AI Due Diligence in M&A Transactions: When a Supposed Tech Asset Becomes a Regulatory Liability

Dr. André Schmidt

The naive assumption that compliance requirements for AI software could always be addressed later has proven to be a costly mistake. In current transaction practice, we are witnessing a shift in the valuation of technology companies. The focus is shifting from pure technical feasibility to the legal resilience of the AI architecture.

A superficial review falls short. Anyone who disregards the regulatory requirements of the EU AI Act, ignores data protection principles during training, or overlooks complex licensing chains, is not acquiring a valuable asset. Instead, they are buying into significant rollback obligations and strategic dependencies.


AI-specific legal due diligence (AI Legal DD) is a mandatory prerequisite for a valid purchase price determination. Below, we analyze the four most critical pitfalls that regularly lead to a revaluation or even the failure of tech transactions in practice.


1. The Classification Trap Under the AI Act: The “Wolf in Sheep’s Clothing”

At the heart of the new regulation is the risk-based approach. Correctly classifying the target system is crucial to the success of the transaction.

The scenario: The blanket “low-risk” classification

Sellers (targets) naturally tend to classify their AI systems as “low-risk systems” or mere “transparency cases” in the run-up to a transaction. This is often not done with malicious intent, but rather due to the high complexity of the AI Act. The goal is clear: to avoid burdening the sales process with the extensive compliance requirements for high-risk systems.

The danger: Flying blind from a regulatory perspective

If, upon in-depth review by the buyer, the system is objectively found to be a high-risk AI system (e.g., in HR, critical infrastructure, or creditworthiness assessment), the target will not be sustainably “marketable” within the EU at the time of closing. The following are missing:

  • A completed conformity assessment.

  • An implemented risk management and quality management system.

  • The required technical documentation and logging.

The costs of achieving compliance retroactively can be immense and delay post-merger integration by months. In the worst-case scenario, the product’s core functionality turns out to be a “prohibited practice” under Article 5 of the AI Act. In this case, the product is not legally marketable in the EU - its asset value approaches zero.


The Crucial DD Question

On what robust technical and legal analysis is the risk classification based, and is there comprehensive documentation that would withstand regulatory scrutiny?


2. The Data Protection “Dead End”: Machine Unlearning and the Right to Be Forgotten

AI models are data-hungry. But the origin of this data (“data provenance”) can become a deal-breaker in an M&A context.

The scenario: “Tainted” training data

A startup has trained its core model over the years using vast amounts of personal data. During DD, it turns out that the original consents were legally vulnerable under the GDPR, the purpose limitation was exceeded, or the consenting parties have since effectively revoked their consent.

The danger: The irreversibility of training

The fundamental problem lies in the nature of neural networks: data is not stored in a database but instead alters the model’s weights. While the selective “erasure” of individual pieces of personal data - so-called machine unlearning - is a field of technological research, it is often not yet reliably possible in practice.

If a data protection authority determines that the training dataset was unlawful, it may, in extreme cases, order the deletion of the entire model. Civil injunctions sought by the affected individuals are also a possibility. The intangible assets would be destroyed overnight.


The Crucial DD Question

Can “data provenance” be fully and GDPR-compliantly verified for the entire training dataset? Does the necessary removal of a data source due to a withdrawal technically lead to a collapse in model performance?


3. The “Wrapper Risk”: Lack of Intellectual Property and Strategic Dependency

Not everything marketed as an “AI company” actually possesses its own AI technology.

The scenario: A thin layer over third-party IP

Many supposed AI solutions turn out to be mere “wrappers” during technical due diligence. This means the company has not trained its own base model. The value creation consists almost exclusively of a connection to third-party APIs (such as OpenAI, Anthropic, or Google), as well as a specific user interface and a collection of system prompts.

The danger: Strategic worthlessness

In this scenario, the buyer acquires no significant intellectual property (IP) regarding the critical model weights or architecture. The target is completely dependent on the API providers’ terms of service. If the provider changes its prices, restricts the terms of use, or discontinues the specific model, the target’s business model collapses. Furthermore, the technical barrier to entry for competitors is extremely low. You are effectively buying a specialized agency, not a technology company.


The Crucial DD Question

What exactly constitutes the proprietary, protectable technical contribution? Does the target company hold its own rights to the model weights, or merely to the prompt structure and the UI?


4. The License Trap: From Copyleft to “Behavioral Use Restrictions”

The use of open-source components in the AI sector is standard practice, but the associated licensing risks are more complex than ever.

The scenario: Unchecked integration of Hugging Face & Co.

Under time pressure, development teams integrate pre-trained models, datasets, or libraries from platforms like Hugging Face without thoroughly reviewing the sometimes highly complex license chains.

The danger: Viral effects and new usage restrictions

The risks are manifold and can make commercialization impossible:

  1. Copyleft effect (e.g., AGPL): If a component is used under a strict copyleft license, this can result in the entire proprietary code that interacts with it having to be disclosed and placed under the same open-source license. Commercial exclusivity is lost.

  2. Non-Commercial (NC) clauses: Many powerful models are released for research purposes only. Integration into a commercial B2B product constitutes a copyright infringement.

  3. Behavioral Use Restrictions (e.g., RAIL licenses): Modern AI licenses include ethical usage restrictions. A violation of these (e.g., use in certain industries) results in the automatic termination of usage rights.


The Crucial DD Question

Is there an automated, comprehensive “Software Bill of Materials” (SBOM) for the entire AI pipeline that captures not only standard licenses but also specific usage restrictions for the models and training data?
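As an added illustration (this is example code written for this article, not a tool from any project or provider named in it), the following Python script shows what the "AI-SBOM" question above means in practice: it walks a simplified, constructed inventory of an AI pipeline and flags exactly the three risk classes listed in this section (strong copyleft, non-commercial clauses, behavioral use restrictions) plus components with no recorded license. The inventory format, the component names and the license notes are assumptions; the license identifiers are written in the SPDX style used on model hubs, and the pattern lists are deliberately small and would need extending for a real review.

```python
"""Minimal AI-BOM license-risk check (illustrative, not a real SBOM standard).

The inventory format below is a constructed simplification: each entry has a
name, a component type (library / model / dataset), a license identifier and
free-text license notes, as one might extract from model cards and package
metadata. It is not CycloneDX or SPDX output.
"""
import re
from dataclasses import dataclass

# Constructed sample inventory of one AI pipeline. Names, notes and the mix of
# licenses are assumptions chosen to exercise each risk class once.
SAMPLE_AI_BOM = [
    {"name": "vector-db-client", "type": "library", "license": "AGPL-3.0-only", "notes": ""},
    {"name": "image-model-base", "type": "model", "license": "CreativeML-OpenRAIL-M",
     "notes": "Use-based restrictions in Attachment A"},
    {"name": "qa-finetune-dataset", "type": "dataset", "license": "CC-BY-NC-4.0", "notes": ""},
    {"name": "tokenizer-lib", "type": "library", "license": "Apache-2.0", "notes": ""},
    {"name": "embedding-model", "type": "model", "license": "Custom",
     "notes": "Research purposes only; commercial use prohibited"},
    {"name": "unknown-checkpoint", "type": "model", "license": "", "notes": ""},
]

# Strong copyleft identifiers: linking proprietary code may trigger disclosure.
STRONG_COPYLEFT = {
    "AGPL-3.0-only", "AGPL-3.0-or-later",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
}
# Textual signals of a non-commercial clause (in the id or in the notes).
NC_PATTERN = re.compile(
    r"(non[- ]?commercial|research purposes only|commercial use (is )?prohibited|\bNC\b)",
    re.IGNORECASE,
)
# Textual signals of behavioral use restrictions (RAIL-style licenses).
RAIL_PATTERN = re.compile(r"(\bRAIL\b|OpenRAIL|use[- ]based restriction)", re.IGNORECASE)


@dataclass
class Finding:
    component: str
    category: str  # copyleft | non-commercial | behavioral-use | unknown-license
    detail: str


def assess_component(comp):
    """Return the list of license-risk findings for one inventory entry."""
    findings = []
    lic = (comp.get("license") or "").strip()
    text = f"{lic} {comp.get('notes', '')}"
    if not lic:
        # A component without any recorded license cannot be cleared at all.
        findings.append(Finding(comp["name"], "unknown-license",
                                "no license recorded; provenance must be established"))
        return findings
    if lic in STRONG_COPYLEFT:
        findings.append(Finding(comp["name"], "copyleft",
                                f"{lic}: proprietary code interacting with it may have to be disclosed"))
    if NC_PATTERN.search(text):
        findings.append(Finding(comp["name"], "non-commercial",
                                "non-commercial clause; commercial B2B use is not covered"))
    if RAIL_PATTERN.search(text):
        findings.append(Finding(comp["name"], "behavioral-use",
                                "behavioral use restrictions; review the restricted-use list"))
    return findings


def assess_bom(bom):
    """Flatten findings over the whole inventory."""
    return [f for comp in bom for f in assess_component(comp)]


def is_commercially_clearable(bom):
    """True only if nothing is strong copyleft, non-commercial or unlicensed.

    Behavioral-use findings are reported but not treated as blocking here,
    because whether they block depends on the target's actual use case.
    """
    blocking = {"copyleft", "non-commercial", "unknown-license"}
    return not any(f.category in blocking for f in assess_bom(bom))


if __name__ == "__main__":
    for f in assess_bom(SAMPLE_AI_BOM):
        print(f"[{f.category}] {f.component}: {f.detail}")
    print("commercially clearable:", is_commercially_clearable(SAMPLE_AI_BOM))
```

Run as a script, the sample inventory produces one finding per risk class and an overall "not clearable" verdict; in a real review the inventory would be generated from the build and model registry rather than typed in, and the pattern lists replaced by a maintained license database.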



Conclusion: Legal Integrity as a Value Driver in M&A

By 2026, specialized AI due diligence will be far more than a defensive risk assessment aimed at avoiding warranty claims. It will be a catalyst for corporate value.

  • For startups and founders: A clean “model provenance” and a transparent, documented licensing structure are strong arguments for a high valuation in funding rounds or at exit. Those who have done their homework on AI compliance signal genuine “investment readiness.”

  • For investors and buyers: A thorough AI audit is the crucial tool for distinguishing between sustainable technology and regulatory liability. It ensures the scalability of the business model and protects against “toxic” assets that incur immense costs after closing.


We support you in your AI transaction

Our law firm specializes in the intersection of tech law, M&A, and AI regulation. We conduct thorough due diligence reviews for buyers and provide optimal preparation for sellers (vendor due diligence) ahead of their exit.