Search
Contact
07.07.2023 | KPMG Law Insights, KPMG Law Insights

Why AI compliance is part of every due diligence process

Artificial intelligence (AI) is already in use in most companies. Not only applications like ChatGPT and other Generative AI tools are used to write texts, presentations and concepts. AI also automates processes and analyzes data. It can revolutionize business models and accelerate growth. That’s why it’s important for potential corporate buyers and investors to consider AI technologies as part of their due diligence process. After all, AI harbors risks and challenges, not least in terms of legal and regulatory aspects.

AI Act will force companies into AI compliance

Probably the biggest regulatory challenge is the EU’s expected AI Regulation, in English AI Act, and the associated AI Liability Directive. The regulation is expected to take effect at the end of 2023. It aims to minimize the risks of AI. Violations of the regulation’s provisions could cost a lot of money: fines could amount to up to 40 million euros or 7% of total global annual turnover – more than under the GDPR.

The proposed AI Act has both supporters and opponents. In recent months, a number of prominent voices have warned of the dangers of AI. These are likely to be helped by the regulation of these technologies. To that end, more than 100 executives from prominent companies recently expressed concerns about the AI Act. They fear a threat to Europe’s competitiveness and technological sovereignty. Nevertheless, it could be that other countries will take the EU as a model and that regulation of AI will also occur at the international level.

The EU Commission’s draft available to date divides AI systems into different risk classes. These range from minimal risk to high risk, as well as unacceptable AI with risks deemed unacceptable. The draft proposes several measures to regulate artificial intelligence and, in particular, high-risk AI. Examples of measures in the regulation include transparency requirements, a catalog of prohibited actions, particularly through the discriminatory use of AI, and information obligations to users of AI.

In addition to the AI Act, there are a number of other laws that must be considered in connection with AI. These include, for example, the GDPR and other planned regulations as part of the European digital strategy. Questions of liability, copyright and intellectual property must also be considered and answered separately in connection with AI.

These topics should be part of the AI due diligence process

Legal due diligence involving AI will always be tailored to the individual case, depending on the level of use and type of activity of the target company (user or provider of AI), but will typically address the following topics:

  • Usage status: Extent to which the company’s AI systems are systematically used, either as a user or as a provider.
  • Liability: Liability as a user and in particular as a provider of AI systems.
  • Contracts and Licenses: Scope of contracts and licenses the company has in relation to its AI systems, including software licenses, data licenses, and service contracts.
  • Copyright and intellectual property: intellectual property in the works created by the AI owns and preserves third-party rights by the target company.
  • Malfunctions: Response plan in the event of (reportable) incidents and malfunctions
  • Quality management & conformity assessment: Quality management system with regard to the AI systems used as users or providers, as well as documentation on intended conformity assessment procedures.
  • Transparency: Transparency of the company with regard to AI systems used or offered.
  • AI & privacy/security: status of the target company’s collection, storage, and use of personal data when using or offering AI systems, the target company’s compliance with the requirements of the GDPR and other relevant data protection laws, the company’s data security practices related to AI systems, and the target company’s ability to manage cyber threats.

What should definitely be considered in due diligence with regard to AI

The use and offering of AI in the target company should be examined closely and in a specialized manner as part of legal due diligence.

In this context, it is important to understand AI from a technical perspective as well as to be able to classify the legal risks associated with using or offering AI. Only then is the legal due diligence an appropriately robust basis for the entrepreneurial decision on the pros and cons of the planned transaction. To the extent that an existing AI system is deemed legally risky, that doesn’t have to mean the deal is off. Rather, the extent to which the AI application can be adapted to legal requirements can now be examined.

Conclusion

AI should be a separate audit topic in legal due diligence today. This is because legal violations through the use of artificial intelligence will be able to result in heavy fines after the AI Act comes into force at the latest. But even today, AI harbors risks, the correct legal assessment of which is essential for a well-founded purchase or investment decision.

 

 

Explore #more

14.10.2025 | Deal Notifications

KPMG Law and KPMG advise Bühler Motor GmbH on the sale of Bühler Motor Aviation GmbH to Astronics Germany GmbH

KPMG Law Rechtsanwaltsgesellschaft (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) have advised Bühler Motor GmbH on the sale of all shares in Bühler Motor Aviation…

10.10.2025 | In the media

KPMG Law guest article in NZG: Compliance due diligence in SMEs: Minimum scope and contractual mapping of compliance risks of the target company

In the context of M&A transactions, compliance usually still plays a subordinate role in legal due diligence. The purpose of this article is, on…

10.10.2025 | In the media

KPMG Law honored at the M&A Award Night 2025

KPMG Law has been awarded the “M&A Transaction Advisory” prize at this year’s M&A Award Night of the Bundesverband Mergers & Acquisitions e.V. (BM&A) and…

10.10.2025 | In the media

KPMG Law guest article in CCZ: The guide for compliance management systems in small and medium-sized enterprises (DIN SPEC 91524)

Compliance in SMEs is challenging: the legal responsibility for compliance is undisputed, but the specific tasks are unclear and depend on the specific situation of…

10.10.2025 | KPMG Law Insights

Transformation in legal departments in 2026 – the most important trends and best practices

Three topics in particular are currently driving the transformation of the legal department: AI, the rapid increase in regulation and geopolitical developments. There has always…

08.10.2025 | Deal Notifications

KPMG advised Adiuva Capital GmbH with Fact Books on the sale of KONZMANN Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Adiuva Capital GmbH, a Hamburg-based private equity firm (“Adiuva“), in connection with the…

06.10.2025 | KPMG Law Insights

What the Green Claims Directive means for companies – an overview

With the Green Claims Directive, the EU will introduce extensive regulations on the requirements for permissible environmental claims. The aim is to prevent greenwashing so…

03.10.2025 | Deal Notifications

KPMG Law and KPMG support the restructuring of Groupe CAT in Germany

KPMG Law Rechtsanwaltsgesellschaft (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Groupe CAT on comprehensive restructuring measures with a cross-service team. Over a period of…

02.10.2025 | Deal Notifications

KPMG Law advises Epitype GmbH and MDG Molecular Diagnostics Group GmbH on the acquisition of significant assets of oncgnostics GmbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) provided comprehensive legal advice to Epitype GmbH, a company of the Dresden-based MDG Group, on the formation and subsequent…

02.10.2025 | In the media

KPMG Law Statement in ZEIT for entrepreneurs: We’ll take the 500 billion!

German construction companies are asking themselves: how quickly will the money come from the government? And they are worried that only the giants will benefit.…

Contact

Dr. Daniel Kaut, LL.M.

Partner
Solution Line Head Legal Deal Advisory
Head of Corporate Law, M&A

Bahnhofstraße 30
90402 Nürnberg

Tel.: +49 911 800929952
dkaut@kpmg-law.com

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll