Interventions

M&A: AI Act compliance enters due diligence phase

by Attilio Mazzilli


3 min read

Translated by AI

On 1 August 2024, the European Union Regulation on Artificial Intelligence (known as the AI Act) officially came into force, with a phased implementation between 2025 and 2026.

The rules on unacceptable AI practices and on AI literacy obligations have applied since 2 February last year, and the rules on general-purpose AI (GPAI) models since 2 August; by 2 August this year the rules on high-risk AI will be operational (with an extension for some products to 2027).


This new risk-based regulatory framework transforms AI from a mere innovative technology into an object of precise regulation by introducing requirements of traceability, human oversight and accountability, with fines of up to EUR 35 million or 7% of global turnover.

In the meantime, Italy has enacted L.132/2025, in line with the AI Act, with the aim of strengthening the principles of humanity, transparency and security with particular attention to the so-called critical sectors for which the law imposes the traceability of algorithmic decisions, human control, greater protection of minors, specific information obligations and the criminalisation of illegal practices, such as deepfakes.

Since last year, artificial intelligence has therefore become a regulated factor of great relevance in extraordinary transactions, the subject of evaluation in the analysis of contracts and risks during due diligence.

We are witnessing an evolution from technological due diligence to 'AI risk due diligence': it is no longer enough to check whether the target uses artificial intelligence systems. It is also necessary to map their types and purposes, the role of the company (supplier, integrator or user), the technological supply chain, the models and datasets used, the rights of use and the dependencies on third parties. This makes it possible to classify the systems according to the taxonomy of the AI Act (unacceptable, high, limited, minimal risk) and to estimate obligations, costs and compliance times, with a direct impact on the post-acquisition business plan.

In the light of this new regulatory environment, new 'red flags' therefore emerge: the use of AI systems in critical decisions without an adequate level of governance and human oversight; poorly documented historical datasets in terms of provenance, licences and quality; critical dependence on third-party suppliers without adequate contractual safeguards; and the absence of procedures for monitoring and managing AI-related incidents. These critical issues entail legal, reputational and operational risks and affect the valuation of assets, which may lead to price discounts or the total abandonment of an operation.

AI due diligence, including audits of training data, verification of consents, licences and analysis of code and documentation, is now indispensable and cannot be postponed to the post-closing phase.

The contractual side is adapting accordingly: the traditional reps and warranties are now supplemented by specific clauses covering the correct classification and compliance of systems under the AI Act (including the absence of prohibited practices under Article 5), ownership of rights to the data and technologies used, any hidden dependencies in the 'supply chain' and, finally, the absence of regulatory violations.

In the presence of compliance gaps, remediation covenants, conditions precedent, price adjustments or specific indemnities are therefore used to allocate regulatory risk, as well as pre-closing governance constraints to preserve compliance and transaction value.

The focus on 'AI readiness' is also growing in venture capital: enhanced disclosure rights, governance clauses and obligations to allocate resources to compliance appear in term sheets.

AI compliance is increasingly an indicator of a company's management maturity and a form of protection at the time of exit.

In conclusion, AI compliance takes on the role of a value lever: it reduces discounts and penalties, speeds up negotiations, increases attractiveness to investors, including cross-border investors, and enhances market confidence.

By now, the value of a tech company depends not only on the algorithm, but on the ability to develop it in a sustainable and compliant manner, transforming compliance from a regulatory obligation to a true competitive advantage.

Attilio Mazzilli - Managing Partner of Orrick Italia
