Yet another UK Competition and Markets Authority (CMA) merger referral for in-depth investigation, this time in the healthcare sector confirming the CMA’s willingness “to ensure that the NHS does not pay significantly more than it should” for products/services.[1]   The merging parties, Imprivata and Isosec, provide similar Identity and Access Management (IAM) solutions that allow staff of healthcare customers (incl. NHS entities) to access sensitive patient data – in particular, that gives them access to NHS Spine (the IT infrastructure for health and social care in England).

The CMA’s referral decision relies on classic grounds (eg reduction in customer choice, closeness of competition between the merging parties, etc.), but it is of interest for healthcare tech companies on three important aspects:

  • Lower jurisdiction threshold for healthcare tech deals: the UK introduced in 2018 a lower (£1 million) turnover threshold for transactions raising national security concerns. This specific regime applies to firms that develop or produce items for military use, computer hardware, quantum technology but also since June 2020 to firms active in the artificial intelligence, cryptographic authentication or advanced materials[2] sectors and it would seem that the lower threshold applies to this deal as the Parties provide cryptographic authentication services;
  • Risk of BEIS concurrent review for healthcare tech deals: the CMA brought the deal to the attention of the Secretary of State for Business, Energy and Industrial Strategy (BEIS) under section 57(1) of the Enterprise Act 2002 (EA02), as it considered that the transaction may raise “public interest considerations” under section 58 EA02. Under the revised section 58 EA02, the “need to maintain in the United Kingdom the capability to mitigate the effects of, public health emergencies” is considered a public interest since 23 June 2020.[3] Once the National Security and Investments Act, which was enacted on 29 April 2021, come into force (expected by Autumn 2021), this will constitute a much more rigorous FDI control tool, potentially subjecting deals such as this one to a new, additional mandatory pre-completion notification and clearance FDI regime enforced by the new Investment Security Unit at the BEIS Department.
  • No de minimis exception for start-up deals: even where the CMA does decide, at Phase 1, that a merger may give rise to a Substantial Lessening of Competition (SLC) warranting a referral for an in-depth (Phase 2) review, the CMA has a discretion to nevertheless clear the deal (the so-called de minimis discretion) where the UK market size in question is under £15 million. Here, the CMA considered the market size for IAM solutions for access to NHS Spine to be sufficiently small for the de minimis exception, however, it decided not to exercise the de minimis discretion as projections show that the size of the market is likely to increase substantially in the next few years.

The merging parties now have a 5 working day window to offer to the CMA sufficient Phase 1 remedies (so-called “undertakings in lieu of a reference” or UILs), to secure Phase 1 clearance, failing which, this transaction will be referred to Phase 2.

Healthcare Tech companies or potential investors in them, considering M&A deals, should be therefore well advised to consult with antitrust/competition/FDI lawyers to factor in the risk of CMA and BEIS investigations in their timeline. Although the UK merger control regime is “voluntary” (in that buyers are not legally required to seek CMA pre-clearance – although may be obliged to seek BEIS clearance once the NSIA comes into force), this case illustrates the risks of doing so, even for small deals (here the parties wisely sought CMA pre-clearance).

This case also illustrates that the tech and healthcare sectors will continue to be priority sectors for the CMA/BEIS and the CMA’S increasingly hard line in seeking to identify so-called “killer acquisitions” of start-ups in dynamic and fast-paced markets, as recently flagged by the CMA in its joint statement (with the Australian and German competition authorities) on the need for more assertive merger control enforcement.[4]


[2] Section 23A EA02.


[4] Available at: