The UK government's decision to block Nvidia's acquisition of ARM underscored that technology sovereignty is a national security issue. For CNI organisations, the implications extend to supply chain assurance and specialist talent.
← Back to Insights
When the UK government blocked Nvidia's £29.4 billion acquisition of ARM, it sent a clear signal: technology sovereignty is a national security issue. ARM designs the chip architectures used in over 60% of the world's mobile devices. Its technology sits inside everything from smartphones to military systems, automotive controllers to industrial sensors. The company employs over 2,000 people in Cambridge, and its intellectual property underpins supply chains that critical national infrastructure depends on daily. That made the acquisition more than a commercial transaction — it became a security decision.
The government's intervention, led by then-Secretary of State Oliver Dowden, wasn't about blocking foreign investment for its own sake. It was about recognising that certain technologies are so deeply embedded in national infrastructure that their ownership and governance have security implications beyond commercial review.
Semiconductors are one of those technologies. As Cambridge MP Daniel Zeichner argued at the time, they underpin critical national infrastructure. Relinquishing control of a company with global architectural dominance carries risks that standard competition reviews cannot fully assess.
The Competition and Markets Authority conducted a phase one investigation examining whether the acquisition would substantially lessen competition. But the deeper concern was strategic: in a world where supply chain disruptions cascade through entire sectors, who controls the foundational technology matters as much as who manufactures the end product.
The ARM case exemplified a broader pattern. Across CNI sectors — energy, telecommunications, defence, transport — organisations depend on technology supply chains that extend far beyond their direct control. A vulnerability in a chip architecture, a compromised firmware update, or dependency on a single foreign supplier can create systemic risk.
This is why UK CNI security has increasingly expanded beyond perimeter defence and incident response to encompass supply chain assurance. The NCSC's Cyber Assessment Framework explicitly addresses supply chain risk. NIS2 regulations are tightening requirements for essential service operators to assess and manage their technology dependencies.
Supply chain security, technology assurance, and vendor risk management aren't traditional cyber security disciplines. They require professionals who understand procurement, geopolitics, hardware engineering, and software integrity — alongside conventional security expertise.
Finding people who operate across these domains is one of the more acute talent challenges facing CNI organisations today. Professionals who can assess whether a technology supplier poses a strategic risk, design assurance frameworks for complex supply chains, or advise boards on sovereignty considerations are in exceptionally high demand and short supply.
The ARM episode wasn't an isolated event. Governments worldwide are reassessing technology dependencies, and the UK is no exception. The National Security and Investment Act 2021 formalised the government's power to scrutinise and intervene in transactions affecting national security across seventeen sensitive sectors.
For CNI organisations, the implications are practical. Technology procurement decisions increasingly require security input. Vendor assessments need to consider geopolitical risk alongside technical capability. Boards need advisors who understand the intersection of technology, security, and national interest.
The lesson from ARM is straightforward: in critical infrastructure, technology choices are security choices. Organisations that recognise this — and build teams capable of navigating it — will be better positioned to protect both their operations and the national infrastructure they serve.
The demand for experienced CISOs in critical national infrastructure far outstrips supply. We examine what's driving the gap, how organisations can compete for scarce talent, and why traditional hiring approaches are failing.
AI spending on network automation will reach $20 billion by 2028. For CNI operators, deploying AI effectively requires professionals who understand both the technology and the operational context of critical infrastructure.
Trusted by security leaders at
"I can't recommend Gyles and the team at Foundations enough. We struggled to find a suitable candidate for 5 months, Foundations found 3 perfect candidates in 24 hours."
Manager of EMEA & APAC Network Engineering, Equinix
