers), and creating a standalone Semiconductors schedule by merging Computing Hardware with semiconductor elements of Advanced Materials. A new Water sector will also be added. These changes require secondary legislation, which the government intends to lay before Parliament later in 2026. Until then, the existing sector definitions remain in force.

What about acquisitions of payments and financial services businesses?

There is no standalone “financial services” sector in the 17 mandatory notification schedules. However, acquisitions of payments and fintech businesses can still engage the NSIA 2021 through several routes. A payments processor operating its own data centre infrastructure may fall within the Data Infrastructure schedule. A fintech company developing proprietary AI fraud detection or credit scoring models may fall within the Artificial Intelligence schedule. A payments firm holding a government contract (for example, processing welfare payments or tax collections) may fall within Critical Suppliers to Government.

Separately, an acquisition of a qualifying holding in an FCA-authorised firm, including a payments institution authorised under the Payment Services Regulations 2017 or an electronic money institution authorised under the Electronic Money Regulations 2011, requires prior FCA approval under section 178 Financial Services and Markets Act 2000. This is a separate regime from the NSIA 2021 and the two processes run in parallel. Where a target is both FCA-authorised and active in a mandatory NSIA sector, the acquirer will need to manage dual clearance workstreams with different timetables, decision-makers and information requirements.

Clearance regime	Decision-maker	Trigger	Typical timetable
NSIA 2021 mandatory notification	Secretary of State (via ISU)	Acquisition crossing 25%, 50% or 75% threshold in entity active in specified sector	6-8 weeks (initial review); 3-5 months if called in
FCA change in control	FCA	Acquisition of qualifying holding (10%, 20%, 33% or 50%) in FCA-authorised firm	60 working days (statutory assessment period)
CMA merger control	CMA	Turnover or share of supply thresholds met	Variable; Phase 1 typically 40 working days

For PE investors and acquirers in the payments sector, understanding which of these regimes applies, and coordinating conditions precedent and timetables accordingly, is a core part of deal planning.

What is the notification and clearance process?

The notification process is administered by the Investment Security Unit, which currently sits within the Cabinet Office. The formal decision-maker is the Secretary of State (Chancellor of the Duchy of Lancaster).

Step 1: Assess whether notification is required. Determine whether the target is a qualifying entity active in one or more mandatory sectors. If so, the transaction must be notified before completion. If the target falls outside the mandatory sectors but the transaction is otherwise within scope (for example, an acquisition of material influence), the acquirer may choose to notify voluntarily for legal certainty.

Step 2: Submit the notification. Notifications are submitted through the NSI notification service online portal. The form requires details of the target’s activities, the transaction terms and the acquirer’s ownership structure. Each notifiable transaction must generally be notified separately, although the ISU accepts single notifications for related acquisitions from the same seller. The notification must be accompanied by a signed declaration confirming accuracy. The ISU’s market guidance notes recommend notifying only once there is a good faith intention to proceed, evidenced by agreed heads of terms, board approval or a firm intention announcement.

Step 3: Initial review period. Once the ISU accepts the notification, it has 30 working days to decide whether to clear the transaction or call it in for further assessment (NSIA 2021, section 14). In the 2024-25 reporting period, the median time to accept a mandatory notification was 7 calendar days, and 95.5% of reviewed acquisitions were cleared within the initial review period without being called in.

Step 4: Call-in and detailed assessment (if required). If the ISU identifies potential national security concerns, it issues a call-in notice. Following call-in, there is an initial 30 working day assessment period, extendable by a further 45 working days on notice, and by further periods with the acquirer’s agreement (NSIA 2021, section 23). Information notices and attendance notices issued during this period stop the clock. The Secretary of State may impose interim orders to prevent pre-emptive action during the review.

Step 5: Final order or clearance. If the Secretary of State concludes that, on the balance of probabilities, a transaction gives rise to a risk to national security, a final order may impose conditions (such as maintaining UK management or restricting information sharing) or prohibit the transaction. In the 2024-25 period, 17 final orders were issued from 56 call-ins: 16 imposed conditions and one required divestment.

What are the consequences of not obtaining clearance?

The penalties for non-compliance are severe. Under NSIA 2021, section 13(1), a notifiable acquisition completed without ISU approval is void. The transaction is treated in law as if it had never taken place.

Completing a notifiable transaction without approval is a criminal offence, punishable by up to five years’ imprisonment and an unlimited fine. Officers of a body corporate may be held personally liable if the offence was committed with their consent or connivance. The Secretary of State may also impose civil monetary penalties of up to 5% of worldwide turnover or GBP 10 million, whichever is higher, without the need for criminal prosecution.

In the 2024-25 reporting period, the ISU identified 60 instances of parties completing notifiable acquisitions without approval. No criminal prosecutions were brought, but parties were required to provide assurances on future compliance. Retrospective validation is available on application by any materially affected person under NSIA 2021, section 16, but it should not be relied upon as a substitute for proper notification.

What does the regime mean in practice for deal timetables?

For acquirers in the telecoms and digital infrastructure sectors, the practical implications are as follows.

Deal documentation. Transaction agreements should contain NSIA-specific conditions precedent. The completion mechanism must include suspensory provisions preventing closing until ISU clearance is received. This is distinct from any CMA merger control condition and must be drafted separately.

Timetable. A straightforward mandatory notification typically adds 6 to 8 weeks to the deal timetable: approximately one week for form acceptance and up to 30 working days for the initial review. If the transaction is called in, the assessment may take a further 3 to 5 months. Transaction timetables and funding arrangements must account for this.

Risk assessment. The risk of intervention depends on three factors set out in the Secretary of State’s section 3 statement (updated May 2024): target risk (whether the target operates in a sensitive sector), acquirer risk (the identity and affiliations of the acquirer), and control risk (the extent of control being acquired). Recent data shows that defence, military and dual-use, and advanced materials account for the majority of call-ins. Chinese-origin acquisitions are disproportionately represented in final orders, although UK-origin acquirers now represent the largest share of call-ins by volume.

Engagement with the ISU. Where the risk profile is uncertain, early engagement with the ISU can help. The ISU provides informal guidance on whether a transaction falls within scope, although this guidance does not have legal force. In higher-risk cases, preparatory contact with stakeholders in the Ministry of Defence or other relevant departments can facilitate a smoother review.

How Bratby Law helps with NSIA clearances

We advise acquirers, targets and their professional advisors on all aspects of the NSIA 2021 regime as it applies to telecoms, data and digital infrastructure transactions. Our services include:

1. Assessing whether a transaction triggers mandatory notification by analysing the target’s activities against the 17 specified sectors
2. Preparing and submitting mandatory and voluntary notifications to the ISU
3. Advising on deal structuring, conditions precedent and suspensory mechanisms specific to NSIA clearance
4. Managing the ISU review process, including responding to information notices and preparing for call-in
5. Advising on potential remedies and conditions to address national security concerns
6. Coordinating NSIA clearance with parallel CMA merger control and FCA change in control processes where the target operates in a regulated financial services sector
7. Advising on retrospective validation where a notifiable acquisition has been completed without approval

Our experience as General Counsel to operators in the telecoms and payments sectors means we understand the target’s business and regulatory position from the inside. This is particularly valuable when explaining the target’s activities to the ISU and assessing whether those activities fall within the mandatory notification sectors.

Related Transactions pages

See also our other Transactions pages:

• Mergers and Acquisitions (M&A)
• SaaS and Cloud Services
• Private Equity
• Subsea Cables
• MVNOs and MVNEs
• Interconnection, Peering and Access Agreements
• Network Sharing and Co-location Agreements
• Digital Infrastructure Projects
• Data Commercialisation and Licensing
• Transactions (pillar page)

Frequently asked questions about NSIA clearances

Do all telecoms transactions require NSIA notification?

No. Mandatory notification applies only where the target is a qualifying entity active in a specified sector and the acquisition crosses a shareholding threshold (25%, 50% or 75%) or confers the ability to pass or block resolutions on substantially all matters. Many telecoms transactions, including MVNO agreements and service contracts, do not involve an acquisition of control and will not require notification. An acquisition of shares in a telecoms provider that does not cross a threshold is not notifiable, although it may still be reviewable if it confers material influence.

How long does NSIA clearance take?

Most transactions are cleared within the initial 30 working day review period. In 2024-25, the ISU accepted mandatory notifications within a median of 7 calendar days, and 95.5% of reviewed acquisitions were cleared without being called in. If a transaction is called in, the detailed assessment typically takes 3 to 5 months from call-in to final order.

Can I complete the transaction before receiving clearance?

No. A notifiable acquisition completed without ISU approval is void under section 13(1) NSIA 2021. The transaction is treated as if it had never taken place. Completion without approval is also a criminal offence carrying up to five years’ imprisonment.

Does the NSIA apply to foreign-to-foreign transactions?

Yes. The regime applies to any acquisition of a qualifying entity that carries on activities in the UK or supplies goods or services to persons in the UK, regardless of where the acquirer or target is incorporated (NSIA 2021, section 7). A foreign-to-foreign acquisition of a company operating UK telecoms infrastructure or data centres is within scope.

What happens if we missed a mandatory notification?

The acquirer should apply for retrospective validation under section 16 NSIA 2021. The ISU identified 60 instances of completion without approval in 2024-25. While no criminal prosecutions were brought, the ISU required compliance assurances. Retrospective validation does not guarantee clearance, and the Secretary of State retains the power to call in the transaction.

Is a voluntary notification advisable?

It depends on the risk profile. Voluntary notifications accounted for 12% of all notifications in 2024-25. They are worth considering where the target’s activities are close to a mandatory sector boundary, where the acquirer’s identity or nationality may raise concerns, or where the acquirer wants legal certainty that the transaction will not be called in after completion. The government can call in non-notified transactions for up to six months from the date it becomes aware of the acquisition, with an absolute backstop of five years.

How does NSIA clearance interact with CMA merger control?

The two regimes operate in parallel. A transaction may require both NSIA clearance and CMA merger control clearance. The timetables run independently: obtaining NSIA clearance does not affect the CMA process, and vice versa. Where both apply, deal documentation should include separate conditions precedent for each clearance. The NSIA 2021 replaced the previous public interest merger regime for national security cases under the Enterprise Act 2002.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

• Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
• The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
• Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology