Due Diligence

Regulatory and technical risk is among the main sources of post-completion value destruction in pharma and medtech M&A. It is also the discipline most often underweighted during the deal process. Financial, commercial, and legal due diligence are standard practice. Regulatory, CMC, and quality due diligence are frequently compressed, deferred, or delegated to generalists who lack the industry context to know what they are looking at.

This page is about what good regulatory due diligence looks like, where it commonly falls short, and how to structure the process so it protects the deal rather than simply documenting what went wrong.

The Problem With Treating Regulatory Due Diligence as a Formality

Most deal teams understand, in principle, that regulatory risk matters. The problem is in practice. Regulatory and technical due diligence is often brought in too late, scoped too narrowly, and treated as a confirmation exercise rather than an investigative one.

Three patterns show up repeatedly.

Regulatory comes in after the economics are already set.

The investment thesis is built on commercial projections. The valuation is modelled. The deal team has committed time and reputation. By the time regulatory specialists are brought in to "check the dossier," the economics are already anchored. Findings that should have reshaped the deal structure instead get filed as "manageable risks" because nobody wants to reopen the model. Early, even lightweight, regulatory screening before serious capital commitment can catch the most obvious red flags at a fraction of the cost.

The scope is too narrow for the actual risk.

A common pattern: the deal team commissions a regulatory due diligence focused on marketing authorisation status. Are the products approved? Are the approvals current? Yes and yes. But nobody reviewed the post-approval commitments that the MAH has not yet fulfilled. Nobody checked whether recent regulatory changes (new impurity guidelines, updated safety reporting requirements, revised MDR classification rules) have been implemented. Nobody assessed whether the manufacturing process described in Module 3 matches what is actually happening at the production site. These are the gaps that cost money after completion, and they sit outside a narrow scope.

CMC and quality risk is underestimated.

Financial and commercial DD teams can read a P&L. They cannot read a stability protocol or a process validation report. CMC risk is technical and specific: it involves understanding whether a manufacturing process can be transferred, whether analytical methods are lifecycle-managed, whether the dossier accurately reflects the current process, and whether the supply chain can survive a site change. These assessments require specialists. When CMC is left to generalists, the findings are superficial, and the real risks are invisible until they materialise as costly remediation programmes post-close.

The common thread across all three patterns is the same: regulatory and technical DD is treated as a downside risk exercise, rather than as a core input to valuation and deal structure. But good regulatory due diligence is not only about identifying risk. It is also about identifying opportunity: lifecycle extension strategies, 505(b)(2) or hybrid application pathways, new indications or markets that the seller has not pursued, and development opportunities that could increase the asset’s value beyond the seller’s base case. A DD that only looks for problems misses half the picture.

What a Phased Approach Actually Looks Like

The most effective due diligence processes are phased, not because phasing is a best practice on paper, but because information arrives in stages and the questions that matter change at each stage. Starting with a full-scope technical review before you have VDR access wastes effort. Waiting until post-VDR to involve regulatory specialists wastes time you cannot get back.

On larger transactions, investors often work a year or more ahead of a formal process, building an outside-in perspective on potential targets based on publicly available financial and commercial data. Regulatory due diligence should be part of this early view. Pipeline status, marketing authorisation history, inspection track record, and development opportunities are all commercially relevant and all assessable from public sources. We support this kind of pre-process screening, giving investors a regulatory perspective on an asset before they enter a formal transaction.

Phase 1: Early screening (pre-process/1st Round Bid/LOI or pre-VDR)

Purpose: Identify disqualifying risks or major pricing concerns before committing significant time and capital.

What is available: Publicly accessible information. Marketing authorisation databases (EMA, FDA, national CA registers), published inspection outcomes, safety signal databases (EudraVigilance, FAERS), patent registers, clinical trial registries, published regulatory guidance changes.

What to look for: Products with lapsed or restricted authorisations. History of serious GMP non-compliance (warning letters, import alerts, manufacturing suspensions). Significant safety signals or ongoing referrals. Orphan or conditional approvals with unfulfilled commitments. Products in therapeutic areas subject to imminent regulatory change.

Output: A screening memo that identifies deal-breakers or flags areas requiring deeper investigation once VDR access is granted. This should take days, not weeks, and should cost a fraction of a full DD engagement. It is the cheapest insurance in the deal process.

Phase 2: EU AI Act: the AI overlay.

Purpose: Detailed technical and regulatory review once full documentation access is granted.

What is available: Product dossiers (CTD modules), quality system documentation, inspection and audit reports, pharmacovigilance files, clinical study reports, manufacturing records, supply agreements.

What to look for: The specifics depend on the asset type and the questions raised in Phase 1. For a marketed portfolio, the focus is typically on dossier compliance, post-approval commitment status, variation history, manufacturing process accuracy, and PV system readiness. For pipeline assets, the focus shifts to clinical development plan credibility, CMC scale-up readiness, and the regulatory strategy underpinning the probability-of-approval case.

Output: A structured risk report with findings classified by severity, likelihood, and financial impact. Each finding should be framed in deal terms: does it affect valuation, does it affect integration timeline, does it require pre-close remediation, or can it be managed post-close?

Phase 3: MDR: the device framework.

Purpose: Verify what cannot be assessed from documents alone. Manufacturing reality does not always match the dossier.

What to look for: QMS implementation and documentation practices on the ground. Equipment and facility condition relative to regulatory requirements. Personnel competence and capacity. Process adherence versus process documentation. Supply chain dependencies that may not be visible in the VDR.

Important clarification: On-site visits during DD are not formal audits. They are time-constrained, exploratory assessments. A site visit during DD can form a preliminary impression and identify areas requiring formal audit post-close, but it cannot replace a full GMP audit scope. Deal teams should be clear about what a site visit can and cannot deliver.

Phase 4: EU AI Act: the AI overlay.

Purpose: Translate technical findings into deal language.

Output: A consolidated risk report, typically structured as a "red flag" report, that presents regulatory and technical findings in the context of their impact on deal value, deal structure, and integration planning. The best DD reports do not simply list findings. They quantify the cost of remediation where possible, estimate the timeline for resolution, and flag which risks are manageable versus which fundamentally change the investment case.

What Makes a Product Portfolio "Investable" Versus "Problematic"?

Not every DD finding is a deal-breaker. Most are quantifiable risks that affect terms, not decisions. The skill in regulatory DD is distinguishing between the two.

Findings that typically affect terms but not the deal itself:

  • Documentation gaps in the dossier that can be remediated with known effort and cost. A Module 3 that needs updating to reflect a process change is a project, not a crisis.
  • Post-approval variations that are overdue but not yet escalated by the authority. These represent compliance debt: quantifiable and resolvable.
  • PV systems that are functional but underdocumented. The system works; the paperwork needs catching up.
  • Manufacturing processes that are validated but approaching lifecycle milestones (revalidation, technology refresh). These are foreseeable costs that should be factored into the deal model.
  • Single-source supplier dependencies. Real risk, but manageable with secondary sourcing strategies and appropriate timeline.

Findings that change the investment case:

  • Outstanding clinical commitments imposed by regulators that have not been fulfilled. These are not documentation exercises. They may require new studies, and the outcomes are uncertain. Unlike CMC gaps, which are usually a question of time and money, clinical commitments carry genuine outcome risk.
  • Regulatory changes that the MAH has not implemented and that fundamentally affect the product's compliance status. For example: an impurity guideline update that the dossier has not incorporated, where the assessment may reveal levels above newly established limits. Or an MDR transition obligation for a device that has not been actioned, leaving the product's market access on a ticking clock.
  • Data integrity concerns in clinical or manufacturing data. If the data cannot be trusted, the entire regulatory position built on that data is unreliable. This is the category that kills deals outright.
  • Products whose regulatory strategy depends on assumptions that do not hold up under scrutiny. Orphan designations with challenged exclusivity. Accelerated approvals where confirmatory commitments are unlikely to be met. Conditional MAs where the conditions may not be satisfiable.

The practical takeaway: most DD findings are "cost of ownership" items that should be priced into the transaction. A smaller number are genuine risks that change the risk-reward calculation. The difficulty is to separate one from the other, clearly and early.

How Global Transactions Introduce Complexity

Multi-country portfolios bring a specific set of challenges that single-market transactions do not.

Marketing authorisations are jurisdiction-specific. A product may be fully compliant in its reference market and non-compliant in secondary markets where variations have not been filed or post-approval commitments differ. Reviewing MA status in the reference market alone does not give a complete picture.

Regulatory expectations vary by region. What constitutes an acceptable stability programme, an adequate pharmacovigilance system, or a compliant manufacturing dossier differs between EMA, FDA, Swissmedic, MHRA, and national competent authorities in Asia, Latin America, and the Middle East. A DD that applies EU assumptions to a global portfolio will miss region-specific risks.

This is where a global regulatory network becomes operationally important. Assessing a 20-market portfolio requires local expertise in each market: not just knowledge of the regulations, but familiarity with how the local authority interprets and enforces them. Through regulanet®, we coordinate local regulatory assessments across 90+ countries under a single engagement, consolidating findings into one integrated report. The client deals only with one team, one contract, and one set of conclusions, rather than managing separate experts in each market.

Due Diligence for Different Transaction Types

The focus and scope of regulatory DD shifts depending on the type of transaction.

Marketed Portfolio Acquisitions

Focus on compliance status, post-approval obligations, manufacturing and supply chain integrity, and the operational cost of maintaining the portfolio. The question is: what does it cost to keep these products on the market, and are there risks that could interrupt supply or trigger regulatory action?

Pipeline and Early-Stage Asset Deals

Focus on the credibility of the regulatory strategy and the probability of approval. CMC readiness, clinical development plan design, and alignment with current regulatory expectations are more important than compliance history (which may be minimal). The shift toward earlier-stage M&A in recent years has made this type of assessment increasingly critical: over half of pharma M&A activity now targets assets at Phase II or earlier, where the regulatory risk is less about what has been approved and more about what might never be.

Sell-Side and Divestment Mandates

The goal is to identify and remediate gaps before buyers find them, and to present the regulatory and quality position in a way that supports efficient buyer evaluation. A well-prepared vendor DD package shortens the transaction timeline and reduces the risk of price adjustments driven by buyer findings.

Licensing and Distribution Agreements

Require a different scope again: product-specific dossier review for the target market, assessment of whether the existing dossier is fit for submission or requires adaptation, and evaluation of the regulatory pathway in the destination market.

Consumer Healthcare and Adjacent Sectors

Due diligence is not limited to prescription pharma and medtech. Transactions involving food, food supplements, cosmetics, and borderline products require product compliance and formulation review against the applicable regulatory framework (EU Food Law, Cosmetics Regulation, Novel Food requirements). We have supported DD mandates in these sectors through our Nutra Compliance division.

What We Bring to Due Diligence

We have supported regulatory due diligence in pharma and medtech transactions consistently for over a decade, completing multiple major DD engagements each year across buy-side, sell-side, and licensing mandates. Our team brings direct experience across marketed portfolios, pipeline assets, devices, combination products, and consumer health products.

A few things that might distinguish our work in DD:

We do the technical work ourselves.

Our regulatory, CMC, clinical, PV, and quality specialists review the materials, assess the findings, and write the risk reports. The same people who identify a Module 3 gap or a PV system deficiency during DD are available to remediate it post-close if the deal proceeds.

We cover the full technical scope.

A single engagement can span regulatory compliance, CMC and manufacturing, quality systems, clinical and preclinical data, pharmacovigilance, and market access assessment. Clients do not need to coordinate separate specialist firms for each discipline.

We operate globally through regulanet®.

For multi-country assessments, we coordinate local regulatory experts in 90+ countries. Each local assessment feeds into a single consolidated report. One contract, one point of contact, one set of conclusions.

For the operational detail of how DD engagements are structured, including workstreams, deliverables, timelines, and engagement types, see the Due Diligence Support service page.

Planning a Transaction That Involves Regulatory, Technical, or Operational Risk?

Whether you are on the buy side, sell side, or evaluating a licensing opportunity, tell us about the deal and we will outline how we can support it.

Speak with an Expert

Frequently Asked Questions (FAQ)

When in the deal process should regulatory DD start?

As early as possible, even at a light-touch screening level. A preliminary regulatory scan based on publicly available data (MA databases, inspection records, safety signals, clinical trial registries) can be completed in days and costs a fraction of a full DD engagement. It identifies obvious disqualifiers and shapes the scope for detailed review once VDR access is granted. The worst outcome is discovering a regulatory deal-breaker after months of financial and legal DD have already been completed.

What is the difference between regulatory DD and a compliance audit?

Regulatory DD is a transaction-specific risk assessment: it asks "what are the regulatory and technical risks that affect this deal?" A compliance audit is a systematic evaluation against a defined standard (GMP, ISO 13485, GDP). DD is scoped to the deal; an audit is scoped to the standard. DD findings are framed in deal terms (valuation impact, integration cost, timeline risk). Audit findings are framed in compliance terms (observation, major/minor non-conformance). Both are valuable, but they serve different purposes and should not be confused.

How does DD differ for pipeline assets versus marketed products?

For marketed products, DD focuses on the current compliance position: are the approvals valid, are commitments fulfilled, is the dossier current, is the supply chain robust? For pipeline assets, DD focuses on the future: is the regulatory strategy credible, is the clinical development plan aligned with current agency expectations, is CMC ready for the next milestone, and what is the realistic probability of approval? The shift toward earlier-stage deals in recent years has made pipeline DD more complex, because there is less documentation to review and more judgment required about what the data means.

Can regulatory findings actually change a deal's valuation?

Routinely. CMC remediation programmes, post-approval commitment backlogs, PV system overhauls, and manufacturing site upgrades all have quantifiable costs. A DD that identifies a two-year, multi-million-euro remediation programme for a manufacturing site transfer should directly affect the price. The issue is that these costs are often invisible to financial DD teams, who may not know to ask the right questions. This is why regulatory and technical DD should feed directly into the valuation model, not sit in a separate report that the deal team reads after the price is agreed.

What is the biggest risk of not doing technical DD properly?

Inheriting problems you did not price. The most common post-close surprises in pharma transactions are not dramatic regulatory crises. They are accumulations of compliance debt: post-approval commitments that were never fulfilled, manufacturing process changes that were never reflected in the dossier, PV system deficiencies that require structural remediation, and quality system gaps that surface during the first post-acquisition inspection. Individually, each is manageable. Collectively, they consume resources, delay integration, and erode the value that justified the deal.

How do you handle DD across multiple countries simultaneously?

Through regulanet®, our global network of independent regulatory consultancies. For each target market, we engage local experts who assess market-specific regulatory requirements, MA status, and post-approval obligations. We coordinate the overall assessment and consolidate findings into one integrated report. This model means the client has one contract and one point of contact, rather than managing separate advisors in each jurisdiction.