In the context of an increasingly complex geopolitical environment, institutions and academics must consider any potential security-related issues and take necessary steps to manage these in order to protect the security of international collaborations.

Trusted Research is a UK government initiative that aims to protect the research and innovation sector from threats such as theft, misuse, and exploitation. Jointly developed by the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC), the UK Government's Trusted Research guidance was created in collaboration with the research and academic community. It aims to help the UK’s world-leading research and innovation sector maximise the benefits of international partnerships while protecting intellectual property, sensitive data, and personal information.

The primary goal of Trusted Research is:

To raise awareness of the risks to research collaborations which may occur when working with organisations or research partners with links to nations whose democratic and ethical values are different from our own.

National Protective Security Authority

NPSA Trusted Research video

Before engaging in international collaborations, institutions and researchers are responsible for assessing any Trusted Research considerations in order to identify and mitigate any security risks that could arise from:

• • Espionage: foreign states or entities seeking to steal data or intellectual property;
  • Misuse: research being repurposed for harmful applications, such as the development of weapons of mass destruction (WMDs), other military or defence uses or tools that could be used for the suppression of civilian populations; or
  • Reputational damage: collaborating unknowingly with organisations linked to unethical or other questionable practices.

Familiarity with the NSPA Trusted Research Guidance for Academia and Trusted Research Countries and Conferences Guidance is essential for researchers engaged in international collaborations. These resources offers practical steps to help to:

• • Identify risks: evaluate potential threats and make informed decisions on how to mitigate them;
  • Collaborate securely: build international partnerships with confidence while maintaining safety and compliance;
  • Protect assets: safeguard intellectual property, sensitive data, and personal information;
  • Prevent exploitation: protect research from theft, misuse, or unethical applications.

By staying vigilant and adopting these practices, researchers can protect their work while fostering responsible international partnerships.

The key components of Trusted Research that researchers should consider are:

1. Protecting Intellectual Property (IP)

• • Identify valuable IP early in the research process and ensure proper safeguards are in place;
  • Use appropriate legal agreements, such as non-disclosure agreements (NDAs) and intellectual property rights (IPR) agreements, when sharing research;
  • Be aware of risks posed by foreign entities seeking to acquire sensitive research.

2. Managing security risks

• • Assess the potential security risks of research projects, particularly in areas like artificial intelligence, biotechnology, and materials science;
  • Mitigate risks of espionage or theft by ensuring your research environments (both physical and digital) are secure.

3. Ensuring ethical international collaborations

• • Ensure appropriate due diligence has been completed on your international collaborators and their affiliations;
  • Avoid partnerships with organisations linked to unethical practices, corruption, or human rights abuses.

4. Safeguarding data

• • Protect personal information of researchers, participants, and collaborators by adhering to data protection regulations like GDPR (General Data Protection Regulation);
  • Secure your research data and communication channels against cyber threats.

5. Compliance with legal and regulatory requirements

• • Understand and comply with regulations such as Export Control legislation, the National Security and Investment Act (NSIA), and other relevant legislation;
  • Use tools and training guidance from bodies like the Export Control Joint Unit (ECJU) and the Higher Education Export Controls Association (HEECA).

The National Security and Investment Act (NSIA) came into force on 4 January 2022. The NSIA gives the UK Government the authority to call in an acquisition for assessment and scrutinise certain dealings in shares and intellectual property (IP) if it reasonably suspects these collaborations give risk to a risk to national security. It is possible to call in and assess acquisitions made since 12 November 2020 and applies to whether the acquisition has been completed or is still in progress. 

Qualifying acquisitions

The NSI Act only applies to qualifying acquisitions. An acquisition qualifies if all of the following apply:

• the acquisition is of a right or interest in, or in relation to, a qualifying entity or asset  (see paragraph below)
• the entity or asset being acquired is from, in, or has a connection to the UK
• the level of control acquired over the qualifying entity or asset meets or passes a certain threshold
  • shareholding or voting rights cross certain percentage thresholds
  • voting rights permit you to pass or block resolutions governing the affairs of the entity
  • you are able to materially influence the policy of the entity (for example by acquiring the right to appoint members of the board which enables you to influence strategic direction)
  • you are able to use a qualifying asset, or direct or control its use, or do so more than prior to the acquisition.

Details on the NSIA thresholds are available: here 

Qualifying entities and assets

In the higher education and research-intensive sectors, a qualifying entity could include a:

• University
• Trust
• University subsidiary
• University spin-out
• Unincorporated association, such as a research consortium
• Research organisation
• Private company or corporation doing contractual work with a higher education institution or research organisation

Qualifying assets include land, tangible, moveable property, and ideas, information or techniques which have industrial, commercial or other economic value (intellectual property), so this could be:

• Designs
• Plans, drawings and specifications
• Software
• Patents
• Trade secrets
• Databases
• Source code
• Algorithms
• Formulae
• Land
• Laboratory equipment

So if, for example, a third party sponsors research or a research position and acquires rights over intellectual property in or close to one of the 17 sensitive areas likely to give rise to national security risks (see below), this is a qualifying acquisition under the NSI Act and may be called in by the government.

The government has provided general guidance and guidance for academia which includes case studies.

Notifications

Subject to certain criteria, you are legally required to tell the government about acquisitions of certain entities in 17 sensitive areas of the economy (called 'notifiable acquisitions'). If you are entering into activity in any of these areas, it could put you in scope of the NSIA and you may be legally required to tell the government about it (know as a 'mandatory notification'). 

Notifications can take three forms:

• • Mandatory notifications
  • Voluntary notifications
  • Retrospective validations

Following the notification, an initial review period of 30 working days, followed by an assessment period of 45 working days will apply before the results are announced. The outcome will be one of the following: 

• • Acquisition permitted to go ahead;
  • Full national security assessment required;
  • Request for further information; or
  • In-person 'attendance notice' meeting being requested.

Researchers, with the support of their Schools, are advised to read the UK Government NSIA guidance and contact Research and Innovation in order to determine whether their collaboration will fall within this legislation and may need to be put forward for assessment. 

The Academic Technology Approval Scheme (ATAS) is a UK government security clearance system for international students and researchers. It applies to those from certain nationalities who are coming to the UK to study or work in sensitive subjects related to advanced technology, particularly those that could have military applications.

Who needs ATAS clearance?

You will need an ATAS certificate if:

• • You are a non-UK, non-exempt nationality student applying for a postgraduate research course (e.g. Master’s, PhD, or research-based study) in certain sensitive subject areas.
  • You are a researcher applying for a skilled worker visa in relevant fields.

Exemptions apply to certain nationalities, including those from the EU, EEA, USA, Canada, Australia, New Zealand, Japan, and others.

ATAS approval must be acquired before applying for a UK work or study visa.

Which subjects require ATAS?

ATAS applies to courses and research areas related to science, technology, engineering, and mathematics (STEM) that could have dual civilian and military use. These include:

• • Engineering (e.g. aerospace, nuclear, robotics)
  • Physics (e.g. quantum technologies, nuclear physics)
  • Mathematics & Computing (e.g. cryptography, cybersecurity)
  • Materials Science
  • Biotechnology & Chemical Sciences

The UK government provides a list of Common Aggregation Hierarchy (CAH3) codes to determine whether your course needs ATAS.

When you don't need an ATAS certificate

If you’re studying for a postgraduate diploma or PGCE, you do not need an ATAS certificate.

You do not need to apply for an ATAS certificate if:

• • you have Indefinite Leave to Remain (ILR) in the UK
  • you are exempt from UK Immigration Control

Visit the UK government guidance for the full list of ATAS exemptions and instructions on how to apply - Academic Technology Approval Scheme (ATAS) - GOV.UK

UK Export Control legislation regulates the transfer of sensitive goods, technology, and knowledge outside the UK to protect national security, international stability, and prevent misuse (e.g. in military or weapons development or Weapons of Mass Destruction (WMD) programmes). The legislation applies to physical goods, intangible technology, and knowledge transfer, including when researchers collaborate internationally.

Academic activities that may fall in scope of UK Export Control legislation include: 

• • Formal and informal academic interactions
  • Overseas visits
  • International conferences
  • Data sharing
  • Exchange of research materials, information, and equipment
  • Hosting of short and long-term visitors
  • Supervision of international studentships

The UK Government has provided guidance on how the UK strategic export controls apply to academics, university researchers and their institutions, and when an export licence is needed.

1. What is covered under UK Export Control legislation?

UK export controls apply to:

A. Military and dual-use goods & technology

• • Military items – weapons, ammunition, military vehicles, or technology designed for defence use.
  • Dual-use items – civilian-use goods that could also be used for military applications (e.g., cybersecurity, encryption, artificial intelligence, aerospace, drone technology, and advanced materials).
  • Software & data – exporting encrypted software, advanced AI models, or nuclear-related data may require approval.

B. University research & technology transfers

• • Researchers must comply with Export Control legislation if their work involves sensitive STEM subjects (e.g., advanced physics, cryptography, aerospace, quantum computing, synthetic biology).
  • Sending research data, technical designs, or knowledge to restricted destinations may require an export licence.
  • Even sharing controlled technology via email, cloud storage, or presentations at overseas conferences is subject to controls (this is called an "intangible transfer").
  • Sharing controlled research as part of the publication process (such as with a reviewer overseas or peer review before publication) may require an export licence.

C. Countries of concern & sanctions

• • Exports to sanctioned countries (e.g., Russia, Iran, North Korea) face strict controls.
  • Collaboration with institutions linked to foreign militaries or governments may be restricted.

2. Key regulations & licensing

A. Export Control Act 2002 & UK Strategic Export Control Lists

• • The UK government classifies controlled goods and technology in the Consolidated Strategic Export Control List.
  • Researchers should check if their work falls under these restrictions.

B. Export licences

If your research or technology is controlled, you may need an export licence from the UK’s Export Control Joint Unit (ECJU). Common licence types include:

• • Standard Individual Export Licence (SIEL) – specific to a single recipient and project.
  • Open General Export Licence (OGEL) – covers certain low-risk items for multiple exports.
  • Open Individual Export Licence (OIEL) – long-term, flexible licence for frequent exports of specific controlled goods.

3. Consequences of violating Export Control legislation

• • Criminal penalties – breaching export control laws can lead to fines or imprisonment (up to 10 years)
  • Reputational damage – reputational damage to individuals and the organisation.
  • Project & funding risks – non-compliance could result in loss of research grants, visa denials, or institutional bans.

Exemptions for some areas of academic research

Whilst an export control licence is not usually required under the circumstances listed below - the legislation is complex and there are some scenarios where an export control licence may still be necessary; if you consider your work falls under an exemption you should contact R&I or trustedresearch@abdn.ac.uk to confirm this assessment.

1. The technology is already in the public domain

Technology or software that is freely available without restrictions on its further dissemination is considered to be in the public domain.

For most undergraduate-level courses, export controls are not a concern. The vast majority of information and technical data used in teaching is already publicly available, meaning this exemption would typically apply.

Research is not considered to be in the public domain until it is published and publicly accessible. If controlled research is sent overseas for peer review or publication, it is not yet in the public domain and will require an export licence. Once the research is formally published, the licence requirement lapses, as it is now considered public domain.

2. Basic scientific research

Export controls do not usually apply to research in the pursuit of basic scientific knowledge.

This is experimental or theoretical work. It is undertaken to solely obtain new knowledge of the fundamental principles of phenomena or observable facts. It is not directed towards a specific practical aim or goal.

However, this exemption applies only to controlled dual-use technologies. It does not apply if:

• • There are concerns about end-use, end-user, or destination country risks.
  • The research involves military-listed technology, which is inherently directed towards a specific application.
  • The destination country is subject to UK sanctions or embargoes.

3. Patent applications 

For non-nuclear, dual-use technology, export controls do not apply to the minimum technical information required to support a patent application.

The UK Government has powers to require an export licence for items even if they are not on the UK Strategic Export Control List. These are generally referred to as ‘end-use’ or ‘catch-all’ controls.

Key factors to consider

1. End-use controls

Export controls are not solely based on whether the technology appears on the UK Strategic Export Control List. The end-use of the technology is a critical factor. Under end-use controls, a licence may be required if:

• • The technology could be used in the development, production, or use of weapons of mass destruction (WMDs).
  • The technology may have military applications, even if it is not explicitly listed as controlled.
  • You have been informed or suspect that the recipient institution may use the technology for military purposes.

2. Catch-all controls

Even for non-listed items, the UK imposes "catch-all" controls that require a licence in the following scenarios:

• • The export is intended for a military end-use in a country subject to an arms embargo or other restrictions.
  • There is a risk the technology could be repurposed for military or security use contrary to UK interests.

3. Military links of the partner institution

• • If the partner institution is known to have military affiliations, an assessment must be made on whether the technology could indirectly support military activities.
  • Institutions with military connections in certain countries (e.g., those subject to sanctions or arms embargoes) are likely to trigger additional scrutiny and potential licensing requirements.

U.S. export controls have extraterritorial reach, meaning they can apply to activities outside of the United States.

Important implications to consider:

• • Items made in the US remain subject to US export laws, even if they are exported to a foreign country.
  • If an organisation outside of the US re-exports a product of US origin, it may still need US government approval.
  • If a product made outside of the US contains more than a minimum amount (usually 25%, or 10% for certain restricted countries) of US components, it may be subject to US export laws.
  • US citizens must comply with US export laws, even when operating outside the US.
  • The US restricts dealings with certain entities or countries (e.g., China, Russia, Iran) and can impose penalties on non-US organisations that engage in prohibited transactions with sanctioned entities.

If you think your planned activity may be in scope of US export controls, please get in touch via trustedresearch@abdn.ac.uk.

A TRL (Technology Readiness Level) is a tool to allow estimation of what stage of development a particular technology
is at. The TRL scale consists of nine subdivisions. The higher the TRL, the more developed the technology
already is.

The nine possible TRLs are:

• • TRL 1 – Basic principles observed
  • TRL 2 – Technology concept formulated
  • TRL 3 – Experimental proof of concept
  • TRL 4 – Technology validated in lab
  • TRL 5 – Technology validated in relevant environment (industrially relevant environment in the case of key enabling
    technologies)
  • TRL 6 – Technology demonstrated in relevant environment (industrially relevant environment in the case of key enabling
    technologies)
  • TRL 7 – System prototype demonstration in operational environment
  • TRL 8 – System complete and qualified
  • TRL 9 – Actual system proven in operational environment (competitive manufacturing in the case of key enabling
    technologies)

If research concerns technology with a low TRL of 1 or 2, it is more likely to fall within the area of ‘basic scientific research’. To qualify for this exemption any technology generated by the research must be solely to add to the sum of human knowledge, not be aimed at a specific (short-term) practical aim, and not address a specific technical problem. Whilst an export control licence is not usually required under these circumstances - the legislation is complex and there are some scenarios where an export control licence may still be necessary; if you consider your work falls under an exemption you should contact R&I or trustedresearch@abdn.ac.uk to confirm this assessment. 

Research on technology with a TRL of 3 or 4 must be evaluated on a case by case basis.

Technology with a TRL higher than 4 would never be considered basic scientific research.