Typical tech M&A due diligence in Denmark

In Danish technology M&A transactions, the buyer’s due diligence typically includes a comprehensive analysis of the target company’s technology and related intellectual property to ensure that the target company is in fact the legal owner of all necessary rights and that they are adequately protected.

Typical due diligence scope for technology M&A transactions includes:

• Identify all relevant technology and intellectual property assets owned, used or licensed by the target company, including registered and unregistered intellectual property and trade secrets, and confirm the target company's ownership or rights and any applicable restrictions. This typically includes an overview of the target's IT infrastructure, including whether the software used is commercial off-the-shelf (COTS) or custom developed.
• Check IP rights by category and search IP rights in relevant public registers.
• Confirm that there are no pending or potential disputes with third parties regarding intellectual property rights.
• Clarify whether the target is subject to (industry) specific regulatory requirements, including whether the potential transaction triggers any regulatory notifications, approvals or other mandatory documents.
• Confirm that the target company’s employees, inventors, management, founders and/or shareholders do not personally own any intellectual property used by the target company in its business activities.
• Analyze the target company’s handling and processing of personal data and its overall compliance with applicable data protection legislation (including the General Data Protection Regulation), which includes reviewing internal data protection documentation (including policies, procedures, guidelines, risk assessments). In addition, the analysis of the target company’s compliance setup will also include understanding data flows, data processing activities, transfers to countries outside the EU/EEA, and the use of functionality to analyze customers or the use of new technologies, such as the generation of artificial intelligence tools or Internet of Things (IoT) devices.
• Assess the target's licensing targets and objectives, including whether and to what extent licensing is consolidated and whether third-party software licenses are sufficient to cover all affiliates.
• Identify risk exposures in commercial contracts (e.g. confirm whether there are relevant and customary limitations of liability).
• Assess any use of open source code in connection with the target’s proprietary software, including whether open source licenses with viral effects (copyleft) are used.
• Confirm whether the target has relevant IT and cybersecurity policies, procedures, plans, risk assessments and/or security assessments in place (e.g., IT security policy, incident policy, disaster recovery and contingency plan, cybersecurity assessment, ransomware policy, cybersecurity awareness training, etc.) ISO 27001 and ISAE 3000, ISAE 3402 or similar audit statements.
• Verify the target’s risk profile with respect to its IT setup, including whether the target has suffered any major and/or critical IT failures, security incidents and/or data breaches.
• Review licensing (internal and external) agreements (e.g., any third-party software components used in connection with the target’s proprietary software) and whether the target has undergone any licensing audits.

Potential buyers often conduct environmental, social and governance (ESG) due diligence. The ESG profile of a target company often has a significant impact on a transaction. Potential reputational risks can be difficult to incorporate into a transaction business case, although there may be more focus on pricing in a transaction model.

Verify that the target company has taken appropriate measures to protect its trade secrets, know-how, processes, methods and other commercially sensitive information (e.g., trade secret policies, confidentiality obligations, storage, access controls, records and/or standard operating procedures).

For companies with elements such as online shops, social media, etc., buyers will often focus on compliance with consumer protection legislation in a broad sense, including reviewing relevant disclaimers, general terms and conditions (and whether they are actually accepted by users), privacy policies, cookie policies, etc.