IT Due Diligence · Cyber · Pre-signing

What should weigh on the price
must not be discovered after closing.

Before signing, you need to know what you are buying: systems, contracts, teams, and sometimes risks. IT and cyber due diligence turns those unknowns into negotiation leverage.

SCOPING
Perimeter, data room
ANALYSIS
Systems, contracts, cyber
REPORT
Costed findings
NEGOTIATION
Price, warranties, TSA
POST-CLOSING
Execution plan
Scope

What IT and cyber due diligence examines.

Four angles of analysis, one goal: give negotiators and the board a costed view of what the target's IT is worth, what it costs, and what it risks.

Systems and architecture

Applications, infrastructure, cloud, technical debt: what is modern, what is end-of-life, what is entangled with the seller's group and will need to be separated or rebuilt.

Contracts and licenses

Supplier contract transferability, change-of-control clauses, under-provisioned or non-compliant licenses: hidden costs that surface at closing if no one looked for them before.

Cyber risks

Security posture, past incidents, material vulnerabilities, NIS2, DORA and ISO 27001 exposure: cyber liabilities come with the company. Better to know them before setting the price.

Teams and dependencies

Key skills, critical suppliers, single holders of essential knowledge: the value of an IT landscape often rests on a few individuals who must be identified and secured.

Without IT due diligence

What skipping it costs.

The separation cost explodes after closing.

An IT landscape deeply entangled with the seller's group can double the cost and duration of the carve-out. Costed before signing, it is a negotiation argument. Discovered after, it is your budget.

An inherited cyber incident becomes your crisis.

An old undetected compromise, non-existent NIS2 compliance, poorly protected personal data: the buyer inherits the liability and the accountability that comes with it.

The TSA is negotiated blind.

Without a dependency map, there is no way to know which transitional services to request, for how long and at what price. The seller, on the other hand, knows.

IT due diligence is not a cost of the deal: it is insurance on its price.


Let's talk about your deal
The method

An actionable deliverable, within the deal's tempo.

1

Scoping under the deal's timeline

Analysis perimeter aligned with the deal's stakes and the level of access available: data room only, management interviews, or access to the environments.

2

Systems, contracts, cyber and teams analysis

Document review, targeted interviews, structured questionnaires, technical analysis where authorized. Every finding is sourced and ranked by criticality.

3

Costed report for the board and negotiators

Findings, remediation and separation or integration costs, points of attention for the SPA and the TSA. A document made for deciding, not for filing.

4

Continuity into post-closing

The due diligence feeds directly into the separation or integration plan: those who analyzed the target are best placed to run what follows. See the carve-out practice

A standalone engagement, quoted separately, independent of any follow-on work: the report is yours and remains usable by whoever you choose.
Frequently asked questions

What I get asked about IT due diligence.

What does IT due diligence cover in an M&A context?

Mapping the target's systems, infrastructure and applications; analyzing contracts and licenses (transferability, supplier dependencies); assessing teams and key skills; estimating separation or integration costs; and evaluating cyber and compliance risks.

How long does IT due diligence take?

From 2 to 6 weeks depending on the target's size and access to information, often under the constraints of the deal timeline and the data room. The method adapts: document review, targeted interviews, and environment analysis when access is granted.

Why include cybersecurity in due diligence?

Because acquiring a company means acquiring its cyber liabilities: vulnerabilities, undisclosed incidents, NIS2, DORA or ISO 27001 non-compliance. A material cyber risk found before signing weighs on the price or the warranties; found after, it becomes your cost.

What deliverable does IT due diligence produce?

A report the board and negotiators can act on: findings ranked by criticality, costed remediation and separation or integration estimates, points of attention for the SPA and the TSA, and recommendations for the post-closing plan.

Sign with your eyes open.

One 30-minute call and you know what IT and cyber due diligence would bring to your deal, in what timeframe and under what conditions.

Book a qualification call

First call free, no commitment.