Artificial intelligence is becoming a key driverof value in many M&A transactions. Unlike traditional software businesses, AI-focused companies depend heavily on data, training processes, system designand the ability of their models to continuously learn. This creates a distinct set of legal, regulatory and commercial risks that need to be addressedcarefully during due diligence and in transaction documents.

An important starting point is to distinguishbetween companies that develop or sell AI-based products and those that merely use AI tools internally, for example for HR or finance purposes. While internal use of AI often creates limited additional risk, AI-producing companies raise more complex issues around data ownership, intellectual property, regulatory compliance and potential liability. The EU Artificial Intelligence Act (“AI Act”) significantly increases the importance of these topics. As a result, deal readiness today goes beyond classic IP and data protection checks and increasingly depends on whether AI-related risks are understood, managed and insurable.

The AI Act follows a risk-based approach. Depending on how an AI system is used, it may be classified as prohibited, high-risk or subject to lighter transparency and governance requirements. For buyers, this classification is critical. High-risk AI systems trigger extensiveobligations, including risk management, data governance, documentation, human oversight and ongoing monitoring. If a target company is not prepared for these requirements, this can lead to higher post-closing costs, regulatory exposure and limitationsin W&I insurance coverage.

_{AI Due Diligence and W&I Insurability}

In this environment, AI-related due diligenceserves two closely connected purposes. First, it identifies regulatory and operational risks under the AI Act. Second, it determines whether AI-related warranties can be insured under a warranty and indemnity (“W&I”) policy. Buyers and insurers will look closely at whether the target has already implemented AI governance structures or at least has a realistic and documented plan to achieve compliance.

Due diligence should therefore go beyond listing AI systems and data sets. Key questions include: Which AI systems are used and for what purposes? How were training and input data obtained, and are the usagerights clearly documented? Are governance, monitoring and documentation processes in place that align with the AI Act? Weaknesses in these areas are often treated as known risks and may result in exclusions or reduced coverageunder a W&I policy.

From an insurance perspective, particular attention is paid to the origin of training data, web scraping practices and the use of third-party AI components. If lawful data usage or proper governance cannot be demonstrated, insurers will typically require knowledge qualifiers orcarve-outs in AI-related warranties.

_{AI Warranties, Risk Allocation and Insurance}

These findings increasingly shape the drafting of transaction documents. AI-specific warranties typically address compliance with AI-related laws, lawful data usage, the absence of prohibited AI practices and the existence of appropriate governance and security measures. However, the wording of these warranties must reflect what has been confirmed in due diligence.

From a W&I perspective, absolute statements such as guarantees of error-free operation or future compliance are usually difficult to insure unless they are limited by knowledge or materiality qualifiers. Where a target company demonstrates strong AI Act readiness,insurers may be more willing to provide broader coverage or to remove certain seller knowledge qualifiers through synthetic enhancements. In this way, AI Act readiness can directly improve the risk transfer achieved in a transaction.

_Conclusion

The EU AI Act is becoming a key factor inM&A transactions involving AI-driven businesses. Successful deals require an integrated approach that combines focused AI due diligence, clear and realistic warranties and early dialogue with W&I insurers. Companies that are well prepared for the AI Act are better positioned to achieve effective risk transfer, smoother deal execution and greater certainty after closing.

_{Checklist: EU AI Act Deal Readiness (Simplified)}

1. AI Systems
- Identify all AI systems relevant to the transaction
- Classify them under the AI Act (prohibited, high-risk or other)
- Identify use in regulated or safety-critical areas

2. Data and Training
- Document where training and input data comes from
- Confirm lawful rights to use proprietary, licensed and scraped data
- Ensure data sources can be audited and explained

3. Governance and Oversight
- Clear responsibilities and internal rules for AI use
- Risk management and human oversight for critical systems
- Monitoring and processes to address issues

4. Technology and Security
- Explainability and traceability where required
- Protection against manipulation of data or models

5. Contracts and Insurance
- Alignment between due diligence results and AI warranties
- Avoid overly broad or forward-looking guarantees
- Clear treatment of known risks and W&I exclusions

6. Deal and Integration
- Clear plan to address gaps before or after closing
- Early discussion with W&I insurers on AI-related risks