Emerging tech M&A and the due diligence process

How is the due diligence process different in an emerging tech deal?

Investment in any emerging technology, such as artificial intelligence, robotics, blockchain or quantum computing, comes with common challenges:

• The target business may lack a well-established operational or commercial track record on which to base projected revenue and growth;
• Even if there is a high degree of confidence in the technology itself (which may or may not be the case), the market can be very uncertain: it may only take one change in regulation, or one tariff increase, or one competing new platform, to materially alter growth trajectories; and
• Rapid pace of change means that the business case for the transaction and valuation markers may change even during the course of the deal process.

The purpose of the due diligence process is to test the investor’s expectations of the business whilst identifying risks. In an emerging technology deal, this means testing expectations and identifying risks relating to the technology itself. Careful evaluation of the technology from both a legal and technical perspective should enable the investor (1) to confirm that they are acquiring real value, and (2) to identify potential issues with the technology and/or business, such as limitations on scaleability, exposure to regulatory penalties, remediation costs or legal claims due to the use of third party software or data. There is often an overlap between technical and legal issues, and it is common for a technical review to take place alongside the legal due diligence.

Due diligence will usually play a limited role in valuation of an emerging technology business (which is usually driven by commercial judgment and the need to outbid other investors) but will inform a go/no-go decision and identify mitigating action needed to address issues if the investor decides to proceed.

Emerging technology transactions are often fast-paced, requiring due diligence to be completed within compressed timelines. This can be challenging: the subject matter is typically more complex, involving unfamiliar technical concepts and terminology, and the risk profile is often higher than in traditional M&A. To avoid delays and maintain momentum, it is essential to have advisers and decision-makers on hand who can act quickly, probe the right issues, and make informed, timely decisions.

Framing the due diligence: Clear objectives and realistic expectations

Different investors will have different perspectives which will shape the objectives of, and approach to, the due diligence process. Financial sponsors looking to operate the business on a self-standing basis will need to focus on operational aspects of the business and consider obstacles to successfully selling products in target markets. In contrast, investors looking to integrate the technology into their own businesses or combine it with other prospective acquisitions, will need to focus on constraints – both technological and rights based – on interoperability and integration. In this scenario, the business case for an acquisition as opposed to using the technology under a licence will need to be clear.

While an investor should fully understand the risks associated with the technology before entering into the transaction, it is equally important to have realistic expectations. The technology may have been developed without a clear path to a defined product or practical application, or an initial use case may have evolved significantly over time. Early‑stage businesses commonly lack the governance structures and supporting documentation typically expected of more mature organisations. The investor should adjust their expectations accordingly and focus on (1) whether issues with the technology are capable of remediation (and at what cost), and (2) whether, more generally, the acquisition aligns with the investor’s strategic objectives.

Key areas of evaluation

Emerging technology deals often require a departure from a standard due diligence questionnaire, based on the nature of the technology and what the investor plans to do with it. However, a methodical approach to due diligence should still be taken to ensure key areas of risk are covered. From a legal perspective, key areas to focus on include:

Intellectual property ownership and use

Investors and their lawyers may need to assess ownership and intellectual property risks more forensically than in other types of deals. When faced with a ‘black box’ AI system, for example, the question of who owns the system is often not straightforward. There may be different components to consider including algorithms, prompt architecture, training data, outputs, as well as software and interfaces (some of which will be protected by intellectual property, and some not).

Note that there is a distinction between what is protected, and what is valuable, and the two do not always overlap. Components of the technology that are considered the most valuable to the business may not necessarily be protected by intellectual property. For example, copyright will subsist in the source code and documentation of a software application, but the concept or idea behind a software application is normally unprotected. An investor therefore needs to consider how easily a competitor could create a similar (potentially better) product, and whether there are other assets (e.g. brand, data and customers) that make the technology valuable.

The investor will also need to consider whether there are third parties that may stake a claim in the technology because of the way in which it has been developed. This is where documentation (or the lack of it) can be problematic, since most jurisdictions will recognise individual creators or developers as the owner of intellectual property rights unless they have been expressly assigned. Any indication of potential future disputes will likely be a red flag for an investor.

Use of third party software will also need to be scrutinised to ensure that third party intellectual property rights are not being infringed. This includes an assessment of how open source software is used by the target business. The use of open source software is not, of itself, a red flag (the vast majority of developers use open source components in software development) but appropriate governance is required to ensure licence terms are complied with. Open source software licenced on copyleft terms (meaning that modified versions of the software must be distributed under the same license terms) presents a risk as it can have a ‘viral’ effect on proprietary source code, significantly undermining its value.

Data governance and usage

Emerging technology businesses are usually data rich; in fact, data may be the most significant asset of the business. The sources, collection methods, storage and processing of data should be carefully scrutinised.

Common issues include licence restrictions in third party datasets which may have been overlooked by the target business, or the use of publicly available data sources without relevant permissions (it is a common misconception that publicly available data is always free to use, which is not the case). It is a major issue for the target business if algorithms have been developed using third party data unlawfully (this may have been an innocent mistake) as it can be a challenging problem to rectify.

Identifying relevant data sources is also important to ascertain the quality of the data, since the use of unreliable data sources will clearly impact reliability of the product itself. Data quality issues can also lead to serious ethical concerns such as discrimination and unfair decision-making about individuals. There is a growing wave of class actions based on claims that AI systems have resulted in discriminatory outcomes particularly in areas such as employment, housing and benefits.

Regulation

A regulatory review should be undertaken as part of the due diligence process, taking account of relevant regulations including:

• Generally applicable frameworks such as data protection, cybersecurity, consumer protection and advertising regulations;
• Product / technology specific frameworks such as AI regulations, machinery regulations, platform regulations, product safety rules as well as export controls and sanctions; and
• Sector‑specific frameworks such as rules applicable to medical devices, financial services, telecoms and the automotive industry.

It is not always realistic to expect that an emerging technology business will be fully compliant with every regulation. It is more common than not to find at least some gaps in the data protection policies of a start-up business. However, the due diligence process should reveal any fundamental issues (for example, there are blanket prohibitions under the EU Artificial Intelligence Act for certain applications of AI) and also indicate how extensive remediation efforts will be to address less serious gaps.

It is not uncommon to find that a target business has addressed requirements under regulations applicable to its own business, without fully assessing relevant regulatory requirements applicable to its customers or end users. Understanding the wider regulatory landscape in relation to the technology and its application is critical as regulation can present an obstacle to distributing the technology in relevant markets.

If diligence reveals major gaps in compliance efforts in multiple areas, this can be a red flag for an investor and undermine their confidence in the business more generally.

Customers

In a traditional acquisition, the target business is likely to have revenue forecasts based on an established customer base. This is often not the case in an emerging technology deal, and the investor may have just a few, if any, customers on which to assess viability of the product and revenue potential.

Irrespective of revenue, diligencing customer relationships is important to identify problems that could become more prevalent as the business scales. Contractual terms should be reviewed to ensure that the target business has not granted rights or concessions that could impede growth, such as exclusivity undertakings. Ensure that obligations to customers are not unduly restrictive or onerous (e.g. preventing the target business from operating in certain markets, disposing of assets, or exposing the target business to unlimited liability) and check that the customer has not been granted access to the ‘crown jewels’ of the business.

Suppliers

Emerging technology businesses often have complex supply chains and may be reliant on multiple different software and hardware components to provide their product. It is common to find that suppliers (particularly in the case of off-the-shelf products) have been engaged on standard terms which include wide termination rights. Whilst this risk cannot always be fully mitigated, the target business should be in a position to explain what would happen if a key supplier were to terminate or enter insolvency.

People

Whatever the technology being acquired, it exists because of the people who design, build, and maintain it. An investor should identify the individuals within the target who truly understand the technology—how it works, how it is maintained, and where it can go next – then assess key-person risks:

• What would happen if key individuals were to leave?
• Does the investor already have, or can they recruit, people with the right expertise to operate and continue to develop the product?
• Are knowledge and processes sufficiently well-documented?

If the operation and development of the technology depend too heavily on a small number of key individuals, scalability and value creation may be constrained. Proactively addressing this risk through retention strategies, documentation and knowledge transfer can protect the investment and ensure the technology creates value for the investor in the long term.

From due diligence to concluding the deal

Emerging tech M&A demands tailored diligence that looks beyond traditional financials to the real engines of value: IP, data, regulatory environment, resilient supply chains, and the people who build and maintain the technology. There is a limit to how much comfort an investor should expect to attain from the due diligence process, and the objective is not to eliminate all risk but to understand where the risks lie and how gaps can be addressed.

Some issue uncovered in the die diligence process can be addressed by protections in the purchase agreement, such as tailored warranties and indemnities, price adjustments, and earn-outs, but the investor will need to weigh up the benefits of demanding contractual protections in the context of the deal as a whole – including how competitive the process is. Investing in emerging technology requires a recalibrated approach to take on more risk, provided that the acquisition aligns with the investor’s strategic goals.

Authored by Louise Crawford, Peter Watts, Alice Wallace-Wright, and Caitlin Weeks.