
Due Diligence in Mergers and Acquisitions

A practical overview of legal due diligence in mergers and acquisitions, including corporate records, contracts, litigation, employment, IP, data and regulatory risk.

Published 5 April 2026 · 9 min read · By GT Legal Associates · Last updated 5 April 2026

Legal due diligence is the process by which an acquirer, investor, or merger party investigates the legal, regulatory, and contractual position of a target company before committing to a transaction. In India’s M&A market — which encompasses listed and unlisted domestic transactions, cross-border acquisitions, private equity investments, and distressed asset purchases — legal due diligence serves two distinct functions: it identifies risks that may affect the transaction structure or pricing, and it generates the information base required to negotiate appropriate representations, warranties, and indemnities. This article sets out the key workstreams in a legal due diligence exercise and the specific Indian regulatory considerations that counsel must address.

Corporate and Regulatory Review

The starting point is a review of the target’s constitutional documents, statutory registers, board and shareholder resolutions, and filings with the Registrar of Companies. Counsel should verify that the company’s share capital is consistent with its financial statements and that there are no unauthorised allotments, preferential rights, or share encumbrances not reflected in the cap table. Sector-specific regulatory licences — SEBI registrations, RBI authorisations, TRAI licences, FSSAI approvals, pharma manufacturing licences — must be confirmed as current and transferable, since many approvals are not automatically transferred on a change of control and may require fresh application.

Commercial Contracts and Litigation Exposure

A review of the target’s material commercial contracts should identify change of control provisions triggered by the transaction, consent or novation requirements that must be managed before closing, and exclusivity, non-compete, or most-favoured-nation clauses that survive the transaction. In technology M&A, software licensing — particularly open-source licence compliance and SaaS contract assignability — requires particular attention, as violations can extinguish the IP value that underpins the transaction thesis. A consolidated litigation summary should cover active court proceedings, arbitral proceedings, tax disputes (income tax, GST, customs), and labour tribunal proceedings, with counsel assessing whether the target’s provisions in audited accounts are consistent with actual risk.

Data Protection and Technology Risk

Under the Digital Personal Data Protection Act, 2023, the acquirer must assess whether the target’s personal data processing is compliant, whether any personal data breaches have gone unreported, and whether data processing agreements with customers and processors are assignable or require fresh consent post-closing. Cyber risk and IT infrastructure diligence — covering security architecture, incident history, vulnerability assessments, and third-party vendor dependencies — has become a standard workstream in technology transactions and is increasingly required by institutional acquirers across all sectors.

Employment and Intellectual Property Review

Employment due diligence should cover POSH Act compliance (Internal Complaints Committee constitution, annual reports, pending complaints), EPFO and ESIC registration status, key employee retention risk, and pending employment disputes. IP due diligence should verify that core IP — trademarks, patents, copyrights, trade secrets, domain names — is registered in the target entity’s name, that IP assignments from founders, contractors, and employees are properly executed, and that no third-party infringement claims affect the target’s ability to use or license its technology post-transaction.

Data Privacy and Cyber Risk Diligence

The Digital Personal Data Protection Act, 2023 (DPDP Act) has introduced data fiduciary obligations that must be assessed as part of any M&A exercise involving a data-processing business. Counsel should identify the categories of personal data processed by the target, the legal bases for processing, whether a Data Protection Officer or consent management framework is in place, and whether the business has suffered any reportable data incidents. Acquirers who take on a business with undisclosed data compliance failures assume exposure to regulatory penalties of up to ₹250 crore per breach category. The due diligence report should quantify this exposure and identify the remediation investment required to achieve compliance post-completion.

Cyber risk is now a standard component of M&A due diligence for technology-dependent businesses. This includes reviewing the target's information security policies, incident history, open vulnerabilities, third-party audit reports, and any CERT-In mandatory reporting obligations. Where the target operates critical information infrastructure, counsel should verify compliance with the CERT-In Directions of April 2022 — mandatory incident reporting within six hours, maintenance of designated contacts, and 180-day log retention. Unresolved cyber incidents or undisclosed breaches are material non-disclosures that can form the basis of post-completion warranty claims.

Closing Conditions and Post-Completion Obligations

The due diligence findings directly shape the transaction documents. Material risks typically inform the scope of representations and warranties, the structure of escrow or holdback arrangements, specific indemnities for identified liabilities (pending litigation, tax demands, PF arrears), and conditions precedent to completion. In share purchase transactions under Indian law, parties should ensure that change-of-control provisions in key contracts are identified and counterparty consents obtained before completion. Regulatory approvals — from the Competition Commission of India for combinations meeting the relevant thresholds, from the RBI for certain investments under FEMA, from SEBI for listed company acquisitions — must be secured on the critical path timeline agreed between the parties.

Key Takeaways

  • Sector-specific regulatory licences must be confirmed as current and transferable — many approvals require fresh application on change of control and cannot be assumed to transfer automatically.
  • Change of control clauses in key commercial contracts must be identified and managed before closing — unremedied consent requirements can trigger termination rights in customer or supplier agreements at the worst possible moment.
  • Data protection due diligence under the DPDP Act 2023 is now a standard workstream — undisclosed personal data breaches can generate post-closing indemnity claims and direct regulatory exposure for the acquirer.
  • Core IP must be verified as registered in the target entity’s name with properly executed assignments from all founders, employees, and contractors; unassigned IP is a structural defect that directly affects transaction value.
  • Employment compliance — POSH Act, EPFO/ESIC, key-person retention — must be fully assessed during diligence, not deferred to post-closing integration.


References

  • Companies Act, 2013 — share capital verification, statutory registers, MCA filings.
  • SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 — applicable to listed target companies.
  • Digital Personal Data Protection Act, 2023 — data protection diligence workstream.
  • Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 — POSH compliance review.
  • Trade Marks Act, 1999; Patents Act, 1970; Copyright Act, 1957 — IP due diligence.
  • Foreign Exchange Management (Non-Debt Instruments) Rules, 2019 — applicable to cross-border M&A transactions.

Disclaimer

This article is for general information only and does not constitute legal advice, solicitation or an advocate-client relationship. Readers should obtain advice based on their specific facts before acting on any legal, regulatory or forensic advisory issue.
