Due diligence challenges in life sciences M&A: the need to focus on regulatory compliance, product liability and data integrity
Mathieu Gautier
SQUAIR, Paris
mgautier@squairlaw.com
Introduction
Merger and acquisition (M&A) transactions in the healthcare and life sciences sectors in France can involve the acquisition of companies that market health products, such as medical device manufacturers, or the purchase of equity interests in clinical groups and professional healthcare entities (La société d'exercice libéral à responsabilité limitée or SELARLs). These operations attract significant investor interest, but also demand a high degree of legal and regulatory scrutiny.
Because healthcare entities operate under distinct and often overlapping national and European regulatory schemes, legal practitioners must navigate a complex web of statutory and compliance obligations to structure secure and compliant acquisitions.
Three key elements must be taken into account during the due diligence process in order to understand the risks posed by an acquisition transaction in the healthcare and life sciences sector:
- Regulatory compliance: this consists of analysing whether the target company complies with all the laws, standards and obligations in force in its sector of activity. These checks cover, in particular, administrative authorisations; licences; compliance with the applicable health, environmental, tax and social standards; as well as the entity’s compliance with specific regulations (eg, the General Data Protection Regulation (GDPR), pharmaceutical law, the rules on medical devices).
- Product liability: this refers to the assessment of risks associated with the products or services marketed by the target. In the healthcare sector, this aspect of due diligence is crucial because failures related to product liability can have serious financial, legal and reputational consequences for the buyer, affecting the success and sustainability of the transaction.
- Data integrity: this concept refers to the reliability, accuracy and traceability of the information collected and exchanged between the parties during a merger or acquisition. It consists of ensuring that all the data used for the analysis, valuation and negotiation of the transaction corresponds to the operational, legal and financial reality of the target, without alteration, omission or manipulation.
Regulatory compliance: the needle in the haystack
As is well known, French regulations are particularly dense and complex, which is even more true in the healthcare sector. Some companies that market healthcare products may only need to make simple declarations, while others, particularly those involved in healthcare activities, must secure specific authorisations in order to operate legally.
When acquiring a company that manufactures medical devices, regulatory due diligence focuses primarily on the reporting obligations to which the company is subject.
For a medical device manufacturer, counsel must verify the firm’s compliance with mandatory declarations made to the National Agency for the Safety of Medicines and Health Products (Agence nationale de sécurité du médicament et des produits de santé or ANSM) and confirm that the firm’s product portfolios are properly certified pursuant to the EU’s Medical Device Regulation (Regulation (EU) 2017/745 or MDR). This includes validating the firm’s CE markings, the accuracy of the risk classifications and the continuing validity of the relevant notified body certificates. These are not merely bureaucratic details, but conditions that guarantee the firm has secured lawful market access and are therefore, in the context of M&A, an accurate reflection of the asset’s integrity.
By contrast, when the transaction concerns a healthcare provider or nuclear medicine structure, lawyers must conduct exhaustive checks pursuant to the Public Health Code regarding the firm’s activity-related authorisations and healthcare equipment licences issued by the regional health agencies (ARS) and, where applicable, the Nuclear Safety Authority (Autorité de sûreté nucléaire or ASN).
These authorisations are not assets in the traditional sense, but administrative rights, which may not automatically transfer to a new acquirer. Due diligence counsel must therefore review each authorisation’s scope, duration, renewal conditions and the related compliance obligations.
This administrative complexity points to the importance of locating and assessing the real ‘needle in the haystack’ during the regulatory due diligence process, requiring specialised expertise in order to fully secure the acquisition.
Product liability: anticipating hidden legal exposure
In healthcare M&A, product and service liability represents a major axis of any risk assessment. The legal and financial exposure of the target depends on its historical claims record and its fulfilment of its statutory vigilance duties.
For manufacturers and distributors, a critical aspect is materiovigilance, the system for reporting and managing adverse incidents. French law requires manufacturers to maintain exhaustive incident records and notify the ANSM of any adverse event. Failure to do so constitutes a criminal offence.
Lawyers should systematically review the relevant vigilance reports, recall histories and pending or settled claims to determine potential future liability.
This is an essential indicator of the health of a company that markets medical devices.
On the provider side, legal responsibility extends beyond direct fault to include vicarious liability and professional misconduct by medical staff. While punitive damages are not recognised under French law, civil and disciplinary proceedings, particularly those initiated before the Conseil de l’Ordre des Médecins, the body responsible for regulating the medical profession, can have substantial reputational and operational consequences.
Each due diligence exercise should thus integrate a review of the relevant patient claims, insurance coverage, professional disciplinary files and quality management policies.
Data integrity: a legal and regulatory imperative
Data integrity forms another cornerstone of due diligence and intersects with both regulatory and privacy law. It ensures that the documents and information relied upon during the transaction, namely clinical, operational, compliance or financial data, are complete, accurate and unaltered.
In regard to life sciences transactions, the integrity of such information is partially safeguarded by the sector’s stringent regulatory framework. Under the MDR and the In Vitro Diagnostic Regulation (Regulation (EU) 2017/756 or IVDR), product data, certifications and adverse event records must be systematically recorded, validated and traceable.
Concealment or manipulation of such information may expose the company to administrative sanctions or criminal prosecution.
For healthcare providers, however, the high level of complexity mentioned above makes it difficult for firms to ensure that all the necessary data is complete during M&A transactions.
While it is essential to have access to all of the target’s operating licences, documentation relating to the relevant equipment and all of the service provider contracts, the occurrence of risks in the years following the acquisition cannot be ruled out.
Given the statutory ten-year limitation period for patient claims following medical injury consolidation, incomplete data due diligence could result in post-acquisition exposure to concealed liabilities or non-disclosed incidents long after closing.
It is therefore incumbent on legal advisors to ensure comprehensive verification of all of the authorisations, contracts and technical documentation before the transaction concludes.
In addition, the performance derived from the revenue generated by the activity carried out by healthcare professionals depends on healthcare pricing, which changes each year when the national social security financing law is voted on. The financial data provided by the seller could therefore be impacted to a greater or lesser extent by these external changes. Such changes could affect the financial valuation of the company.
Towards multidimensional legal due diligence
The complexity of life sciences M&A demands a multidimensional legal due diligence approach. A purely financial review is insufficient. Legal teams must adopt a cross-functional methodology combining technical, regulatory and litigation analysis to identify latent risks.
A successful transaction depends on integrating legal, regulatory and operational expertise. By addressing the three pillars, namely regulatory compliance, product liability and data integrity, legal practitioners can provide acquirers with a holistic, secure and compliant framework on which to base their decisions. This comprehensive approach transforms due diligence from a procedural safeguard into a strategic instrument for value protection and long-term viability for the benefit of one of the most regulated sectors in the economy.