
Compliance-First M&A: NIS2, DORA, and the GDPR Discovery Problem

Post-merger GDPR violations carry fines of up to €20M or 4% of global annual turnover, whichever is higher (£17.5M or 4% under the UK GDPR). NIS2 brings operational technology into scope. DORA applies to financial services. Here's what acquirers need to discover about compliance exposure before signing.

ACQI Research

The Compliance Discovery Gap

Every M&A deal has a legal/compliance workstream. That workstream reviews the target’s GDPR compliance posture, NIS2 applicability, and DORA requirements.

The problem: legal/compliance workstreams review documents. They don't scan infrastructure. They can tell you what the target's privacy policy says. They cannot tell you that the target's Active Directory still holds 400 former-employee accounts with access to personal data that nobody has deprovisioned in 18 months.

The compliance discovery gap is the difference between what the legal workstream reviewed and what the actual compliance posture is. In our experience, that gap is significant in 80% of deals.


GDPR Article 17: The Right to Erasure That Breaks Migrations

When a company is acquired, its controller obligations come with it: in a share deal the target remains the controller of record, but its exposure is now the acquirer's, and once the data is migrated into the acquirer's own systems the acquirer is a controller in its own right. Either way, the target's personal data inventory becomes the acquiring entity's liability.

Most targets don’t have a complete personal data inventory. They don’t know which SaaS applications have personal data in them. They don’t know which third-party apps have Graph API access to their M365 tenant. They don’t know which service accounts have access to personal data in their databases.

Post-close, the acquiring entity inherits this inventory gap. When a data subject submits an Article 17 erasure request, the acquiring entity has to act on it within one month (Article 12(3), extendable by two further months for complex requests), whether or not it knows where the data is. This is why erasure breaks migrations: every copy made while consolidating the target's systems is one more place the erasure has to reach, and the target's inventory never listed the copies it already had.


NIS2: The OT Discovery Problem

The NIS2 Directive (EU 2022/2555) entered into force in January 2023, and member states had to transpose it by 17 October 2024. It significantly expanded the scope of organizations covered, adding medium and large companies in sectors including energy, transport, water, healthcare, and digital infrastructure as essential or important entities.

For M&A, NIS2 creates a new finding category: operational technology (OT) discovery.

Most IT due diligence doesn’t include OT. OT systems are managed by facilities or engineering, not IT. They may not appear in any IT system of record. They may be managed by a third-party vendor under a service contract that wasn’t disclosed in the data room.


The GDPR Deal-Breakers We Find

Finding 1: Third-party Graph API access not disclosed

A target's M365 tenant had 40+ third-party apps installed. Some had been granted Microsoft Graph application permissions such as Mail.Read, Files.Read.All or ChannelMessage.Read.All, which let the app read every mailbox, every SharePoint file or every Teams channel message in the tenant with no user signed in. Under GDPR, that is a personal data processing activity that requires a lawful basis and, where the vendor acts as a processor, an Article 28 contract.

Risk: The acquiring entity inherits the liability for whatever these apps are doing with the personal data. Post-close, this becomes an immediate GDPR remediation requirement. Cost: £200K-800K.
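What the discovery step behind this finding looks like in practice, as an added example rather than ACQI's own tooling: a Python triage of a tenant's app-permission export. It assumes each service principal's appRoleAssignments and oauth2PermissionGrants from Microsoft Graph have already been resolved to permission names in the record shape below; the app names and IDs, the list of tenant-wide permissions and the sample records are constructed assumptions. It ranks application permissions (no user session, whole tenant) above admin-consented delegated scopes, and those above individually consented ones, which is the distinction the finding turns on.

```python
"""Triage third-party apps' Microsoft Graph permissions from a tenant export.

Added example (not ACQI's tooling). Input shape is an assumption: one
record per service principal, with application permissions and delegated
scopes already resolved from appRoleAssignments / oauth2PermissionGrants
to permission names. The SAMPLE_APPS records are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Graph permissions that, granted as *application* permissions, let an app
# read personal data across the whole tenant with no user in the loop.
# Assumed starting list; extend it for your tenant.
TENANT_WIDE_PII_READ = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "ChannelMessage.Read.All", "Chat.Read.All",
    "User.Read.All", "Directory.Read.All",
}

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class AppGrant:
    display_name: str
    app_id: str
    publisher_verified: bool
    application_permissions: List[str] = field(default_factory=list)
    delegated_scopes: List[str] = field(default_factory=list)
    # True when the delegated grant's consentType is "AllPrincipals",
    # i.e. an admin consented on behalf of every user in the tenant.
    delegated_admin_consent: bool = False


@dataclass
class Finding:
    app: str
    app_id: str
    severity: str
    reason: str


def triage(apps: List[AppGrant]) -> List[Finding]:
    """Rank apps by how broadly they can read personal data."""
    findings: List[Finding] = []
    for app in apps:
        app_hits = sorted(TENANT_WIDE_PII_READ & set(app.application_permissions))
        del_hits = sorted(TENANT_WIDE_PII_READ & set(app.delegated_scopes))
        if app_hits:
            # Application permission: every mailbox/site/chat, no user session needed.
            severity, reason = "HIGH", "application permissions: " + ", ".join(app_hits)
        elif del_hits and app.delegated_admin_consent:
            # Delegated but admin-consented for all users: any user's session exposes their data.
            severity, reason = "MEDIUM", "admin-consented delegated scopes: " + ", ".join(del_hits)
        elif del_hits:
            # Delegated, consented by individual users only.
            severity, reason = "LOW", "user-consented delegated scopes: " + ", ".join(del_hits)
        else:
            continue
        if not app.publisher_verified:
            reason += "; publisher not verified"
        findings.append(Finding(app.display_name, app.app_id, severity, reason))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.app))
    return findings


# Constructed sample tenant export (not real apps or app IDs).
SAMPLE_APPS = [
    AppGrant("Mail Archiver", "app-0001", publisher_verified=False,
             application_permissions=["Mail.Read", "User.Read.All"]),
    AppGrant("Survey Connector", "app-0002", publisher_verified=True,
             delegated_scopes=["User.Read", "Files.Read.All"],
             delegated_admin_consent=True),
    AppGrant("Calendar Widget", "app-0003", publisher_verified=True,
             delegated_scopes=["User.Read", "Calendars.Read"]),
    AppGrant("Legacy Backup", "app-0004", publisher_verified=False,
             delegated_scopes=["Mail.Read"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_APPS):
        print(f"{f.severity:6} {f.app:20} {f.reason}")
```

The HIGH bucket is the one that maps directly to the finding above: an application permission runs under the app's own identity, so the vendor can pull the whole tenant's mail or files whether or not anyone at the target ever used the app. Delegated scopes are bounded by the consenting user's access, which is why they rank lower even when the permission name is the same.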

Finding 2: Service accounts with personal data access

Service accounts in AD have access to databases and applications that process personal data. Those service accounts weren’t managed — passwords weren’t rotated, access wasn’t reviewed, accounts weren’t deprovisioned when the service was decommissioned.

Risk: Orphaned service accounts with access to personal data are a breach notification risk. If one is compromised, the acquiring entity must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33). Because nobody owns these accounts, nobody is watching them either, so "becoming aware" tends to come late.
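The check behind both the stale-account figure in the discovery gap section and this finding, as an added example (not ACQI's tooling): it reads an AD user export, flags enabled users with no recent logon and service accounts with unrotated passwords or no logon at all, and puts accounts that sit in personal-data groups first. The column names, thresholds, the svc_ naming convention, the group names and the snapshot date are assumptions, and the sample rows are constructed.

```python
"""Flag stale users and orphaned service accounts in an Active Directory export.

Added example, not ACQI's tooling. Assumes a CSV with the columns below
(for instance from Get-ADUser -Properties ... | Export-Csv); thresholds,
the svc_ naming convention and the personal-data group names are
assumptions, and SAMPLE_EXPORT is constructed.
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import List, Optional

# AD groups whose membership grants access to personal data (assumed names;
# substitute the target's own data-access groups).
PII_GROUPS = {"HR-DB-Readers", "CRM-Admins", "Payroll-SQL"}

STALE_USER_DAYS = 90        # enabled user account with no logon in 90 days
SERVICE_PWD_MAX_DAYS = 365  # service account password older than a year
SERVICE_IDLE_DAYS = 180     # service account with no logon in six months


@dataclass
class Finding:
    account: str
    kind: str            # "stale-user" or "orphaned-service"
    reasons: List[str]
    pii_groups: List[str]


def parse_date(value: str) -> Optional[datetime]:
    """Empty AD timestamps (never logged on, password never set) become None."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def days_since(ts: Optional[datetime], as_of: datetime) -> Optional[int]:
    return (as_of - ts).days if ts else None


def is_service_account(row: dict) -> bool:
    # Assumption: service accounts follow an svc_ prefix or carry an SPN.
    return row["samAccountName"].lower().startswith("svc_") or bool(row["servicePrincipalName"])


def audit(export_csv: str, as_of: datetime) -> List[Finding]:
    """Return findings, accounts with personal-data access first, then by name."""
    findings: List[Finding] = []
    for row in csv.DictReader(StringIO(export_csv)):
        if row["enabled"].lower() != "true":
            continue  # disabled accounts are already deprovisioned for this purpose
        name = row["samAccountName"]
        idle = days_since(parse_date(row["lastLogonDate"]), as_of)
        pwd_age = days_since(parse_date(row["pwdLastSet"]), as_of)
        pii = sorted(set(row["memberOf"].split(";")) & PII_GROUPS)
        idle_txt = "never logged on" if idle is None else f"idle {idle}d"

        if is_service_account(row):
            reasons = []
            if pwd_age is None or pwd_age > SERVICE_PWD_MAX_DAYS:
                reasons.append("password never set" if pwd_age is None else f"password age {pwd_age}d")
            if idle is None or idle > SERVICE_IDLE_DAYS:
                reasons.append(idle_txt)
            if reasons:
                findings.append(Finding(name, "orphaned-service", reasons, pii))
        elif idle is None or idle > STALE_USER_DAYS:
            findings.append(Finding(name, "stale-user", [idle_txt], pii))

    # Accounts that can reach personal data come first in the report.
    findings.sort(key=lambda f: (not f.pii_groups, f.account))
    return findings


# Constructed sample export (no real accounts).
SAMPLE_EXPORT = """\
samAccountName,enabled,lastLogonDate,pwdLastSet,servicePrincipalName,memberOf
jsmith,True,2023-03-14,2023-01-02,,HR-DB-Readers;Domain Users
asingh,True,2024-09-28,2024-07-01,,Domain Users
svc_crm_etl,True,2024-08-30,2021-05-11,MSSQLSvc/crm01:1433,CRM-Admins
svc_oldbackup,True,,2019-02-20,,Payroll-SQL
mjones,False,2022-11-01,2022-10-01,,HR-DB-Readers
"""

AS_OF = datetime(2024, 10, 1)  # assumed snapshot date of the export

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, AS_OF):
        print(f"{f.kind:17} {f.account:15} {'; '.join(f.reasons):35} groups={f.pii_groups}")
```

Two things in the output matter for the finding above: a service account whose password has not changed since the service was built (svc_crm_etl, still used daily, so it never shows up in a "last logon" sweep) and one that has never logged on at all, which usually means the service it belonged to was decommissioned and the account was not. Both still sit in a group that reaches personal data.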


ACQI runs compliance discovery sprints in 48-72 hours, with findings mapped to GDPR, NIS2, and DORA requirements.
