error
Subscriptions are not available for this site while you are logged into your current account.
close
Skip to main content
Submit RFP

      Introduction

      On 12 March 2026, the UK Government issued its formal response to the proposed changes to the sectors in scope under the National Security and Investment Act 2021 (NSIA) and accompanying regulations. The proposed changes, which will be made by secondary legislation issued later this year will see an uptick in the number of sectors currently covered by the regime - increasing from 17 to 19 sectors in total. The Government’s response follows the proposed changes which were set out in the 12-week consultation which concluded in October 2025.

      The NSIA is a broad regime which provides the UK Government with the tools to review transactions (both third party M&A and reorganisations) which it considers could constitute a national security risk. In particular, the regime imposes a mandatory notification obligation on businesses that fall in one or more of the (current) 17 sectors set out in the National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021 (NAR). Failure to obtain clearance where a mandatory notification is triggered can result in significant penalties (financial and criminal) as well as risking the validity of the transaction itself.

      Lisa Navarro
      Lisa Navarro

      Head of Regulatory Law, KPMG Law

      KPMG in the UK

      The proposed changes to the NAR are intended to clarify the rules, focus the regime more effectively on genuine national security risks, and reduce notifications that do not raise substantive concerns. They are also designed to improve overall efficiency by cutting down on unnecessary filings in the relevant sectors, given that fewer than 5% of the 1,143 notifications submitted under the NSIA in 2024-25 were called in for further review (a full breakdown of the notification statistics is available in the latest NSIA annual report, which is available here).

      However, questions remain as to whether these aims will be achieved in practice. For instance, the opportunity to remove internal reorganisations from the scope of the regime (see press release) has been missed. Whilst the scope of some sectors has been refined, a new sector has been added (water) and Critical Minerals will form its own schedule. This will increase the number of mandatory sectors to 19.

      • Water (new)

        Water will be included as a new notifiable sector. The government intends to include New Appointments and Variations in scope with a minimum size threshold, such that only larger businesses will be covered. Only a handful (1-5) notifications are anticipated under this schedule per year. 

      • Critical minerals (new / re-scoped)

        Critical Minerals will be carved out from the existing Advanced Materials schedule to create a standalone sector. The list of critical minerals will be harmonised with the Critical Mineral Intelligence Centre’s latest criticality assessment. The schedule will also specify which activities are relevant to critical minerals, adding new definitions for exploration, extraction, processing and recycling into the new schedule. The Government expects approximately 1-10 more notifications under this schedule per year.

      • Semiconductors (new / re-scoped)

        Semiconductors will be merged with the computing hardware schedule to create a standalone semiconductor schedule. The Government will seek to clarify how ‘packaging’ is defined and make it clear that the provision of all designs, materials, parts or products that are qualified or certified are covered. The number of notifications is expected to remain the same.

      • Artificial Intelligence (AI) (rescoped)
        • the AI schedule will be narrowed such that “low-risk” uses of AI are not captured. As a result, the revised draft regulations will:
        • exclude the use of non-consumer AI systems for routine business activities;
        • exclude the use of licensed third-party AI systems; and
        • exclude certain modifications made to AI systems and testing of AI systems as part of routine business deployment activities and IT policies.

        AI was the fourth highest sector in 2024/2025 under which a notification was submitted. The Government expects the change to result in 1-10 fewer notifications per year.

      • Communications (rescoped)

        the schedule is being refined with respect to how the turnover threshold is applied (and indeed, disapplied, with respect to certain services). The Government expects there to be approximate 1-5 fewer notifications per year. 

      • Critical suppliers to government (rescoped)

        changes will be applied to the scope of services that can trigger a notification requirement, adding five new notifiable services: accounting or financial services, facilities management, human resources or recruitment, IT or security. The list of departments in scope will however be amended by way of reference to a list of 24 government departments (which is currently listed in the Data Infrastructure Schedule). Of the notifications made last year, critical suppliers to government made up approximately 20% of all notifications – and the  government anticipates the proposed changes will increase the number of notifications overall. 

      • Data infrastructure

        the data infrastructure schedule was previously tied to the provision of services to a list of government departments. Under the revised rules, this requirement will be removed (particularly as the services should be captured under the critical suppliers to government schedule). The list of services has also been expanded to include third party operated data centres, including data processing and storage facilities, in addition to those offering peering/interconnection or subsea cable connections. This includes cloud service providers and manages service providers. Whilst a materiality threshold was considered, the government has ultimately determined that could exclude mission critical providers. The Government expects approximately 1-10 more notifications under this schedule per year.

      • Energy

        the energy schedule will be updated to add provisions in multi-purpose interconnectors and large cumulative capacity threshold. The Government does not expect the changes to impact the number of notifications in scope.

      • Suppliers to the Emergency Services

        the government has added an additional element to the schedule such that sub-contractors that hold a certain level of security clearance (NPPV2 or higher). The Government expects approximately 1-10 more notifications under this schedule per year.

      • Synthetic biology

        the Government has proposed clarifications and simplifications to the schedule. The number of businesses in scope should remain unchanged but decrease the volume of notifications.

      The Government expects to lay the secondary legislation before Parliament later in 2026, with the reforms coming into force thereafter.

      These proposed changes reinforce that whilst the objective of the NSIA is to scrutinise and manage security-related risks, the net cast by Government to find the ‘problem’ transactions is a wide one. These reforms will not change the reality that for many businesses engaging in M&A, or simply restructuring internally, NSIA screening and notifications will remain a key part of transaction planning for the foreseeable future.

      For further information on the application of the NSIA regime, or support with screening or notifications, please reach out to Lisa Navarro or Annalie Grogan.

      Our legal insights

      Something went wrong

      Oops!! Something went wrong, please try again
      MTD TEST

      Get in touch

      Discover why organisations across the UK trust KPMG to make the difference and how we can help you to do the same.

      Contact us