Digital Due Diligence: Why M&A Deals Fail on IT

⏱ 8 min Reading Time

Three out of four M&A deals miss their value-creation targets – and the most common culprit isn’t finance, but IT. Digital Due Diligence systematically examines architecture, tech debt, cybersecurity, and data quality before signing. Skipping this workstream means buying blind.

TL;DR

When IT Due Diligence Is Missing: Three Real Cases

The history of M&A disasters reads like a textbook on neglected IT due diligence. In 2011, Hewlett-Packard acquired UK software firm Autonomy for $11.1 billion – then wrote off $8.8 billion a year later. While financial due diligence had been conducted, the technological substance of the platform was insufficiently scrutinized.

Similarly, Microsoft’s 2013 acquisition of Nokia cost $7.6 billion – and resulted in a $7.6 billion write-off. The smartphone ecosystem was technologically noncompetitive – a finding a rigorous Technical Due Diligence should have surfaced. And since Broadcom’s $69-billion acquisition of VMware in 2023, the company has grappled with integration issues, customer churn, and license-cost increases of up to 400%.

What unites these cases? Finances were reviewed – but technology was not. And it is precisely this gap that Digital Due Diligence fills.

The 70% Trap: Why M&A Fails on IT

McKinsey, Bain and BCG have consistently reported similar findings for years: 70 to 90 percent of all M&A transactions fail to achieve their targeted value creation. The range varies slightly across studies and definitions of “success,” but the magnitude remains consistent.

What often gets lost in these analyses: The root cause is almost never financial valuation. According to a Deloitte M&A study, integration failures most commonly stem from cultural misalignment and technological incompatibility. When two companies merge, ERP systems must be consolidated, CRM databases migrated, networks integrated, and security architectures harmonized. Each such project typically takes 12-24 months – if it wasn’t planned in advance, timelines easily double.

Financial Due Diligence identifies balance-sheet risks. Legal Due Diligence uncovers regulatory pitfalls. But who identifies the technological time bombs? In most transactions: no one.

“Technology is the great hidden risk in M&A. Financial due diligence tells you what a company earned yesterday. Technology due diligence tells you whether it can earn anything tomorrow.”
– Andy West, Senior Partner, McKinsey & Company (McKinsey M&A Insights, 2024)

What Digital Due Diligence Examines: Six Dimensions

A professional Digital Due Diligence assesses six dimensions – each one capable of becoming a deal-breaker:

1. IT Architecture and Scalability. Monolith or microservices? Cloud-native or legacy? Documented – or reliant on tribal knowledge? Architecture dictates how quickly and at what cost integration can occur. A well-documented, API-driven stack can be integrated in months. An undocumented monolith may tie up an entire development team for years.

2. Technical Debt. Outdated frameworks, unpatched systems, missing test suites, duplicated code fragments without maintenance plans. McKinsey Digital estimates the tech-debt premium at 10-20% per IT project. In acquisition targets, this share is often significantly higher, as technical debt is frequently concealed. The Software Improvement Group found, in an analysis of 531 M&A projects, that 31% of acquired codebases exhibited severe technical debt.

3. Cybersecurity Maturity. Are penetration tests conducted? Is there an incident-response plan? End-to-end encryption? Since NIS2 and DORA, security gaps in acquisition targets are no longer just operational risks – they’re regulatory liabilities. A breach post-acquisition falls squarely on the buyer.

4. Data Quality and Compliance. Cleanliness of customer data, GDPR compliance, data portability. Acquiring customer data means assuming liability. Missing deletion mechanisms or undocumented third-party data flows can trigger regulatory fines.

5. Team and Knowledge Distribution. Key-person dependencies are the most underestimated risk. If three individuals hold 80% of system knowledge, every resignation becomes a crisis. Due diligence must clarify: How many employees are indispensable? What incentives would retain them? And how quickly could they be replaced?

6. Vendor Dependencies. Proprietary platforms, change-of-ownership clauses in SaaS contracts, license fees that triple upon ownership transfer. Oracle, SAP, and other enterprise vendors routinely include such clauses – failing to uncover them guarantees expensive surprises.

Spotting Red Flags – and Assessing Them Correctly

Red Flag 1: No Documentation. When architecture exists only in the heads of individual employees, any integration planning is pure speculation. In practice, this means the buyer’s team must invest months just to understand what it bought – before integration can even begin.

Red Flag 2: No Automated Testing. Absent test suites mean every change is a leap into the dark. Integration demands changes – to interfaces, data models, authentication. Without test coverage, each adjustment becomes a game of roulette with production stability.

Red Flag 3: Monolithic In-House Development on Outdated Technology. PHP 5.6, .NET Framework 2.0, Java 6 – such stacks appear more often than expected. They consume developer resources for years – just for maintenance. Migrating to modern technology is often costlier than building anew.

Each red flag should prompt a purchase-price adjustment. All three together constitute a deal-breaker – or demand a fundamental re-evaluation of the integration business case.

Planning Integration Before Signing

Phase 1: Pre-Signing. Digital Due Diligence quantifies integration costs. Reserve at least 5-15% of the purchase price for IT integration – as a dedicated budget line item, not a sub-line under operational spend. The CIO must sit on the deal team from Day One – not be briefed only after closing.

Phase 2: Between Signing and Closing. Develop a detailed integration roadmap: Which systems will be consolidated? Which will run in parallel? The buyer’s CIO collaborates directly with the target’s tech team. Identify critical people risks – and finalize retention packages before Day One, not after.

Phase 3: First 100 Days. Implement rapid security measures: network segmentation, consolidated access rights, harmonized incident-response plans. Then stabilize – no rushed replatforming. The golden rule: Acquire for value, not for integration speed. Rebuilding the platform within the first 100 days destabilizes exactly what you paid for.

What Digital Due Diligence Costs – and What It Prevents

A professional Digital Due Diligence costs €30,000-€150,000 – depending on the complexity of the target’s IT landscape. For a deal in the high- or mid-nine-figure range, that represents 0.1-0.3% of the purchase price.

What it prevents: Integration costs that blow past budget by multiples; security breaches costing millions; key-person departures delaying projects by years; and regulatory exposure from inherited compliance gaps. The ROI of Digital Due Diligence is typically 10:1 – or higher.

The alternative – buying without technical scrutiny – is like purchasing a house without a structural engineering report. The façade may gleam – but the pipes behind tell another story.

Further Reading Across the Network

• → CIO Agenda 2026: Between Cost Pressure and Innovation Imperative – Why IT Strategy Belongs on the Executive Board Agenda (Digital Chiefs)
• → Digital Supervisory Board: Board Competence in Technology – Why Tech Expertise on the Supervisory Board Is Mission-Critical (Digital Chiefs)
• → EU AI Act 2026: What Companies Must Implement Now – Regulatory Compliance as a Due-Diligence Factor (Digital Chiefs)
• → DORA and NIS2 Simultaneously: The Compliance Double Burden – Assessing Security Compliance in M&A Targets (SecurityToday)

Header Image Source: Unsplash / Sebastian Herrmann