legal due diligence in M&A

Legal Due Diligence in M&A

On 10 September 2024, India’s merger-control regime changed shape. The Ministry of Corporate Affairs switched on the Deal Value Threshold, and any acquisition worth more than 2,000 crore rupees, where the target has real business in India, now needs the Competition Commission’s nod before it can close. For anyone running the legal due diligence process for M&A, that single notification rewrote the risk map overnight. A profitable-looking startup with thin turnover, once comfortably below the radar, could suddenly be a notifiable deal.

Here’s the thing about that shift. It didn’t make the lawyers nervous. It made them busy.

Every serious acquisition in India now moves through a data room before money changes hands, and someone has to sit inside that room and read: the board minutes, the shareholder agreements, the customer contracts with their quiet change-of-control clauses, the pending tax notices nobody mentioned at the term-sheet stage. That someone is increasingly a corporate lawyer or a company secretary working from Pune or Gurugram, sometimes for a domestic acquirer, sometimes for a US private-equity fund buying an Indian software company over a video call. The work is document-heavy, deadline-driven, and remarkably portable.

Consider what a single missed clause can do. A buyer agrees to pay a headline price for a services company, largely for its marquee client. Then diligence surfaces a termination-on-change-of-control clause buried in that client’s master agreement. The client can walk the day the deal signs. Suddenly the “marquee client” is a liability, the valuation drops, and the deal either gets repriced or dies. That’s not a rare horror story. It’s Tuesday, in transaction practice.

And this is where the opportunity sits for professionals reading this on SkillArbitrage. Deal volume in India keeps climbing, cross-border interest keeps growing, and the regulatory surface keeps expanding: the four labour codes came into force on 21 November 2025, and the Digital Personal Data Protection Rules landed in November 2025 with obligations phasing in through 2027. Every one of those developments adds a workstream to legal diligence. The people who can run that review cleanly, spot the red flags, and translate them into contract protection are the people deal teams fight to keep. Some of them bill Indian rupees. A growing number bill dollars, remotely, for deals they never fly to.

This guide walks through the full legal due diligence process for M&A in an Indian context: what it is, who runs it, the step-by-step workflow, a complete document checklist mapped to the governing law, the red flags that break deals, and how findings flow into the final agreement.


The legal due diligence process for M&A is the buyer’s structured legal review of a target company before signing. It examines the target’s corporate records, share capital, contracts, litigation, regulatory compliance, employees, intellectual property, property, tax and data practices to surface legal risks. Those findings then shape the price, the warranties, the indemnities, and the conditions in the purchase agreement.

The sections below break each of those pieces down, starting with what legal diligence covers and where it sits in the life of a deal.



Buying a company is not like buying a product. You inherit its entire legal history: every contract it signed, every case filed against it, every regulatory promise it made and possibly broke. Legal due diligence is how a buyer reads that history before committing, so the price reflects reality rather than the seller’s pitch deck.

Legal due diligence in M&A is the systematic investigation of a target company’s legal position, run by or for the acquirer, to identify liabilities, confirm the seller genuinely owns what it claims to sell, and price legal risk into the deal. It answers three blunt questions. Does the target own its assets cleanly? What can come back to bite the buyer after closing? And which of those risks can be fixed, insured, priced out, or walked away from?

A deal moves in a fairly predictable sequence, and diligence has a fixed slot in it. First comes the non-disclosure agreement, then a letter of intent or term sheet that sets the indicative price and exclusivity. Due diligence runs next, usually over four to eight weeks. Only after diligence does the definitive agreement get negotiated: a share purchase agreement (SPA) for a share deal, or a business transfer agreement for an asset deal. Signing and closing follow, sometimes simultaneously, often with a gap for regulatory approvals.

The timing matters because diligence is the buyer’s leverage window. Findings that land during the review can reset price and terms. Findings that surface after signing become disputes, and disputes are expensive. So the review has to be thorough before the ink dries, not after.

Legal is one lane of a wider diligence exercise, and confusing the lanes causes gaps. Financial diligence tests whether the numbers are real. Tax diligence quantifies exposure to the Income Tax Department and GST authorities. Commercial diligence asks whether the business makes sense in its market. Legal diligence, by contrast, focuses on rights, obligations, compliance and disputes.

Diligence stream Core question Typical lead
Legal Does the target own its assets, and what liabilities attach? Law firm / in-house counsel
Financial Are the reported numbers accurate and sustainable? Chartered accountants / audit team
Tax What direct, indirect and withholding-tax exposure exists? Tax advisors
Commercial Is the market position and demand real? Strategy / management

In practice, these streams overlap and must talk to each other. A pending tax demand is a tax finding and a legal liability and a hit to the financial statements. The best deal teams run the streams in parallel but reconcile findings weekly, so nothing falls between the desks.

A common question professionals raise is whether legal diligence is even necessary for a small private deal. The honest answer is that scope can shrink, but the exercise rarely disappears. Even a modest acquisition can carry an unregistered trademark, an unpaid statutory due, or a promoter loan that quietly encumbers the company. Skip the review, and you inherit all of it.

Advertisement

Where deals go wrong most often is scoping. Set the review too narrow to save fees, and the risks you chose not to look at become the risks you own. We’d treat legal diligence as insurance, not overhead: the cost of the review is almost always a fraction of the liability it catches.

The four due diligence streams in M&A

Legal is one lane of a wider review, and the lanes must talk to each other

Stream
Core question
Typical lead
Financial
Are the reported numbers accurate and sustainable?
Chartered accountants
Tax
What direct, indirect and withholding-tax exposure exists?
Tax advisors
Commercial
Is the market position and demand real?
Strategy / management
Legal stream highlighted  ·  SkillArbitrage

Why spend four weeks and real money reading someone else’s paperwork? Because in a share purchase, the buyer steps into the target’s shoes entirely. Every unpaid dues, every defective title, every non-compliant filing travels with the company into the buyer’s hands. Diligence is the only stage where the buyer can find these problems while it still has the power to do something about them.

The stakes split by side. For the buyer, diligence protects the price and builds the case for warranties and indemnities. For the seller, a smart seller runs its own review first (vendor diligence, covered below) to fix problems before a buyer’s team finds them and uses them to negotiate the price down.

How findings flow into price, warranties and indemnities

Diligence findings are not filed away. They convert directly into deal terms. A confirmed liability of a known amount usually comes off the price or goes into an escrow account. A risk that might crystallise later, say a pending tax appeal, gets covered by a specific indemnity where the seller agrees to reimburse the buyer if the liability lands. A general assurance that the company is compliant becomes a warranty in the SPA.

Think of it this way. Diligence produces the facts, and the SPA allocates who carries each risk. The clearer the finding, the more precisely the contract can push that risk back onto the seller. That’s why a vague diligence report is worse than useless: it leaves the buyer’s lawyers negotiating protection for risks they can’t quite describe.

What goes wrong when diligence is rushed

Rushing diligence has a way of compounding. Skip the litigation search and you might close on a company facing an injunction that freezes its main asset. Miss a change-of-control clause and a key contract terminates on completion, gutting the value you paid for. The second-order damage is worse than the first: a liability that surfaces post-closing not only costs money, it triggers indemnity claims, sours the relationship with the sellers you now depend on to run the business, and can drag both sides into arbitration that runs for years.

There’s a quieter downstream effect too. Regulators and courts increasingly expect acquirers to have done their homework. Weak diligence can undercut a buyer’s later defence that it acquired liabilities in good faith, especially in regulated sectors. Doing the work protects more than the price. It protects the buyer’s position if things later go to a tribunal.

In our view, the strongest argument for rigorous diligence is simple leverage. Before signing, a serious finding gives the buyer room to renegotiate or exit. After signing, the same finding is just a problem the buyer now owns.

Who sits in the data room reading all this? Rarely one person. Legal diligence on any sizeable Indian deal is a team exercise, and understanding the roles helps whether you’re hiring the team or trying to join one.

At the centre sits the acquirer’s legal counsel, usually an external law firm instructed to run the review and produce the report. Alongside them, the buyer’s in-house legal team and company secretary set the scope, flag commercially sensitive areas, and act as the bridge to management. On larger transactions, specialist advisors join for discrete workstreams: intellectual property counsel, employment specialists, competition-law experts for the merger-control analysis, and environmental consultants for industrial targets.

Buy-side versus sell-side (vendor) diligence

Diligence runs from two directions. Buy-side diligence is the classic exercise: the acquirer’s team investigates the target to protect the buyer. Sell-side or vendor diligence flips the perspective: the seller commissions a review of its own company, often before going to market, to identify and fix problems early and to hand buyers a credible report that speeds up the process.

Vendor diligence has grown popular in competitive auctions, where a seller wants several bidders moving fast. A clean vendor report reduces the surprises that slow a buyer down. That said, buyers still run their own confirmatory review. No serious acquirer relies solely on a report the seller paid for.

Here’s where the work has quietly globalised. Legal diligence is document-driven and runs almost entirely inside a virtual data room, which means it does not require anyone to be physically present. Indian corporate lawyers, company secretaries and paralegals increasingly run or support diligence for cross-border deals: an Indian target being bought by a foreign acquirer, or an Indian team reviewing an offshore target as part of a larger firm’s global bench.

For professionals building this skill, the arbitrage is real. The same review that bills at Indian rates for a domestic deal can bill in dollars when a US or Singapore acquirer needs India-side diligence, or when a global firm outsources first-level document review. Structured training in cross-border transactions and international business law, like SkillArbitrage’s international business law and cross-border transaction programmes, is one route professionals use to move from domestic support work toward globally billable deal roles.

A recurring question on professional forums is whether company secretaries, not just lawyers, can lead legal diligence. In practice, they routinely do, especially on the corporate-records, statutory-compliance and secretarial-audit workstreams, which sit squarely within a CS’s training. The strongest diligence teams pair legal and secretarial expertise rather than treating them as rivals.

The pitfall here is fragmentation. When five specialists each review their slice and nobody owns the whole picture, cross-cutting risks slip through: an IP assignment gap that’s also an employment issue, or a related-party contract that’s also a governance red flag. Someone senior has to hold the full map. Without that, the report reads as ten good chapters with no story.

Not every deal needs the same depth of review, and matching the type of diligence to the deal is itself a skill. Over-scope a small acquisition and you burn fees the deal can’t justify. Under-scope a complex one and you miss the risk that matters. So what are the main types, and when does each apply?

Full-scope diligence is the comprehensive review: every category, every material document, a detailed report. It suits large deals, regulated targets, and any acquisition where the buyer is taking on the whole company with all its history.

Limited-scope or red-flag diligence narrows the review to high-risk areas and reports only material issues rather than cataloguing everything. It fits smaller deals, early-stage bids, and situations where the buyer wants a fast read on whether to proceed before committing to full-scope fees. The report is shorter and blunter: here are the deal-breakers, here’s what needs fixing.

Confirmatory diligence happens late, after the main review, to verify that nothing material changed between signing and closing and that conditions have been met. Think of it as the final check before the money moves.

Reverse or vendor diligence, as covered earlier, is the seller reviewing itself. It belongs on this list because it changes how the buyer’s team works: when a credible vendor report exists, the buyer often runs a lighter confirmatory review rather than starting from zero.

In practice, most Indian deals blend these. A private-equity buyer might start with red-flag diligence to decide whether to bid, move to full-scope on the categories that matter once exclusivity is granted, then run confirmatory diligence before closing. The mistake we see most often is treating the choice as fixed at the start. Scope should flex as the deal reveals itself: expand where diligence finds smoke, contract where a category proves clean.

A frequent question from first-time acquirers is whether red-flag diligence is “enough.” It can be, for the go or no-go decision. But it is rarely enough to negotiate detailed warranties and indemnities, because those need the granular findings only a fuller review produces. Use red-flag diligence to decide whether to keep going, not as the basis for the final contract.

The legal due diligence process for M&A follows a recognisable sequence, whether the deal is a 50-crore founder exit or a 5,000-crore cross-border acquisition. The depth changes; the steps do not. Here is the workflow deal teams run, in order.

Step 1: Scoping, the NDA, and engagement

Before a single document is read, the buyer and its counsel agree on scope: which categories to review, the materiality thresholds (the value above which a contract or liability must be examined), and the timeline. A non-disclosure agreement is signed so the seller can share sensitive information safely. The engagement letter records who does what.

Getting materiality right is where experienced teams earn their fee. Set the threshold too low and the team drowns in trivial contracts. Set it too high and a deal-relevant liability slips under the bar. The threshold should track the deal size and the target’s business, not a generic number copied from the last transaction.

Step 2: Issuing the due diligence request list

Counsel sends the seller a due diligence request list (also called a checklist or questionnaire): a structured document asking for everything the review needs, organised by category. Corporate records, contracts, litigation, licences, employee data, IP registrations, property papers, tax filings, and so on. The India checklist section below maps these categories in full.

The quality of the request list sets the quality of the whole review. A vague list produces a vague data room. A precise, well-sectioned list signals to the seller that the buyer’s team knows exactly what it’s looking for, which tends to produce faster, cleaner disclosure.

Step 3: Setting up the virtual data room

The seller populates a virtual data room (VDR): a secure online repository where documents are uploaded, indexed and access-controlled. Gone are the days of physical rooms full of files. Today the VDR is the workspace, and its index becomes the backbone of the review.

A well-organised data room speeds diligence dramatically. A chaotic one, where contracts sit unlabelled in a single folder, slows everything and hides risk. Worth flagging: the state of the data room is itself a signal. A disorganised room often means disorganised compliance underneath.

Step 4: Document review and independent verification

This is the core. The diligence team works through every material document against the request list, recording findings, gaps and questions. Crucially, key facts get verified independently rather than taken on the seller’s word: title documents checked against land records, litigation searched on court and tribunal portals, charges verified on the Ministry of Corporate Affairs registry, trademark status confirmed on the IP registry.

Independent verification is what separates real diligence from a reading exercise. The seller’s representation that “there is no pending litigation” means little until counsel has searched the relevant court records. The register says what the register says. Trust it over the disclosure letter.

Step 5: Management interviews and clarifications

Documents rarely tell the whole story. The team raises follow-up questions through the data room’s Q&A function and, on bigger deals, interviews management on specific areas: the status of a disputed contract, the reason a licence renewal is pending, the background to a related-party arrangement. Answers get documented and cross-checked against the paperwork.

Step 6: Red-flag identification and risk rating

As findings accumulate, the team sorts them by severity. A common approach is a red-amber-green rating: red for deal-breakers or major liabilities, amber for issues needing protection or fixing, green for minor or resolved items. This rating is what turns a pile of findings into something the deal team can act on.

The findings become a written report: an executive summary of the material risks, then a category-by-category account of issues, evidence and recommendations. The report is the deliverable the deal team, the board, and often the lenders rely on. Its structure gets its own section below.

Step 8: Feeding findings into the agreement

Finally, the findings flow into the definitive agreement. Confirmed liabilities adjust price or route to escrow. Contingent risks get specific indemnities. Compliance gaps become conditions precedent that the seller must fix before closing. General assurances become warranties. This is the payoff step: diligence only creates value if its findings change the contract.

The typical timeline runs four to eight weeks for the core review on a mid-market deal, longer where regulatory approvals or messy records intervene. A rhetorical question worth sitting with: what’s the rush that would justify skipping any of these steps? On almost every deal, the honest answer is none. The cost of compressing diligence shows up later, at a worse moment, in a bigger number.

The legal due diligence process for M&A

Eight steps from scoping to signing

1

Scoping, NDA and engagement

Agree the review scope, materiality thresholds and timeline; sign the non-disclosure agreement.

2

Issue the due diligence request list

Send the seller a structured, category-by-category request for documents and information.

3

Set up the virtual data room

The seller uploads documents to a secure, indexed, access-controlled VDR.

4

Document review and verification

Read every material document and verify facts against registers, court portals and land records.

5

Management interviews and clarifications

Raise follow-up questions and cross-check the answers against the paperwork.

6

Red-flag identification and risk rating

Sort findings into red, amber and green by severity.

7

Prepare the legal due diligence report

An executive summary plus a category-by-category account of findings and recommendations.

8

Feed findings into the agreement

Convert findings into price adjustments, indemnities, conditions precedent and warranties.

Typical core review: 4 to 8 weeks on a mid-market deal, longer where regulatory approvals apply.
SkillArbitrage

This is the section most readers come for: what, concretely, does a legal diligence team examine on an Indian target? The checklist below organises the review by category, with the key documents and the governing law for each. Treat it as a working request list, not a one-size template. Every deal drops some items and adds others.

# Review area What the team examines Key governing law
1 Corporate records Certificate of incorporation, MOA and AOA, board and shareholder resolutions, statutory registers, MCA filings Companies Act, 2013
2 Share capital and ownership Cap table, share transfers, ESOPs, share pledges, shareholders’ and share-subscription agreements Companies Act, 2013; SEBI rules for listed targets
3 Material contracts Customer, supplier, distribution and financing contracts, and change-of-control, exclusivity and termination clauses Indian Contract Act, 1872
4 Regulatory approvals and licences Sector licences, environmental consents, FDI approvals, RBI filings FEMA, 1999; sector-specific laws
5 Litigation and disputes Pending suits, arbitrations, tax appeals, notices, contingent liabilities Code of Civil Procedure; Arbitration Act
6 Employment and labour Employment contracts, PF and ESI compliance, POSH policy, contract-labour records Four Labour Codes (in force 21 Nov 2025)
7 Intellectual property Trademark, patent and copyright registrations, assignments, IP created by employees Trade Marks Act, 1999; Patents Act, 1970; Copyright Act, 1957
8 Real estate and assets Title documents, leases, encumbrances, charges Transfer of Property Act; Registration Act
9 Tax and statutory dues Direct-tax and GST filings, TDS, pending demands, tax litigation Income-tax Act, 1961; CGST Act, 2017
10 Data protection and IT Data-handling practices, privacy policy, DPDP readiness DPDP Act, 2023; DPDP Rules, 2025

Let’s walk through the categories that most often hide risk.

Corporate records and share capital

The review starts with the company’s constitutional documents: the memorandum and articles of association, the statutory registers, and the full set of board and shareholder resolutions. Under the Companies Act, 2013, a private company must maintain specific registers and file specific returns, and gaps here are common in founder-run businesses. The team also pulls the company’s filing history and registered charges from the Ministry of Corporate Affairs portal, because a charge on the register is a lender’s claim on the company’s assets.

Share capital deserves special care. The cap table must reconcile with the share-transfer records, the ESOP grants, and any shareholders’ agreement. A single unrecorded transfer or an ESOP pool that doesn’t match the board approvals can throw the entire ownership picture into doubt. And ownership is the one thing the buyer is paying for.

Material contracts and change-of-control clauses

Contracts are where value lives and where it leaks. The team reviews material customer, supplier, distribution and financing agreements, hunting for a specific set of clauses: change-of-control provisions that let a counterparty exit on acquisition, exclusivity that limits the buyer’s freedom, onerous termination or penalty terms, and assignment restrictions. The change-of-control clause is the classic deal-repricer, and it hides in exactly the contracts the buyer values most.

Employment, PF, ESI and the new labour codes

Employment diligence changed materially in late 2025. The four labour codes, the Code on Wages, 2019, the Industrial Relations Code, 2020, the Code on Social Security, 2020, and the Occupational Safety, Health and Working Conditions Code, 2020, came into force on 21 November 2025, consolidating 29 earlier central laws, per the Ministry of Labour and Employment. The team checks employment contracts, provident-fund and ESI compliance, gratuity provisioning, contract-labour arrangements, and the prevention-of-sexual-harassment (POSH) policy and committee.

Because the codes are new and the detailed rules are still settling across states, compliance is a live risk area rather than a settled one. We’d treat any target’s labour compliance as something to verify against the current code position, not the old Factories Act and Industrial Disputes Act framework that many HR manuals still reference.

Intellectual property and employee-created IP

For technology and brand-led targets, IP is often the main asset, so the review confirms the company genuinely owns it. The team checks trademark, patent and copyright registrations on the official registries, verifies that assignments are properly executed, and looks hard at IP created by employees and contractors. The recurring gap: code or designs built by a contractor whose contract never assigned the IP to the company, which means the company doesn’t own its own product.

Tax, statutory dues and data protection

Tax diligence overlaps with legal diligence on liabilities: pending demands, TDS defaults, and unpaid statutory dues all become the buyer’s problem in a share deal. Under Section 281 of the Income-tax Act, 1961, certain asset transfers made while tax proceedings are pending can be treated as void against the tax authority’s claim, which is why counsel checks for pending proceedings before a transfer, referencing the Income Tax Department position.

Data protection is the newest workstream. With the Digital Personal Data Protection Rules, 2025 notified in November 2025 by the Ministry of Electronics and Information Technology, and substantive obligations phasing in through May 2027, buyers now assess a target’s data-handling practices, consent mechanisms and breach history as part of diligence. For any consumer-facing or data-heavy target, this is no longer optional (the privacy and data-protection skills covered in SkillArbitrage’s data protection and privacy programmes are increasingly part of the diligence toolkit).

The pitfall across the whole checklist is treating it as a box-ticking exercise. A checklist tells you where to look. It doesn’t tell you what a finding means for this deal, in this sector, at this price. That judgment is the actual work.

Legal due diligence checklist for M&A in India

Ten review areas and the law that governs each

Corporate records
Companies Act, 2013
Share capital and ownership
Companies Act / SEBI
Material contracts
Indian Contract Act, 1872
Regulatory approvals and licences
FEMA, 1999 + sector laws
Litigation and disputes
CPC; Arbitration Act
Employment and labour
Four Labour Codes (2025)
Intellectual property
Trade Marks / Patents / Copyright
Real estate and assets
Transfer of Property; Registration
Tax and statutory dues
Income-tax Act; CGST Act
Data protection and IT
DPDP Act, 2023
10 review areas  ·  adapt the scope to each deal
SkillArbitrage

Regulatory framework governing M&A due diligence in India

Legal diligence in India runs against a specific statutory backdrop, and knowing which law governs which question is half the skill. Which laws matter most? Five frameworks carry most of the weight.

Companies Act, 2013

The Companies Act is the foundation. Mergers and amalgamations by way of a court-sanctioned scheme run through Sections 230 to 232, which require National Company Law Tribunal (NCLT) approval. Section 233 provides a faster route for mergers between small companies or between a holding company and its wholly-owned subsidiary. Section 234 enables cross-border mergers. The Act also governs the corporate records, registers and filings that diligence verifies at the outset.

SEBI regulations for listed targets

When the target is listed, a second layer applies. Acquiring 25% or more of the voting rights of a listed company triggers a mandatory open offer to public shareholders under the SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 (the Takeover Code). An existing holder above 25% who acquires more than 5% of voting rights in a financial year triggers the same obligation (the creeping-acquisition limit), and the mandatory open offer must be for at least 26% of the target’s shares. Acquiring control triggers an open offer regardless of the shareholding percentage. Listed-company diligence also covers the SEBI listing and insider-trading regulations.

Competition Act, 2002 and CCI merger control

Large deals need clearance from the Competition Commission of India (CCI) before they close. Beyond the traditional asset and turnover thresholds under Section 5, which the government raised by 150% in March 2024, the Competition (Amendment) Act, 2023 introduced the Deal Value Threshold. Since 10 September 2024, any transaction valued above 2,000 crore rupees, where the target has substantial business operations in India, requires CCI approval, per the Competition Commission of India. A “small target” (de minimis) exemption exists for targets with India assets below 450 crore rupees or turnover below 1,250 crore rupees, though the government revises these thresholds periodically and they do not apply where the Deal Value Threshold is met. Deal teams should confirm the notification current at the deal date.

FEMA and foreign investment

Where a foreign buyer is involved, the Foreign Exchange Management Act, 1999 governs the transaction. Diligence checks sectoral FDI caps, whether the deal falls under the automatic or government-approval route, pricing-guideline compliance, and the reporting filings with the Reserve Bank of India. Getting FEMA compliance wrong on a past transaction is a classic inherited liability: the target’s earlier foreign-investment filings are squarely within scope.

IBC, stamp duty and other cross-cutting laws

Several further laws recur. The Insolvency and Bankruptcy Code, 2016 matters where the target is distressed or where an acquisition happens through the insolvency process. Stamp duty applies to share transfers and deal instruments, now at largely uniform rates for securities under the amended Indian Stamp Act, 1899. Sector-specific regulators (the RBI for NBFCs, IRDAI for insurance, and others) add their own approval requirements. The mistake to avoid is assuming the Companies Act covers everything. It sets the base. The sector and the deal structure decide what else applies.

What kills or reshapes deals? After enough transactions, the same red flags recur. Knowing them is what lets an experienced reviewer scan a data room and sense trouble before the detail confirms it.

Undisclosed litigation and contingent liabilities top the list. A pending suit that could freeze a key asset, a tax appeal with a large exposure, a regulatory notice the seller “forgot” to mention: these are the findings that reset price or send buyers to the exit. Contingent liabilities are especially dangerous because they don’t show on the balance sheet until they crystallise.

Defective title and encumbered assets come next. If the target doesn’t cleanly own the property, plant or IP it claims to, the buyer is paying for something the seller can’t fully deliver. A charge on the MCA register that nobody disclosed, a lease that’s expired, a trademark registered in a founder’s personal name rather than the company’s: each undermines the asset base.

Change-of-control triggers deserve their own mention because they’re so easily missed. A single clause in a major customer or financing contract can let the counterparty terminate on the acquisition, destroying the value the buyer paid for. This is why contract review reads every material agreement for the exit clause, not just the commercial terms.

Related-party transactions and governance gaps signal deeper problems. Loans to promoters, contracts with entities the founders own, resolutions passed without proper approvals: these raise both a valuation question and a governance red flag, and they often point to more that hasn’t surfaced yet.

IP ownership gaps round out the list, particularly for tech targets. When the product’s code or design was built by contractors or employees whose agreements never assigned the IP, the company doesn’t own its core asset. The fix, proper assignment deeds, becomes a condition the seller must complete before closing.

A question that comes up often is whether a red flag automatically kills a deal. It usually doesn’t. Most red flags get managed: priced down, indemnified, escrowed, or fixed as a condition precedent. The deal-breakers are the risks that can’t be quantified or contained, an existential regulatory breach, a title defect on the only asset that matters. The reviewer’s job is to tell those two categories apart.

The report is where diligence earns its keep. A pile of findings helps no one. A clear, prioritised report tells the deal team exactly what it’s buying and what to do about each risk. So what does a good one contain?

What the report includes

A well-built legal due diligence report opens with an executive summary: the material risks, up front, in plain language, so a board member can grasp the deal’s legal shape in five minutes. Then comes a category-by-category account: for each area (corporate, contracts, litigation, employment, IP, and so on), the issues found, the supporting evidence, the severity, and a recommendation. The best reports don’t just describe problems. They say what to do about each one.

The red-amber-green risk matrix

Most reports carry a risk matrix that rates each finding. Red flags are deal-breakers or major liabilities needing price adjustment or a walk-away. Amber items need protection through indemnities, warranties or conditions. Green items are minor or already resolved. This matrix is what lets a busy deal team triage: fix the reds, protect against the ambers, note the greens.

From findings to contract protection

The report’s real output is contract language. Each material finding maps to a mechanism in the definitive agreement. A quantified liability adjusts the price or funds an escrow. A contingent risk gets a specific indemnity. A compliance gap becomes a condition precedent the seller completes before closing. A general assurance becomes a warranty, backed by the seller’s disclosure letter.

Here’s what that looks like in practice. Diligence finds a pending tax appeal with a 12-crore exposure. The report rates it amber. The SPA then carries a specific tax indemnity: if the appeal goes against the company, the seller reimburses the buyer up to the exposure, often backed by an escrow holding part of the price for a defined period. The finding didn’t kill the deal. It reshaped the risk allocation.

The mistake we see most often at this stage is a report that catalogues everything at equal weight, burying the three findings that matter under three hundred that don’t. Prioritisation is the value. A reviewer who can’t tell the board which three things to worry about hasn’t finished the job.

How diligence findings are rated

The red-amber-green risk matrix that drives the deal terms

RED
Deal-breaker or major liability
Action: reprice or walk away
AMBER
Manageable risk
Action: indemnity, warranty or condition precedent
GREEN
Minor or already resolved
Action: note only
SkillArbitrage

Even experienced teams slip, and the same mistakes recur across deals. Spot them early and the review gets sharper. Here are the ones worth guarding against.

Scoping too narrow to save fees. The risks you decide not to review are the risks you silently agree to own. Scope should be driven by the target’s actual risk profile, not by a fee budget. If a category is material to this business, it gets reviewed, full stop.

Over-relying on the data room. Documents show what the seller chose to upload. Independent verification, against court records, the MCA registry, land records and the IP registry, catches what the disclosure omits. Treat the seller’s representations as claims to be tested, not facts to be recorded.

Ignoring regulatory-approval timelines. A deal that needs CCI clearance or RBI approval runs on the regulator’s clock, not the parties’. Teams that discover a mandatory approval late find their closing timeline blown apart. Map the approvals at the start, during scoping, not at the end.

Setting materiality thresholds mechanically. Copying last deal’s threshold onto this one produces either a drowning team or a missed liability. The threshold should reflect this deal’s size and this target’s business.

Losing the cross-cutting view. When specialists each own a slice and nobody owns the whole, risks that span categories (an IP gap that’s also an employment issue, a related-party deal that’s also a governance flag) fall through the cracks. Someone senior has to hold the full picture and reconcile findings across streams.

In our view, the single highest-leverage habit is independent verification. The registers, the court portals and the land records don’t have an incentive to make the target look good. The disclosure letter does. When the two disagree, believe the register.

How M&A due diligence is evolving: technology and the 2026 outlook

Diligence in 2026 looks different from diligence a decade ago, and the direction of travel matters for anyone building a career in this work. Where is it heading?

The scope has widened steadily. Twenty years ago, legal diligence focused on corporate records, contracts and litigation. Data protection barely featured, ESG was a fringe concern, and merger control caught only the largest deals. Today the review spans all of these. The arrival of the DPDP framework, the four labour codes, and the Deal Value Threshold in the space of two years added three substantial workstreams to the standard diligence exercise. The job keeps getting broader, not narrower.

Technology is reshaping the how. AI-assisted contract-review tools now scan large document sets for specific clauses, change-of-control provisions, assignment restrictions, unusual indemnities, far faster than manual review, flagging them for a human to judge. Early signals suggest these tools compress the first-pass review on high-volume contract sets, though the judgment calls, what a clause means for this deal, remain firmly human. The reviewer’s edge is shifting from reading speed toward interpretation.

Remote and outsourced diligence is the structural shift most relevant to readers here. Because the work lives in a virtual data room, it travels. Indian legal professionals increasingly run first-level document review and India-side diligence for global deals, billing internationally for work they’d once have needed to be in a foreign office to do. This is the practical face of skill arbitrage in the legal profession: the same expertise, delivered remotely, priced against a global market. For professionals mapping this path, SkillArbitrage publishes guides on building a global remote career across legal, finance and compliance work.

On the regulatory horizon, the near term is about bedding in what’s already arrived. The DPDP Rules phase their substantive obligations through May 2027, so data-protection diligence will sharpen as enforcement approaches. The labour codes’ detailed rules continue to settle across states through 2026. Professionals expect the merger-control net to keep widening rather than loosening. The safe assumption for anyone building diligence skills: the surface area of legal risk in an Indian deal is more likely to grow than shrink.

What does this mean for you? The demand for people who can run a rigorous, current legal diligence process is rising, the work is increasingly location-flexible, and the regulatory complexity that makes it hard is exactly what makes the skill valuable. That’s a good combination to be building toward.

Frequently asked questions

What is legal due diligence in M&A? Legal due diligence in M&A is the buyer’s systematic review of a target company’s legal position before an acquisition. It examines corporate records, contracts, litigation, compliance, employees, IP, property, tax and data practices to identify liabilities and confirm the seller owns what it’s selling. The findings then shape the price and the protections in the purchase agreement.

How is legal due diligence different from financial and commercial due diligence? Legal diligence focuses on rights, obligations, compliance and disputes: does the target own its assets, and what liabilities attach? Financial diligence tests whether the numbers are accurate, and commercial diligence assesses the market position. The streams overlap (a tax demand is both a legal and a financial issue) and are usually run in parallel by different specialists.

How long does legal due diligence take in an M&A deal? The core review typically runs four to eight weeks on a mid-market deal, though it varies with the target’s size, the state of its records, and the categories in scope. Deals needing regulatory approvals such as CCI clearance run longer overall, because the approval timeline sits on top of the review.

What documents are required for legal due diligence in India? The standard set covers corporate records (MOA, AOA, resolutions, statutory registers), the cap table and share-transfer records, material contracts, licences and approvals, litigation details, employment and PF/ESI records, IP registrations, property title documents, tax filings, and data-protection documentation. Counsel issues these as a structured due diligence request list at the start.

What is a due diligence request list? A due diligence request list (also called a checklist or questionnaire) is the structured document the buyer’s counsel sends the seller, asking for every document and piece of information the review needs, organised by category. The seller responds by uploading the material to the data room. The quality of the request list largely determines the quality of the review.

What is a virtual data room? A virtual data room (VDR) is a secure online repository where the seller uploads the target’s documents for the buyer’s team to review, with controlled access and an audit trail. It has replaced the physical document rooms once used in deals, and its index typically forms the backbone of the diligence review.

Which laws govern M&A due diligence in India? The main frameworks are the Companies Act, 2013 (corporate records and merger schemes), the SEBI Takeover Code for listed targets, the Competition Act, 2002 for CCI merger clearance, FEMA, 1999 for foreign investment, and the Income-tax Act, 1961 for tax. Employment (the four labour codes), IP, property, and data-protection laws (the DPDP Act, 2023) apply by category.

When is CCI approval required for a merger in India? CCI approval is required when a deal crosses the asset or turnover thresholds under Section 5 of the Competition Act, or, since 10 September 2024, when it exceeds the Deal Value Threshold of 2,000 crore rupees and the target has substantial business operations in India. A small-target exemption can apply below certain asset and turnover levels, unless the Deal Value Threshold is triggered.

Is legal due diligence mandatory for M&A in India? No law forces a buyer to conduct diligence, but no serious acquirer skips it. In a share purchase the buyer inherits all of the target’s liabilities, so diligence is the buyer’s only chance to find problems while it still has the leverage to price, protect against, or walk away from them.

What is the difference between buy-side and sell-side due diligence? Buy-side diligence is run by the acquirer’s team to investigate the target and protect the buyer. Sell-side (vendor) diligence is commissioned by the seller on its own company, usually before going to market, to fix problems early and give buyers a credible report. Buyers still run their own confirmatory review even when vendor diligence exists.

What is red-flag due diligence? Red-flag diligence is a limited-scope review that focuses only on high-risk areas and reports material issues rather than cataloguing every document. It suits smaller deals or an early go or no-go decision. It’s rarely enough on its own to negotiate detailed warranties and indemnities, which need the granular findings of a fuller review.

What are common red flags found in legal due diligence? The recurring ones are undisclosed litigation and contingent liabilities, defective or encumbered title, change-of-control clauses in key contracts, related-party transactions and governance gaps, and IP ownership gaps where the company doesn’t cleanly own its core assets. Most are managed through price, indemnities or conditions rather than ending the deal.

What does a legal due diligence report contain? A legal due diligence report contains an executive summary of the material risks, a category-by-category account of findings with evidence and recommendations, and usually a red-amber-green risk matrix rating each issue. Its purpose is to let the deal team prioritise: fix the reds, protect against the ambers, and note the minor items.

How do due diligence findings affect the share purchase agreement? Findings convert directly into deal terms. A quantified liability adjusts the price or funds an escrow, a contingent risk gets a specific indemnity, a compliance gap becomes a condition precedent the seller must complete before closing, and general assurances become warranties backed by a disclosure letter. Diligence creates value only when its findings change the contract.

Can legal due diligence be done remotely? Yes. Because diligence runs almost entirely inside a virtual data room, it doesn’t require physical presence, and remote diligence is now standard. This is why Indian legal professionals increasingly support cross-border deals for foreign acquirers, running India-side or first-level document review remotely and, in many cases, billing at international rates.

References

Official guidance and regulations

  1. Companies Act, 2013 (Ministry of Corporate Affairs), Government of India
  2. SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011, last amended 5 December 2025, Securities and Exchange Board of India
  3. Competition Act, 2002 and combination notifications, Deal Value Threshold, Competition Commission of India
  4. Foreign Exchange Management Act, 1999, Reserve Bank of India
  5. The four Labour Codes, Ministry of Labour and Employment, Government of India
  6. Digital Personal Data Protection Rules, 2025, Ministry of Electronics and Information Technology
  7. Income-tax Act, 1961, Income Tax Department, Government of India

This article is for educational purposes only and does not constitute professional, financial, legal, or immigration advice. For guidance specific to your situation, consult a qualified professional.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *