The Norwegian Security Act – proposed amendments to the rules on ownership control

Norway has a long-standing tradition for welcoming foreign investments. Increased awareness concerning insight into sensitive information and access to technology and resources of strategic importance has however led to increased concerns related to foreign direct investments ("FDI"). The current Norwegian FDI regime is rather limited in scope, and on the basis of these developing concerns a legislative proposal was presented by the Norwegian Ministry of Justice and Public Security (the "Ministry") on 31 March 2023 (available here in Norwegian only). The proposed amendments are expected to be enacted by mid-2023 but it is still not clear when they will enter into force.

The proposed changes to the Security Act will impact foreign direct investments in Norway and raise legal and practical questions in many transactions. The background for the amendments proposed by the government has been to prevent foreign ownership of businesses key to national security. The legislative proposal nevertheless also reflect considerations of the importance of maintaining a profitable investment climate. In that regard, we note that the Ministry has placed large emphasis on having regulations that are similar to those in other jurisdictions, such as on EU level, in the other Nordic countries and the US and Canada.

The Norwegian FDI regime

The current Norwegian rules on ownership control is found in Chapter 10 of the Security Act and are based on the following main elements:

• A notification requirement only applies to certain transactions where the target company has been brought within the scope of the Security Act pursuant to an administrative decision. For such a decision to be adopted, a business must: Handle classified information, control information, information systems, objects or infrastructure which are of vital importance to fundamental national functions, and/or engage in activities which are of vital importance to fundamental national functions.

• The threshold for triggering a notification requirement is an acquisition of a qualified ownership interest, specified to be 1/3 of the share capital, participating interests or voting rights in the company or where significant influence over the company is acquired based on other means such as through specific rights placed upon the owner pursuant to a shareholders agreement or otherwise.
• The notification obligation apply irrespective of the nationality of the acquirer.
• A proposed transaction can only be prohibited if the acquisition may entail a risk that is not insignificant that interests of national security will be threatened.
• Within 60 working days from receipt of a notification, the relevant ministry or National Security Authority shall either inform the acquiror that the transaction has been approved or that it is referred to the King in Council (i.e. the government in plenary session) for further consideration and if a prohibition or conditional approval is considered. Where a case is referred for a decision by the King in Council, there are no statutory deadlines for the adoption of a final decision.

In the material review of a notified transaction the relevant authority shall determine whether the acquisition "may entail a risk that is not insignificant that interests of national security will be threatened." The criteria permit broad discretion in the authority's assessment. While there is limited guidance on the scope of review publicly available, the National Security Authority has on several occasions referred to a focus on whether the acquirer has ties to countries that Norway does not have a security cooperation with, such as e.g., non-NATO countries.

• The King in Council recently adopted a decision to approve an acquisition of a minority stake in Global Connect, a fiber company, by an Abu Dhabi based fund (Mubadala) on conditions. The conditions concern the protection of sensitive information from being accessed by unauthorized persons, ensuring prior control of future transactions and imposing certain restrictions on resales of shares in the target company.
• A decision to prohibit the sale of Bergen Engines, a supplier to civil and military sectors and holder of critical real-estate located at the port of Bergen, to TMH International, which had ties to the Russian government was adopted by the government in March 2021 based on Section 2-5 of the Security Act. That provision provides a wide discretion for the King in Council to adopt decisions to prohibit current and planned activities (including transactions) that threaten national security and the same threshold for intervention as under Section 10-3 applies. As demonstrated by the intervention against the sale of Bergen Engines to TMH, transactions that present with national security concerns, can be exposed to review and ultimately intervention also outside the scope of the rules on ownership control.

The proposed amendments to the security act

Expansion of the scope of businesses that are subject to rules on ownership control

The proposal includes an expansion of the range of businesses that shall or may be brought under the rules on ownership control in Chapter 10 of the Security Act. In addition, businesses holding supplier will be made subject to a filing obligation without a prior administrative decision.

• Businesses of vital importance to national security interests shall be brought within the scope of the Security Act (in whole or in part, e.g. only Chapter 10): May be relevant for businesses with operations within cutting-edge technology, including artificial intelligence, big data, 5G, cloud services, IoT etc.
• Businesses of significant importance to fundamental national functions or national security interests may be made subject to Chapter 10 of the Security Act: The authorities are given increased flexibility and an opportunity to ensure control with businesses where changes to market conditions or expected threats can lead to changes in the classification of a business.
• Transactions concerning businesses holding supplier clearance pursuant to Section 9-3 of the Security Act, for having access to information classified as CONFIDENTIAL or higher, are made subject to the rules on ownership control: Introduced to ensure a prior review of transactions that may trigger a need for proper protection of sensitive information, as the procedure to withdraw supplier clearance where security concerns arise may not be sufficient to prevent a prospective buyer from getting access to sensitive information.

Lowering the treshold for triggering events

The proposal includes a significant lowering of the threshold for notifications. Pursuant to the proposal, a notification is required for the acquisition of a direct or indirect ownership interest of at least 10 % of the share capital, participating interests or votes in a company that is brought within the scope of (Chapter 10 of) the Security Act or holds a supplier clearance pursuant to the Security Act. Recurring filing obligations is set to apply at 1/3, 50 %, 2/3 and 90 % or where the acquirer by other means gets significant influence over the management of the company, such as through strategic veto rights attached to the ownership interests. Ownership interests held by close associates (including e.g. close relatives and subsidiaries) are aggregated in the assessment of whether the triggering thresholds are met.

We expect that these amendments will result in a significant increase in the number of transactions being notifiable, in particular in connection with successive acquisitions of stakes over a period of time. Further, notification obligations may also become more relevant in connection with issuances of new shares in share capital increases where subscriptions often result in lower ownership interests.

Given the general principle of proportionality, the material assessment of an acquisition may differ based on the ownership interest being acquired, as different rights are attached to the ownership interest at different levels. While a prohibition may for example be warranted for an acquisition of 2/3 in a Norwegian private limited company, as the owner will then have the right to e.g. dissolve the company, it may well not be grounds to prohibit an acquisition of 20 % where the only particular right is to demand an extraordinary general meeting in which it can only vote for its share and not form a majority depending on the potential concerns that arise. It remains to be seen how these considerations play out in the review of notified transactions.

The initial legislative proposal from 2021 discussed the need for a voluntary filing regime for transactions not covered by the rules of ownership control, where there is still a direct or indirect risk of threat to national security interests, but was not included in the final proposal. Acquirers are nevertheless encouraged to seek guidance from relevant authorities where security implications of a transaction can be expected, which may be beneficial for deal certainty as intervention against current and future activities (including transactions) may take place outside the rules on ownership control pursuant to the general clause included in Section 2-5 of the Security Act.

Filing obligation for the seller and target company

Under the current regulation, the filing obligation lies only with the acquiring party. In the proposal, the Ministry has proposed to extend the notification obligation to the seller and the target company, in addition to the acquirer, to ensure that all notifiable transactions are in fact reported to the relevant authority for review.

While the filing obligation for the acquirer will be triggered for any transaction that exceed the filing thresholds, the seller and target company only have an obligation to submit a notification where the acquirer directly purchases a stake exceeding a threshold for notification. In other words, the seller and target are not subject to a notification obligation in instances where it cannot identify a filing obligation, typically where the threshold of 10 %, 1/3 etc. is met through an indirect acquisition in the company, in combination with prior interests held in the company by the acquirer or through a series of transactions from multiple sellers.

In the proposal that was subject to a public consultation in 2021, the Ministry noted that the notification obligation would be satisfied upon notification of the transaction by one of the parties that are subject to the notification obligation but did not reflect this in the proposed amended wording of the Security Act itself. While this is a welcomed clarification, it remains uncertain whether this interpretation will be accepted by the authorities in practice as it is not specified in the final proposal of the amendments to the Security Act. In the same vein, it is unclear at what time the statutory deadlines for review will be triggered where a seller or target submits a notification that does not satisfy the information requirements for a notification (e.g. the ownership structure of the acquirer etc.) and whether the authority will issue RFIs to the acquirer to complete the filing or demand separate notifications.

Introducing a standstill obligation and prohibition against sharing certain information

Pursuant to the initial proposal from the Ministry, a notification would have been required in advance of completion of the acquisition, including in advance of exchange of non-public information. The proposal was primarily based on the risk that sensitive information is transferred to potential buyers that may pose a threat to national security, and went further than protect information that is subject to confidentiality restrictions under the Security Act.

The proposed standstill obligation was heavily criticized in the consultation process, and subsequently amended in The Ministry's final proposition to take account of the procedures of regular bilateral and structured transaction processes. In the final proposal, the standstill obligation is a straightforward prohibition against completion of a notifiable transaction prior to receiving clearance. As the wording corresponds to the standstill obligation for mergers that are notified under the Competition Act, it can be expected that it will be interpreted in a similar manner. There are however no indications in the proposal on what to consider as completion in the context of the Security Act, resulting in some unclarity on the scope of the standstill obligation.

To prevent the transaction process itself from leading to a threat to national security, a separate provision with a prohibition against sharing information that can be used for security-threatening activities has been proposed. Such information may nevertheless be shared subject to consent from the relevant authority, and the Ministry has taken the view that such information sharing could under the circumstances take place subject to a clean team arrangement with the acquirers advisors based on which material findings may be reported to the prospective acquirer. While this is an important adjustment of the initial proposal, it remains unclear how far the prohibition will reach in practice. but the Ministry has noted that information that could be used for security-threatening activities may include:

• Assets and vulnerabilities to assets that the business or the business' customer's manage;
• Lists of customers, suppliers and employees;
• (Protection-worthy) objects, information systems and infrastructure as well as the protective measures for these; and
• Technical descriptions, production methods and development, technology and operation.

We expect to get further clarity on the scope of the prohibition based on informal consultations with the relevant authorities, but note that important factors in the assessment of consent to sharing potentially security-threatening information is the potential for harm from the information and potential acquirers' ties to other states, such as ties to states with which Norway does not have a security cooperation. This must however be balanced against the necessity of the information in the context of the transaction process.

Sanctions

To ensure a prior review of potentially harmful transactions, the Ministry has been proposed to introduce administrative fines for failure to notify. Non-compliance with decisions adopted pursuant to Section 2-5 or 10-3 of the Security Act (i.e. interventions against security-threating activities and transactions) may result in criminal liability, including fines and imprisonment. On the other hand, the proposal infringements of the standstill obligation and prohibition against sharing of security-threatening information is not made subject to sanctions.

Implications for transaction processes

If adopted, the amendments to the Security Act are expected to make the rules on ownership control relevant in many more transactions than under the current regime. The Ministry has to a large extent taken the multiple comments received form stakeholders during the public consultation into account and made adjustments to facilitate for the structure of transaction processes. Transactions in companies covered by the rules on ownership control in the Security Act will nevertheless be impacted by stricter regulations, in particular with regard to information sharing and the review process may have an impact on the overall transaction timeline. Acquirers and investors are therefore advised to plan ahead also for acquisitions of smaller ownership stakes in businesses exposed to national security concerns.