In recent years, the security situation in Europe has been marked by increasing geopolitical tensions, particularly due to Russia’s invasion of Ukraine and more offensive cyber and intelligence activities by state and non-state actors. This has led to the tightening of security legislation in several Western countries, including Norway. As part of this development, in June 2023 the Norwegian Parliament passed an amendment to the Security Act, focusing on ownership control and expanding of the scope of the Security Act.
The Amendment Act of 2023 has laid the foundation for the proposed new Ownership Control Regulation, which the Ministry of Justice and Public Security has now put out for consultation. The purpose of this regulation is to operationalise and clarify how the provisions of Chapter 10 of the Security Act are to be implemented. At the time of this consultation, several of the amendments to the Security Act from 2023 have yet to enter into force.
The consultation paper proposes regulatory provisions that specify:
- what must be included in a notification of acquisition under Section 10-1 of the Security Act,
- what constitutes «significant influence» under Section 10-1 (b) of the Security Act,
- the processing of notifications regarding business acquisitions,
- prohibitions on information sharing,
- consent for information sharing during an acquisition process.
Additionally, the proposal includes provisions setting an upper limit for administrative fines under Section 11-3 of the Security Act.
The proposed regulation is intended to provide Norwegian authorities increased control over investments and acquisitions in businesses that are critical to national security and to prevent critical infrastructure and technology from falling into unwanted hands. In developing the proposal, particular reference was made to Denmark’s regulation of investment screening.
Key aspects of the Ownership Control Regulation – what is new?
Stricter notification requirements for ownership changes
Section 10-1 et seq. of the Amendment Act of 2023 specifies that the acquirer must notify the Ministry if there is a direct or indirect acquisition of an enterprise subject to the Security Act when the acquisition will lead to the acquirer directly or indirectly obtaining a total of at least 10% of the share capital, the share or the votes in the enterprise (a qualified ownership stake). The same applies when:
- Qualifying ownership stakes are increased to 20%, one third, 50%, two thirds or 90% of the share capital, shares or voting rights (Section 10-1 (a)).
- The acquirer obtains significant influence over the management of the business in another way (Section 10-1 (b).
- The acquirer, together with his/her close associates, obtains a qualified ownership stake or position as mentioned in items a) or b) (Section 10-1 (c)).
Acquisitions that fall within these categories may not be carried out until the Ministry has reviewed and possibly approved the transaction. The Ministry has the authority to approve, impose conditions or deny an acquisition if it is considered a risk to national security, pursuant to the proposed regulation Section 6. This will ensure that investments do not pose a risk to national security. It should be noted that the notification requirement also applies to the seller and the company being acquired if it is a direct acquisition, as stipulated in Section 10-1(2) of the Security Act.
The regulation proposes provisions further specifying what constitutes «significant influence» under Section 10-1 (b) of the Security Act through Section 1. The definition of «significant influence» is inspired by Section 17 (3) of the Competition Act, which regulates the concept of «control» over an enterprise. Under this provision, «control» can be established through «rights, agreements or any other means that, individually or together, considering factual or legal circumstances, confer the possibility to exercise decisive influence over an undertaking’s operations, in particular ownership or the right to use all or part of the assets of an undertaking, and rights or agreements which confer decisive influence on the composition, voting or decisions of the organs of an undertaking».
The determination of whether an acquirer attains «significant influence» will therefore depend on a specific overall assessment in which all legal and factual circumstances are taken into account. Influence means real and substantial influence. The Ministry further emphasises that the influence must be linked to an acquisition in order to be notifiable under Section 10-1. However, unlike Section 10-1 (a), there are no clear thresholds triggering notification for this assessment under Section 10-1 (b). The proposal thus introduces a broader assessment of control and influence, ensuring that structures not directly resulting in majority shareholdings, but still impacting business decisions, are also covered by the regulation.
Furthermore, the regulation specify what must be included in a notification of acquisition from the buyer, seller and the enterprise pursuant to Section 10-1 of the Security Act in the draft regulation Section 2. The proposed Section 2 first paragraph letters a) to v) lists various types of information that a notification must contain as a minimum. The notification will only be deemed received once it contains sufficient information to assess whether the acquisition poses a significant risk of threat to national security.
Prohibition on information sharing prior to approved transaction
The new regulation Section 10-4 introduces a prohibition on sharing information that can be used for security threatening activities before an acquisition is approved. However, publicly available information is not covered by the restrictions.
Section 7 of the proposed regulation governs the prohibition on sharing information in connection with acquisitions. Depending on the circumstances, this may include:
- Information and knowledge about the company’s own employees, customers, suppliers and strategic matters that may be of significance to national security interests;
- objects, information systems and infrastructure as well as protective measures for these;
- technology and knowledge;
- technical descriptions, production methods and operations;
- internal security and emergency preparedness; and
- Norwegian and allied military activity.
The restriction applies to information that has a potential for harm related to national security interests below the threshold for classification, or information that has a potential for harm that is more derived and cannot be directly linked to national security interests. An example of the latter, as highlighted by the Ministry in the consultation paper, may be information about technology that can be used in a more indirect way to build the defence capability of another state.
Processing time and sanctions
The Ministry is granted a deadline of 60 days to process notifications of ownership changes, with the possibility of an extension if the case requires further assessment, cf. Section 10-2 of the Security Act. The Norwegian Security Authority (NSM) and relevant sector ministries may be involved in the review process.
It is worth noting that the deadline under Section 10-2, first paragraph, of the Security Act, which requires the recipient to assess the notification “as soon as possible,” and the processing deadline under Section 10-2, third paragraph, regarding the receipt of a notification, do not start running until a complete notification has been received.
Violations of the notification obligation are subject to administrative fines under Security Act Section 11-3. The regulation proposes an upper limit for fines imposed under Section 10-1 notification breaches, which will apply per violation. The proposed maximum fine for state, regional, and municipal authorities is 25 times the base amount (G) (Nw.: “Folketrygdens grunnbeløp (G)”). For other entities, the fine is proposed to be 4% of the company’s total turnover for the last fiscal year or an alternative cap based on the base amount (G). Serious breaches may result in criminal liability.
What does this regulation mean for your business?
The changes to the Security Act that are operationalised through the proposed regulation grant authorities greater influence over strategic businesses, especially in the defence and technology industry. While this can prevent unwanted foreign acquisitions, it may also lead to increased bureaucracy and regulatory obstacles for businesses. The changes to the Security Act from 2023 have already ensured that more businesses will fall under the Security Act compared to previously.
Companies considering mergers, acquisitions or capital increases must include a thorough assessment of the notification obligation in their due diligence process. Consequences of the proposed regulation are that the authorities need more capacity and resources to handle more notifications. Investors and companies should expect longer processing times for ownership changes and greater requirements for documentation in transaction processes. Although a 60-day deadline has been set, the regulation allows for extensions, which can create uncertainty in time-sensitive acquisitions. What information is actually covered by the information sharing prohibition under section 7 of the regulation remains unclear in practice. This ambiguity can create challenges in terms of what business data, such as due diligence materials, can be shared without violating the prohibition.
The regulation closely algins with existing sanctions and export control frameworks, particularly in preventing the transfer of economic and technological resources to actors that may pose a security risk. While export control traditionally focuses on physical goods and technology, this regulation extends these principles to ownership control and strategic investments. Together with existing export control and sanctions regulations, the new framework strengthens national security by ensuring that both material assets and ownership structures remain protected.
Simonsen Vogt Wiig AS has extensive experience with national security law, export control and regulatory requirements for acquisitions and investments. We offer:
- Preliminary assessments of notification requirements and regulatory risks.
- Due diligence and risk assessments for investors and acquisition targets.
- Strategic legal advice for businesses in defense, technology, and critical infrastructure.