Technology-focused deals are driving many of the largest global M&A and strategic transactions—whether digital infrastructure, artificial intelligence (AI), digital services or gaming. The successful execution of these transactions, and the ultimate success of the business opportunities they promise, depend on understanding how emerging technology, regulation and market norms are evolving. In this three-part blog series, from an EU and a UK perspective, we will cover: (1) the new regulatory landscape for tech, (2) the evolving antitrust and foreign investment screening environment and (3) recommendations for planning, structuring and executing technology-focused M&A and other strategic transactions.
Tech as a regulated sector
The view that the technology sector is an unregulated “wild west” is well and truly antiquated—the technology sector is increasingly subject to a dizzying array of new requirements. In the EU, this now includes the Digital Markets Act (DMA) (2022), the Digital Services Act (DSA) (2022), the Data Act (2023) and the AI Act (2024). In the UK, the Online Safety Act (2023), the Digital Markets, Competition and Consumers Act (DMCCA) (2024) and the Data (Use and Access) Act (DUAA) (2025) all create new obligations for technology businesses. Executing a technology-focused M&A or strategic deal in this context means not only understanding how to locate the key commercial value in an asset or business model, but also how that value is likely to be impacted by the regulatory environment.
Key regulatory developments
Whilst each technology is different, we see five primary risk areas from a technology-focused regulatory perspective: privacy and cybersecurity, data access and sharing, digital markets, product liability and (of course) AI. Additionally, there’s increasing attention from an antitrust and foreign direct investment perspective, which we cover in part 2 of our blog series.
The table below summarises some key sources of regulation and associated deal considerations. Note — where a technology does not meet relevant standards, the key questions to consider are: (1) can the issue be remediated effectively and efficiently, (2) what is the timeline for doing so, (3) what does good risk allocation look like in the deal (and, in particular, the risk of regulatory fines or action prior to closing) and (4) are there reputational issues that cannot be contractually allocated, but which can otherwise be mitigated or assumed?
| Regulatory Area | Sources | Value Impacting Considerations |
| --- | --- | --- |
| Privacy and cybersecurity | GDPR; NIS 2; Cyber Resilience Act; DORA (Financial Services) | If the technology involves the large-scale use of personal data, including for the development or application of AI tools to make decisions in relation to individuals, has development and deployment of the technology been done in accordance with legal requirements? The technology may be subject to a range of cybersecurity standards: do the core products/services meet the applicable cybersecurity requirements? Are the cybersecurity and technology practices (including as currently implemented and as may be required by regulation) compatible with the envisaged business model? If not, is there still a deal? |
| Data access and sharing | Data Act; Data Governance Act; European Health Data Space | Are key sources of data likely to be subject to any requirements of sharing or access, and does that change the value of the potential opportunity? If providing a cloud service, do switching and interoperability rules prevent or limit the intended business model? For example, health sector, cloud and Internet of Things (IoT) / connected device deals require careful analysis of these requirements. |
| Digital markets | Digital Markets Act; Digital Services Act | Does the deal involve the acquisition of a “gatekeeper”? The deal might be subject to notification and additional scrutiny. Does the technology rely on key protections under the DSA? Do content moderation obligations or other obligations (e.g., reporting) apply to the technology, and have the costs and risks of these obligations (e.g., the implementation of appropriate policies and procedures) been factored into the business case? |
| Product liability | Product Liability Directive | Digital products, including software and AI systems, are subject to an enhanced no-fault liability regime. Are appropriate design controls and procedures in place, along with relevant contract terms for both customers and any third-party suppliers, to mitigate PLD risks? |
| AI | AI Act; General Purpose AI Models Code of Practice | Has the technology been developed in compliance with AI Act requirements? Is there a pattern of compliance demonstrated by impact assessments and/or other policies and procedures that provides confidence to any acquirer/counterparty? Is the technology likely to be used in any “high risk” scenario? |
Implications for dealmakers
Tech dealmakers in the EU and UK must understand the regulatory landscape, and how any contemplated transaction and intended commercial value will be shaped by it, to properly assess the opportunity and structure transactions.
For example, a proper understanding of the value of a technology business or an asset requires an understanding of the following:
- Is the technology, in its current or planned form, post-acquisition, subject to regulatory or compliance requirements?
- Was the technology developed to operate in compliance with regulatory requirements, and, if so, how was compliance achieved? For example, has an AI-focused business been designed to adhere to the requirements of the EU AI Act or GDPR?
In the rest of our series, we will consider key antitrust and FDI issues and then provide practical insights to smoothly structure M&A and other strategic transactions.