Research Security · Analysis

Jurisdictional Triggers for Research Security Compliance

Across seven national frameworks, the obligation usually attaches to the funding source, not the researcher. The variations are where institutions get caught.

Published January 2026

The funding-based model dominates most frameworks

Six of seven frameworks studied primarily trigger compliance obligations through funding source rather than researcher nationality or institutional location. This creates a relatively clean jurisdictional model:

obligations attach to the money, not the person. A German researcher on an NIH grant follows US rules for that project; an American researcher on a DFG grant follows German rules.

The primary exceptions emerge through export controls (which apply territorially based on technology transfer) and the UK's National Security and Investment Act (which triggers based on acquisition of control over UK-connected assets, regardless of funding). These mechanisms can capture researchers who receive no funding from a jurisdiction but whose work involves controlled technologies or generates valuable intellectual property.

Framework

Primary Trigger

Secondary Triggers

Extraterritorial Reach

EU Horizon

Europe Art. 20

EU funding

Participation as beneficiary

None, institutional, not personal

Canada STRAC

Tri-Council/CFI funding

+ sensitive area

Named Research Organization affiliation

None

US NSPM-33

US federal R&D funding

Subaward flow-down

Through subawards to foreign entities

UK (multiple)

Varies by framework

NSI Act: control acquisition; ATAS: nationality + subject

NSI Act has significant extraterritorial reach

Australia (ARC/UFIT)

ARC funding; institutional coverage

Foreign Arrangements Scheme: institutional arrangements

Limited

Japan

KAKENHI funding; critical technology

Export controls

Limited (FEFTA Article 5)

Germany

DFG/BMBF funding

Export controls

None

EU Horizon Europe Article 20: funding triggers institutional obligations

Article 20 of the Horizon Europe Regulation establishes security requirements that apply exclusively to EU- funded research actions. The obligation is institutional, beneficiary organizations (the legal entities signing Grant Agreements) bear responsibility for ensuring compliance, with individual researchers bound through their employment relationships rather than personal certification requirements.

Non-EU participation does not change the trigger. Associated countries (including the UK, Switzerland,

Canada for Pillar II, and New Zealand) participate on equivalent terms to EU member states. Non-associated third country entities participating as beneficiaries or associated partners must comply with security provisions, but their involvement flows from the funding agreement, not their location. The Model Grant Agreement

requires beneficiaries to ensure affiliated entities, associated partners, and subcontractors all follow confidentiality and security rules.

Critically, Article 20 has no extraterritorial application. EU citizens working on non-EU-funded projects have no Article 20 obligations. The Council Recommendation on Research Security (May 2024) provides

broader guidance to member states but is non-binding. Restrictions on participation for security reasons under Article 22(5) may limit certain calls to EU-only participation or exclude entities controlled by ineligible third countries, but these operate at the project call level rather than as ongoing personal obligations.

Canada STRAC: a narrow but strict funding-plus-subject-matter trigger

Canada's STRAC policy, effective May 2024, has the most precisely defined jurisdictional scope among the frameworks studied. It applies only when three conditions are simultaneously met: (1) funding from Tri- Council agencies (CIHR, NSERC, SSHRC) or CFI; (2) research advancing one of 11 Sensitive Technology

Research Areas; and (3) a researcher with Named Research Organization affiliations. If any element is missing, STRAC does not apply.

Foreign-funded projects are explicitly outside STRAC's scope. A Canadian researcher participating solely in Horizon Europe or NIH projects has no STRAC attestation requirements for that research. However, if that researcher subsequently applies for Canadian federal funding in a sensitive area, their foreign affiliations

become relevant to that Canadian application. The policy makes clear that "while the new STRAC Policy only applies at present to federal grant applications from universities and affiliated research institutions submitted to the federal granting agencies."

Foreign researchers on Canadian grants face full STRAC requirements. Nationality is irrelevant, what matters is whether the researcher holds a named role on a covered grant application. Principal investigators bear responsibility for ensuring all team members with named roles provide attestations, though they need not verify affiliations of every member in large international consortia.

STRAC has no extraterritorial application whatsoever. Canadian citizens working abroad on non-Canadian- funded research have no STRAC obligations. Ontario has implemented parallel provincial requirements (MEGR) for Ontario Research Fund programs with somewhat different scope, illustrating the Canadian pattern of federal-provincial fragmentation in research security.

US NSPM-33: funding-triggered but with significant flow-down effects

NSPM-33 triggers through receipt of or application for US federal R&D funding, making it fundamentally funding-based. The framework applies to "covered individuals" (those contributing substantively to federally funded research, including PIs, senior/key personnel, and program officers) regardless of their nationality or where they are located.

The critical distinction from other frameworks lies in subaward flow-down provisions. When a US prime recipient issues subawards to foreign institutions, NSPM-33 disclosure requirements extend to senior/key personnel at those foreign institutions. NIH now requires foreign subrecipients to provide access to lab notebooks, data, and documentation supporting research outcomes. As of 2025, NIH prohibits foreign

subawards nested under parent grants, requiring foreign collaborators to receive independent but linked awards for transparency.

US citizenship abroad creates no direct NSPM-33 obligations unless the individual receives US federal funding. A US citizen at a German university with only DFG funding has no NSPM-33 duties. However, US citizens participating in "malign foreign talent recruitment programs" may be disqualified from current and

future federal funding under CHIPS and Science Act provisions, creating an indirect mechanism that reaches US citizens regardless of their funding source.

Agency-specific implementation varies significantly. NSF mandates research security training certification and annual malign foreign talent recruitment program certification. NIH requires detailed "Other

Support" disclosure and prior approval for any "foreign component" (significant scientific element performed outside the US). DOE prohibits personnel participation in foreign government talent recruitment programs. NASA maintains longstanding prohibitions on bilateral collaboration with China at both prime and subrecipient levels.

UK frameworks create a complex multi-layered system

The UK operates four distinct frameworks with different triggers, creating compliance complexity for international collaborators:

UKRI Trusted Research and Innovation (TR&I) triggers through UK public research funding.

The obligation is institutional, UKRI-funded organizations must cascade due diligence to all individuals on funded projects, including foreign collaborators.

Cross-border implications extend through expectations that all international partnerships undergo risk assessment, but TR&I has no direct extraterritorial application beyond export control provisions.

The National Security and Investment Act (2021) has the broadest extraterritorial reach among

frameworks studied. It triggers based on acquisition of control over UK-connected entities or assets, regardless of funding source or researcher nationality. For research, this captures: licensing agreements (including non-exclusive licenses), collaboration agreements where parties gain control over qualifying assets, sponsored research positions, funding agreements giving funders control over resulting IP, and university spin- outs. The government can issue final orders extending to conduct outside the UK for UK nationals, UK residents, UK-incorporated bodies, or persons carrying on business in the UK. Crucially, government-funded research is not automatically exempt.

ATAS (Academic Technology Approval Scheme) uniquely triggers on nationality combined with subject matter and UK territorial presence. Foreign nationals from non-exempt countries (a list excluding most Western allies) seeking to study or research sensitive subjects at UK institutions must obtain individual ATAS certificates. The obligation follows the individual, not the institution or funding. ATAS has no extraterritorial application, it applies only to activities conducted within the UK.

FIRS (Foreign Influence Registration Scheme), operational since July 2025, triggers through arrangements with foreign powers for activities in the UK. The Political Influence Tier covers

arrangements with any foreign power for political influence activities. The Enhanced Tier (currently covering Iran and Russia) applies more broadly to "relevant activities" including research. Registration depends on direction from foreign powers, not researcher nationality. Generic collaboration without direction does not trigger registration, nor does unrestricted funding without conditions on use.

Australia combines funding-based and institutional approaches

Australia's three-framework system creates different obligations depending on the compliance mechanism:

ARC requirements trigger exclusively through ARC funding. All researchers named on National Competitive Grants Program applications, regardless of nationality, must disclose foreign affiliations in Research Management System profiles. Disclosure requirements include foreign financial support, talent program participation, associations with foreign governments or military, and employment/education history.

Foreign researchers at Australian institutions receive equal treatment: same eligibility, same

obligations.

The Foreign Arrangements Scheme operates on an institutional trigger separate from funding. It applies to written arrangements between Australian public universities and foreign government entities or foreign

universities lacking institutional autonomy. Most university-to-university partnerships do not require notification because most foreign universities have comparable institutional autonomy to Australian universities. The scheme does not apply to arrangements with international organizations (EU Commission, UN) or purely commercial corporate arrangements.

UFIT Guidelines apply universally to all Australian universities regardless of funding source, making them the broadest Australian framework. However, they are guidelines rather than legally binding regulations, implemented through institutional policies. Universities conduct due diligence on all staff and research students at risk of foreign interference, requiring annual Foreign Engagements Declarations.

The practical effect is that foreign funding sources must be disclosed even for non-ARC research.

None of these frameworks has explicit extraterritorial application to Australian citizens abroad, though researchers maintaining ARC grants while overseas remain subject to grant conditions.

Japan emphasizes institutional autonomy over regulatory mandates

Japan's approach differs fundamentally from Western allies by emphasizing institutional self-governance over binding disclosure requirements. The framework is built on funding-based triggers with minimal nationality- based restrictions.

KAKENHI requirements apply to all researchers at eligible Japanese institutions applying for JSPS/MEXT competitive funding, foreign and Japanese researchers are treated identically. Since FY2021, applicants must

declare all research funding (domestic and foreign), all concurrent positions (including foreign recruitment programs and honorary professorships), and effort allocation. However, participation in foreign-funded projects is not prohibited, it merely requires disclosure when applying for Japanese funding.

The Economic Security Promotion Act (2022) operates on technology-based triggers rather than funding source. Its secret patent system applies to inventions created in Japan in specified technological areas,

regardless of researcher nationality or funding. Designated critical technologies may involve Public-Private Cooperation Councils with associated obligations. The ESPA does not create blanket foreign collaboration restrictions but does require security considerations for designated technologies.

Export controls under FEFTA (Foreign Exchange and Foreign Trade Act) have the broadest application, triggering on technology transfer to non-residents or abroad regardless of funding. The "deemed export" concept treats technology transfer to non-residents within Japan as exports requiring potential licensing. FEFTA

Article 5 provides limited extraterritorial application to corporations with principal offices in Japan and persons with domicile in Japan.

Germany prioritizes academic freedom over security mandates

Germany maintains the least restrictive framework among the seven jurisdictions, reflecting constitutional protections for academic freedom (Wissenschaftsfreiheit). The approach emphasizes "as open as possible, as closed as necessary" with case-by-case risk assessment rather than categorical prohibitions.

DFG requirements trigger through DFG funding and focus on risk assessment rather than mandatory disclosure. Applicants must address "explanations regarding any possible safety-related aspects" and dual-use research implications, but there are no general "red lines" regarding specific countries, partner institutions, or research topics. Foreign researchers at German institutions can receive DFG funding if institutionally eligible, with the same requirements applying regardless of nationality.

BMBF policy applies to federally-funded research and introduces heightened scrutiny for China cooperation, requiring "evidence-based benefit and risk assessment." However, Germany has no formal

foreign funding disclosure requirements comparable to US FFDR. The focus remains on risk assessment rather than mandatory disclosure forms.

The China Strategy (July 2023) signals intent to withhold federal support for projects with China where "knowledge drain" is likely, but implementation details remain unclear between ministries.

German scientists have sought clearer export control laws for AI and quantum technologies, highlighting gaps between policy aspiration and operational guidance.

HRK Guidelines are voluntary for member universities and emphasize institutional self-governance. They provide guiding questions for China cooperation (military research involvement, data interception risk, IP protection) but leave implementation to individual institutions.

Germany has no extraterritorial research security requirements for German nationals abroad.

This creates asymmetric obligations: a German researcher on an NIH grant must comply with

extensive US disclosure requirements, while an American researcher on a DFG grant faces only risk assessment expectations.

Cross-border scenarios reveal compliance gaps and overlaps

Scenario 1: Researcher from Country A participates in project funded by Country B

In most cases, the researcher must comply with Country B's requirements and has no obligations to Country A unless also receiving Country A funding. A Canadian researcher on a Horizon Europe project follows EU

Article 20 requirements (institutional compliance through their participating organization) with no STRAC obligations. A German researcher on an NIH grant must comply with US disclosure requirements with no German obligations triggered.

The exception is the UK's NSI Act, which can capture transactions regardless of funding source if they involve acquisition of control over UK-connected assets. A US company funding research at a UK university that results in IP transfer may trigger mandatory NSI Act notification even though no UK public funding is involved.

Scenario 2: Foreign researcher at domestic institution on domestic grant

All frameworks apply domestic requirements equally regardless of researcher nationality. A Chinese researcher at a German university receiving DFG funding faces identical requirements to German colleagues. A French researcher at an Australian university on an ARC grant must provide the same foreign affiliation disclosures as Australian researchers. This consistency reflects non-discrimination principles embedded in most frameworks.

Scenario 3: Domestic citizen working abroad on foreign-funded research

Most frameworks have no extraterritorial reach in this scenario. German, Canadian, Australian, and EU

frameworks impose no obligations on their citizens conducting research abroad with foreign funding. The US creates indirect extraterritorial effects through malign foreign talent recruitment program prohibitions that can affect future federal funding eligibility. The UK's NSI Act has the broadest extraterritorial provisions but

focuses on control over UK assets rather than researcher location.

Scenario 4: Multi-country consortium with mixed funding

This creates the most complex compliance landscape. A project funded by both NSF and Horizon Europe with partners in Germany, Canada, and Australia requires simultaneous compliance with US NSPM-33 (for the US- funded portion and any subawards), EU Article 20 (for EU-funded activities), and potentially ARC, DFG, or

STRAC requirements if those partners hold parallel domestic funding. Export controls add another layer, with each jurisdiction's rules applying to technology transfers originating from its territory.

Conclusion: toward a multi-jurisdictional compliance map

Research security compliance has become a jurisdictional patchwork requiring careful mapping of which

frameworks apply to specific activities. The dominant pattern is funding-triggered obligations that follow the money rather than the researcher, with notable exceptions for export controls (territory-based), UK investment screening (asset-based), and ATAS (nationality-based).

For researchers and institutions navigating this landscape, three principles emerge. First, identify all funding sources and trace the compliance requirements attached to each. Second, assess technology sensitivity under export control frameworks regardless of funding source. Third, examine whether any control acquisition might trigger UK NSI Act or equivalent investment screening reviews, particularly for collaborations that

involve IP licensing, spin-out creation, or sponsored research positions.

The asymmetries between frameworks create both gaps and overlaps. German researchers face minimal

domestic requirements but substantial US obligations when collaborating on NIH projects. UK researchers must navigate four distinct frameworks with different triggers. The lack of harmonization means that multi-national

collaborations require jurisdiction-by-jurisdiction compliance analysis rather than reliance on any single framework.

Back to all articles

Facing a decision like this?

Every engagement opens with a free scoping consultation.

Start a conversation