Corporate Law Update: 27 February - 5 March 2021

05 March 2021

In this week’s update: more detail on the National Security and Investment Bill, confirmation of the position for UK companies operating in the EU, the fifth Hampton-Alexander report, new FRC guidance on reporting against the UK Corporate Governance Code, the Kalifa Review of FinTech is published, the gender pay-gap reporting deadline is extended, Companies House is resuming strike-offs, the IA publishes its Good Stewardship Guide for 2021, ESMA publishes its Q&A on crowdfunding in the EU and the EU publishes the legislation for the new Recovery Prospectus.

Covid-19 is affecting the way people conduct their business, retain their staff, engage with clients, comply with regulations and the list goes on. Read our thoughts on these issues and many others on our dedicated Covid-19 page.

National Security and Investment Bill: more detail emerges

The Government has issued three important new updates on the forthcoming National Security and Investment Act, currently at Bill stage in Parliament.

The Bill, if enacted, will allow the Government to screen transactions that pose a risk to the UK’s national security. In broad outline, the Government would be able to “call in” a transaction if a “trigger event” occurs. If the transaction poses a risk to national security, the Government would have a wide range of powers, including to impose conditions on the transaction or to block it entirely.

The regime will operate across all sectors. As a general rule, parties will not be required to notify the Government in advance, although they will be able to do so voluntarily in order to seek clearance. However, in certain sectors, notification will be mandatory. In these sectors, failure to notify the Government and obtain clearance before completing a transaction will render it null and void.

For more detail on how the regime will work, see our previous Corporate Law Update.

Mandatory notification

The Government published a consultation in November 2020 on 17 sectors it was proposing to include within the mandatory notification regime, along with detailed definitions for each one.

The proposed sectors – which are informally being referred to as “sensitive sectors” – were advanced materials, advanced robotics, artificial intelligence, civil nuclear, communications, computing hardware, critical supplies to the Government or emergency services, cryptographic authentication, data infrastructure, defence, energy, engineering biology, military and dual-use products, quantum technologies, space and satellite technologies, and transport.

The consultation prompted a remarkable 94 formal responses. Several responses took the opportunity to comment not just on the proposed sensitive sectors, but on the regime more generally.

The Government has now published its own formal response to the consultation. It has used the responses to its consultation to “refine” its definitions for the proposed mandatory sectors. The Government is not consulting formally on the new definitions but will engage with stakeholders directly as it continues to develop and refine them.

In response to feedback, the Government has (in its words) “significantly narrowed” the definitions for the proposed sensitive sectors to ensure that the regime is “targeted and proportionate”. As with the initial consultation, there is a significant amount of detail in the revised definitions and it is not practical to cover all the changes in this Corporate Law Update. However, the following are worth noting:

  • The Advanced Materials sector definition has been substantially re-worked and now extends to an impressive 11 pages. It continues to employ the same core categories (advanced composites, metals and alloys, engineering and technical polymers and ceramics, technical textiles, metamaterials, semiconductors, photonics and optoelectronics, graphene and related materials, nanotechnology and critical materials). However, the list is much more extensive and there have been changes. Businesses operating in this sector should consult the new list.
  • The definition of Advanced Robotics, which previously was very broad and referenced indiscriminately to artificial intelligence, has been made significantly more detailed. The definition now concentrates on autonomous and semi-autonomous machines and contains important carve-outs for consumer products (such as robotic toys and “smart” vacuum cleaners), industrial automation systems and immobile devices.
  • The Artificial Intelligence sector has been significantly scoped down. Previously this effectively captured any goods or software that incorporated AI to perform complex tasks. Now, the definition is limited to products designed to identify or track objects, people or events, advanced robotics (see above) and cyber-security.
  • The Communications sector, which previously captured providers of electronic communications networks and systems (although not broadcasters) and associated facilities, has been significantly refined. Network and system providers are caught only if their revenue from providing those services is £50 million or more. Internet providers are caught only if they have a 30% or greater market share or provide a top-level domain name registry servicing a minimum frequency of queries from UK devices. The new definition also clarifies which cable services are within scope.
  • The definition of Critical Suppliers to Government has been substantially narrowed following feedback, including by removing criteria referenced to volumes of personal data and the design and construction of Government property.
  • The Cryptographic Authentication sector has been amended to remove products that are ordinarily sold to consumers.
  • The definition of Data Infrastructure has been amended to remove entities that merely own the site or building that houses data infrastructure, rather than the infrastructure itself. In addition, most data infrastructure will fall within the definition only if it is the subject of a contract with a critical sector entity. Finally, whereas this sector was previously cross-linked to all other 16 sensitive sectors, now it is linked to only seven.
  • The Energy sector definition has undergone a few technical changes. More significantly, whilst electricity generation and transmission and gas importation and distribution remain within scope, the mere supply of energy to retail customers has been removed. Electricity aggregators have been included. Finally, the capacity threshold above which a downstream petroleum facility will fall within scope has been increased from 20,000 tonnes to 50,000 tonnes.
  • The definition of Quantum Technology has been stripped back. Whilst “developing” and “producing” quantum tech remain within scope, pure research into quantum tech is now outside the mandatory regime, as are entities that merely use quantum tech to supply services.
  • The Space and Satellite Technologies sector has been narrowed to remove the provision of telecommunications and internet services via satellite from scope.
  • The Engineering Biology sector has been re-named Synthetic Biology, with what was previously defined as “engineering biology” having been removed. The original definition of “synthetic biology” remains broadly the same, but gene editing, gene therapy and DNA manipulation are now included. There is also now a series of exceptions for non-critical activities, including bioremediation, clinical diagnostics, food production and therapeutic gene therapy.

The new definitions remain in draft and may change as the legislation continues its passage through Parliament. The final definitions will be set out in regulations in due course.

The Government will then keep the mandatory sectors under review and update them over time to account for emerging technologies and changing national security risks.

Policy statements

Separately, the Government has published policy statements covering how it intends to use its delegated powers under the Bill (once it becomes law). The key points are as follows:

  • Call-in power. The Government previously published a draft policy statement in November 2020 covering how it intends to use its new call-in power. For more information, see our previous Corporate Law Update. This remains unchanged, but the Government intends to consult on the statement once the Bill becomes law.
  • Mandatory notifications. Although the focus has been on specific sectors within which notification will be mandatory, the Bill would actually give the Government much broader powers to mandate notification by reference to the entity or asset being acquired. However, the Government has confirmed that it will focus solely on sectors when the regime begins.
  • Form of notification. The Government intends to require parties to provide certain information as part of a mandatory or voluntary notification, but not to make their own assessment of whether a national security risk will arise. It will take the same approach for an application for retrospective validation of a transaction that completed without mandatory notification.
  • Penalties. Once the Bill becomes law, the Government intends to lay regulations setting out how an entity’s turnover will be calculated for the purposes of levying penalties on organisations for contravening the regime. It expects to base this on the UK’s existing merger control regime.

Investment Security Unit factsheet

Finally, the Government has published a factsheet on the new Investment Security Unit (ISU), the new operational unit of the Department for Business, Energy and Industrial Strategy which will administer the new regime.

The factsheet confirms that the ISU is currently being set up in preparation for the new regime commencing by the end of the year. However, businesses are already able to contact the ISU for advice on the regime by sending an email to

It also makes the following points:

  • The Government expects fewer than 10% of transactions notified to the ISU to face a detailed national security assessment, and that most transactions will be cleared quickly. Even then, it expects that only a “small proportion” of assessments will result in Government intervention.
  • All transactions will be suitably screened using cross-government expertise. Detailed assessments will take full account of the range of security risks of investment into the UK.
  • The Bill will give the Government a retrospective power to call in acquisitions that occur on or after 12 November 2020. However, the mandatory notification regime is not retrospective; parties do not need to notify the ISU of a transaction before the regime begins. The Government will provide guidance on how the process will work before the regime begins.
  • Although the Bill is not yet law, the ISU will, where possible, provide an initial view of whether a transaction is likely to be within the scope of the regime when it begins.

EU re-confirms position for UK companies operating in the EU

The European Commission has published an updated notice to stakeholders on the consequences of the UK’s withdrawal from the European Union on company law.

The updates to the notices are mainly functional to reflect the fact that the UK/EU “transition period” (or “implementation period”) has come to an end and that arrangements are now governed by the UK/EU Trade and Cooperation Agreement (the TCA).

One point the note continues to emphasise is the treatment of UK companies whose central administration or principal place of business is within an EU member state.

While the UK was a member of the EU and during the transition period, the EU principle of freedom of establishment operated to ensure that the limited liability of UK companies (and the consequent protection for shareholders) would be automatically recognised in other EU member states.

The UK is now a “third country”, and so UK companies no longer benefit from freedom of establishment. As a result, where a UK company’s central administration or principal place of business is within an EU member state, the national rules of that EU member state will apply.

In some cases, this may mean that the company’s limited liability status is no longer recognised.

The precise consequences of this will vary depending on the EU member state in question and the degree of activities carried on by the UK company. Companies that merely supply goods or services into an EU member state, or have a branch or local facilities, therefore, should not be affected.

However, UK companies whose operations are based substantially in an EU member state may be affected. If they have not already done so, these companies should seek legal advice on their position regarding their shareholders’ liability.

Fifth annual report on FTSE female board representation published

The Hampton-Alexander Review, led by Sir Philip Hampton, has published its fifth annual report on gender balance on the boards of FTSE companies. The report provides a summary of improvements FTSE companies have made over the last five years.

The Review had originally established a target of 33% female representation on FTSE 350 boards by 2020. The report reflects on that target and sets some ambitious new recommendations for further improving gender balance on FTSE boards.

The key points coming out of the report are as follows:

  • As a mark of progress made, women now make up around 40% in aggregate of non-executive directors on FTSE 350 boards, and there are no longer any all-male boards.
  • Despite this, 32 FTSE 100 companies and 139 FTSE 250 companies had yet to achieve the target of 33%, and so the challenge of compliance remains.
  • Women account for only 14% of executive directors, highlighting a continuing underrepresentation of women among senior executives.
  • Women also made up only 39 chairs, 89 senior independent directors (SIDs) and 17 CEOs across the FTSE 100, again suggesting that work is required to promote women in leadership positions.

The Review Steering Group has made the following recommendations moving forward into 2021:

  • As a matter of best practice, a company should have a woman in at least one of the four roles of chair, CEO, SID and CFO.
  • Companies should publish a gender pay-gap for their board and their executive committee in order to “shine a light” on the structural subordination of women on most boards and excoms.
  • The Government should conduct an annual review with the Investment Association and other investor groups of any voting sanctions applied to listed companies that fail to meet the gender targets they have set.

Some members of the Steering Group also support raising the existing target of 33% to a new target of 40%. The Group stops short of making a formal recommendation along these lines, but Sir Philip notes that a goal of 40% may well be the right target for any successor review over the next three years.

The fifth report marks the end of the formal Hampton-Alexander Review. Sir Philip notes that whether another Review is established will be a matter for Ministers, and that, if there is to be a successor review, it should focus strongly on the executive level.

EU publishes draft UK data protection adequacy decision

The European Commission has published a draft adequacy decision to establish that the UK’s data domestic protection regime provides an adequate level of protection for the transfer of personal data out of the European Economic Area (EEA).

If adopted, the decision will clear the way for organisations to continue to transfer personal data from the EEA into the UK.

Transfers of personal data are common on corporate transactions, such as share or business sales, private equity investments, joint ventures, and internal restructurings and reorganisations. Where the transaction involves a company or branch in the EEA, personal data may need to be transferred as part of due diligence, transaction documentation or completion arrangements.

Until 11:00 p.m. on 31 December 2020, despite having left the European Union, the UK was treated in most respects as if it were still a member. In particular, transfers of personal data from an EEA member state to the UK were effectively regarded as still occurring within the EEA.

From 11:00 p.m. on 31 December 2020, that arrangement ceased and the UK become a “third country” in relation to the EU. The default position under EU law is that personal data cannot be transferred from within the EEA into a third country unless adequate safeguards are first put in place. These include so-called “standard contractual clauses” and “binding corporate rules”.

However, under the current UK/EU Trade and Cooperation Agreement (TCA), for a period of at least four months, transfers of personal data from the EEA to the UK continue to be permitted. Effectively, this “grace period” is designed to allow the EU and the UK to attempt to reach a suitable arrangement.

If passed, the adequacy decision will be a significant milestone. It will replace the current transitional arrangements under the TCA and ensure that the UK is treated as though it were an EEA member state for the purposes of data transfers for a period of four years.

The draft decision will now be considered by the European Data Protection Board (EDPB) for its non-binding opinion, following which the Commission will request approval from EU member states and, if all goes well, adopt final adequacy decisions.

Until then, personal data transfers into the UK remain governed by the TCA.

New FRC guidance on reporting against UK Corporate Governance Code

The Financial Reporting Council (FRC) has published new guidance on how to improve the quality of reporting against the UK Corporate Governance Code (the Code).

Companies with a premium listing in the UK are required to comply with the Code and explain any respects in which they diverge from it – the so-called “comply or explain” approach.

Other UK companies, including standard-listed companies, AIM companies and very large private companies, are required explain their corporate governance arrangements, but they do not need to so by reference specifically to the Code (although, by way of best practice, many publicly traded companies do).

Key recommendations arising out of the guidance include the following:

  • Clarity. A company’s corporate governance statement should state whether the company has fully complied with all elements of the Provisions of the Code or departed from any of those Provisions. If the latter, it should cite which Provisions of the Code the company has not complied with and where in their annual report an explanation can be found.
  • Comprehensiveness. A company should state and explain every departure from the Code. The FRC reports that it encountered some companies that claimed full compliance with the Code but which, on further investigation, had not acknowledged departure from one or more of its Provisions. The guidance cites several Provisions of the Code where this was a particular problem.
  • Meaningful explanations. Where a company departs from a Provision of the Code, it should provide a “full and meaningful explanation” of why an alternative arrangement is “more appropriate and beneficial in upholding high standards of governance”. The guidance provides detailed tips on how to achieve this.

Report from Kalifa Review into FinTech published

HM Treasury has published a final report by the Kalifa Review, headed by Ron Kalifa OBE. The Review was initiated by the Treasury in July 2020 to identify priority areas to support the UK’s fintech sector.

The report makes recommendations in a number of areas to support the growth and widespread adoption of UK fintech and maintain the UK’s global fintech reputation.

Among other things, the report makes recommendations in relation to the UK’s listing regime, following on from the Treasury’s call for views in November 2020. For more information on that call for views, see our previous Corporate Law Update.

In this regard, the report makes the following recommendations:

  • Free float requirement. The requirement for at least 25% of a premium-listed issuer’s shares to be in public hands (the “free float requirement”) should be reduced to 10% for a limited time after its initial public offering (IPO). Alternatively, the free float should be calculated by reference to a minimum monetary threshold. The review cites the NYSE and NASDAQ as examples of this.
  • Dual-class structures. The review notes that the inability for premium-listed issuers to list two classes of share with different voting rights may result in UK investors and the fintech ecosystem losing key company listings that wish to mature gradually. It notes that other exchanges, including the NYSE, NASDAQ, Euronext, Deutsch Börse, HKEX and the Singapore Stock Exchange all permit dual-class structures.
  • Pre-emption. The review recommends re-instating the temporary relaxation for non-pre-emptive share issues put in place by the Pre-emption Group in April 2020 to deal with the economic effects of Covid-19. Under that extension, the regular 5% and 5% limits for non-pre-emptive share issues were raised to 20% in certain circumstances. The relaxation ended in November 2020. For more information, see our previous Corporate Law Update.
  • Share indices. Finally, the review suggests that the current stock indices produced by FTSE Russell do not cater fully for the technology sector and recommends the creation of a new FinTech index specifically for FinTech companies.

Also this week…

  • Gender pay-gap reporting deadline extended. The Equality and Human Rights Commission has confirmed that, due to on-going disruption caused by Covid-19, it will wait until 5 October 2021 before taking enforcement action against organisations that have not published their gender pay-gap metrics for the 2020/2021 reporting year. The announcement effectively gives organisations an additional six months to publish their data.
  • Companies House to resume strike-offs. Following a pause as a result of Covid-19, Companies House has confirmed that it will resume activity for both voluntary and compulsory strike-offs from 8 March 2021.
  • IA publishes Good Stewardship Guide 2021. Following the publication of its Shareholder Priorities in January (see our previous Corporate Law Update), the Investment Association has published its Good Stewardship Guide 2021. The Guide sets out issues of focus for 2021, including climate change; diversity in leadership; employees, customers and the community; transparency and accountability; and executive and employee pay.
  • ESMA publishes Q&A on crowdfunding in the EU. The European Securities and Markets Authority (ESMA) has published its first Q&A on the EU Crowdfunding Regulation. The Regulation creates a regulatory framework for providers of crowdfunding within the European Union. These Q&A relate specifically to establishing a special purpose vehicle (SPV) to provide crowdfunding services. The Q&A will be of interest to business looking to crowdfund within the EU.
  • EU Recovery Prospectus legislation published. The legislation for the new EU Recovery Prospectus has been published. It will come into effect on 18 March 2021. The new regime will allow seasoned regulated and SME growth market issuers to publish a simplified prospectus when carrying out a secondary issuance. The regime will not apply in the UK but will be relevant to UK issuers who wish to extend their secondary issuance into the EU.

Get in touch