chones - stock.adobe.com

The National Security and Investment Act: What datacentre operators and investors need to know

The incoming National Security and Investment Act will give the UK government enhanced powers to pre-screen and intervene on datacentre M&A deals, prompting concerns it could dampen the sector's soaraway growth rates

Industry watchers are already predicting another record-breaking year of take up for the European datacentre market, as demand for colocation capacity – particularly in London – continues to soar.

As is the often the case for any market that is going through a sustained period of productivity and growth (as the UK datacentre sector certainly is), any shift in the legislative or economic landscape that could potentially disrupt the status quo is bound to be greeted with caution. And that is certainly the case for the UK government’s incoming National Security and Investment Act.

This new law is set to come into effect later this year. It will give the UK government greater powers to intervene and pre-screen business transactions involving domestic and overseas investors on national security grounds. And data infrastructure providers are among the firms included within its scope.

The act secured Royal Assent in late April 2021, and could be subject to further tweaks before it officially comes into force later this year, but it is already dividing opinion among market watchers about how disruptive it could be for datacentre investors and operators.

Real estate consultancy CBRE saw fit to briefly flag a concern about the potential impact the act could have on datacentre merger and acquisition (M&A) activity in London in its most recent quarterly update on the state of the European colocation market.

Technology trade body TechUK has suggested that the act’s pre-screening elements could have a “chilling effect” on the UK’s high-growth tech market as a whole, and create unnecessary delays to business transactions involving datacentre operators.

The onset of the Covid-19 pandemic resulted in many operators seeing the lead times on their new datacentre builds lengthen due to supply chain disruption and staffing issues, which many of them bounced back from unscathed.

Even so, the sector remains under constant pressure to ensure there is sufficient datacentre capacity available as demand from UK enterprises for cloud and internet-hosted services continues to rise.

“We are concerned the legislation may slow the movement of investment capital and add disproportionate delays to datacentre developments which are under intense time pressure to meet capacity demand,” TechUK’s associate director of datacentres, Emma Fryer, tells Computer Weekly.

Datacentre development and building development timescales are unbelievably short, so adding [at least a] month’s delay to that is non-trivial,” she added.

Caught in the act

The data infrastructure sector, which includes datacentres, is one of 17 sectors covered by the act, but there are other tech-related ones as well. They include artificial intelligence, communications, computing hardware, cryptographic authentication and quantum technologies.

Some of these technology sectors, namely AI and quantum, have been flagged in the past by the government as being critically important to the UK’s future prosperity from an innovation perspective.

Other sectors, such as communications, computing hardware and data infrastructure, have a more fundamental role to play in keeping the wheels of our increasingly digital economy turning.

Crypto authentication technologies, meanwhile, are an essential for ensuring sensitive data remains off limits to unauthorised parties and cannot be tampered with.

In all cases, it is not difficult to see why the government is introducing an act that seeks to ensure the business assets and intellectual property of the companies in these sectors do not fall into the wrong hands.  

The act aims to achieve this by making it mandatory for domestic and overseas investors to notify the government of any M&A they are planning that involve companies from any of these 17 sectors.

Specifically, investors will need to notify the Investment Security Unit within the Department for Business, Energy and Industrial Strategy (BEIS) before the transaction takes place, and failing to do could result in that deal being ruled null and void.

And that is not all – failing to comply with the terms of the act could result in the individuals involved facing up to five years in prison, and the possibility of sizeable financial penalties.

On this point, the entity responsible for breaching the act could face a fine of up to £10m or 5% of their worldwide turnover, depending on which sum is higher.

In light of these penalties, TechUK’s Fryer says there is a concern that deal completion deadlines could be pushed back because of the sheer volume of notifications BEIS ends up having to wade through.

“There is a concern that there could be a lot of precautionary reporting when it is not really necessary from over-cautious investors not wanting to fall foul of the law, although we need to absolutely make sure those who need to notify do so,” she says.

And while the government has shared details of how the act will work in practice, until it comes into force there is no real way of knowing how disruptive its implementation will prove to be. 

“The point we’ve made to government is that you don’t want the UK to get a reputation for having a difficult system that people and investors find unwieldy to use and that puts people off [investing in datacentres], but we won’t know about any of that until we really know how [the act] will be operated in practice,” Fryer’s colleague Neil Ross, head of policy at TechUK, tells Computer Weekly.

For this reason, Fryer says it would be useful for the government to share some example deals that are liable to raise red flags once this new investment screening regime comes into play.

“If you’re divesting seven large sites in Docklands, then I suspect that’s obvious that is going to need reporting, but if you’re divesting a legacy site in Wolverhampton that stores people’s shoe sizes from 1972, maybe you’ll be in the clear,” she says.

“And those are the things that [investors] need to be able to see: where do I fit into this landscape, because having examples that people can point to and say, ‘Oh he’s like me, therefore…’ is always much more helpful in this type of scenario.” 

Narrowing the scope

In response to industry feedback on an early draft of the legislation, shared during a three-month consultation that ran from November 2020 until January 2021, the range of datacentre entities in-scope of the act has markedly narrowed – a development that has been warmly welcomed by TechUK, among others.

In its previous form, the proposed legislation included datacentre landowners, property investors and leaseholders as entities within the data infrastructure sector whose activities should be monitored by the act.

Their inclusion is known to have been widely contested by respondents to the government consultation on the grounds that none of these entities would have access to the data stored within a facility nor would they have any involvement in the way they were managed or operated.

Another feature of the draft legislation that was also contested was the suggestion that datacentre service providers and operators always know what kind of data is stored within their facilities.

“The scope was initially set so wide and what wasn’t clear was what the government were trying to prevent happening. Were they trying to prevent unauthorised access to sensitive data or trying to prevent somebody being able to compromise access to that data through some form of denial of service attack?” says TechUK associate director of datacentres, Emma Fryer.

“The second major concern was that the operators have not necessarily any means of knowing the sensitivity of the data that is being processed by their customers, and they don’t ask those questions.”

The consultation garnered a total of 94 responses, 45 of which were supplied by members of the data infrastructure community, prompting the government to exclude leaseholders and landowners from the entities considered in-scope of the data infrastructure sector.

“An entity is now captured only if it knows by virtue of a direct contractual relationship with a critical sector entity it stores, processes or transmits relevant data,” states the government in its consultation response.

“We have also narrowed the number of sectors considered to hold relevant data in the draft definition. These changes will make it easier for businesses to self-access whether they are subject to mandatory notification.” 

In terms of what that means, Marc Israel, a partner at international law firm White & Case, says: “[It means] there needs to be a direct contractual relationship with a critical sector entity, so that could be with the Ministry of Defence or the police or something like that, whereas before it could have been potentially any datacentre where they might have been storing some of that information, and sometimes you might not even know.

“[As the] freeholder of a datacentre, you don’t necessarily know what data is in there. So, at least with the consultation they’ve narrowed it down and so there needs to be a contractual relationship, which is good.”

The government already has the power to scrutinise M&A deals on national security grounds through the Enterprise Act 2002, but changes to the technological, economic and geopolitical landscape in recent years mean they are long overdue a revamp, in the government’s view.

So much so, the act is billed by the government as the biggest shake-up of the UK’s investment screening regime in two decades.

“This landmark law not only significantly upgrades our decades-old investment screening powers, but gives investors additional certainty and clarity as we enshrine our status as a global champion of free trade and investment,” says Kwasi Kwarteng, secretary of state at BEIS.

“The UK faces continued and broad-ranging hostile activity from those who seek to compromise our national security and that of our allies. Such behaviour left unchecked can leave Britain vulnerable to disruption, unfair leverage and espionage. It is crucial that the government has the tools at our disposal to combat these threats coming from ever more determined overseas actors.

“We’re sending a crystal clear message to overseas investors: the UK is open for business, but if you seek to threaten the safety of the British people we will move to protect our interests.”

Aligning with its allies

The UK government is far from alone in wanting to update its national security investment screening regime, as the US, Australia, Japan and Germany have all made similar moves in recent times.  

Therefore, the introduction of the National Security and Investment Act is an action the government is taking to ensure its investment screening procedures are in line with the precautions other countries are taking.

“There is a general trend towards much greater control of foreign direct investment across the world. This act is really just one example of that,” Marc Israel, a partner at international law firm White & Case, tells Computer Weekly.

“There is definitely a trend towards greater oversight of these sorts of deals. There used to be [a government focus on the] ownership of critical or important manufacturing sites. Now, of course, everything’s data-driven and big tech because data is the key to everything.”

As well as making it mandatory for investors to flag transactions involving companies operating within the 17 sectors covered by the act, entities outside these sectors will be encouraged to voluntarily supply the government with details of any deals that might pose a national security risk.

Greater regulatory focus on datacentres

The data infrastructure sector’s inclusion in the National Security and Investment Act comes hot on the heels of a series of other developments that point to a growing awareness within government of how important datacentres are to the UK economy.

These developments include the creation of the Data Infrastructure Resilience Team (Dirt) within the Department of Digital, Culture, Media and Sport (DCMS) during the early stages of the Covid-19 coronavirus pandemic back in Spring 2020.

This was a significant milestone for the datacentre community, as prior to this point there was no one specific government department tasked with ensuring the sector got a say on policy-related matters.

Around the same time, the government also expanded the key worker list of occupations to include data infrastructure workers, meaning those employed in the sector could continue to access childcare during lockdown despite the widespread closure of educational facilities across the UK.

While these developments have been hugely welcomed by the datacentre community, it is somewhat inevitable that a by-product of this increased visibility within government would result in more regulation for the sector, says Fryer.

“It is inevitable as night follows day and in a way that’s welcome because it means the government recognises that datacentres do something useful, so we had to anticipate a much greater level of scrutiny. I think that was just a matter of time,” she says. “Covid-19 might have been the catalyst, but it was always on the cards.”

That’s a view shared by Israel, who makes the point that the National Security and Investment Act was first mooted several years before the onset of the pandemic in “2016 to 2017”, so it is likely that the datacentre sector would have found itself within its scope regardless.

“Governments and regulators are well aware that there’s so much information and data out there and how important it is, and there are high-profile hacking and data leakage cases that have made everyone very aware [of that too],” he told Computer Weekly. “So we would have ended up here with or without the pandemic.”

Furthermore, the act also will confer powers on Kwarteng to “call in” non-notified deals on national security grounds that concern takeovers of land and tangible movable property, as well as the acquisition of ideas, information and techniques that have industrial, commercial or economic value. 

There are three types of “trigger events” described in the legislation that could compel Kwarteng (or whoever holds the role of secretary of state for BEIS in the future) to call in such a deal.

The first depends on the “nature of the target” being acquired and whether this entity operates in an area of the economy where a risk to national security is more likely to arise.

The second concerns the type and level of control being acquired and how this is likely to be used in practice, while the final trigger event centres on how much of a risk the acquirer is thought to pose to the UK’s national security overall.

“Whether or not the parties have given a voluntary notification, the secretary of state has the power to call in a trigger event which has taken place up to six months after they became aware of it, so long as it is done within five years of the trigger event occurring,” says the government in its policy statement. “Where the acquisition was subject to mandatory notification, the five-year time limit does not apply.”

Another thing investors and acquirers of datacentre assets need to take note of is that the act is retrospective in nature. Meaning any deals that have closed between 12 November 2020, which is the date the National Security and Investment Bill was first introduced to Parliament, and the act’s final commencement date will be within its scope.

“People doing deals in the datacentre space today need to be thinking about this because, if you are a buyer, your deal could be looked at retrospectively once the law comes into force,” says Israel.

Computer Weekly understands that, while the BEIS Investment Security Unit is still under development, investors or businesses can contact the department to inquire about any deals they may have closed since November 2020.

This is an offer that datacentre operators would be wise to take up in the interests of getting a bit of “comfort and insight” in the meantime, says Israel, but doing so now may stand investors in good stead in the long term too.

“While the legislation provides for a five-year retrospective cooling period, which is a very long time, if the government is aware of the deal then that process cuts down to six months,” he says.

“So not only do you get a bit of comfort by speaking to it about your deal now, but it might say, ‘This is not something we’re going to be interested in [scrutinising further]’, but they might be – and you can prepare for that.”

The government projects that each deal that is flagged to the Investment Security Unit will be processed within 30 working days, and has gone on record to say that it expects the “vast majority of acquisitions” will require no intervention.

There is going to be a big change, but I don’t think that there’s going to be lots of intervention
Marc Israel, White & Case

This is reinforced elsewhere in the act’s Statement of Policy Intent, where the government states the use of the secretary of state’s call-in powers will be governed by the “principles of necessity and proportionality” and will not be used to “arbitrarily to interfere with investment”.

It also goes on to say: “[The secretary of state’s powers are not] designed to limit market access for individual countries; the transparency, predictability, and clarity of the legislation surrounding the call-in power is designed to support foreign direct investment in the UK, not to limit it.”

Israel is similarly confident that there will be no significant delay to deal completion dates for any datacentre acquirers or investors whose deals are considered notifiable under the terms of the act, based on feedback he’s received from individuals who have already flagged their deals to the team at BEIS.

“What we’ve heard from the department is that out of the 60 to 70-odd inquiries they’ve had so far, they haven’t identified a single case where they’ve thought, ‘Oh yes. We’re going to want to investigate that one afterwards’,” he says. “There is going to be a big change, but I don’t think that there’s going to be lots of intervention.”

Even so, investors need to prepare themselves for one of three outcomes once they have notified BEIS about a deal, or had a transaction called in by the secretary of state.

The deal they are planning could be blocked from proceeding or could be allowed to proceed providing certain conditions are met. In the best-case scenario, it could be given the go ahead to complete as planned with no interruptions.

So while trade associations and legal type await details of when exactly the National Security and Investment Act will come into force, for the datacentre investor community it is very much a case of “business as usual” in terms of their continued appetite for M&A deals.

Steve Wallage, managing director of datacentre strategy consultancy Danseb Consulting, says the act is not “very high” on the investor agenda at the moment, but is being talked about with “hope” that the “vast majority of deals” would be of no concern to national security.

“It tends to be lumped in with other potential threats to UK competitiveness to be aware of, which also includes areas such as future UK laws and regulations in relation to the European Union, such as the General Data Protection Regulation [GDPR] and the prospect of Scottish independence,” he says.

“The UK is considered very attractive at the moment by global datacentre investors, and – generally – the invest view of the UK is that it is a fairly light touch economy when it comes to regulation, and that Brexit is likely to make it even more business-friendly.”

Read more about datacentres

Read more on Datacentre capacity planning