Proposed amendments to the Norwegian Security Act – expansion of the FDI rules

The proposals are likely to be discussed in the Norwegian Parliament before the summer. Although no date has been set for the changes to come into force, investors should already take the proposed rules into account when planning transactions.

Introduction

The purpose of the proposed amendments to the Security Act is to provide the Norwegian authorities with information about changes in ownership over entities that may have an impact on national security. The proposals are largely in line with changes proposed in a consultation paper from autumn 2021, and follow a global trend of increasingly stringent national rules over foreign investments in activities of importance to national security interests.

This article provides a short summary of the main changes being proposed. An overview of the changes in tabular form may be found at the end of the article.

Additional entities to be subject to FDI screening

The current rules mean that only legal entities that have been made subject to the scope of the Security Act by decision, ref. Section 1-3 of the Security Act are subject to FDI screening in Norway. In addition, the conditions for being made subject to the Act are relatively strict. So for example the possibility of making an entity subject to the Act because, for example, it is developing technology of possible security importance (e.g. artificial intelligence) is limited today. By contrast, investments in such entities are already subject to FDI screening in many other jurisdictions. Furthermore, suppliers in classified procurements (Chapter 9 of the Act) are currently subject to some of the provisions of the Security Act, but not the rules on FDI screening (Chapter 10 of the Act).

The Norwegian Security Act does not only cover foreign investments. Acquisitions of shares in entities subject to the Act by Norwegian persons or entities can still be subject to screening.

Significant changes to the Act are being now being proposed:

New entities may be made subject to the Security Act

Under the Security Act, entities that have control over information, information systems, objects or infrastructure that are of vital importance to fundamental national functions, or that carry out activities that are of vital importance to fundamental national functions, shall, by prior decision, be subject to the Security Act's regime for FDI screening. The Government propose several important expansions in the bill:

• Entities that carry out activities that are of vital importance to national security interests, or that have control over information, information systems, objects or infrastructure that are of vital importance to national security interests, shall also be made subject to the Act pursuant to section 1-3. This means that not only entities that are affiliated with providing a "fundamental national function" are within the scope of the Act. The Government mentions, inter alia, that "entities that have rights to or work with research and development in areas that can be exploited for security-threatening activities by foreign states", such as research and development activities in emerging technologies such as artificial intelligence, may be made subject to the Act. This could also apply to entities that control hazardous material, such as certain chemical substances, biological agents, radioactive substances, nuclear material and explosives with a high hazard potential ("CBRNE agents"). Unlike in many other jurisdictions, there is no proposal to automatically apply FDI screening rules to manufacturers of goods or technology subject to export control rules. A decision to make such entities subject to the FDI screening can therefore only be taken if the conditions of Section 1-3 are met, which the responsible ministry must consider on a case-by-case basis.
  
  
• The Government's proposal also entails that each ministry within its own area(s) of responsibility shall be able to make decisions pursuant to section 1-3, where entities with significant (but not necessarily critical) significance for fundamental national functions or national security interests can be made subject to the provisions of the Security Act regarding FDI screening. This is a somewhat lower threshold, although each ministry must concretely assess on an individual basis whether making an order to subject an entity to the Act is proportionate and necessary.

Suppliers in classified procurements with facility security clearance pursuant to section 9-3 are subject to FDI screening

Supplier clearance is used where a supplier may be granted access to information classified CONFIDENTIAL or higher, normally where the information is manufactured or stored at its own premises. In the event of a change of ownership in such entities, the clearance authority, i.e. the Norwegian National Security Authority for Norwegian suppliers, must already be informed. If changes in the ownership structure of the supplier entity may pose a security risk, the clearance authority may withdraw the suppliers' security clearance.

The acquisition of an equity interest in such an entity is therefore not strictly covered by the rules on FDI screening under Chapter 10 of the Act as of today. The proposals imply that the provisions of the Act regarding FDI screening will apply to acquisitions of equity interests in suppliers that have facility security clearance.

The obligation to notify will apply even if the entity concerned is not subject to the Act through a decision pursuant to section 1-3. However, the Government has emphasised that a decision to suspend the acquisition or to impose conditions for completion of the acquisition will not be the primary regulatory tool in such circumstances. The main tool shall continue to be the reconsideration, or withdrawal, of the facility security clearance itself.

The possibility of intervention against an acquisition is most likely for those suppliers holding long-term and complex contracts, where the supplier may have acquired expertise and information about the contracting authority, and which could pose a security risk if that expertise or information were to fall into the wrong hands.

In total, the changes will lead to an expansion of the FDI screening regime. In the future, entirely new categories of entities may be subject to the Act either in whole or in part. While entities with facility security clearance will be subject to FDI screening as soon as the changes enter into force, ministries will have to consider which entities should now be subject to the Act pursuant to section 1-3. It may therefore take some time before the scope of the changes becomes fully apparent.

New notification thresholds

Under the current Security Act, FDI screening only comes into play where there is an acquisition of a "qualified ownership interest", e.g., where the acquirer obtains at least one-third of the share capital, interests or votes in the undertaking, or the right to acquire this.

In the new proposals, this threshold is lowered to an acquisition of at least 10 percent of the share capital, units or votes in an entity subject to the Act. In addition, a new notification obligation will be triggered by an increase in an existing shareholding to at least 20%, one-third, 50%, two-thirds and 90% of the share capital, interests or votes in the entity subject to the Act.

This means that far more acquisitions than today may need to go through an FDI screening process. Furthermore, new notifications may be needed for successive acquisitions, even if the original investment was already notified and cleared. The proposal also clarifies that the acquisition of indirect ownership is also covered, and that ownership stakes held across related entities/individuals is aggregated when assessing whether the notification threshold is met.

Notification obligation for the seller and the entity in which an ownership interest is acquired

It currently follows from the first paragraph of Section 10-1 of the Security Act that it is the buyer who is obliged to notify when acquiring an ownership interest in an entity subject to the Act. The proposal amends this so that there is also a duty to notify for the seller and the undertaking in which an ownership interest is acquired/the target entity. For the seller and the target entity, however, the obligation to notify only applies to the direct acquisition of an ownership interest that triggers the obligation to notify, since the seller/target entity cannot be assumed to know the acquirer's underlying ownership structure. As far as the target entity is concerned, it is also a prerequisite that it has knowledge of the acquisition.

Standstill obligation and ban on sharing information that can be used for "security-threatening" activities

Today's Security Act contains no rules prohibiting the closing of a transaction until after notification and the subsequent approval by the authorities, as we know from, for example, competition law. In principle, a notifiable acquisition can therefore be carried out prior to approval, albeit with the risk of a retrospective reversal order.

The proposed amendments to the Act would establish a prohibition on early implementation for acquisitions of undertakings subject to the Security Act and which reach certain thresholds. Closing the transaction will not be possible until the relevant notification has been processed and the acquisition has been approved or approved on conditions. The prohibition against early implementation applies to all acquisitions covered by the obligation to notify pursuant to section 10-1 of the Security Act, regardless of whether the obligation to notify has been complied with.

In addition, an prohibition on information sharing is introduced, i.e. it is prohibited in an acquisition process for the entity subject to the Act to share information that can be used for security-threatening activities, unless the authorities consent to such information sharing. The prohibition applies to all acquisitions in undertakings covered by the FDI screening regime in Chapter 10.

Security threatening activities are intentional acts that may directly or indirectly harm national security interests. However, "information that can be used for security-threatening activities" is not limited to information protected by the provisions of Chapter 5 of the Security Act (critical national information and classified information). The ban goes further, in that it applies to all information that can be used for security threatening activities (although of course the prohibition does not apply to publicly available information).

It is envisaged that there will be more detailed rules on what information is covered by the information sharing prohibition in regulations and guidelines that will follow the amendments to the Act.

The information prohibition will have a major impact on the implementation of acquisitions of entities subject to Chapter 10 of the Security Act. It means that parties, in addition to notifying the acquisition, must apply to share information that can be used for security threatening activities, if this is necessary for the preparation and execution of the transaction. This assessment will probably need to be made at an early stage in the transaction timeline.

Penalties for violations and potential criminal liability

The Security Act currently contains rules on fines for violations of certain rules, as well as criminal liability for violations and attempted violations, cf. Section 11-4 of the Security Act.

However, for breaches of the rules on FDI screening there is no legal basis for imposing a penalty for violations. Nor is there any legal basis for criminal liability for breach of the duty to notify and breach of the duty to comply with section 1-3 decisions.

The proposals tighten these rules considerably, by proposing the following:

• Fines may be imposed for breaches of the notification obligation/breach of the standstill obligation; and
  
• Intentional or negligent violations of decisions pursuant to § 1-3 and § 10-3 may be sanctioned with criminal penalties.

Table – overview of changes