research

Anti-Trust IT Review: How DOJ/FTC Examine Technology Infrastructure in Big Tech M&A

When regulators review tech acquisitions, they request network diagrams, data flows, vendor contracts, and integration plans. Here's what they're actually looking for.

Luna ·
antitrust regulation doj ftc m-and-a tech

The DOJ, FTC, and their international counterparts (EC, CMA, ACCC) have significantly expanded their technical capabilities for reviewing technology infrastructure in M&A. When the FTC reviews a tech acquisition, they’re not just looking at market share and revenue — they’re examining the technology architecture, data flows, and integration plans in granular detail.

This is a new reality for tech M&A due diligence. The IT infrastructure that the acquirer plans to merge is now a regulatory document.

What Regulators Actually Request

In a Second Request (US) or Phase 2 Investigation (EU), the following IT-related documents are commonly requested:

Technical Architecture Documents: Network diagrams, data flow diagrams, system architecture documents for the target and the combined entity post-merger. These show what systems exist, how they connect, and what data flows between them.

Integration Plans: Specifically, plans for how the acquirer intends to integrate the target’s systems post-merger. Regulators look at whether the integration plan would eliminate a competitor’s product, consolidate data assets in ways that create barriers to entry, or create the ability to foreclose rivals from critical infrastructure.

Vendor and Supplier Contracts: Contracts with cloud providers, data center operators, and critical technology vendors. These show what dependencies exist and whether switching costs are high enough to create lock-in.

Data Sharing Agreements: Any agreement between the target and the acquirer (or potential acquirer) for sharing data — including customer data, usage data, and technical data. If the acquirer already has access to the target’s data pre-merger (through a commercial relationship, investment, or board seat), this is a significant regulatory concern.

API Documentation: Regulators look at the target’s API surface — what APIs exist, what data they expose, whether those APIs are available to third parties or are restricted. This is particularly relevant for acquisitions of companies with platform business models.

What They’re Actually Analyzing

Data Concentration: The core concern in most tech M&A from a regulatory standpoint is data. If the combined entity would have access to data assets that no competitor could replicate, this creates a durable competitive advantage that regulators view as a barrier to entry. The IT discovery phase reveals what data assets exist and how they’re used.

Interoperability and Switching Costs: Regulators examine whether the acquisition would increase switching costs for customers. This includes technical switching costs — whether the target’s systems are integrated with the acquirer’s in ways that make it difficult for customers to move to a competitor. A deep technical integration with the acquirer’s products would raise this concern.

Access to Essential Facilities: If the target’s technology infrastructure serves as an essential input for competitors (a platform, an API, a data feed), regulators examine whether the acquirer would have the ability and incentive to foreclose competitors’ access. This is the “essential facilities” doctrine applied to tech.

Network Effects: Regulators model how the acquisition would affect network effects in the market. This requires technical understanding of how the target’s product generates network effects — which requires access to the technical architecture and data flows that only the IT discovery reveals.

The Document Production Reality

Preparing IT documents for a regulatory submission is not trivial. The typical document set for a Second Request includes:

  • 500,000-2,000,000 documents (inclusive of all business and technical documents)
  • 3-6 week production window from receipt of the request
  • Documents must be authenticated — IT documents need to be certified as accurate representations of the systems as of the review date

This means that pre-merger IT documentation — if it exists in organized, accurate form — can significantly reduce the burden of regulatory compliance. If the target doesn’t have current network diagrams, data flow maps, and system architecture documentation, the company must produce them under regulatory deadline — which is expensive and time-consuming.

ACQI’s IT discovery report produces exactly these documents — the technical architecture map, data flow documentation, and system inventory — in a format that is regulator-ready. The discovery platform becomes part of the regulatory compliance infrastructure.

The Integration Plan as a Regulatory Document

The most important insight for practitioners: the integration plan, in many jurisdictions, becomes a document that regulators receive and analyze. What the acquirer says they’re going to do with the target’s technology — specifically whether they’re going to integrate it in ways that affect competition — is directly relevant to the regulatory review.

This has direct implications for how integration plans are written. A plan that describes “full technical integration of the target’s platform into our existing infrastructure” will look very different to a regulator than a plan that describes “maintaining the target’s platform as a standalone product with open API access.”

The first plan is more operationally efficient and creates more synergy value. The second plan is more likely to pass regulatory review. The regulatory strategy needs to inform the integration plan from the beginning — not be an afterthought when the deal closes.

The Technical Due Diligence Pre-Filing Checklist

For any tech acquisition where regulatory review is anticipated:

Architecture (3 items)

  1. Produce current network diagrams covering all data centers, cloud environments, and significant network interconnections
  2. Document all external API surfaces — what data is exposed to third parties, under what authorization model
  3. Map all data flows between the target’s systems and third-party systems, customers, and the acquirer (if a pre-existing relationship exists)

Contracts (2 items) 4. Inventory all vendor contracts with terms greater than 12 months or with switching costs greater than $500K 5. Identify all contracts with competitors — if the target has contracts with competitors of the acquirer, this is a document regulators will want

Integration (2 items) 6. Draft the integration plan with regulatory implications in mind — describe planned integration as achieving customer benefits and maintaining competitive markets, not eliminating a competitor 7. Identify any technical integration that would make it difficult for the target’s customers to switch to a competitor post-merger — these will be scrutinized

Data (2 items) 8. Map all customer data assets: what data is collected, where it’s stored, who has access, how it’s used 9. Identify any pre-existing data sharing arrangements between the target and the acquirer (including through a common investor or board member)

The technical due diligence is no longer just about integration risk. In regulated and large tech M&A, it’s about regulatory risk — and the regulators are reading the IT documents.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.

See ACQI in action Talk to the team