Cybersecurity in M&A: why cyber resilience demands its own seat at the deal table
October 22, 2025
In the shifting terrain of European regulation, cybersecurity has emerged as a strategic concern in M&A transactions. Where it once lingered in the background of technical due diligence, today it commands attention—driven by the EU’s Cyber Resilience Act (CRA) and its companion directive, NIS2. Together, these frameworks are reshaping how digital risk is assessed, managed, and mitigated in corporate acquisitions.

The CRA and NIS2: a dual regulatory force

The CRA, adopted in late 2024, introduces mandatory cybersecurity requirements for products with digital elements (‘PdE’). It applies to manufacturers, importers, and distributors, demanding secure-by-design principles, vulnerability management and post-market surveillance. These obligations will be enforced from December 2027, with reporting duties beginning in 2026.

NIS2, meanwhile, targets essential and important service providers across sectors such as energy, transport, manufacturing and digital infrastructure. It requires organisations to implement robust risk management practices, report incidents swiftly and coordinate with national authorities. Though the directive has been in force since January 2023, many Member States are still finalising their transpositions, creating a patchwork of national implementations.

Together, CRA and NIS2 form a comprehensive cybersecurity regime—one focused on product integrity, the other on operational resilience. For M&A practitioners, this duality introduces new layers of complexity and risk.

Annexes with reach: the CRA’s broad scope

The CRA’s annexes define product categories subject to varying levels of scrutiny. Annex IV, for instance, lists critical products such as operating systems, credential managers, and industrial firewalls, which require third-party certification. By mid-December 2025, the European Commission will publish detailed technical descriptions for these categories.

This matters in M&A. Targets producing or integrating digital products must demonstrate compliance—or face regulatory exposure. Yet in early-stage transactions, we rarely see CRA obligations addressed. Technical diligence often focuses on architecture and scalability, while product-level security is overlooked.

The compliance blind spot in early-stage deals

Despite the CRA’s significance, cybersecurity compliance remains underrepresented in initial transaction phases. This is especially true for targets whose products fall within CRA scope but lack formal documentation or lifecycle security protocols.

We’ve seen this repeatedly in recent client engagements. Queries often arrive late—after term sheets are signed and integration plans drafted. Buyers ask whether the CRA applies, what documentation is needed, and how to assess compliance. By then, the opportunity to shape warranties or indemnities around cyber risk may be limited.

This is why we proactively flag CRA and NIS2 concerns early. We advise clients to treat cybersecurity not as a technical silo but as a strategic risk—one that affects valuation, deal structure, and post-merger integration.

NIS2 and the governance imperative

NIS2 adds another dimension. It imposes governance and reporting obligations on entities deemed essential or important. These include not only infrastructure providers but also manufacturers and distributors supporting critical sectors. The directive’s extraterritorial reach means that even non-EU companies operating in the EU market must comply.

Sanctions under NIS2 are significant—up to €10 million or 2% of global turnover. Management bodies may also be held personally liable. For acquirers, this raises questions about board-level accountability, incident response readiness, and cross-border compliance strategies.

What clients are asking and what they’re missing

In recent months, we’ve received a surge of queries from clients in industrial and technology sectors. They want to know whether CRA and NIS2 apply to their targets, how to assess compliance and what documentation is required. These questions often stem from concerns about post-deal exposure, reputational risk, and regulatory enforcement.

These queries should be raised as early as possible. Cybersecurity cannot be a secondary concern—it should be addressed right after the financials, together with IP and commercial synergies. This is an opportunity that should not be missed. CRA and NIS2 introduce not only technical obligations but also duties of care and reporting. These should be embedded into the deal process from the outset.

Cybersecurity as a strategic asset

CRA and NIS2 are not just regulatory hurdles. Properly addressed, they become strategic assets. Companies that embed security into their products and operations are better positioned to access markets, build trust and scale responsibly.

In M&A, this means cybersecurity compliance should be viewed not only as a risk mitigator but also as a value driver. Buyers who understand the implications of CRA and NIS2 can make more informed decisions, negotiate better terms and avoid costly surprises.