Before signing, you need to know what you are buying: systems, contracts, teams, and sometimes risks. IT and cyber due diligence turns those unknowns into negotiation leverage.
Four angles of analysis, one goal: give negotiators and the board a costed view of what the target's IT is worth, what it costs, and what it risks.
Applications, infrastructure, cloud, technical debt: what is modern, what is end-of-life, what is entangled with the seller's group and will need to be separated or rebuilt.
Supplier contract transferability, change-of-control clauses, under-provisioned or non-compliant licenses: hidden costs that surface at closing if no one looked for them before.
Security posture, past incidents, material vulnerabilities, NIS2, DORA and ISO 27001 exposure: cyber liabilities come with the company. Better to know them before setting the price.
Key skills, critical suppliers, single holders of essential knowledge: the value of an IT landscape often rests on a few individuals who must be identified and secured.
An IT landscape deeply entangled with the seller's group can double the cost and duration of the carve-out. Costed before signing, it is a negotiation argument. Discovered after, it is your budget.
An old undetected compromise, non-existent NIS2 compliance, poorly protected personal data: the buyer inherits the liability and the accountability that comes with it.
Without a dependency map, there is no way to know which transitional services to request, for how long and at what price. The seller, on the other hand, knows.
IT due diligence is not a cost of the deal: it is insurance on its price.
Analysis perimeter aligned with the deal's stakes and the level of access available: data room only, management interviews, or access to the environments.
Document review, targeted interviews, structured questionnaires, technical analysis where authorized. Every finding is sourced and ranked by criticality.
Findings, remediation and separation or integration costs, points of attention for the SPA and the TSA. A document made for deciding, not for filing.
The due diligence feeds directly into the separation or integration plan: those who analyzed the target are best placed to run what follows. See the carve-out practice.
Mapping the target's systems, infrastructure and applications; analyzing contracts and licenses (transferability, supplier dependencies); assessing teams and key skills; estimating separation or integration costs; and evaluating cyber and compliance risks.
From 2 to 6 weeks depending on the target's size and access to information, often under the constraints of the deal timeline and the data room. The method adapts: document review, targeted interviews, and environment analysis when access is granted.
Because acquiring a company means acquiring its cyber liabilities: vulnerabilities, undisclosed incidents, NIS2, DORA or ISO 27001 non-compliance. A material cyber risk found before signing weighs on the price or the warranties; found after, it becomes your cost.
A report the board and negotiators can act on: findings ranked by criticality, costed remediation and separation or integration estimates, points of attention for the SPA and the TSA, and recommendations for the post-closing plan.
One 30-minute call and you know what IT and cyber due diligence would bring to your deal, in what timeframe and under what conditions.
Book a qualification call. First call free, no commitment.