Guidance

National Security and Investment Act: details of the 17 types of notifiable acquisitions

Updated 6 February 2024

Overview

The National Security and Investment NSI Act allows the government to scrutinise and intervene in certain acquisitions made by anyone, including businesses and investors, that could harm the UK’s national security.

Subject to certain criteria, you are legally required to tell the government about acquisitions of certain entities in 17 sensitive areas of the economy (called ‘notifiable acquisitions’).

The 17 areas of the economy are:

  • Advanced Materials
  • Advanced Robotics
  • Artificial Intelligence
  • Civil Nuclear
  • Communications
  • Computing Hardware
  • Critical Suppliers to Government
  • Cryptographic Authentication
  • Data Infrastructure
  • Defence
  • Energy
  • Military and Dual-Use
  • Quantum Technologies
  • Satellite and Space Technologies
  • Suppliers to the Emergency Services
  • Synthetic Biology
  • Transport

If an entity you are acquiring performs a certain activity, it could put you in scope of the NSI Act and you may be legally required to tell the government about it (known as a ‘mandatory notification’). This guidance tells you what these activities are.

Before reading this guidance, you should read guidance on preparing for the National Security and Investment Act to understand the wider rules around acquisitions.

If there is significant uncertainty about whether an acquisition is notifiable, you may contact the government (investment.screening@cabinetoffice.gov.uk) to seek a view. Any response does not constitute legal advice and the parties should obtain independent legal advice.

If you are seeking a view from the government, you should:

  • Include as much detail as possible about a qualifying acquisition, including the names of the parties and their activities.
  • Explain clearly, in relation to the NSI Act and the Notifiable Acquisition Regulations, why there is uncertainty in how the NSI Act can be applied to the acquisition at hand.
  • Explain clearly any timing considerations that the government should be aware of in relation to the acquisition. However, the government cannot guarantee a timeline within which such queries will be responded to.

While the government will endeavour to be as helpful as possible, there will be circumstances in which it may not be possible or appropriate for the government to give a substantive response. In particular, the government is unlikely to comment on hypothetical scenarios as they may be misapplied to similar but substantially different real scenarios.

Example 1

The target undertakes activities in the defence sector. These activities are to manufacture arms which are supplied to another company which in turn supplies those arms to the British armed forces. These arms contain unique advanced technologies which give the British armed forces advantages over adversaries.

Does this fall under the Notifiable Acquisition Regulations?

Based on the information provided, the government would be able to respond to this query. It provides clear details about the activities of the target and the sector in which it operates.

Example 2

The acquirer is exploring the possibility of acquiring an as-yet unidentified telephony company. There are several ways in which the acquirer could undertake such an acquisition and several targets that it may seek to acquire.

In any of those circumstances would the acquirer need to notify the government of its acquisition?”

Based on the information provided, the government would not be able to advise the notifier on this query. This is because it presents a hypothetical situation with no firm indication of the target. Although the query says which sector the acquisition is in (and that sector is subject to mandatory notification), there is not enough information to say whether or not it will technically require mandatory notification.

If you are uncertain about whether an acquisition is notifiable and the matter is considered urgent, you may submit a notification form to the best of your knowledge regarding whether it is voluntary or mandatory. However, a notifiable acquisition can only be notified using the mandatory notification form, and a voluntary notification must be notified using the voluntary form. If you do submit a notification using the wrong form the NSI Act requires the government to reject the notification. In that circumstance, the government will contact you as soon as reasonably practicable and explain why it has been rejected and advise you on possible next steps.


Advanced Materials

The development and utilisation of Advanced Materials across Defence as well as civil sectors is rapidly growing and is crucial to help transform important industrial sectors and underpin key areas of high-value manufacturing.

The risk to national security posed by Advanced Materials is also clear. Advanced Materials offer significant benefits to military capability, through increased functionality, improved survivability, enhanced maintainability and reduced through-life cost.

The cross-cutting and dual-use nature of Advanced Materials also means that emerging technologies using advanced materials are likely to have defence and security applications and implications; irrespective of the application or sector that is driving their development.

Am I in scope of the Advanced Materials part of the regulations?

You are legally required to submit a mandatory notification to the government if the qualifying entity you are acquiring carries out activities in relation to advanced materials.

Generally, Advanced Materials cover the following:

  • advanced composites
  • metals and alloys
  • engineering and technical polymers
  • engineering and technical ceramics
  • technical textiles
  • metamaterials
  • semiconductors
  • photonic and optoelectronic materials and devices
  • graphene and related 2D materials
  • nanotechnology
  • critical materials
  • other materials

The activities covered are:

  • research
  • development or production
  • development or production of anything designed as an enabler
  • development or production of anything designed to be used for the purpose of production
  • the provision of qualified or certified designs, materials, parts or products
  • owning, creating, supplying or exploiting intellectual property
  • the provision of know-how or services of enablers
  • recycling or re-using

Check which Advanced Materials are covered

The material is an ‘advanced material’ if it is listed in either of the following documents:

  • the Advanced Materials section of the regulations. You should read all the sections of the Advanced Materials regulations as the categories overlap with one another
  • the Strategic Export Control List (SECL)

You must check both documents to see if your acquisition is in scope.

The following sections of the SECL are of relevance to the requirement to notify the UK government in relation to Advanced Materials:

  • UK Military List [Schedule 2 to the Export Control Order 2008]
  • EU Dual-Use List [Annex I to Council Regulation (EC) No. 428/2009]
  • EU Dual-Use List [Annex IV to Council Regulation (EC) No. 428/2009]

Further information about semiconductors

Application-specific integrated circuit (ASICs) are a type of chip included in the Advanced Materials and not the Computing Hardware part of the regulations. This is because ASICs can be an important component in these other technological applications, whereas they are not for central processing units and provision of memory.

For further information on semiconductors and what is meant by the terms ‘fabrication’ and ‘packaging’ you should review the Computing Hardware guidance.


Advanced Robotics

Robots are no longer limited to factory or laboratory settings, with increasingly capable, mobile and autonomous robots providing new services and capabilities on land (for example, self-driving cars or fruit-picking robots), in the air (drones), on or under the sea and in space. While these capabilities, including the ability to operate independently and to work safely alongside humans, will unlock important business and public benefit applications, even where an entity develops or produces robots or services specifically for civilian applications, these could potentially be adapted for use in military or national security relevant applications.

Am I in scope of the Advanced Robotics part of the regulations?

You are legally required to submit a mandatory notification if the qualifying entity you are acquiring either:

  • develops or produces advanced robotics
  • develops or produces core components specially designed or modified for use in advanced robotics

‘Advanced robotics’ are defined as meeting both of the following criteria:

  • it’s a physical machine that can interact with its environment and can move itself or its ‘limbs’ or tools
  • it has either a meaningful degree of autonomy, and/or the ability to use sensors to carry out sophisticated surveillance and data collection

‘Autonomy’ means the capability to operate independently of human control, either fully or partially. Where the autonomy is partial, this may be in addition to remote control or tele-operation or though pre-programming of operations or responses.

Autonomy therefore includes the ability to sense, reason (for example, using forms of artificial or machine intelligence) and respond or adapt to its surroundings. This may include but is not limited to:

  • the ability to self-navigate and react to changing circumstances, such as a self-driving vehicle navigating the roads and responding to traffic lights
  • the ability to autonomously make changes to improve performance, for example adapting or learning through iteration and experience, and/or
  • the ability to self-repair, self-heal or adapt to their surroundings, including, for example, through the use of compliant or flexible materials that mimic the natural world, known as ‘soft robotics’

‘Advanced robotics’ also includes the ability to use sensors to carry out sophisticated surveillance and data collection. This does not include simple data capture such as CCTV cameras (or other static devices) but includes robots with the ability to capture high fidelity data from their environment, including those that may be entirely pre-programmed or remotely controlled. This would include reconnaissance activities by drones, satellites, underwater vessels or other forms of mobile robot.

You are also legally required to submit a mandatory notification to the government if you are acquiring a qualifying entity that develops or produces core components specially designed or modified for use in advanced robotics.

These core components include:

  • sensors which give advanced robotics the ability to accurately sense their environment, the objects around them or their own position
  • end-effectors such as grippers, manipulator arms, magnetic, pneumatic or vacuum tools that enable them to physically interact and deliver their capability with the intended precision and effect
  • bespoke means of locomotion for use in advanced robotics, including for example, wheels, propellors or fins
  • bespoke energy sources for use in advanced robotics and
  • control systems (including forms of artificial intelligence for use in advanced robotics) and communications systems (including components that enable the advanced robotics to communicate with other robots or a central artificial intelligence system that, for example, controls a swarm of robots).

Example: autonomy

Company A is considering acquiring Company B, which designs and builds a mobile fruit picking robot equipped with AI, sensors and a new form of dextrous soft gripper. The AI and sensors enable the robot to demonstrate a meaningful degree of autonomy and it therefore meets the relevant test for being considered advanced robotics. Company A must notify the UK government of this acquisition, as Company B is a qualifying entity that develops and produces advanced robotics.

Example: components specially designed or modified for advanced robotics

Company A specialises in the provision of machine learning software for robotic control systems, to optimise picking and packing of a range of physical products. Company A does not itself produce any physical machines, but sells this capability to Company B, which Company B integrates into a broader automated robotic warehouse and stock-picking management solution. If Company C wishes to acquire either Company A or Company B it would be required to notify the UK government. This is because the integration of the standalone software capability into the broader automated robotic solution constitutes the development or production of advanced robotics capabilities.

In the event that Company A provides the systems integration capability to Company B, and Company B is therefore a consumer not involved in developing or producing the broader advanced robotics solution, then the acquisition of Company B would be out of scope.

What is out of scope of the Advanced Robotics part of the regulations?

The following are out of scope of the Advanced Robotics regulations:

  • robotics that are widely available consumer goods including robotic toys and smart appliances (such as vacuum cleaning or lawnmowing robots)
  • consumers of advanced robotics who purchase ‘complete systems’ or standalone devices or equipment and use them as they are intended, for example to perform their farming, surveying or logistics operations. By ‘complete systems’ we mean systems whose core technical capabilities cannot be altered, in contrast to technology or equipment that will be used in production or development activities relating to advanced robotics. If a qualifying entity purchases specific components or advanced robotics systems that it then integrates into or alters to deliver new advanced robotic functions or capabilities as part of a wider system, that qualifying entity is in scope and would need to notify.
  • robots performing pre-programmed repetitive tasks, most frequently seen in the older generation of industrial robotics, for example the machining, lifting or pressing operations of a manufacturing process or assembly line. This includes mechanical robotic tools performing repetitive functions with basic or no sensory or cognitive abilities.
  • automated parking and lane departure warning capabilities for cars or other mobile robotics, which are now commonplace across the market. However, self-driving cars and the core capabilities of autonomy underpinning them are in scope of the regulations.
  • basic, static, sensing, imaging or computing devices such as temperature monitors, cameras or smart speakers.
  • entities in the supply chain producing components intended for use more broadly than advanced robotics, including basic or generic hardware or electrical components, for example, industry standard electronics such as Complementary Metal Oxide Semiconductor (CMOS) sensors or radio transmitters.

Example: an acquisition that isn’t in scope

Company A, an audit company, purchases from Company B an advanced, high-definition drone services contract, to survey and report on the activities of a range of infrastructure and construction sector clients with high specificity. Company A uses the drone in a range of different environments and uses the data it finds as part of its own business but has no expertise in developing or producing the drone itself. If Company C acquires Company A at a future date, it would not be required to notify the UK government, as it is merely a consumer / user of the products and services of Company B.

If you do not think your acquisition is covered by the Advanced Robotics guidance, you should read guidance for the following areas:


Artificial Intelligence

The development of artificial intelligence (AI) technologies is growing rapidly and transforming the global economy. The development and application of these technologies is an industry in its own right, but AI is also transforming business models across many sectors.

AI can optimise the efficiency, precision, and performance of many existing technologies.

AI is also inherently dual-use and potentially easy to repurpose. There is increasing interest by military and law enforcement organisations to advance the use of AI in their domains. There is potential for other actors to deploy AI applications for malicious and harmful uses. This means technologies that are used for the commercial market and consumers could also be repurposed and used in manners which could give rise to national security concerns. The opportunity to use AI positively across the UK economy can only be harnessed if sensitive and critical applications of AI can be protected.

As AI technologies are often general purpose and used across sectors, this regulation will capture entities that do not necessarily identify as ‘AI companies’. Whether a qualifying entity is focused solely on AI, or incorporates or develops AI as part of a wider approach to their sector or business, it is the specific work being undertaken that is most important to consider.

Am I in scope of the Artificial Intelligence part of the regulations?

To determine if a qualifying entity you are seeking to acquire is in scope of the AI part of the regulations, you need to consider 2 questions:

  • does the qualifying carry on entity research into, or develop or produce goods, software or technology that use AI?
  • is the AI work of the qualifying entity used for one of the following applications: identification or tracking, advanced robotics or cyber security?

If the answer is yes to both questions for the qualifying entity being acquired, you are legally required to submit a mandatory notification to the government.

There are 2 steps to considering the entity you are acquiring is in scope.

  1. Confirm the use of AI.

  2. Confirmation application of AI.

Step 1: Confirm the use of AI

You first need to consider if the qualifying entity researches into, or develops or produces goods, software or technology that use ‘artificial intelligence’.

‘Artificial Intelligence’ is defined in the regulations as:

“technology enabling the programming or training of a device or software to:

i) perceive environments through the use of data

ii) interpret data using automated processing designed to approximate cognitive abilities and

iii) make recommendations, predictions or decisions

with a view to achieving a specific objective”

‘Cognitive abilities’ means reasoning, perception, communication, learning, planning, problem solving, abstract thinking, decision-making or organisation

Step 2: Confirm application of AI

If you believe the qualifying entity does fit the definition of AI, you then need to consider how this is being applied.

Three categories of application are in scope of the new rules. You are legally required to submit a mandatory notification if the qualifying entity does any of the following:

  • identification or tracking
  • advanced robotics
  • cyber security

Identification

Examples of ‘identification’ may include, but are not limited to:

  • Human identification:
    • audio and speech recognition
    • data re-identification
    • emotion recognition
    • facial recognition
    • gait analysis
  • Object identification:
    • automated vehicle parking systems
    • image classification
    • image retrieval
    • machine inspection
    • object localisation
    • object detection and object segmentation
    • surveillance (human and object)
  • Event identification:
  • activities captured in ‘real time’ (i.e. video analysis to track an individual moving)
  • tracking and processing

Advanced robotics

“Advanced robotics” has the same meaning as in Schedule 2 of the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021.

Examples of ‘advanced robotics’ may include, but are not limited to:

  • autonomous vehicles
  • digital twinning
  • path or action execution
  • path or action planning
  • sensor data processing.

Cyber security

“Cyber security” means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.

“Cyber threat” means any potential circumstance, event or action that could damage, disrupt or otherwise adversely affect network and information systems, the users of such systems and other persons”.

Examples of ‘cyber security’ may include, but are not limited to:

  • authentication
  • behaviour analysis
  • predictive analysis
  • threat detection and classification
  • vulnerability discovery

If you do not think your acquisition is covered by the AI guidance, you are advised to read guidance for the following areas:

  • Advanced Robotics - where the application of the qualifying entity’s work relates to robotics.
  • Computing Hardware - this covers activities relating to ‘a specialist processor for artificial intelligence applications’. You are advised to consider if the qualifying entity’s work covers a) the ownership, creation or supply of intellectual property to or b) the fabrication or packaging of specialist processors for artificial intelligence applications

Civil Nuclear

The UK’s civil nuclear sector is among the most advanced in the world, from fuel production, generation, new build, research through to decommissioning, waste management and transportation and our world class regulatory system.

The civil nuclear sector is also part of the UK’s Critical National Infrastructure (CNI). It generates essential baseload, low carbon electricity critical to families and businesses, providing around 17% of the UK’s current electricity needs.

As well as generating electricity, the civil nuclear sector also stores, processes and transports radioactive material, and nuclear safety and nuclear security are essential to any nuclear operation.

Am I in scope of the Civil Nuclear part of the regulations?

In the UK, certain types of nuclear material, information and technology are regulated for safety and/or security, and the Civil Nuclear part of the regulations specifically references some of the notifiable acquisition regulations and relevant legislation.

As a first step when self-assessing whether your proposed acquisition falls into the scope of the mandatory notification requirement, you should find out whether the qualifying entity you are seeking to acquire holds any licences or certifications in relation to nuclear activities, as this may be helpful in identifying whether an acquisition needs to be notified.

This guidance is structured to reflect each individual criterion of the regulations. To identify whether you need to submit a notification, you should find out if the qualifying entity you are seeking to acquire meets any of the criteria below.

You are legally required to notify if the qualifying entity you are acquiring is involved in any of the following.

The qualifying entity either:

  • holds a nuclear site licence for non-military purposes
  • is a tenant on a non-military licensed nuclear site
  • holds Category I, II or III nuclear material
  • holds a Class A or Class B licence to transport nuclear material
  • is planning to build a nuclear reactor
  • is awaiting the outcome of a relevant assessment by the Office for Nuclear Regulation
  • holds equipment, software or information relevant to enrichment of uranium
  • holds Sensitive Nuclear Information (SNI)
  • is receiving relevant public funding in relation to fission nuclear reactors

The qualifying entity holds a nuclear site licence for non-military purposes

You should review whether the qualifying entity you are seeking to acquire holds a nuclear site licence for non-military purposes, and if you conclude that it does you are legally required to submit a mandatory notification to the government. In the UK, nuclear site licences are issued by the Office for Nuclear Regulation (ONR). The activities for which a site licence is required are described in Section 1 of the Nuclear Installations Act 1965, and include things such as operating a nuclear power plant, producing nuclear fuel, or enriching uranium.

The qualifying entity is a tenant on a non-military licenced nuclear site

Licensed civil nuclear sites may have tenants. When assessing whether your acquisition falls into the scope of mandatory notification, you should review whether the qualifying entity you are seeking to acquire holds a tenancy agreement for premises on the type of licensed nuclear site described above. If you conclude that it does, you are legally required to submit a mandatory notification.

The qualifying entity holds Category I, II or III nuclear material

You should check whether the qualifying entity you are seeking to acquire holds any Category I, II or III nuclear material. If you assess that it does, you are legally required to submit a mandatory notification to the government. Categories I, II and III of nuclear material are described in the Nuclear Industries Security Regulations 2003. This includes certain types of plutonium, uranium, neptunium, americium, and other types of reactor fuel or irradiated nuclear material.

The qualifying entity holds a Class A or Class B licence to transport nuclear material

In order for an entity to transport nuclear material of Category I, II or III, it must be approved as either a Class A or Class B carrier by the Office for Nuclear Regulation. You should review whether the qualifying entity you are seeking to acquire holds a relevant licence to transport nuclear material, and if you conclude that it does you are legally required to submit a mandatory notification to the government.

The qualifying entity is planning to build a nuclear reactor

You should check whether the qualifying entity you are seeking to acquire intends to build certain types of infrastructure defined as a Nationally Significant Infrastructure Project in the Planning Act 2008, for example, certain types of large-scale electricity generation projects. If so, you should find out whether it has received development approval from the Secretary of State for Business, Energy & Industrial Strategy (BEIS), or has submitted an application for this. If you conclude that it has and that the development consent or application relates to a nuclear reactor, you are legally required to submit a mandatory notification to the government. A nuclear reactor is as defined in the Nuclear Installations Act 1965.

The qualifying entity is awaiting the outcome of a relevant assessment by the Office for Nuclear Regulation

Some entities may be required to pay a fee to the Office for Nuclear Regulation in relation to an assessment of a design proposal, or the preparation of a relevant assessment agreement. These purposes are defined in the relevant section of the Health and Safety and Nuclear (Fees) Regulations 2021 and include, for example, a Generic Design Assessment. You should check whether the qualifying entity you are seeking to acquire has asked ONR to carry out this type of assessment, and if you conclude that it has and that this assessment is on-going you are legally required to submit a mandatory notification to the government.

The qualifying entity holds equipment, software or information relevant to enrichment of uranium

Some entities may hold equipment, software or information relevant to enrichment of uranium as defined in the Uranium Enrichment Technology (Prohibition on Disclosure) Regulations 2004. You should check whether the qualifying entity you are seeking to acquire holds any equipment, software or information defined in this legislation, and if you conclude that it does you are legally required to submit a mandatory notification to the government. Enrichment of uranium refers to the process of treating uranium to increase the proportion of the isotope 235 contained in the uranium.

The qualifying entity holds Sensitive Nuclear Information (SNI)

Sensitive Nuclear Information (SNI) is a type of officially classified information and is defined in the Anti-Terrorism, Crime and Security Act 2001. Within the UK, holders of SNI outside of nuclear facilities are regulated by the Office for Nuclear Regulation (ONR) under Regulation 22 of the Nuclear Industries Security Regulations (NISR) 2003. Regulation 22 duty holders may be placed on ‘List N’. Further information on SNI is available on the ONR website. You should review whether the qualifying entity you are seeking to acquire holds any SNI, and if you conclude that it does you are legally required to submit a mandatory notification to the government.

The qualifying entity is receiving certain public funding in relation to fission nuclear reactors

Some entities receive public funding for research and development purposes – such as funding from UK Research and Innovation - under the Science and Technology Act 1965 or the Higher Education and Research Act 2017.

You should review whether the qualifying entity you are seeking to acquire is directly receiving funding from a public organisation under either of these Acts in relation to fission nuclear reactors (including Small Modular Reactors and Advanced Modular Reactors). If you conclude that it is, then you are legally required to submit a mandatory notification to the government. The financial support arrangements usually state the legislation under which funding has been awarded.


Communications

The communications sector is a diverse, technologically advanced and constantly evolving. It is integral to national security, the economy and society as it supports the operations of businesses, public safety organisations, government, the wider public sector, other critical national infrastructure and citizens. The mandatory notification requirements include many of the most significant providers within the sector.

As a regulated sector, the mandatory notification requirements in the Communications part of the regulations are informed by existing legislation, primarily the Communications Act 2003, in order to provide clarity and consistency across the regulatory frameworks.

Am I in scope of the Communications part of the regulations?

You are legally required to submit a mandatory notification if any of the following apply. The entity you are acquiring either:

  • is a public electronic communications network or service (PECN/S) with a UK turnover of at least £50 million
  • makes available an ‘associated facility’ to a PECN/S with a turnover of at least £50 million (exceptions apply, see below)
  • owns a building where its main purpose is to host active telecommunications equipment
  • owns a submarine cable system with a UK turnover of at least £50 million
  • owns a cable landing station which is used by a PECN/S with UK turnover at least £50 million
  • owns a repair or maintenance service for submarine cable systems or cable landing stations which is used by PECN/S with UK turnover at least £50 million.
  • has a top-level domain name registry, domain name system resolver, authoritative hosting service or internet exchange points subject to certain thresholds
  • provides broadcast infrastructure for either:
    • the BBC
    • Channel 3 (ITV PLC and STV)
    • Channel 4
    • Channel 5
    • S4C
    • national commercial radio (analogue or digital)

Telecommunications

Public electronic communications providers

The qualifying entity you are acquiring is in scope if it is a public electronic communications network or service (PECN/S) with a turnover of at least £50 million, or is a provider of certain associated facilities by reference to such a PECN/S.

A PECN refers to an electronic communications network that is provided wholly or mainly for the purpose of making electronic communications services available for use by members of the public.

A PECS refers to an electronic communications service that is either:

  • an internet access service
  • a number-based interpersonal communications service
  • any other service consisting in, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting - provided so as to be available for use by members of the public

Social media services (such as Facebook and Instagram) or messenger/video services (such as WhatsApp and Zoom) are not in scope when they are only providing content or number-independent interpersonal communications services.

Private electronic communications networks and services (for example, those used on transport systems) are not in scope. However, private networks used by emergency services and some private networks used within the defence sector are in scope of the regulations.

The turnover threshold

Providers of PECN/S are only included if the annual turnover of their specific business activity that involves the provision of a PECN/S conducted in the UK is at least £50 million during the relevant period. This applies to those who own, or have controlling interests in, such providers of PECN/S and other associated entities. If you are seeking to acquire a qualifying entity which falls above this threshold, you are legally required to notify the government.

Associated facilities

An ‘associated facility’ refers to a facility, element or service used in association with an electronic communications network or service for specified purposes.

Your acquisition is in scope if the qualifying entity you are acquiring makes available an associated facility to a qualifying PECN/S. There are exceptions for ‘passive infrastructure’ and ‘support infrastructure’ (see below).

A facility can be physical infrastructure such as a data centre used to provide the core network function of a PECN/S, or a satellite ground station. It can be a service provided to communications service providers such as businesses who provide billing services or managed service providers. Businesses who provide more general services to communications service providers such as cleaning or HR services would not be included here, as these services do not specifically enable or support the provision of communications networks or services.

A qualifying entity making available an associated facility would not include a supply chain vendor of equipment or software if the qualifying entity simply sells its product onwards and does not also operate or retain control over it when in use. However, if the contractual relationship allowed a supply chain vendor to retain an element of control over the use of the equipment, then they might be included in mandatory notification.

Your acquisition is in scope of mandatory notification if you are seeking to acquire an operator of an associated facility that is used by a PECN/S with a UK turnover of at least £50 million. If you are acquiring a qualifying entity that operates an associated facility with a UK turnover of over £50 million, but the entity only provides that facility to a PECN/S with a turnover below £50 million, then your acquisition would not be in scope of mandatory notification.

Passive infrastructure

Your acquisition is not in scope of mandatory notification if the associated facility is a ‘passive’ network element. This means it has equipment which transmits information but does not convert or process it and is unlikely to consume electrical power. Examples of passive infrastructure for the purposes of these regulations include pipes, ducts, cables and wires.

Support infrastructure

Some elements within a network are used to support or “host” other elements. The term “host” refers to support infrastructure which houses, protects, guides or supports other network elements, which are themselves active or passive.

If you are seeking to acquire a qualifying entity which meets the turnover threshold and makes available network elements which are passive, but hosts active network elements, then you are legally required to submit a mandatory notification to the government.

Passive network elements that host other passive elements are not in scope for mandatory notification. For instance, street cabinets are passive support infrastructure that may host active equipment, whereas telephone poles are passive infrastructure which may only host passive equipment (cables).

Some types of equipment such as antenna can be active or passive depending on the specific piece of equipment and how it is used. Similarly, masts and towers may host active or passive equipment and therefore the operators of masts and/or towers are only exempt from mandatory notification if their masts/towers only host passive equipment such as cables and not any active equipment such as active antenna.

Building owners and landowners

Entities which own or make available buildings that host telecommunications equipment, including on the roof of the building, are excluded from mandatory notification. The only exception to this is if the main purpose of that building is to host active telecommunications equipment, and where that active equipment is used by a PECN/S with a UK turnover of at least £50 million. Owners of residential properties or unrelated commercial properties which have active telecommunications equipment on their roofs, such as 5G small cells, are not in scope of mandatory notification, as the main purpose of those buildings is not to host active telecommunications equipment. Owners of cable landing stations, satellite ground stations and relevant data centres are in scope of mandatory notification, as the specific purpose of these buildings is to host active telecommunications equipment.

Owners of land upon which a qualifying associated facility is located (whether that is active, passive or support infrastructure) are not in scope of mandatory notification. Exceptions to this include when the landowner is also carrying out other activities which are in scope of the regulations, such as owning/operating the telecommunications infrastructure on its land, which would mean it would be making available an associated facility or if they were also providing a PECN/S within the turnover threshold.

Submarine cable systems and cable landing stations

If you are seeking to acquire a qualifying entity which owns a submarine cable system which has a UK turnover at least £50 million then you are legally required to submit a notification to the government as these are considered to be PECN/S.

Cable landing stations are considered to be associated facilities therefore, if you are seeking to acquire a qualifying entity which owns a cable landing station which is used by a PECN/S with UK turnover at least £50 million, then your acquisition is in scope.

Please note: The explicit reference to submarine cable systems and cable landing stations have been included in the Communications part of the regulations for completeness. They should not be read as meaning that they would otherwise necessarily fall outside the scope of the Communications Act 2003 definitions of PECN/S and associated facilities.

If you are seeking to acquire a repair and maintenance service for submarine cable systems and cable landing stations, which is used by a PECN/S with UK turnover above £50 million, you are required to submit a notification to the government too.

Information systems

If you are seeking to acquire a top-level domain name registry, domain name system resolver, authoritative hosting services and internet exchange points then (subject to the thresholds below) your acquisition is in scope of the mandatory notification requirements. These terms are defined in the Network and Information Systems Regulations 2018 (as amended) (NIS Regulations).

The thresholds reflect those in the NIS Regulations, and are as follows:

  • top-level domain name registry: services 14 billion or more queries from any UK device in a consecutive 168-hour period for domains registered within the Internet Corporation for Assigned Names and Numbers
  • domain name system resolver service: services 500,000 or more different Internet Protocol addresses used by persons in the UK in any consecutive 168-hour period
  • domain name system authoritative hosting service: services 100,000 or more domains registered to persons with an address in the UK
  • internet exchange points: has 30% or more market share for such services in the UK in terms of interconnected autonomous systems

It is important to note that qualifying entities that operate internet exchange points (those that are involved or operate infrastructure which is provided for the exchange of digital data) are also in scope of the Data Infrastructure part of the regulations, where no threshold is applied.

Supply chain

Entities in the supply chain which sell equipment and software, but do not subsequently operate that equipment and do not have any control over its use, are excluded from the Communications part of the regulations.

Broadcasting

Providers of broadcast infrastructure for the BBC, national commercial radio (analogue or digital) or television services for the UK’s public service broadcasters (holders of Channel 3 licenses, Channel 4, Channel 5 and S4C) are also included. However, the definition of a PECS service excludes services that are content services, meaning that providers of broadcasting content services (including television and radio) are not included and therefore not subject to the mandatory notification requirements. Enterprises which provide both broadcasting infrastructure and content are covered by the Communications part of the regulations.


Computing hardware

Computing hardware is essential to all digital devices. Technological advances in computing hardware have changed the way in which people can use digital devices to interact and the way businesses develop and grow. Digital technologies are used in our day to day lives, but they are also important to the UK’s national security, underpinning critical UK infrastructure, and are now just as intrinsic to defence uses as they are to our daily lives.

The Computing Hardware part of the regulations focus on specific activities, products and functions that take place within the supply chain for these products. As the process for creating computing hardware is advancing all the time, risks can emerge upstream of the final product, including vulnerabilities that could cause harm.

Am I in scope of the Computing Hardware part of the regulations?

To determine if a qualifying entity you are seeking to acquire is in scope of the Computing Hardware part of the regulations, you need to consider 2 questions:

  • is the qualifying entity involved with any of the activities set out in the definition?
  • if so, do these activities apply to any of the corresponding products or functions as listed in the definition?

If the qualifying entity you are seeking to acquire falls into both categories, then you are legally required to submit a mandatory notification to the UK government.

You need to check if the qualifying entity you are acquiring is involved in any of the following activities:

  • the ownership, creation, supply or exploitation of intellectual property of certain products or functions
  • design, maintenance or delivery of a service for secure provisioning or management
  • fabrication of packaging

The ownership, creation, supply or exploitation of intellectual property of certain products or functions

An acquisition is likely to be in scope if the qualifying entity is involved in the ownership, creation, supply or exploitation of intellectual property of any of the following products or functions:

  • computer processing units
  • architectural, logical or physical designs for such units
  • the instruction set architecture for such units
  • code, written in a low-level language, that can control how such units operate
  • integrated circuits with the purpose of providing memory

Computer processing units include field central processing units (CPUs), programmable gate arrays (FPGA), microcontrollers, system on chips, graphics processor units and specialist processors for Artificial Intelligence applications.

Design, maintenance or delivery of a service for secure provisioning or management

Your acquisition is likely to be in scope if the qualifying entity is involved in the design, maintenance or delivery of a service for the secure provisioning or management of any of the following products or functions:

  • roots of trust of computer processing units
  • code, written in a low level language, that can control how such units operate

Fabrication or packaging

Your acquisition is likely to be in scope if the qualifying entity is involved in the fabrication or packaging of any of the following products or functions:

  • central processing units (CPU)
  • integrated circuits with the principal purpose of providing memory

Fabrication means the process of producing a microelectronic circuit on a semiconductor substrate or using other advanced materials.

Examples of fabrication include, but are not limited to:

  • deposition
  • etching
  • ion implantation
  • lithography
  • wafer preparation

Packaging means the process of turning a microelectronic circuit on an appropriate substrate into a package suitable for use in an electronic circuit but does not include the assembly and packaging of chips and devices into circuit boards.

Example of packaging include, but are not limited to:

  • bonding
  • die preparation
  • encapsulation

Further details on terms used

Artificial Intelligence

The Computing Hardware part of the regulations references ‘a specialist processor for artificial intelligence applications’, a definition of ‘Artificial intelligence’ is provided in the Artificial Intelligence part of the regulations.

‘Artificial intelligence’ means technology enabling the programming or training of a device or software to—

i) perceive environments through the use of data

ii) interpret data using automated processing designed to approximate cognitive abilities and

iii) make recommendations, predictions or decisions

with a view to achieving a specific objective.

Products and functions

The following are examples of terms used in the definition. These are for example only and should not be seen as an exhaustive list.

Architectural, logical or physical designs

Examples include, but are not limited to:

  • electronic Design Automation (EDA) software
  • layout / schematic designs
  • microarchitecture
  • register transfer language (RTL)

Instruction set architecture

Examples include, but are not limited to:

  • instruction set architectures
  • formal definitions of these
  • instruction set extensions

Code, written in a low level language, that can control how such units operate

Examples include, but are not limited to:

  • microcode
  • drivers
  • firmware for roots of trust

Roots of trust of computer processing units - means hardware, firmware or software components that are inherently trusted to perform critical security functions

Examples include, but are not limited to:

  • cryptographic key material bound to a device that can identify the device or verify a digital signature to authenticate a remote entity)

Integrated circuits with the purpose of providing memory

An example could include, but is not limited to:

  • a chip developed to provide volatile or non-volatile memory to an external computer processing unit, using either well developed memory technologies (e.g. SRAM, DRAM, flash) or newer memory technologies (e.g. PCM, RRAM, FRAM, MRAM)

A specialist processor for artificial intelligence applications

Examples include, but are not limited to

  • approximate processors and other architectures with a similar purpose of accelerating artificial intelligence
  • machine learning applications
  • neuromorphic processors

If you do not think your acquisition is covered by the Computing Hardware guidance, you should read guidance for the following areas:

  • Artificial Intelligence - if the entity works with ‘a specialist processor for artificial intelligence applications’.
  • Advanced Materials - If the entity uses application-specific integrated circuit (ASICs), or an electronic component not captured under the Computing Hardware regulations

Critical Suppliers to Government

The purpose of this part of the regulations is to help protect the government supply chain from potential national security risks. The regulations focus on the most sensitive government information, assets or estates where the risk to national security is the greatest were they subject to compromise.

Am I in scope of the Critical Suppliers to Government part of the regulations?

For the purpose of these regulations, Critical Suppliers to Government are those contracted to access very sensitive government data, assets or estates, all of which might be subject to attack from adversaries.

The critical suppliers to government part of the regulations only applies to suppliers that hold direct contracts with government (sometimes referred to as prime suppliers). It does not apply to subcontractors.

The regulations define government as being equivalent to “contracting authorities” as outlined in the Public Contracts Regulations 2015. A contracting authority includes:

the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law, and includes central government authorities but does not include Her Majesty in her private capacity.

You are legally required to submit a mandatory notification if the qualifying entity you are seeking to acquire holds a public contract with government which includes any of the following features:

  • processing and/or storing SECRET or TOP SECRET material
  • a requirement to have list X accreditation
  • a requirement for employees to be vetted at or above Security Check (SC) level

Processing and/or storing SECRET or TOP SECRET material

Government information is classified to indicate sensitivity, with SECRET and TOP SECRET being the most sensitive. Visit the government security classifications page to understand how the government classifies information assets.

You are legally required to submit a mandatory notification if the qualifying entity you are seeking to acquire has both of the following features:

  • a public contract with government
  • processes or stores SECRET or TOP SECRET material

List X accreditation

List X (sometimes referred to as Facility Security Clearance) applies to companies operating in the UK which have government contracts which require them to hold information on site that is classified as:

  • SECRET and above or
  • international partners’ information classified as CONFIDENTIAL and above

Further information can be found on the international classified information page.

The UK government does not publish the names or locations of List X facilities, but the Ministry of Defence is the contracting authority for the majority of these sites.

List X contractors are also required to notify the Ministry of Defence of potential changes in ownership. Check the guidance for security requirements for List X contractors.

You are legally required to submit a mandatory notification if the qualifying entity you want to acquire has both of the following features:

  • a public contract with government
  • a contractual requirement to have a list X accreditation

Vetting employees to Security Check level or above

There are currently 5 levels of national security vetting in the UK:

  • Counter Terrorist Check (CTC)
  • Security Check (SC)
  • Enhanced Security Check (eSC)
  • Developed Vetting (DV)
  • Enhanced Developed Vetting (eDV)

View guidance from UK Security Vetting for more information on clearance levels.

As a general rule, those who need frequent access to SECRET material will require Security Check clearance. Individuals who need unsupervised access to TOP SECRET material will require Developed Vetting clearance.

You are legally required to submit a mandatory notification if the qualifying entity you want to acquire has both of the following features:

  • a public contract with government
  • a requirement for their employees to be vetted at SC level or above

Cryptographic Authentication

Authentication is the process of verifying the identity of a person or device. Where the technical method depends on cryptography, rather than a non-technical method such as checking the signature of an individual or that their face matches their driving licence, it is deemed to be a sensitive technology.

Companies that provide cryptographic authentication operate across much of the economy, providing software and hardware tools for businesses to enable a number of key capabilities, including:

  • verification of user identity through passwords, 2-factor or multi-factor authentication (such as a hardware token or software application)
  • authentication of a human-operated or automated device to a network to allow access to the network, data and other resources
  • verification of the origin and integrity of an email, message or document through digital certificates, and security protocols

These functions can be enablers of further security steps, such as management of access, and help to prevent unauthorised access to data, network resources, personal information, physical spaces, intellectual property and other assets. This might include use or ownership of a device containing a cryptographic key. It can include determining the identity or some attributes of the device owner asserted by an authoritative third party or recognising the user as a repeat visitor or as the owner of a previously established account.

Am I in scope of the Cryptographic Authentication part of the regulations?

You are legally required to notify the government if the qualifying entity you are acquiring is involved in at least one of the following activities:

  • research into any product(s)
  • developing any product(s)
  • producing any product(s)

Where that product(s) meets the following 3 criteria:

  • has authentication as a primary function
  • employs cryptography in performing the authentication function and
  • is a product that is not ordinarily supplied to or made available for acquisition by consumers

Examples of technologies within scope, but are not limited to, are systems that authenticate:

  • the identity of a physical person using an access token to gain entrance to a restricted area at a critical national infrastructure site
  • the identity of a user to gain electronic access to the computer network of a power station
  • a biometric property of an individual to allow access to a restricted area of an industrial site
  • a credit/debit chip-and-pin card at an ATM or retail point of sale; and
  • the digital information held on an e-passport to determine whether to allow the holder into the country

Data Infrastructure

Data infrastructure provides the ability to store, process and transmit data. The government has a responsibility to ensure that data and its supporting infrastructure is secure, resilient and trustworthy in the face of established, new and emerging risks, protecting the economy as it grows.

Data infrastructure is physical or virtualised infrastructure used for storing, processing or transmitting data in digital form or infrastructure that is provided for peering, interconnection or exchange of digital data

Am I in scope of the Data Infrastructure part of the regulations?

Qualifying entities in the Data Infrastructure part of the regulations could include:

  • data centre operators
  • cloud storage service providers
  • managed service providers
  • specialist or technical service providers with physical access to relevant data infrastructure
  • software providers whose product gives the software provider ongoing privileged access to customer data

Types of entities not in scope of the Data Infrastructure part of the regulations include:

  • a data centre storing exclusively paper records
  • an entity that sells off-the-shelf software to customers with no ongoing configuration, integration or maintenance support or
  • an entity that provides a public electronic communications service or network but does not provide any dedicated infrastructure or facilities to its customers for storing, processing, or transmitting data in addition to the provision of that electronic communications network or service.

You may need to submit a mandatory notification if the qualifying entity you are acquiring stores, processes or transmits data in a digital form.

To find out if you need to submit a mandatory notification to the government, you need to:

  1. Check if the qualifying entity you are acquiring is involved in ‘relevant data infrastructure’.

  2. Check if the qualifying entity performs a ‘qualifying activity’.

If you meet both criteria, you are legally required to notify the government about your planned acquisition.

Step 1: check if the entity is involved in ‘relevant data infrastructure’

A qualifying entity must perform any one of the activities listed below in relation to relevant data infrastructure in order to be in scope of mandatory notification.

‘Relevant data infrastructure’ is physical or virtualised infrastructure which does any of the following:

  • stores, processes or transmits data in digital form which is used in connection with the administration and operation of certain public sector authorities
  • is provided for peering, interconnection or exchange of digital data between providers of public electronic communications networks and/or services but which is not owned by a provider of public electronic communications networks or service or
  • enables the interconnection of one or more public electronic communications networks with an electronic communications network where part of that network is provided by means of a submarine cable system.

If you provide data infrastructure services to a public authority, check which public authorities are covered by the regulations

You may need to notify if the qualifying entity that you want to acquire has a relationship with certain public sector authorities to perform relevant activity – that is, to store, process or transmit data in digital form.

This could be a direct contract or an indirect relationship, such as a subcontractor to the qualifying entity which has the direct contract with the public sector authority. If the qualifying entity is a subcontractor, it is only in scope if it has been made aware at or before the time that the acquisition took place that it is storing, processing or transmitting data for certain public sector authorities, or providing an activity that would fulfil or contribute towards the fulfilment of the main contract with the public sector authority.

Example

Company A is a colocation data centre and has a direct contractual relationship with Company B, a web hosting company. Company B has a direct contractual relationship with Company C, a public sector authority, whose data is stored in Company A’s facilities. However, Company A does not have a direct contract with Company C and has not been notified that it is a subcontractor in the contractual relationship between Company B and C. Company A is therefore not in scope of mandatory notification.

The scope of the definition of relevant activity may include a public communications provider (PCP) that owns or operates infrastructure which stores, processes or transmits public sector authority data. PCPs should also review the Communications guidance to determine if their acquisition is in scope of mandatory notification.

Peering and interconnection infrastructure

Peering infrastructure that is owned or operated by a provider of public electronic communications networks or a provider of a public electronic communications service itself is not in scope of mandatory notification. The infrastructure which is provided by a third party - such as a data centre – and which provides the facilities for public network and service providers to interconnect with each other is in scope of mandatory notification. Any qualifying entity carrying out a qualifying activity in relation to this third party provided peering infrastructure is in scope of mandatory notification. You should review the Communications guidance to determine if your acquisition is in scope of mandatory notification.

Infrastructure which is used to connect a public electronic communications network as defined in the Communications Act 2003 to a network transmitting data into the UK via a submarine cable is in scope of mandatory notification. This infrastructure could be located at a cable landing station. The infrastructure may also be located inside inland facilities, such as a data centre.

Step 2: check what activities are covered by the rules

You may need to notify your acquisition if the qualifying entity you are seeking to acquire does any one of the following activities. It is not necessary for the qualifying entity to perform all of the activities to be in scope. The activities are as follows:

  • owns or operates relevant data infrastructure
  • manages relevant data infrastructure on behalf of other entities
  • manages facilities where relevant data infrastructure is located
  • provides specialist or technical services to entities involved in any of the above activities
  • produces or develops software for entities involved in any of the above activities and
  • is given administrative access to relevant data infrastructure.

Further information on these terms is outlined below.

Specialist or technical services

You may need to notify if you are seeking to acquire a qualifying entity which provides specialist or technical services to entities which:

  • own or operate relevant data infrastructure
  • manage relevant data infrastructure on behalf of other entities or
  • manage facilities where relevant data infrastructure is located

and where the provision of those services enables physical access to relevant data infrastructure. For example:

  • a qualifying entity performing specialist or technical services that has physical access to infrastructure used for peering, interconnection or exchange of digital data between providers of public communications networks and services
  • a qualifying entity performing specialist or technical services that has physical access to infrastructure used to enable the interconnection of one or more public communications networks with a network which is part of a submarine cable system
  • a qualifying entity performing specialist or technical services with physical access to infrastructure storing, processing or transmitting data in digital form is only in scope if it could be expected to know that the infrastructure is used for “relevant activity”

The type of services that are captured by the regulation are installation, equipment repair or maintenance.

Example

If Company A’s business activities include installation of cooling equipment to Company B and Company B is an owner/operator of relevant data infrastructure, then Entity A is in scope of the regulations.

If Company C is performing maintenance on cables located in a facility where relevant data infrastructure is located, then Company C is also in scope of the regulations.

Administrative access

“Administrative access” is used to describe logical access to virtualised data infrastructure. It refers to either or both authorisation or access granted via either or both logical or administrative access controls by virtue of which an entity may access relevant data infrastructure or control access to relevant data infrastructure where such access would otherwise be restricted or compartmented and where such access would permit the modification of the relevant data infrastructure in a way that was not authorised.

The scope of the administrative access definition has several caveats to ensure that it is capturing only those entities that could present risks to national security, for example:

  • “would otherwise be restricted or compartmented” - this captures a service provider whose service is of a type that gives it unrestricted rights and permissions to data and its underlying infrastructure that would not be available to a standard user and
  • “would permit the modification of the relevant data infrastructure in a way that was not authorised” - this captures a service provider whose service gives it a level of authorisation that would enable it to effectively bypass controls intended to protect the confidentiality, integrity and availability of the relevant data and its underlying infrastructure. It does not mean that the service provider is in scope of mandatory notification only if and when it bypasses controls rather, it means that if the service provider has the access to enable it to bypass such controls if it wished to, then it would be in scope of mandatory notification

Producing or developing software

You may need to notify the government if a qualifying entity that you are acquiring produces, designs or develops software that could be used by a qualifying entity to provide services which give it administrative access to virtualised data infrastructure.

A qualifying entity that sells off-the-shelf software to customers with no ongoing configuration, integration or maintenance support is not in scope. However, the entity that you are acquiring may be in scope if it provides any such support to customers.

The qualifying entity does not need to know whether the software it is producing, designing or developing is used or is going to be used in relation to “relevant data infrastructure”, only whether the software is of a type that could be used to configure or manage the provision of administrative access to virtualised infrastructure which hosts, processes or transmits data.

A qualifying entity which produces, designs or develops software should also be aware of the type of activities carried out by customers for whom it is producing, designing or developing the software. Where those customer activities involve providing a service the provision of which requires administrative access to virtualised data infrastructure, the qualifying entity is in scope of mandatory notification.

You are advised to read the guidance for these other areas of the regulations.

A qualifying entity might be in scope of more than one part of the regulations as some areas of the economy are closely related and may overlap. If you are an acquirer considering whether you are in scope of the Data Infrastructure guidance, you are advised to read guidance for the following areas:

Guidance for procurement and supply chains

The Notifiable Acquisition Regulations provide the government with a strong lever to mitigate national security risks while minimising the impact on businesses in the sector. However, the NSI Act does not negate the need for businesses to take a proactive approach toward mitigating risk in their procurement and supply chains, particularly around the protection and security of data.

Supply chains can be large and complex, involving many suppliers undertaking many different activities. Effectively securing the supply chain can be challenging because vulnerabilities can be inherent or introduced and exploited at any point in the supply chain.

The National Cyber Security Centre (NCSC) and Centre for the Protection of National Infrastructure (CPNI) have produced Supply Chain Security Guidance with 12 principles designed to help entities establish effective control and oversight of supply chains. The guidance provides organisations with an improved awareness of supply chain security, as well as helping to raise the baseline level of competence in this regard, through the continued adoption of good practice.

The NCSC has also produced Supplier Assurance Questions, which is to help entities to gain confidence in suppliers’ cyber security practices. You are advised to understand who has responsibility for cyber security at the supplier organisation and what policies the organisation has in place.


Defence

A robust defence sector is vital to our national security. It provides defence capabilities that are critical to our national security and prosperity, it sustains jobs and skills, contributes to research and development programmes, supports manufacturing and offers export opportunities.

The government recognises that inward investment creates a dynamic industry, promotes innovation and supports the development of first-class military capabilities that enable us to protect our people, territories, values and interests at home and overseas. Given its importance to our national security the defence sector must remain resilient to a wide range of evolving threats.

Am I in scope of the Defence part of the regulations?

All suppliers to the Ministry of Defence (MOD) are covered by the regulations. This includes companies at all tiers, including sub-contractors and those in the chain of sub-contractors, where the goods or service that they research, develop, design, produce, create or apply are provided or used for defence or national security purposes.

You are legally required to submit a mandatory notification to the government if:

  • you are seeking to acquire a qualifying entity whose UK activities include the research, development, production, creation or application of goods or services which are used or provided for defence or national security purposes

and either of the following apply. The qualifying entity you are acquiring either:

  • is a government contractor, or any subcontractor in a chain of sub-contractors which begins with the government contractor, which provides such goods or services, or
  • has been notified by the government that they hold, or may come into possession of, classified material

Contracts which provide access to defence facilities may still give rise to potential national security risks. The obligation to notify extends to contractors or subcontractors who provide goods or services without clear ‘military’ applications, such as catering or cleaning.

The meaning of “defence” and “government contractor” (Section 3 of the regulation) can be found in section 2(4) and section 12, respectively, of the Official Secrets Act 1989.

Contractors and sub-contractors

The government expects that most suppliers who are providing goods and services for defence and national security purposes are aware of the nature of their contractual arrangements. The MOD has a standing contractual requirement for providers to notify the department of a change of control of a contractor, including any sub-contractors, through Defence Contractual Condition (DEFCON) 566 - Change of Control of Contractor.

The mandatory notification requirement in the regulations reinforces this standing requirement and the entities with a statutory obligation to notify will be clearly identifiable by virtue of their contractual arrangements.

Classified material

The government has an established Security Policy Framework Security policy framework: protecting government assets and entities which are subject to that framework are notified that they are involved in the handling of classified material. This notification may be issued in different ways, depending on the nature of the activity concerned, but most commonly through the issuing of a Security Aspects Letter or the designation of a facility as a List X (Facility Security Clearance) site.

Defence Contractual Condition (DEFCON 566 – Change of Control of Contractor)

The obligation contained in Defence Contractual Condition (DEFCON) 566, requires companies within the defence supply chain (i.e. those with a contract with the MOD) to provide the MOD with prior notice of a change in control. This obligation remains extant.

This requirement goes beyond the NSI screening process (with its focus on national security) and extends to wider due diligence that allows the MOD to make informed decisions on such issues as the conduct of extant competitions or negotiations, future contract award and other such issues. The contractual obligation does, however, provide an important indicator as to whether a company satisfies the first condition of the notification obligation as set out.

DEFCON 566 can be found within the Commercial section of the Knowledge in Defence guidance. To access the website, interested parties must register via the KiD portal - which is a free and straight-forward process.


Energy

Energy is a diverse sector that is rapidly developing to deliver the UK’s 2050 net zero goal. The energy sector produces and uses a wide range of products and services in its operation and new and innovative technologies are being integrated all the time.

The government believes that there are certain areas within the sector that are sufficiently sensitive that they should be included in the mandatory notification requirement. The regulations covers upstream oil and gas, downstream gas, downstream oil and electricity entities.

Am I in scope of the Energy part of the regulations?

The regulations cover:

  • upstream oil and gas
  • downstream gas
  • electricity
  • downstream oil

Upstream oil and gas

The Upstream Oil and Gas sector refers to companies involved with upstream petroleum facilities - upstream petroleum pipelines (including subsea pipelines), terminals and infrastructure necessary to a petroleum production project. A “petroleum production project” means a project carried out under a relevant licence (for example under section 3 Petroleum Act 1998) to search for, bore for and get petroleum (i.e. oil and gas).

You are legally required to submit a mandatory notification if the qualifying entity carries on at least one of the following activities onshore in the UK:

  • it owns an upstream petroleum facility
  • it operates an upstream petroleum facility
  • it develops an upstream petroleum facility (for “new” facilities only, that is those still being constructed, or which only began operations less than 12 months before the date of the proposed acquisition)
  • it enables the operation of an upstream petroleum facility
  • it enables the development of an upstream petroleum facility (for “new” facilities only) or
  • it holds a Petroleum Act licence for an upstream petroleum facility (under s3 of the Petroleum Act 1998 or s2 of the Petroleum (Production) Act 1934)

In each case, the relevant facility must also:

  • meet the 3,000,000-tonne throughput threshold (see below) and
  • be either:
    • onshore in the UK
    • offshore and used in connection with the supply of oil and gas to people in the UK

Calculation of the throughput thresholds for Upstream oil and gas

If the qualifying entity you are acquiring has a throughput of more than 3,000,000-tonnes in their facility for the 12 months calculated as below, you are legally required to submit a mandatory notification to the government.

The throughput threshold for existing facilities is calculated over the 12 calendar months preceding the month in which a person gains control.

The throughput threshold for “new” facilities is calculated by the expected throughput in its first 12 calendar months of operation.

Example

Facility A is owned by Company A and began operating 3 years ago. Facility A is therefore an “existing” facility. Someone intends to acquire Company A on 15 June this year. The throughput of Facility A would be assessed for the period between 1 June of the previous year and 31 May of this year.

Downstream gas

Downstream Gas activity refers to the onshore processing, transportation or distribution of gas across Great Britain (GB) (but not Northern Ireland). It contributes, either directly or indirectly, to the supply of gas to domestic and/or commercial properties.

You are legally required to submit a mandatory notification if the qualifying entity you are acquiring does any of the following. The qualifying entity:

  • holds a Transmission licence or exemption under the Gas Act 1986: this captures owners and operators of GB’s gas transmission network
  • holds a Distribution licence or exemption under the Gas Act 1986: this captures the owners and operators of GB’s Gas Distribution Networks (GDNs)
  • holds a Gas Interconnector licence or exemption under the Gas Act 1986: this captures the owners and operators of gas interconnectors. For these purposes, a gas interconnector means any pipeline used to transfer gas between GB and another country or territory
  • owns or operates a gas processing facility: this captures the operators and owners of onshore facilities in GB that treat imported gas and bring it within the prescribed quality specifications for safe use in homes and businesses. This only applies if the gas processing facility has the technological capacity to carry on gas processing operations in relation to greater than 6 million cubic metres of gas per day
  • owns or operates a Liquefied Natural Gas (LNG) import or export facility: this captures the owners and operators of onshore terminals in GB which are used for the importation, offloading, re-gasification or export of Liquid Natural Gas. This only applies if the export facility which has the technological capacity to carry on the importation, regasification or liquefaction of greater than 6 million cubic metres of gas per day

Example

Company B plans to acquire Company C. Company C operates a gas processing facility in the East of England. The facility is able to process up to 10 million cubic metres of gas per day. Therefore, Company C’s facility has the technological capacity to carry on gas processing operations in relation to greater than 6 million cubic metres of gas per day. Company B must submit a mandatory notification to government.

Electricity

Electricity activity refers to the onshore and offshore generation, storage, aggregation, transmission or distribution of electricity across GB (but not Northern Ireland). It contributes, either directly or indirectly, to the supply of power to homes and business.

You are legally required to submit a mandatory notification if the qualifying entity you are acquiring holds any of the following types of licence or exemption under the Electricity Act 1989:

  • a transmission licence or exemption: this captures owners and operators of GB’s electricity transmission networks which transport electricity from onshore or offshore generators to onshore substations, regional distribution networks or directly to large industrial users
  • a distribution licence or exemption: this captures the owners and operators of GB’s Electricity Distribution Networks, which transport electricity from the transmission network to domestic and commercial properties. It includes smaller networks owned and operated by Independent Distribution Networks Operators (IDNOs) which are located within the areas covered by the larger distribution networks
  • an interconnector licence or exemption this captures the owners and operators of electricity interconnectors that allow the transfer of electricity across GB borders, or
  • a Generation licence or exemption this includes all technology types capable of generating or storing electricity for the purpose of enabling supply

You are also legally required to submit a mandatory notification if the qualifying entity you are acquiring conducts the following activity:

  • aggregates electricity this activity includes combining multiple customer loads or generated electricity for sale, purchase or auction in the electricity market of GB

The mandatory notification requirement only applies to substantial generators or aggregators of electricity. These activities are therefore subject to the following thresholds:

  • the qualifying entity you are acquiring owns or operates a single generating asset (onshore or offshore) with a capacity of 100MW or more or
  • you, your group companies and the qualifying entity you are acquiring together have a cumulated generation or aggregation capacity of 1GW or more

Example

Company D holds a generation licence and owns several power generating assets in Wales with a total generation capacity of 800MW. Company E manages the demand of 500MW of customer load for sale in the GB electricity market. Therefore, Company E is carrying on aggregation. The combined “relevant capacity” of Company D and Company E is 1,300MW which is greater than one gigawatt. A mandatory notification must be submitted to the government if Company D acquires Company E or if Company E acquires Company D.

Downstream oil

Downstream oil sector activity is that which is carried out in the UK and which contributes, either directly or indirectly, to the supply of crude oil-based fuels to UK consumers.

You will be legally required to submit a notification if the qualifying entity you are acquiring meets all the following three requirements:

  • it supplies petroleum-based road, aviation or heating fuels (including liquefied petroleum gas) to persons in the UK
  • it carries on any downstream oil activity, i.e. any one of import, storage, production, distribution or delivery of oil and / or certain oil products
  • the qualifying entity or its facility meet the relevant capacity threshold

Each of the 3 requirements are detailed below.

Supply of petroleum-based fuels to persons in the UK

The qualifying entity you are acquiring must supply petroleum-based road, aviation or heating fuels (including liquefied petroleum gas) to entities or individuals in the UK. This includes qualifying entities not based in the UK that supply petroleum-based fuels to entities or individuals in the UK.

Downstream oil activities

The qualifying entity you are acquiring must conduct one or more type of downstream oil activity, which are defined as the following:

  • import of any of crude oil, intermediates, components and finished fuels. This includes but is not limited to the importation of crude oil, intermediates, components and finished fuel into the UK via oil refineries or terminals
  • storage of any crude oil, intermediates, components and finished fuels
  • production of intermediates, components and finished fuels through refining or blending processes. This includes activities such as the conversion of crude oil or oil feedstocks into finished products through large scale processing plants (including refineries)
  • distribution of petroleum-based fuels to storage sites. This includes the transport of petroleum-based fuels by road through road tanks, by sea or via waterways, via rail and via the network of underground pipelines across the UK
  • delivery of petroleum-based fuels to retail sites (for example forecourts), airports or end users. This will primarily be conducted in road tankers, generally by haulage firms, but can also include other means of delivery

Capacity threshold

The qualifying entity you are acquiring must also:

  • have a capacity in excess of 500,000 tonnes, that is, have carried out any downstream oil activity in the UK in relation to 500,000 tonnes or more of oil in at least one of the 3 calendar years before the acquisition
  • or own a facility in the UK that has capacity in excess of 50,000 tonnes, that is, a facility that was used for any downstream oil activity in relation to at least 50,000 tonnes of oil in at least one of the 3 calendar years before the acquisition

Examples

Company F intends to gain control of Company G. Company G supplies petrol to the UK market. To determine whether a mandatory notification is required you need to look at the volume of petrol handled in the UK by Company G over a 3-year period:

  • in 2020, it imported 300,000 tonnes of finished fuel
  • in 2021, it imported 400,000 tonnes of finished fuel and produced a further 200,000 tonnes of finished fuel through blending
  • in 2022, it imported 100,000 tonnes of finished fuel

In 2021, Company G therefore had a capacity of 600,000 tonnes, so a mandatory notification must be submitted.

Military and Dual-Use

Military and dual-use items can, in the wrong hands, pose immediate and direct threats to the UK.

Military items are goods, software and technology (including for example documents and diagrams) and include arms, military and paramilitary equipment used for a military purpose. Dual-use items are goods, software and technology which can be used for both civil and military applications. Dual-use items can range from raw materials to components to complete systems, for example aluminium alloys, bearings, or lasers. Dual-use items could also be used in the production or development of military goods or chemical, biological or nuclear weapons, for example machine tools, chemical/manufacturing equipment and computers.

The Military and Dual-use part of the regulations purposefully relates to goods and technology which are already ‘controlled’ due to their military or dual-use characteristics under the export control regime.

The Department for Business and Trade maintains the Strategic Export Control Lists, which form the basis for determining whether any products, software or technology intended for export are ‘controlled’ and therefore require an export licence. A “Consolidated list of strategic military and dual-use items that require export authorisation”’ can be found on the gov.uk website (see link below). It is compiled from several lists of controlled goods from a number of legislative sources.

Am I in scope of the Military and Dual-use part of the regulations?

You are legally required to submit a mandatory notification if you are seeking to acquire a qualifying entity that researches, develops or produces restricted goods or technology that are controlled by the aspects of the export control legislation which concern national security controls.

The relevant lists are:

  • UK Military List [taken from Schedule 2 to the Export Control Order 2008]
  • UK Dual-Use List [taken from Schedule 3 to the Export Control Order 2008]
  • UK Radioactive Sources List [taken from the Schedule to the Export of Radioactive Sources (Control) Order 2006]
  • Dual-Use List [taken from Annex I to Council Regulation (EC) No. 428/2009].

You do not need to submit a mandatory notification if the activities of the qualifying entity concern goods or technology which appear on the Human Rights Strategic Export Control Lists and the Non-Military Firearms List - unless they also appear on the Military and Dual-Use Lists.

Technology

The Military and Dual-Use regulations adopt the definition of technology which is used within the export control regime.

Technology means specific ‘information’ necessary for the development, production or use of goods or software.

‘Information’ may take forms including, but not limited to: blueprints, plans, diagrams, models, formulae, tables, ‘source code’, engineering designs and specifications, manuals and instructions written or recorded on other media or devices (for example disk, tape read-only memories).

‘Source code’ (or source language) is a convenient expression of one or more processes which may be turned by a programming system into equipment executable form.

‘Information’ is not Restricted Technology where it is in the public domain, i.e. when it is realistically accessible to a member of the general public.


Quantum Technologies

The increasing understanding and control of what are known as ‘quantum effects’ (for example superposition and entanglement) are leading to a new wave of advances in areas such as sensing, data transmission and encryption, timing and computing that have significant civil, defence and national security applications. These are often referred to as ‘second generation’ quantum technologies.

All areas of second generation quantum technology production and development are of potential importance for national security. This is predicated on the dual-use potential that all quantum technologies hold.

Am I in scope of the quantum technologies part of the regulations?

To determine if the qualifying entity you are seeking to acquire is in scope of the quantum technologies part of the regulations, you need to consider whether the qualifying entity develops or produces a quantum technology.

If the qualifying entity you are seeking to acquire is in scope then you are legally required to submit a mandatory notification to the UK government.

For the purposes of these regulations, development and production mean as follows:

  • development’ means all stages prior to production, including design, design research, design analyses, design concepts, assembly and testing of prototypes, pilot production schemes, design data, process of transforming design data into goods or software, configuration design, integration design, layouts and
  • production’ means all production stages, including product engineering, manufacture, integration, assembly (mounting), inspection, testing and quality assurance

Quantum technologies’ employ the mathematical theory of quantum mechanics to describe the physical world and process information in new ways. Quantum technologies cover the following technology groups:

  • quantum communications
  • quantum connectivity
  • quantum imaging, sensing, timing or navigation
  • quantum resistant cryptography
  • quantum information processing, computing or simulation

Quantum communications

This includes:

  • transmitting information using quantum effects, such as superposition (the fundamental principle of quantum mechanics allowing a single quantum property to be in more than one quantum state at the same time), entanglement (when two quantum objects – an object at the atomic scale which is described by the physical laws of quantum mechanics, such as an electron or photon - are entangled together, their state can only be described as a whole system not for the components separately), or conjugate variable technologies (technologies that store, process or transmit information using the quantum effect of conjugate variables, meaning pairs of variables which are subject to the uncertainty principle in quantum mechanics)
  • using a communication network to send information that is encoded in a quantum state (a mathematical representation of a physical system, such as an atom, that provides the basis for processing quantum information)
  • the use of quantum effects to create and send a digital key that can then be used to encrypt data, as well as to create truly random (i.e. unpredictable) numbers to secure and authenticate data

Quantum connectivity

This covers the preservation of a quantum superposition state (see definition above) as it is shared between separate devices. In this context, coherence refers to the time a quantum superposition state can survive before beginning to degrade.

Quantum imaging, sensing, timing or navigation

This includes devices that use quantum effects to offer, for example, increased resilience, enhanced situational awareness, higher sensitivity, accuracy and speed, to perform a function. This function could include:

  • creating images of objects
  • sensing the size, shape or movement of an object
  • establishing the location of and guide objects
  • providing a timing signal

In the case of imaging, ‘the phase or amplitude properties of quantum mechanics’ refers to the measurement of the properties of the wave-like characteristics of quantum objects – such as an electron or a photon. Quantum imaging includes ‘sub-Poissonian sources or detectors’, which are quantum light sources such as those capable of emitting single photons, or detectors (devices capable of detecting single photons and their properties).

Quantum information processing, computing or simulation

This covers systems that harness quantum effects to perform computation. This includes all levels or layers of software (operating system, system utilities, development tools and software tools, e.g. mathematical functions) as well as quantum emulation (a classical computer representing the operation of a quantum computer) and the hosting of quantum computing as a cloud-based service.

Quantum resistant cryptography

This covers methods of securing information or data with the purpose of protecting against the threat of quantum computers to break current encryption techniques.

If you are seeking to acquire a qualifying entity that ‘develops’ or ‘produces’ one of the above quantum technologies, then you are legally required to submit a mandatory notification to the government

Example 1

Company A is considering acquiring company B, which designs and builds quantum sensors for the purposes of underground surveying. Company A is required by law to notify the government of this acquisition, as company B is a qualifying entity that develops and produces a specified quantum technology.

What is not in scope of the Quantum Technologies part of the regulation?

If you are seeking to acquire a qualifying entity which fits into the following, then you are unlikely to fall within the scope of the mandatory notification requirement in relation to quantum technology:

  • an entity undertaking solely fundamental research into quantum information science
  • an entity which uses use quantum goods or services provided by others, without having played a part in developing or producing the technology. For example, an energy company that purchases a quantum sensor to detect emissions of greenhouse gases
  • an entity that supplies a component for use in a quantum technology system, for example a company that provides a dilution refrigerator for use in the development of quantum computing technology. Please note, however, that the Advanced Materials regulations capture technology with relevance to quantum, such as photonics and semiconductors. You are advised to review the Advanced Materials guidance

Example 2 Company A, a pharmaceutical company, is developing a new drug. It procures the services of Company B to access its quantum computer to speed up the processing of information. If Company C acquires Company A at a future date, it would not be required by law to notify the government as Company A would in scope of mandatory notification.

Example 3

Company A, a bank, employs the services of Company B, a quantum company, to explore the use of quantum computing technology to improve its operations. Company A has an in-house team that is tasked with developing an algorithm to run on a quantum computer to help speed up financial trading. If Company C acquires Company A at a future date, it would be required to notify the Government, as Company A has played a role in the development of a quantum technology (namely quantum algorithms that enable the functionality of the overall system).


Satellite and Space Technology

Space is a rapidly developing sector that delivers a broad range of services and capabilities. By nature, all space-based services have crossover and affect other Critical National Infrastructure (CNI) sectors. The range of products and technologies available can vary hugely depending on the service (for example, earth observation, position, navigation, and timing).

The ease with which satellite and space technology can be used for both civilian and military purposes – either in the UK or internationally – is a growing concern and is something that the government will continue to monitor closely. This concern is nuanced, and the main issue is the potential for adversaries to use what seem to be predominantly civil capabilities to meet military objectives.

Am I in scope of the Satellite and Space Technology part of the regulations?

‘Carrying on activities’ in the Satellite and Space Technology part of the regulations means the qualifying entity you are acquiring is carrying on activities that consist of or include operating, developing, producing, creating, or using any of these activities:

  • space debris management
  • in-orbit activities
  • satellite communication links
  • secure facilities
  • manufacture or testing
  • space-derived data for any defence purpose
  • space infrastructure operational control facilities
  • provision or processing of space situational awareness data (SSA)

Space debris management

This includes ‘clean-up services’ - sending an object into outer space to remove or manage space debris or using an object that is already in outer space to remove or manage space debris.

In-orbit activities

This covers servicing and robotic activities carried out while the satellite is in orbit. This includes:

  • making satellites that are already in orbit last longer (for example, by repairing or refuelling them)
  • inspection services (for example, checking a satellite to see what condition it is in)
  • performing maintenance
  • moving a satellite while it is in orbit
  • any technology or system that could be used to disrupt, change or interfere with other satellites. Changing a satellite includes, but is not limited to, repairs, relocation and refuelling of a satellite

Satellite communications links are the links that enable and facilitate communication between various objects in space and from space to earth. This includes radio frequency and optical links. Optical links are communications links that provide a data connection between two points and that use optical (light) signals instead of traditional radio frequencies. Satellite communications links are provided:

  • between satellites that are in orbit
  • between spacecraft and satellites that are in orbit
  • between satellites and celestial bodies (for example the Moon and Mars), or
  • from earth to outer space, and from outer space to earth

Secure facilities

Secure facilities (including secure ground infrastructure, such as command-and-control stations and ground sites, and secure systems) are required for the smooth operation of satellite and space technologies. Any of these secure facilities and systems that relate to space activity or sub-orbital activity, or to services that are derived from space activity, are in scope of the mandatory notification requirement.

Any operation or maintenance of the capability of these secure facilities is covered by mandatory notification. Capability covers anything that ensures the safe and secure access to services that are derived from space activity. For example, services such as general cleaning services would not be in scope, because they would not contribute to maintaining the secure nature of the facilities – but control rooms would be, because they provide and maintain the secure capability of the facilities that allow secure access to services derived from space activity.

‘Space activity’ has the same meaning as set out in section 1(4) of the Space Industry Act 2018.

Manufacture or testing

If the qualifying entity you intend to acquire is involved in testing or manufacturing any of the below, then you are legally required to submit a mandatory notification. This includes the manufacturing or testing of:

  • spacecraft (the meaning of which can be found in Section 2(6) of the Space Industry Act 2018)
  • launch vehicles
  • satellites
  • planetary probes (spacecrafts that explore outer space and planets/bodies other than Earth – for example the Moon or Mars)
  • orbital stations (space stations), or
  • ground support equipment (ground support means all ground-based parts of a spacecraft system – so for example, ground stations or launch facilities)

Included are any materials, component parts or materials used for the manufacturing and/or testing of any of the items listed above.

‘Testing’ means that the qualifying entity provides quality assurance assessments of equipment or systems for space activity (including engines, component parts, radio frequency, software and systems), launch site equipment and facilities and equipment and facilities for the transport of satellites, launch vehicles or their major parts between sites.

Space-derived data for any defence purpose

Space-derived data are data that are obtained from space activity, or from ground stations that receive data from outer space, or from both space activity and ground stations receiving data from outer space, and include:

  • position, navigation and timing services
  • earth observation
  • space situational awareness (which includes space surveillance tracking, space weather monitoring and forecasting, mapping or detection of near-earth objects and space debris)
  • telecommunications
  • signal intelligence (this means the gathering of intelligence through the interception of signals – for example, through radar or electronic systems)
  • remote sensing (this is the science of gathering data about objects (for example, satellites or planetary bodies) from a distance using remote sensors)
  • research and development

If the qualifying entity that you are seeking to acquire uses space-derived data for defence purposes, then you are legally required to submit a mandatory notification. You must notify the government regardless of how you wish to use the data as an acquirer.

‘Defence’ has the same meaning that is given to it in the Official Secrets Act 1989 in Section 2(4).

Space infrastructure operational control facilities

If the qualifying entity you intend to acquire provides space infrastructure operational control facilities, then you are legally required to submit a mandatory notification. Here, ‘infrastructure’ includes:

  • command and control stations
  • ground stations, ground sites and ground segment equipment
  • software (which includes any analysis software)
  • information technology and telecommunications networks (including fibre cables)
  • uplink and downlink terminals (uplink is the portion of the link that transmits signals from earth to space, and downlink is from space to earth)
  • data processing and storage facilities (which includes databases)
  • satellites
  • technological systems or equipment that are deployed either in space or on earth

Provision/processing of space situational awareness data (SSA)

Space situational awareness includes:

  • the mapping or detection of near-earth objects and space debris
  • space surveillance and tracking
  • space weather monitoring and forecasting

If the qualifying entity you are seeking to acquire provides or processes any of these SSA data, either on earth, or by space activity, you are legally required to submit a mandatory notification.

You are also legally required to notify the government if the qualifying entity provides or processes SSA data for any of the following:

  • orbital or sub-orbital activity (the definition for which can be found in section 1(4) of the Space Industry Act 2018)
  • the mapping or detection of near-earth and space weather events
  • defence purposes

Suppliers to the Emergency Services

The emergency services are essential to the safety and security of citizens in the UK. They use a wide variety of tools, goods and services to achieve their goals. The government believes that there are certain services provided within the sector that are sufficiently sensitive that inclusion is justified in the mandatory notification requirement.

The government does not seek to include goods and services that, while important, are non-essential to the execution of key emergency service functions, such as general office supplies or non-emergency IT infrastructure.

Am I in scope of the Emergency Services part of the regulations?

If you are acquiring all or part of a qualifying entity that supplies the emergency services with one or more of the goods and services which are used for the operational delivery of that emergency service, you are legally required to submit a mandatory notification to the government.

The Emergency Services include:

  • Border Force
  • The British Transport Police Force
  • The Civil Nuclear Constabulary
  • a fire and rescue authority
  • the Ministry of Defence Police
  • the National Crime Agency
  • a police body, including a Police Force

Ambulance Service Providers are only covered in the sections that relate to electronic communications networks or electronic communications services.

Unmanned aircraft

If the qualifying entity you are acquiring provides unmanned aircraft, or drones, and their associated technology and equipment to the Emergency Services, then you are required to submit a mandatory notification to the government. Unmanned aircraft for these purposes means “any aircraft operating or designed to operate autonomously or to be piloted remotely without a pilot on board”.

This includes associated technologies such as (but not limited to):

  • Global Positioning Systems (GPS)
  • transmission equipment
  • cameras
  • software related to the control or operation of unmanned aircraft
  • remote controls
  • technology designed to detect, track and identify drones
  • equipment designed to disrupt the systems of unmanned aircraft

Unmanned aircraft, such as drones, supplied to the general public are not covered.

Firearms

This category covers firearms and ammunition that are subject to mandatory notification. The College of Policing has helpful summaries of the legal definition of firearms in the Authorised Professional Practice for Armed Policing.

If the qualifying entity you are acquiring provides any of the following you are legally required to submit a mandatory notification:

  • firearms, defined in section 57(1) of the Firearms Act 1968:
    • prohibited weapons
    • any equipment that attaches to firearms or has been designed to diminish the noise and the flash by firing the weapon, for example sound moderators (silencers) and flash suppressors.
  • ammunition, defined in section 57(2) of the Firearms Act 1968:
    • specialist munitions – including those designed to have a non-lethal effect on an individual, or those munitions where there is no designed effect on an individual, but collateral damage may occur

Items that are not covered include (but are not limited to):

  • telescopic truncheons
  • batons (straight, side-handled or friction-lock)
  • pepper sprays and other self-defence sprays

Other Goods and Services

If you are acquiring a qualifying entity that provides the below goods and services to the Emergency Services, you are legally required to submit a mandatory notification.

Maintenance and Supply

Supply, maintenance or support in the following categories:

  • Border Force vessels, including the supply of electronic aids to navigation, repairs and certification, and
  • unmanned aircraft, including any component, part or product of an unmanned aircraft as well as any electronic device relating to the unmanned aircraft

Entities that supply or maintain the following services are not covered:

  • any other marine vessels used by the emergency services
  • other emergency services vehicles including police vehicles, and
  • any parties who provide maintenance and repairs of unmanned aircraft for the general public are outside the scope of the regulations

Fuel cards

You are legally required to submit a mandatory notification if the qualifying entity you are acquiring supplies any card to the emergency services which is specifically designed to enable the holder to pay for fuel, discharging their obligation to a supplier of fuel in respect of payment for that fuel with the supplier being reimbursed by a third party.

Security access to buildings

You are legally required to submit a mandatory notification if the qualifying entity you are acquiring provides an access control system to a building used by the emergency services.

This could be in the form of (but is not limited to):

  • pin access keypad
  • proximity card/card readers (key fobs)
  • fingerprints and other biometrics and
  • covert systems used to secure entry and egress from buildings.

Security alarms designed to detect intruders are not included.

Communications and Storage of Electronic Data

The emergency services use a variety of electronic systems which can be split into two broad categories:

  • electronic communications, which refers to any information sent between parties over a phone line or internet connection. This includes phone calls, faxes, text messages, video messages, emails and internet messaging
  • a range of physical infrastructure, cloud-based solutions and platforms that store electronic data

If you are acquiring a qualifying entity that supplies any of the following you are legally required to submit a mandatory notification:

  • a private electronic communications network that is used by the emergency service for the purposes of:
    • the prevention or detection of crime
    • fulfilling the functions of a fire and rescue authority
  • maintenance to a private electronic communications network that is used by the emergency service for the purposes of:
    • the prevention or detection of crime and
    • fulfilling the functions of a fire and rescue authority.
  • hardware, systems or platforms to facilitate the storage of electronic data, used exclusively or primarily by the emergency service for the purposes of:
    • the prevention or detection of crime
    • fulfilling the functions of a fire and rescue authority or
    • the storage of personal data, including personnel data.

This may include:

  • private networks, their connections and devices used by individual police force and law enforcement organisations’ systems, national policing systems and force-managed systems for the policing community
  • communication and processing devices and network infrastructure, including information exchange communication services
  • information systems and data centres
  • systems which hold and store local and national emergency services records and crime and intelligence records and
  • the resilience direct system, helplines, and email for assisting in crime investigation holding personal information.

The following are not covered:

Ambulance Service Providers

The only notification required in relation to Ambulance Services Providers is where a qualifying entity is acquired that supplies an Ambulance Services Provider with:

  • an electronic communications network or electronic communications service that:
    • is not a public electronic communications network or a public electronic communications service and
    • is used by the ambulance services provider for the purposes of fulfilling its functions
Contingency labour against strike action

If you are acquiring a qualifying entity which has a contract with a fire and rescue authority to provide frontline personnel in the event of a strike, then you are legally required to submit a mandatory notification.

The provision of any other contractual service to the emergency services during a strike is not included.


Synthetic Biology

Synthetic biology is a rapidly evolving and developing technology that delivers an increasingly broad range of services and capabilities. It has high dual use potential and overlaps with other Critical National Infrastructure (CNI) sectors. The range of products and technologies available varies hugely depending on the application.

Synthetic biology can be used for both civilian and military purposes. The challenge is identifying an offensive capability interest over legitimate industry and research. It is the capability that the synthetic biology technology may enable that decides a national security concern rather than the specific approach. Undertaking the activities listed in the scope section below may appear innocuous but given their dual-use potential, they could present a national security concern in the wrong hands. There are increasingly lower barriers to entry as the enabling technology and knowledge becomes more accessible, meaning that identifying offensive capabilities in the synthetic biology sector is a concern.

Am I in scope of the Synthetic Biology part of the regulations?

You are legally required to submit a mandatory notification if you are acquiring a qualifying entity that carries out any of the activities described in the regulations:

  • carrying out basic scientific research into synthetic biology
  • involved in the development of synthetic biology
  • produces goods using synthetic biology
  • uses synthetic biology to enable the degradation of materials, or
  • the provision of services that enable these activities

Synthetic biology is defined in the regulations as the process of applying engineering principles to biology to design, redesign or make biological components or systems that do not exist in the natural world.

Synthetic biology includes but is not limited to the following:

  • the design and engineering of biological-based parts of:
    • enzymes
    • genetic circuits and cells
    • novel devices and systems
  • redesigning existing natural biological systems
  • using microbes to template materials
  • cell-free systems
  • gene editing and gene therapy
  • the use of DNA for data storage, encryption, and bio-enabled computing. This includes approaches which may be adapted to permit cryptography. It also includes using nucleic acids as part of an overall computing system alongside, for example, silicon and quantum computing approaches

Definitions

“Basic scientific research” means experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts and not primarily directed towards a specific practicable aim or objective.

“Core” synthetic biology refers to those activities without which experiments cannot be conducted, such as DNA synthesis and cloning.

“Medicine” means:

  • any substance or combination of substances presented as having properties of preventing or treating disease in human beings or animals
  • any substance or combination of substances that may be used by or administered to human beings or animals with a view to:
    • restoring, correcting or modifying a physiological function by asserting a pharmacological, immunological or metabolic action
    • making a medical diagnosis

“Services” are the routine synthetic biology processes that are outsourced to specialist providers for completion before being re-integrated into the original workstream to assemble into an experiment or product. This includes making a specific strand of DNA or running a proprietary algorithm on a dataset but does not include maintenance of equipment.

Exempt activities in the Synthetic Biology part of the regulations

You don’t need to submit a mandatory notification if the qualifying entity you are seeking to acquire carries out activities in one of the following areas:

  • general services and servicing not related to core synthetic biology
  • the use of microorganisms to remove harmful contaminants, pollutants, and toxins from the environment (known as bioremediation), including bio-based reagents that allow for testing for contaminants
  • gathering clinical information for the purpose of making a clinical decision or making a diagnosis, known as diagnostics. However, the storage or ownership of sensitive human genetic information that enables the identification of an individual is not exempt and is in scope of mandatory notification
  • industrial biotechnology research, development and production using enzymes or organisms that have not been modified through the application of systematic biodesign techniques, including the approaches described in the synthetic biology definition
  • the production of substances ordinarily consumed as food or used as feed, including any ingredient or component thereof. However, delivery systems employing synthetic biology approaches to deliver compounds including chemicals, drugs or nucleic acids to multiple plants or animals in the environment simultaneously, are in scope of mandatory notification
  • gene therapy where it is used solely for the purpose of replacing missing or defective genes to restore phenotypes to achieve a therapeutic effect. However, the addition of new genes (beyond the replacement of missing or defective genes), and deleting or inactivating genes are not exempt
  • cell therapy where cells are modified by genetic engineering and then introduced into a patient to treat disease or
  • the ownership, including of intellectual property, or development of both human or veterinary medicines and immunomodulatory approaches that employ synthetic biology at any stage of development or production. However, these are not exempt from mandatory notification if they have a synthetic biology technology that could be employed or modified to produce and/or deliver:

For example, a company developing antibody-drug-conjugates would not be exempt from mandatory notification since these products contain highly potent toxins and use a linker technology that enable antibodies to deliver toxins to specific tissues. However, a company developing standard monoclonal antibody therapies would be exempt from submitting a mandatory notification.


Transport

The transport sector keeps the country moving and is an enabler of increased prosperity, security and a higher quality of life. Our transport sector therefore needs to be secure.

Only certain entities are sensitive enough to be subject to mandatory notification, therefore we have not included all transport-related entities. The transport part of the regulations focuses on key transport infrastructure in the maritime, aviation and air traffic control sectors. In some cases, the regulations supplement existing notification requirements under the existing regulatory regimes, in which notification to the government is already either a requirement or unavoidable due to public ownership.

Am I in scope of the Transport part of the regulations?

The regulations apply to:

  • ports and harbours
  • airports
  • air traffic control

Ports and harbours

You are legally required to submit a mandatory notification to the government if either:

  • the qualifying entity you are acquiring owns or operates a port or harbour in the United Kingdom that handled at least 1 million tonnes of cargo in the year preceding the year in which the acquisition is due to be completed, or
  • the qualifying entity you are acquiring owns and operates terminals, wharves or other infrastructure situated in a port or harbour in the United Kingdom that handled at least 1 million tonnes of cargo in the year preceding the year in which the acquisition is due to be completed

A port refers to an area of land and water made up of infrastructure, facilities, and equipment that permits the following activity:

  • the receiving and departing of ships
  • the loading and unloading of ships
  • the storage of cargo
  • the receipt and delivery of cargo, or
  • the embarkation and disembarkation of passengers, crew and other persons

A harbour refers to estuaries, navigable rivers, piers, jetties, and other works in, via or at which ships can obtain shelter or ship and unship goods or passengers. This meaning is set out in section 313(1) of the Merchant Shipping Act 1995.

Airports

You are legally required to submit a mandatory notification to the government if the qualifying entity you are acquiring owns or has overall responsibility for the management of an airport in the UK that handled either:

  • 6 million passenger movements or more in 2018, or
  • 100,000 tonnes of freight or more in 2018

To help assess whether your qualifying entity is in scope, you can:

2018 figures are used as a benchmark due to reduced demand for travel since 2020 due to the COVID-19 pandemic.

The definition of airport is the same as set out in section 66(1) of the Civil Aviation Act 2012. In summary an airport comprises an aerodrome which contains other land, buildings and structures used for the purposes of:

  • the landing and taking off of aircraft
  • the manoeuvring, parking, or servicing of aircraft
  • the arrival or departure of persons as passengers, together with their baggage
  • the arrival or departure of cargo
  • the processing of such persons, baggage, and cargo between their arrival and departure and
  • the arrival or departure of persons who work at the airport

The meaning of aerodrome is set out in section 105(1) of the Civil Aviation Act 1982. An aerodrome includes any area of land or water designed, equipped, set apart or commonly used for affording facilities for the landing and departure of aircraft.

For the purposes of the regulations the entities that are to be regarded as owning an airport are the company which owns the airport as well as any parent undertaking of that company. Parent undertaking has the same meaning as in section 1162 of the Companies Act 2006.

Air traffic control

You are legally required to submit a mandatory notification to the government if the qualifying entity you are acquiring either:

  • provides en route air traffic control services in the UK or
  • owns a provider of en route air traffic control services in the UK

A provider of these services will hold a licence for air traffic services under section 6 of the Transport Act 2000 and will be providing en route air traffic control services pursuant to that licence.

Air traffic control services, means the giving of instructions or advice to aircraft, whether in flight or on the manoeuvring area or apron of an aerodrome, for the purpose of: (a) preventing, or assisting in the prevention of, collisions between aircraft and (b) managing the flow of air traffic for the purpose of expediting and maintaining an orderly flow of air traffic. (See further the definition of air traffic control services in condition 1 interpretation and construction of the air traffic services licence for NATs (En Route) Plc).

For the purposes of the regulations the entities which are to be regarded as owning a provider of en route air traffic control services are the company which owns the provider as well as any parent undertaking of that company. As noted above parent undertaking has the same meaning as in section 1162 of the Companies Act 2006.