Proposal for changes to the security act – wide ranging implications for M&A transactions

by Kaare M. Risung


In October 2022, the Ministry of Justice and the Ministry of Defense (together the “Ministries”) issued a consultation paper and proposed draft amendments (the “Proposal”) to the Security Act 2018 (the “Security Act”). The Proposal would increase the number of businesses falling under screening requirements relating to changes to control and increase the effectiveness of such screening. Similar legislation has been passed in EU countries subject to EU Regulation (EU) 2019/452 on screening of foreign direct investments (the “EU Regulation”). Whilst the EU Regulation falls outside the scope of the EEA agreement, Norway has decided to propose similar legislation but with considerably stricter rules on a number of key issues. 28 parties in total submitted their comments to the Ministries by the deadline of 10 January, but surprisingly only 2 commercial enterprises and 4 NGOs did so. This indicates that few have grasped the practical implications of the Proposal. Please find below a brief explanation of the content of the Proposal.

The proposal

Which businesses will be subject to notification?

Under the existing Security Act, the acquirer of at least 1/3 control over certain businesses (“Targets”) is obliged to notify the relevant ministry under which the Target is regulated. Targets falling under the current scope are those who (according to a translation of the Security Act published by the Ministry of Justice):

Such entities may include sub-suppliers and any other parties who, "have insight into information sensitive to contingency preparedness, vital infrastructure, political decision making processes, or in any other manner come in a position to perform actions threatening security."

The Ministries have found that this scope is too limited and as such, the proposal is to amend the wording in sub-paragraphs b) and c) from "vital" importance to "material" (Norw: vesentlig) importance. Under the existing Security Act, the Ministries have an obligation to "identify and maintain an overview of undertakings of material importance to fundamental national functions". Such overview lists 250-300 businesses. Note that any "suppliers of goods or services in connection with classified procurements" are in addition to and not included in the 250-300 listed businesses.

The Security Act does not contain a definition of what "fundamental national functions" are, but guidance may be found in the definition of "national security interest", which lists, in section 1-5, "Norway’s sovereignty, territorial integrity and democratic system of government, and general political security interests related to a) the activities, security and freedom of action of the highest state bodies; b) defence, security and contingency preparedness; c) relations with other states and international organisations; d) economic stability and freedom of action; e) fundamental societal functions and the basic security of the population."

Further guidance on what sort of companies could fall under the new legislation may be found in Article 4.1 of the EU Regulation, which provides examples of factors that affect "security or public order". Among those relevant to the TMT industries are:

"a) critical infrastructure, whether physical or virtual, including […] health, communications, media, data processing or storage, aerospace, […] financial infrastructure, and sensitive facilities, as well as land and real estate crucial for the use of such infrastructure; (b) critical technologies and dual use items as defined in [Regulation 428/2009], including artificial intelligence, robotics, semiconductors, cybersecurity, aerospace, defence, energy storage, quantum and nuclear technologies as well as nanotechnologies and biotechnologies; (c) supply of critical inputs, including energy or raw materials, as well as food security; (d) access to sensitive information, including personal data, or the ability to control such information; or (e) the freedom and pluralism of the media."

In view of these broad categories and the number of activities that are likely to be considered as "influencing national security", the number of Norwegian businesses affected by the proposed change of control provisions will grow considerably. This will be due not only to changes in the security climate, but also the increased focus on the role the Security Act plays in transactions. The Ministries have provided no guidance other than to state that it is "uncertain" how many businesses would fall under the extended scope. Note that any companies falling under the Security Act will have knowledge of this fact, as they should be provided with prior notice of any decision to bring them under the act.

When must one notify? – Threshold and Timing

The Ministries propose a considerable broadening of the definition of a "qualified ownership interest", from 1/3 control to each of the following 5 thresholds: 10%, 1/3, 50%, 2/3 and 100%. Even acquisitions below the 10% threshold could trigger an obligation to notify, if the transaction will give the acquirer "significant influence over the management of the company otherwise". For example, in a company whose ownership structure has many different owners each holding small stakes (e.g. considerably less than 10% ownership), such an owner could still have "significant influence".

The Ministries are retaining the current wording that the obligation to notify is triggered upon the "wish to" transact. This is not to be taken literally as a simple desire is not sufficient to trigger the obligation. The Proposal adds the words "in advance" (Norw: på forhånd) and specifies that this would be the time at which "the seller has reached agreement with a potential purchaser to proceed with negotiations". In the context of a structured M&A process, this would typically be the invitation to a phase 2 of a transaction after submission of indicative bids. As will be further explained in section 2.3, notification would however have to take place prior to the sharing of any non-public information, which would in effect prevent due diligence and signing of a definitive SPA. The parties could, at most, sign an SPA subject to due diligence. But, as the seller could at this stage have no access to non-public information, little information may be shared in an investment memorandum and the buyer would have little information on which to agree commercial terms.

The notification – Non implementation/stand-still

No amendments are proposed to the content of a notification, which will therefore still contain details on the acquirer, company registration details, management information, board information, accounts etc, as well as relationships, other interests in the sector and "other circumstances which the acquirer considers to be potentially significant in the assessment of whether the acquisition can be approved pursuant to section 10-2 of the Security Act". After submission of the notification, the authorities have 60 business days, i.e. at least 12 weeks, to clear the transaction or to determine that the matter shall be subject to decision by the King in council (Norw: Kongen i Statsråd). The 60 day period may be extended by the number of days used to respond to any written request for further information submitted in writing by the authorities within 50 working days.

According to the Proposal, a notification will automatically trigger an obligation of non-implementation. During the notification period, the parties would be prevented from not only completing the transaction, but also from exchanging "information on the business which is not publicly available". The objective is to prevent "knowledge transfer to the potential purchaser". This requirement would seem to be stricter than the concept of non-implementation under competition law and would effectively prevent any meaningful due diligence process from being conducted.

The relevant ministry or the national security authority may (subject to application) grant a full or partial exemption from the obligation of non-implementation. The Ministries offer no guidance on how this exemption would be used beyond the obvious that the decisive issue would be whether the acquisition process in itself creates, or would lead to, risk.

Who is responsible for notifying?

The Ministries have found that a notification obligation on a foreign purchaser who may not have knowledge of the Security Act is not sufficient and therefore propose to extend the notification obligation also to the seller as well as to "the business’ leader, if such person is aware of the acquisition". The "business" referenced here is the Target. The term "leader" (Norw: virksomhetens leder) is by contrast not entirely clear. In the explanatory sections of the Proposal, the Ministries refer to the "board of directors and/or the CEO." Our hope is that this definition will be made clearer in the version of the Proposal sent to Parliament.

Case handling – timeline and test applied

The authorities shall, according to section 10-2 of the Security Act, "ask relevant bodies to comment on the potential risks associated with the acquisition and the acquirer’s reliability in security terms". This would include relevant ministries, as well as various security agencies.

The threshold applied under the EU Regulation is "likely to affect security or public order". The threshold applied under the Security Act is however much lower, being a "not insignificant risk of a threat to national security interests". This very low threshold makes it difficult to make an accurate assessment of the potential outcome. It is also worth noting that in a period of consolidation of a sensitive market, a transaction coming late in such a process may be assessed differently from an earlier transaction due to concerns over access to essential resources. Such access could be threatened if the number of potential sellers is restricted. This threshold of market concentration could appear well before any market concentration concerns under competition law. England has, for example, implemented a 25% concentration threshold for national security issues, which is at the very low end of competition law concerns. Additionally, merger control authorities may consider only economic efficiency and not national security issues resulting from the nationality of the players in the market.

What sort of players may be restricted from acquiring control of Norwegian companies?

It seems clear that the purchasers from nations subject to international embargos would be hard pressed to pass the threshold of a "not insignificant risk of a threat to national security interests". The concerns would however also extend to any nations with which Norway does not have security policy cooperation. This would include purchasers from large economies such as India. A full list of countries with which Norway has such cooperation is not public. It is worth noting that the obligation to notify does not depend on the nationality of the purchaser, and therefore even Norwegian buyers would be under an obligation to notify.

Consequences of not notifying – criminal offence

The current section of the Security Act would be extended to include breaches of the duty of notification: "A penalty o[r] a fine or imprisonment for a term not exceeding one year, or both, would be applied to any person who intentionally or with gross negligence [our translation: breaches a duty of notification], unless the matter is covered by a stricter penal provision".

Further issues under consideration

The Ministries have considered, but made no proposal for addressing, the need for prior consultation or pre-clearance of a potential transaction. There would seem to be a strong need for such a process in order to be able to conduct an ordinary structured international transaction process. The Ministries express concerns that such a process would exhaust resources within the government and indicate that, if implemented, it would be reserved for control over 25% and transactions in which "there may be a risk that national security interests are directly or indirectly threatened". The requirement that security risks have already been identified as a condition to qualify for assessment of pre-clearance would render this process quite useless.

Concluding remarks

If passed with the current wording, the Proposal would have a material impact on transactions concerning Targets with a potential of more than non-significant effects on national security. We therefore recommend that sellers, Targets and potential buyers of such businesses follow this legislative process closely.

Due to the possible criminal sanctions if such duty is breached, sellers would be advised to thoroughly assess any security issues prior to planning a sales process. At the very least it would be advisable to conduct a vendor's due diligence on the potential for restrictions on a due diligence process, and also to allow for a potential delay in the transaction process due to the 12 week standstill period.  
