LegislationGB

National Security and Investment Act

UK law requiring mandatory notification and government approval for acquisitions in 17 sensitive sectors on national security grounds.

Last refreshed: 30 April 2026

Key Question

Can NSIA protect UK sovereign cryptography while permitting the Airbus–Ultra Cyber deal to close?

Timeline for National Security and Investment Act

#230 Apr

Airbus signs for Ultra Cyber from Cobham

Cybersecurity: Threats and Defences

View full timeline →

Common Questions

What is the UK National Security and Investment Act?: The NSIA 2021 (in force January 2022) requires mandatory notification before completing acquisitions in 17 sensitive sectors including defence, cryptographic authentication, AI, and data infrastructure. The government can call in deals for national security review within 30 working days.Source: UK Government / Cabinet Office
Does the Airbus acquisition of Ultra Cyber require NSIA approval?: Yes. Ultra Cyber operates in the cryptographic authentication sensitive sector under the NSIA, providing MoD-cleared sovereign cryptography. Airbus, as a non-UK acquirer, must obtain government clearance. PRA and MoD review processes are the parallel gating events.Source: Lowdown
Which sectors require mandatory notification under NSIA in the UK?: The 17 NSIA sensitive sectors include: AI, advanced materials, advanced robotics, civil nuclear, communications, computing hardware, cryptographic authentication, data infrastructure, defence, energy, military and dual-use, quantum technologies, satellite and space, synthetic biology, transport, suppliers to government, and suppliers to emergency services.Source: UK Government
Has the UK government blocked any foreign acquisitions under NSIA?: The most prominent intervention was Newport Wafer Fab in 2023, where Nexperia was ordered to divest 86% of its UK semiconductor business. Most called-in transactions since 2022 have been cleared subject to conditions rather than blocked outright.Source: UK Government / Cabinet Office

Background

The National Security and Investment Act 2021 (NSIA) came into force on 4 January 2022, giving the UK Government the most expansive foreign investment screening powers it has held since nationalisation-era legislation. The Act applies to 17 sensitive sectors: advanced materials, advanced robotics, AI, civil nuclear, communications, computing hardware, critical suppliers to government, cryptographic authentication, data infrastructure, defence, energy, military and dual-use, quantum technologies, satellite and space technologies, suppliers to the emergency services, synthetic biology, and transport. Acquirers of entities active in these sectors must give mandatory notification to the Investment Security Unit (ISU) within the Cabinet Office (formerly BEIS/DBT) before completing a transaction; the government then has 30 working days to call in a deal for a national security assessment, extendable to 75 working days for complex cases.

The Act has been used across a broad range of deal types. The Newport Wafer Fab unwinding in 2023 (Nexperia ordered to divest 86% of acquired shares) established precedent for retrospective intervention. Telecoms, semiconductor, and data infrastructure deals have all attracted call-in notices. The cryptographic authentication sector definition is deliberately narrow: it covers entities providing cryptographic software, hardware, or services to UK Government bodies — meaning not all cybersecurity companies are in scope, but those whose products underpin government communications or infrastructure are. NSIA has been exercised over 100 times since commencement, with the majority of called-in transactions cleared subject to conditions rather than blocked outright.

In April 2026, Airbus signed a definitive agreement to acquire Ultra Cyber from Cobham, bringing UK Ministry of Defence sovereign cryptography and cyber-defence programme work under French-headquartered European defence prime ownership . The transaction is a live NSIA test case: Ultra Cyber operates directly within the cryptographic authentication sensitive sector, its programmes are MoD-cleared, and the acquirer is a non-UK entity from an EU ally state. The Prudential Regulation Authority and MoD clearance reviews are the gating events; NSIA call-in is the parallel government-level screening. The deal will establish whether NSIA's protections for sovereign cryptography capabilities can accommodate strategic European defence consolidation, or whether they require the acquirer to ring-fence UK-classified work under a separate legal entity.

Source Material

National Security and Investment Act 2021 — legislation.gov.uk National Security and Investment Act — UK Government

How the World Sees Them

UK Parliament

Cross-party concern about selling MoD-cleared cryptography to a non-UK entity, even an EU ally. The deal's treatment will shape how Parliament reads NSIA's effective scope in the defence-prime consolidation cycle.

Defence industry (BAE Systems, Cobham)

NSIA's mandatory notification regime adds 2-4 months to deal timelines in sensitive sectors. For Cobham, a strategic divestiture of a cleared cyber subsidiary to a European prime represents market consolidation under government scrutiny.

Foreign investors (Airbus, European primes)

Airbus's willingness to submit to NSIA process signals that European defence consolidation can proceed within UK regulatory constraints, though conditions may require UK legal entity separation for classified work.

UK Cabinet Office / Investment Security Unit

The Airbus–Ultra Cyber deal is the highest-profile cryptographic-sector test of NSIA since Newport Wafer Fab. A cleared-with-conditions outcome would demonstrate that European allies can acquire UK sovereign capability under a structured ring-fence.