The NSI Act 2021 is a self-contained, sector-agnostic foreign-investment-screening regime that deliberately decoupled national-security review from the general public-interest merger-control regime in Part 3 of the Enterprise Act 2002. Section 22 of the NSI Act amended the Enterprise Act so national security ceases to be a public-interest consideration triggering intervention notices in CMA mergers; instead, every transaction with a national-security dimension is funnelled into the NSI process, and SI 2021/1465 preserved Enterprise Act 2002 cases that were already underway when commencement took effect on 4 January 2022.
The regime operates on two parallel tracks. The MANDATORY track captures acquisitions of control over qualifying entities that carry on activities within the 17 sensitive sectors specified across Schedules 1-17 of SI 2021/1264 (advanced materials, advanced robotics, AI, civil nuclear, communications, computing hardware, critical suppliers to government, cryptographic authentication, data infrastructure, defence, energy, military and dual-use, quantum, satellite and space technologies, suppliers to emergency services, synthetic biology, transport). Non-notification renders the acquisition void as a matter of law and exposes parties to criminal offences and civil penalties up to the higher of £10 million or 5% of worldwide turnover, with turnover calculated under SI 2021/1262 on a controlled-business basis that aggregates parent and subsidiary turnover and applies bespoke rules for credit institutions, financial institutions and insurance undertakings. The VOLUNTARY track allows parties to notify any acquisition (within or outside the 17 sectors) where they are concerned the call-in power under s.3 may be exercised, with a five-year retrospective call-in window for non-notified transactions.
The doctrinal architecture layers on top of pre-existing UK regimes rather than displacing them. Acquisitions can simultaneously trigger CMA merger review under the Enterprise Act 2002, FCA/PRA change-in-control approvals under FSMA 2000 Part XII, Ofcom or Ofgem licence-transfer consents, and (in the nuclear sector) Nuclear Site Licence transfer approvals under the Nuclear Installations Act 1965. The Cabinet Office-CMA MoU formalises how parallel-filing cases are coordinated; comparable formal arrangements for other regulators are not visible in the corpus. The regime also overlays sector-specific export-control regimes (Export Control Order 2008) and, in defence supply-chain cases, List X security clearance regimes — Schedule 7 of SI 2021/1264 specifically captures critical suppliers to government holding SECRET/TOP SECRET material or with List X accreditation.
Decision-making sits with the Secretary of State, but the May 2023 Transfer of Functions Order (SI 2023/424) made all NSI functions concurrently exercisable with the Chancellor of the Duchy of Lancaster, formalising the Investment Security Unit's relocation from BEIS to the Cabinet Office. The s.3 statement (refreshed May 2024) sets out three families of risk factors — target risk, acquirer risk, control risk — that frame public expectations of how the call-in power will be exercised, without binding the Secretary of State to a closed list.
What the regime does NOT do is equally important. It does not impose a foreign-ownership prohibition or a country-of-origin filter (the regime is deliberately agnostic of nationality, endorsed by the Foreign Affairs Committee's July 2021 report). It does not pre-clear transactions for competition purposes — CMA review continues to run in parallel. And it does not capture corporate restructurings that fall below the s.8 control thresholds even where the underlying activities sit in the 17 sectors.