State of M&A Data Rooms — Q2 2026 Read the report →
Peony LogoPeony

Cross-Border M&A in 2026: A Field Guide for Your First Deal Abroad

Co-founder at Peony. Former M&A at Nomura, early-stage VC at Backed VC, and growth-equity / secondaries investor at Target Global. I write about investors, fundraising, and deal advisors from the deal-side perspective I spent years in.

Cross-Border M&A in 2026: A Field Guide for Your First Deal Abroad

Last updated: July 2026 · Last verified: July 2026

I'm Sean Yu, co-founder of Peony. I watch cross-border deal teams run diligence across time zones on Peony — a US corp dev team reviewing a Frankfurt target's contracts at 7am Eastern while the seller's advisers in London are back from lunch — and one pattern repeats: first-time cross-border buyers budget carefully for lawyers, then get surprised by the things lawyers don't put a line item on. The perimeters.

Here is the composite scenario this guide is built around. You are the VP of Corporate Development at a US company, roughly $150M in revenue, three people on your team, a couple of US bolt-ons behind you. You have just signed an LOI on a software company in the UK — or maybe Germany — at a $45M enterprise value. The board asked for a risk memo, a 90-day exclusivity clock is running, you expect two regulatory filings, and you have euro or pound exposure on the purchase price for the first time. You know how to run a deal. You do not yet know what is different about running one across a border. This guide is that difference.

Quick answer: A cross-border deal is a domestic deal plus three new perimeters. First, a regulatory perimeter: at a $20-100M enterprise value you are usually below the antitrust floors (the US HSR threshold is $133.9M effective February 17 2026; the EU merger test is turnover-based and enormous) but squarely inside FDI national-security screening (the UK's NSIA has 17 mandatory sectors at a 25% threshold with no deal-value floor; CFIUS has mandatory triggers; Australia screens from $0). It is not antitrust that bites at this size — it is screening. Second, a data perimeter: the diligence itself is a regulated cross-border data transfer, so moving the target's EU personal data to you needs a lawful mechanism (SCCs, or adequacy for UK data), employee data should be redacted, and competitively sensitive or export-controlled material belongs behind clean-team walls. Third, a mechanics perimeter: European deals run on locked-box pricing (54% of European deals per CMS), W&I insurance, works-council consultation, and split signing/closing. First-timers budget for the lawyers; the surprises are the perimeters — and the data room is where the second one is either enforced or breached.

What actually changes when your deal crosses a border?

Three things change, and none of them is "the deal gets bigger." A cross-border deal is the same negotiation, diligence, and integration challenge you know — wrapped in three perimeters a domestic deal does not have. Get them right and it is very doable; miss one and you get a timeline blowup, a stalled clearance, or a data-protection problem that surfaces after you have already shared the file. The three, in order, are the regulatory perimeter (merger control and, at this size more importantly, FDI national-security screening), the data perimeter (the diligence data flow is a regulated cross-border transfer under GDPR, and the data room is where it is enforced or breached), and the mechanics perimeter (European conventions — locked-box, W&I, works councils, split signing/closing — that reprice risk and reshape the timeline versus US practice).

The three perimeters of a cross-border deal: regulatory screening, the data perimeter, and European deal mechanics

The macro backdrop is favorable. Global M&A ran hot in 2025 — LSEG puts total deal value at $4.6 trillion (up 49%), Bain, on a different methodology, at $4.8 trillion — and cross-border specifically reached $1.24 trillion, up 46% (LSEG), with the mid-market cross-border share rising to 39% from 33% in 2024 (Vlerick / Moore Global Compass Report; mid-market being €10M-€200M deals). A first cross-border deal at $45M is not exotic — it is where a large, growing share of the market now lives. But the walls are going up: per UNCTAD's World Investment Report 2025, the number of countries running national-security FDI screening has more than doubled to 46 since 2015, and over 40% of restrictive investment measures in 2024 were screening-related. That is perimeter one, and the one first-timers underestimate most.

Is a $45M software acquisition big enough to trigger UK NSIA or German FDI review?

For antitrust, almost certainly not; for national-security screening, quite possibly yes — and internalizing that split is the single most useful thing a first-time cross-border buyer can do. At mid-market size you are usually below every merger-control floor and squarely inside the FDI screening nets. In that order:

Merger control (antitrust) — you're probably under the floor. The US HSR minimum size-of-transaction threshold is $133.9 million effective February 17 2026 (up from $126.4M — always check the current year). A $45M deal is below that, so generally no US HSR filing, subject to aggregation rules. The EU Merger Regulation is turnover-based — its primary test needs combined worldwide turnover above €5 billion and EU-wide turnover above €250 million for each of two parties — so a $45M deal essentially never reaches it. Even the UK CMA's target-turnover threshold was raised to £100 million by the DMCC Act 2024, with a safe harbour where each party's UK turnover is below £10 million — though the CMA also gained a share-of-supply test and a new acquirer test (33% UK share plus £350M UK turnover), so check overlap even under the floor. Net: a $20-100M deal typically faces zero to a small handful of merger-control filings, often none.

FDI screening — size does not save you. This is the perimeter that surprises people, because national-security screening has no deal-value floor. The UK's National Security and Investment Act imposes mandatory pre-completion notification across 17 sensitive sectors — advanced computing, AI, data infrastructure, defence, and more — at a 25% shareholding or voting threshold, with no minimum deal size, and a software target can easily fall inside one. Germany reviews a non-EU/EFTA buyer acquiring 25% of voting rights cross-sector, with lower 10-20% thresholds for around 27 sensitive activities. And in the US, CFIUS mandatory declarations turn on critical technology and whether a US export authorization would be needed to export the tech to the investor — not on deal size. Australia's FIRB regime screens a 10% stake in a national-security business from a $0 threshold. The slogan worth remembering: it's not antitrust that bites at this size, it's screening. Before you assume you have no filing, map your target's activities against the mandatory sector lists in every relevant jurisdiction.

UK NSIA vs German FDI vs CFIUS — how do the regimes compare?

The three regimes your composite deal is most likely to touch, side by side:

FeatureUK NSIAGermany (AWG/AWV)US CFIUS
Trigger25% (also 50/75% + material influence) in 17 sectors25% voting (10-20% for ~27 sensitive activities)Control, or non-controlling in TID business; mandatory triggers for critical tech
Deal-value floorNoneNoneNone
Mandatory filing?Yes, for the 17 sectors (deal void if not cleared)Yes, for sensitive activitiesMostly voluntary; mandatory for specific critical-tech / gov-stake cases
Initial clock30 working days to call in~2 months typical (case-dependent)45-day review, +45-day investigation

(Sources: NSIA Annual Report 2025-26; Pinsent Masons on Germany; White & Case on CFIUS.) One piece of good news for a UK or allied-nation buyer into the US: the 2025 "America First Investment Policy" memorandum directs CFIUS toward a more favorable posture for allied-nation investors, so an ally-to-ally deal generally sits in friendlier territory than the headlines suggest.

Can UK or German FDI screening actually block a $45M software deal, or just delay it?

In practice it far more often delays than blocks — but "just a delay" is not "nothing," and in the mandatory sectors an un-cleared deal is legally void, which is worse than either. The base rates are reassuring. The UK NSIA 2025-26 annual report records 1,324 notifications (1,135 mandatory, 147 voluntary, 42 retrospective), of which only 60 were called in and just 9 ended in a final order — 1 blocked or unwound, 8 cleared with conditions. So the modal outcome is clearance, often without conditions. Call-ins hit 16 of the 17 mandatory sectors (only synthetic biology drew none), and defence was the largest share — telling you where scrutiny concentrates.

So the realistic risk for a mid-market software deal is not a block but three softer outcomes: (1) delay, because clearance is a pre-completion condition and the clock runs regardless of your exclusivity; (2) conditions, where clearance comes with undertakings (governance ring-fencing, security commitments, limits on data access); and (3) the void trap — in the UK's mandatory sectors, completing without clearance does not just risk a fine, it makes the transaction legally void, so this is not a filing you can skip and clean up later. To keep screening in the "delay, not derail" column, notify early and structure the SPA so clearance is a clean condition to completion with a realistic long-stop date.

How do we legally transfer due diligence data from an EU target to a US buyer under GDPR?

You put a lawful transfer mechanism in place before the target's EU personal data moves to you or your US advisers — because the moment that data crosses to a non-EEA recipient, GDPR treats it as a restricted "transfer," and diligence is full of exactly that kind of data. This is perimeter two, where the data room stops being logistics and becomes the compliance surface. A target's EU personal data — employee records, customer lists, the cap table, management CVs — cannot be dropped into a room a US buyer opens without a Chapter V mechanism. For a US buyer, two routes are live:

  • The EU-US Data Privacy Framework (DPF). If your receiving US entity is DPF-certified, transfers to it are covered — and a point that trips up first-timers who half-remember the news: the DPF is still valid. The EU General Court dismissed the Latombe challenge on 3 September 2025, upholding it. Do not confuse it with the old Privacy Shield, struck down in 2020. A CJEU appeal is pending, so treat the DPF as live-but-appealed, not defeated.
  • Standard Contractual Clauses (SCCs). The workhorse under Article 46 — EC-approved clauses signed between the data exporter (the target) and importer (you), backed by a transfer impact assessment and, where needed, supplementary measures after Schrems II.

Do not run a structured diligence flow on Article 49 derogations (one-off consent, "necessary for a contract") — regulators treat those as last-resort for occasional transfers, not a substitute for SCCs. And the standout advantage for UK-side deals: EU-to-UK transfers need no SCCs at all, because the EU renewed UK adequacy through 27 December 2031 (confirmed December 2025). If your target is British and your flows are EU-UK, one whole layer of transfer paperwork disappears — an underappreciated edge for UK deals.

Now the honest part: no data room makes an unlawful transfer lawful. The transfer mechanism — the SCCs your counsel signs, or the adequacy decision you rely on — is legal work no software substitutes for. The room does the other half: it enforces and evidences the mechanism, recording who accessed which personal-data file, when, and under what permission, so the SCCs you signed are respected rather than quietly breached the first time someone shares a link. Legal work makes the transfer lawful; the room makes it provable.

The tax side — withholding, transfer pricing, permanent establishment — is its own discipline; see our international tax due diligence guide.

Should diligence data live in an EU-hosted or US-hosted data room?

Where the server sits is one input to your GDPR analysis, not the answer. Keeping EU personal data in an EU-hosted room keeps it physically in the EEA — but the instant a US buyer or adviser opens a document, that access is itself a transfer to the US needing a mechanism, wherever the file lives. An EU-hosted room does not remove the SCC/DPF question; it just changes where the bytes rest.

Here is where Peony's own setup fits, stated plainly. Standard Peony plans are US-hosted (AWS us-east-1) and rely on SCCs for EU personal data — a legitimate, common arrangement for cross-border diligence, defensible provided your mechanism is in place and your access log is complete. For buyers who need the data to stay in-region, custom UK or EU data residency, bring-your-own-key (BYOK), and self-hosted deployment are available on Enterprise plans only — do not assume in-region residency on a standard plan. Peony is SOC 2 Type II. The decision rule: if your EU seller or its counsel requires in-region residency, use an EU/UK-residency option (Enterprise); otherwise a US-hosted room with SCCs plus a full access log is defensible. Either way, the room does not make the transfer lawful; your mechanism does. The room proves the mechanism was honored.

How do I run due diligence across time zones without leaks?

You make the data room the compliance surface rather than a shared folder, and let named access plus a complete log do what email cannot. Time zones make the leak problem worse: when your team logs off in New York, the advisers in London and reviewers in Frankfurt are still working, and a shared password or forwarded link leaks quietly while nobody watches. The controls that hold up:

  • Named-viewer links, never a shared password. Every reviewer — your team, your advisers, the seller's advisers, in every city — gets a link tied to their own email. "Who can see this" becomes a list you control, not a link that forwards itself overnight. See personalised links.
  • Granular, folder-level permissions. A reviewer sees only what their role requires. Your tax adviser does not need the HR folder; your commercial team does not need the source code.
  • Staged disclosure. Release less sensitive material early and hold the most sensitive datasets — customer-level data, margins, controlled technology — for confirmed bidders late. "Less detail earlier, more detail later" is the clean-team norm, and it maps onto folder permissions and release timing.
  • Per-viewer dynamic watermarks. Every page a reviewer sees carries their own identity, so a screenshot or photo is attributable to the person who took it — turning a silent leak into a traceable one. See watermarks.
  • The access log as the audit trail. A timestamped record of who opened which document, when, and from where. Across time zones it is your operational dashboard — is the other side actually reviewing, or stalling? — and in a regulated transfer it is your regulator-ready audit trail, the evidence that the transfer mechanism you signed was respected in practice.

Clean teams and deemed-export folder segregation. Two special cases sharpen the wedge. For competitively sensitive information (pricing, customer-level data, margins), the norm is a clean team: a defined group — often outside advisers — sees the raw data in a separate "clean" room and reports back to the deal team only in aggregated form, under a clean-team agreement. The room solves that permissions-and-segregation problem directly. The second case is export control — I'll keep to the data-room mechanics, since the export-law depth belongs in dedicated defense coverage. Every cross-border buyer should know one thing: a deemed export happens inside a data room. If a foreign bidder opens a document containing controlled technical data, that access is itself an export that may need a license — even if the file never leaves the country. It also carries successor liability: acquirers have been held liable for a target's pre-closing violations, with the Meggitt-USA matter (a roughly $25M penalty) the cautionary tale. The room's job is to segregate controlled data into folders open only to US-person or licensed reviewers, and to log every access — so the exposure is prevented by permission and provable by the log.

I run Peony, a data room company, and this permission-plus-log pattern is exactly what it is built for. More than 5,900+ companies use Peony, and Great Britain is our second-largest market with 140+ customers across Europe, so cross-border rooms — US buyers into UK and EU targets, and the reverse — are a large part of what runs on the platform.

One honest concession: for a genuinely two-party, domestic-style deal with no controlled technology and no EU personal data, a general-purpose file share may be perfectly defensible. You do not need a data room to sell a small business to the buyer next door. The room earns its keep the moment the parties, jurisdictions, and regulators multiply — precisely what a cross-border deal does. If your deal has a foreign bidder, an EU personal-data flow, or a regulator who may one day ask "who saw what, when," that is when the log stops being nice-to-have and becomes the point.

Should we use locked-box or completion accounts for a European target?

Neither is categorically better — they allocate the value of the business between signing and closing in opposite directions, and the right choice depends on how your target trades in that gap. This is where US instincts and European convention diverge most sharply.

  • Locked box. The price is fixed at a past balance-sheet date, and you buy the economics from that date forward. There is no post-closing adjustment; you are protected only by leakage covenants (promises that value did not leak to the seller before completion), and you take the risk of ordinary trading in the gap.
  • Completion accounts. The price adjusts after closing on actual cash, debt, and working capital at completion. You are protected from a business that weakens in the gap, but the final number stays open for weeks of post-closing dispute.

The regional split is real: per the CMS European M&A Study 2026 (601 deals CMS advised across Europe in 2025), locked box was used in 54% of deals where price adjustments were not used, while purchase-price adjustments (the completion-accounts family) featured in 48%. Locked box is a European convention; US buyers instinctively reach for completion accounts. So expect your UK or German seller to propose a locked box. The buyer's rule of thumb: on a fast-trading, seasonal, or cash-generative target, completion accounts protect you from value shifting in the gap; on a stable business, a locked box removes dispute risk and lets you diligence one fixed number. Whichever you pick, the balance-sheet evidence behind it must be complete and access-logged in the room — that dataset is what a later price dispute gets fought over.

What else about European deal mechanics will surprise a US buyer?

Three things beyond the pricing mechanism, each reshaping your risk allocation or your timeline.

W&I insurance is the norm, and it changes your recourse. In Europe, warranty and indemnity (W&I) insurance is well established, the UK is the most W&I-comfortable market, and per CMS 2026 the use of separate security for warranty claims fell to 20% as buyers leaned on insurance instead. In the US the same product is called RWI and is used in roughly 20-25% of private-company acquisitions, standard in most middle-market deals. On a cross-border deal W&I is often worth more than on a domestic one: it lets you take clean warranty recourse from an insurer instead of chasing a foreign seller across borders, where enforcing a judgment is slow and uncertain.

W&I insurance vs traditional escrow

The two ways to secure your warranty recourse, contrasted:

W&I insuranceTraditional escrow
Who pays a valid claimInsurerHeld-back purchase price
Cross-border enforcementAgainst the insurer (easier)Against a foreign seller (harder)
Cost~2.5-3% of the policy limit (US, 2025)Opportunity cost of held-back cash
Seller appealClean exit, no holdbackMoney tied up for the survival period

On a cross-border deal the enforcement column is the decider: escrow only helps if you can reach the money.

Works councils and TUPE are on the critical path, not the sidelines. European employee-representation duties are real and time-consuming, and consulting late is a classic first-timer blowup. In France, the CSE must be informed and consulted before signing a binding agreement affecting organisation or management. In Germany there is no general duty to consult on a share sale itself, but operational changes trigger consultation and the economic committee should be informed pre-signing. In the Netherlands the works council has a formal right of advice before a major decision is finalized (typically 4-6 weeks; a decision made without it can be voided). And in the UK, TUPE automatically transfers employees on their existing terms in a business/asset transfer, with consultation duties of its own. Build it into the timeline and the conditions to completion — do not discover it two weeks before your signing date.

Signing and closing split apart. Because FDI clearance, any merger filing, and works-council consultation take time, cross-border deals almost always exchange (sign) and complete (close) on separate dates, with conditions precedent satisfied in the gap. US buyers used to simultaneous sign-and-close must plan for this gap — it is where currency risk lives, where the target keeps trading, and where a MAC clause (present in 14% of European deals per CMS, versus near-universal in larger US deals) either does or does not protect you. Earn-outs, incidentally, hit a study-high 27% of European transactions in CMS 2026 — useful when you cannot agree on value, but a fresh source of post-closing dispute you will now be litigating across a border.

Should we hedge our euro or pound exposure now, or wait until close?

For most first-time cross-border buyers, hedge the deal-price exposure at signing rather than leave it open to completion — because in the gap between signing and closing you are carrying an uncompensated currency bet on top of the deal itself. 2025 made the point vividly: EUR/USD moved from about 1.02 to about 1.18 (roughly 14%) between January and September. On a €40M purchase price, a 10% move is €4M of value swing that has nothing to do with how the target performs — and earlier in the cycle, euro weakness created effective 10-20% discounts for US buyers of European assets. FX moves reprice deals whether you manage it or not.

The complication that makes cross-border hedging its own skill: between signing and closing, your deal is conditional — FDI clearance might not come; a condition might fail — so a plain vanilla forward leaves you over-hedged and forced to unwind, possibly at a loss, if the deal breaks. The standard M&A instrument is the deal-contingent forward (DCF): it locks your FX rate but falls away at no cost if the deal does not close, with the walk-away optionality priced into a slightly worse rate you pay only on completion — usually a better M&A fit than a vanilla forward (unwind risk) or a plain option (upfront premium). The framing that keeps a board comfortable: this is deal-structuring, not speculation. You are fixing the price you already agreed, in your own currency.

Why do cross-border deals take 6-9 months, and is 90 days of exclusivity enough?

They take longer because a cross-border deal adds regulatory and consultation steps that run on their own statutory clocks — and no, 90 days of exclusivity is generally not enough to reach an unconditional closing, but that is the wrong target. You use exclusivity to reach signing, and you close after clearance.

A comparable US domestic deal can close in roughly 3-4 months; a cross-border deal commonly runs several months longer, with regulatory complexity pushing many into 6-12 months. The additions are the perimeters: FDI screening (UK NSIA's initial 30 working days plus a 30-working-day assessment extendable by 45; Germany's parallel review), any national merger filing, works-council consultation, and diligence that itself runs longer because of GDPR transfer set-up, translation, and time-zone coordination. These are statutory processes — start them early and run them in parallel, but you cannot make a 30-working-day clock finish in 10.

So: sign the SPA inside your 90 days, then satisfy the conditions precedent in the gap before completion, under a realistic long-stop date several months out, with the SPA allocating who bears regulatory risk. What kills deals in this window is rarely the clock itself. It is drift: a room that opens slowly so diligence starts late; a works council consulted too late; a target trading in ways that trip a MAC or leak value before the locked-box date; a transfer mechanism unsigned, so EU personal data can't move. The antidote is front-loading — a fully populated, access-controlled room on day one, the transfer mechanism signed before data moves, and screening notifications filed as early as the terms allow, so every clock runs concurrently.

What should go in a board risk memo for a first cross-border acquisition?

A board risk memo for a first cross-border deal should do one job: tell the board, on one page, which of the three perimeters could stop or reprice this deal and what you are doing about each. It is not a diligence report; it is a risk map. Here is a skeleton you can lift — seven lines, each a heading the board can interrogate:

  1. Deal at a glance — target, jurisdiction(s), enterprise value ($45M), structure (share vs asset), currency of the purchase price, and the proposed sign-then-close timeline.
  2. Regulatory perimeter — which FDI regimes apply (UK NSIA mandatory sector? German review? CFIUS?), whether filing is mandatory, expected clearance timing, and the void/penalty risk of getting it wrong. Note that antitrust is below the floor if it is.
  3. Data perimeter — the transfer mechanism for the target's EU personal data (SCCs, DPF, or UK adequacy), where the diligence room is hosted and why, and how access is controlled and logged. Flag any controlled-technology / deemed-export exposure.
  4. Deal mechanics — pricing mechanism (locked box vs completion accounts) and why, W&I insurance in place or not, works-council/TUPE consultation duties and their timeline impact.
  5. Currency risk — the FX exposure in dollar terms, the hedging approach (e.g., a deal-contingent forward), and the residual swing the board is being asked to accept.
  6. Timeline & long-stop — the expected close window (6-9 months), the long-stop date, and the top three things that could delay it.
  7. What could kill it, and the walk-away — the two or three break scenarios (clearance blocked or over-conditioned, a diligence red flag, an FX or value shock), the break-fee/cost exposure if it dies, and the recommendation.

If your board reads only lines 2 and 3, they will have grasped the two things that make this deal different from your last domestic one. For the surrounding process, the M&A process guide and the due diligence process guide are the companions to this memo.

What do first-time US acquirers of European companies always miss?

The same handful of things, in my experience watching these deals run — every one a perimeter a domestic playbook has no slot for:

  • They screen for antitrust and forget FDI. They check the HSR threshold, see they are under it, and conclude "no filing" — missing that NSIA or German FDI screening can be mandatory at their size with no value floor. The number-one miss.
  • They email the diligence data. They treat the target's employee and customer data like any other file and share it before a transfer mechanism is in place — exactly the unlawful transfer the GDPR regime exists to catch.
  • They consult the works council too late. They set a signing date, then discover a French CSE or Dutch works council must be consulted first, and the date slips by weeks.
  • They price like a US deal. They expect completion accounts, are surprised when the seller proposes a locked box, and negotiate the wrong protections.
  • They leave FX open. They agree a euro price and carry it unhedged to close, treating a 10-15% swing as noise instead of the material value shift it is.
  • They budget for lawyers but not for the clock. They plan a US-speed 3-4 month close and are unprepared for the 6-9 month reality.

None of these is exotic — just perimeter-two and perimeter-three surprises a domestic deal never presented. Knowing they exist is most of the fix.

What's the all-in cost of a first cross-border acquisition?

Beyond the purchase price, budget for an advisory-and-compliance stack meaningfully heavier than a domestic deal — you are now paying for two or three jurisdictions of legal advice, a screening filing or two, and an FX hedge you did not need at home. Exact numbers vary widely, so treat the table as a planning frame, not a quote:

Cost itemTypical basisNotes for a $45M cross-border deal
M&A advisory / banker% of deal value (tiered)Sell-side usually pays; buy-side advisory optional at this size
Legal (multi-jurisdiction)Hourly / cappedThe big one — US + target-country counsel, sometimes a third for a filing
W&I insurance~2.5-3% of the policy limite.g., ~$300K on a $10M limit; buy-side, one-time
FDI filingGovernment fee + counselUK NSIA has no filing fee; counsel time to prepare is the cost
Currency hedgePriced into the forward rateDeal-contingent forward; cost only crystallizes on completion
Data room / VDRFlat admin-seat subscriptionPeony: Business $30/admin/mo; Data Room $52/admin/mo; viewers are free

Two things stand out. First, legal is where the cross-border premium concentrates — you are buying advice in two or three legal systems, and the FDI and data-transfer work is specialized. Second, the data room is the one line that does not scale with headcount: Peony charges per admin seat, and every reviewer — your team, the seller's advisers, both sides' counsel across every time zone — views for free. On a deal with thirty named reviewers across three countries, per-viewer pricing would punish you for running a thorough process; per-admin does not. That is not the reason to run a controlled room — the compliance surface is — but it makes the perimeter-two control close to the cheapest line in the stack, and it is what lets a team on any of the 5,900+ companies using Peony add the seller's third adviser without a second thought.

For the acquirer's fundamentals beyond the cross-border layer, our siblings shipping alongside this guide cover the ground: how to acquire a company for the first-time buyer, and corporate acquisition strategy for the repeat acquirer building a program. Our own State of M&A Data Rooms report — drawn from real deal activity on the platform — found that US targets overtook European ones by deal count in the most recent period, a reminder that the EU-to-US direction of this guide is as live as the US-to-EU one.

This guide is general information for a first-time cross-border buyer, not legal advice. Every figure is sourced, but your specific filings, thresholds, transfer mechanisms, and consultation duties turn on facts only your counsel in each jurisdiction can confirm — get that advice early, because the perimeters are exactly where early advice pays for itself.

Frequently asked questions

Locked-box vs completion accounts for a cross-border acquisition — which is better for the buyer?

Neither is categorically better for the buyer — they allocate the value of the business between signing and closing in opposite directions, and which one favors you depends on how the target trades in that gap. With a locked box, the price is fixed at a past balance-sheet date and you buy the economics from that date, so the seller carries no completion-accounts adjustment but you take the risk of what happens to the business between the locked-box date and closing (protected only by leakage covenants). With completion accounts, the price adjusts after closing based on actual cash, debt, and working capital at completion, which protects you from a business that weakens in the gap but leaves the final number open for weeks of post-closing dispute. Locked box is the European convention — per the CMS European M&A Study 2026, locked box was used in 54% of deals — while US buyers instinctively reach for completion accounts and post-closing working-capital true-ups. On a fast-trading, seasonal, or cash-generative target a completion-accounts mechanism protects the buyer; on a stable business a locked box removes dispute risk and lets you diligence one fixed number. The data-room implication is the same either way: whichever mechanism you choose, the balance-sheet evidence behind it must be in the room, complete and access-logged, because that dataset is what a later price dispute will be fought over.

Is a $45M software acquisition big enough to trigger UK NSIA or German FDI review?

For antitrust, almost certainly not; for national-security screening, quite possibly yes — and that distinction is the whole point. A $45M software deal sits far below the merger-control floors: the US HSR minimum size-of-transaction threshold is $133.9 million effective February 17 2026, the EU Merger Regulation is turnover-based (combined worldwide turnover above €5 billion) and a deal this size will essentially never reach it, and even the UK CMA target-turnover test is £100 million. So on antitrust, a $45M deal is usually below the floors everywhere. FDI screening is different: it does not care about deal size. The UK's National Security and Investment Act imposes mandatory pre-completion notification across 17 sensitive sectors at a 25% shareholding threshold with no minimum deal value, and 'advanced computing,' AI, data infrastructure, and defence-adjacent software can all fall inside those sectors. Germany's regime reviews a non-EU/EFTA buyer taking 25% of voting rights (10-20% for around 27 sensitive activities), again with no deal-value floor. And in the US, CFIUS has mandatory declaration triggers tied to critical technology and export-controllability, not size. So the honest answer for a first-timer: it is not antitrust that bites at this size — it is screening. Map your target's activities against the mandatory sector lists before you assume you have no filing.

How do we legally transfer due diligence data from an EU target to a US buyer under GDPR?

You need a lawful transfer mechanism under Chapter V of the GDPR before the target's EU personal data — employee files, customer lists, the cap table — moves to you or your US advisers, because sharing that data with a non-EEA recipient is itself a 'transfer' that GDPR restricts. For a US buyer the two live routes are: (1) the EU-US Data Privacy Framework, if your receiving US entity is DPF-certified — the framework is still valid, the EU General Court dismissed the Latombe challenge on 3 September 2025, though a CJEU appeal is pending; or (2) Standard Contractual Clauses under Article 46, the workhorse mechanism, signed between exporter and importer and backed by a transfer impact assessment plus supplementary measures after Schrems II. Do not build a structured diligence data flow on Article 49 derogations like one-off consent — regulators treat those as last-resort for occasional transfers, not for a running data room. A crucial nuance for UK-side deals: EU-UK transfers need no SCCs at all, because the EU renewed UK adequacy through 27 December 2031. And be honest about what the data room does here: no data room makes an unlawful transfer lawful. The transfer mechanism (SCCs or adequacy) is legal work your counsel does; the room's job is to enforce and evidence it — who accessed which personal-data file, when, under which permission — so that the mechanism you signed is actually respected in practice.

Is 90 days of exclusivity enough for a cross-border deal with two regulatory filings?

Usually not enough to reach an unconditional closing, but that is the wrong test — 90 days is enough to get you to signing, and you close after clearance. The standard structure for a cross-border deal with regulatory filings is a split exchange and completion: you negotiate and sign the SPA inside exclusivity, then satisfy conditions precedent (FDI clearance, any merger-control filing, works-council consultation) in the gap before completion, which can run for weeks or months afterward. Trying to force both filings to clear inside 90 days is unrealistic — UK NSIA clearance alone can run 30 working days for the initial call-in decision and then a 30-working-day assessment extendable by a further 45. So use exclusivity to lock the deal terms and reach signing; build the regulatory conditions into the SPA as conditions to completion, with a realistic long-stop date (often several months out) and clear allocation of who bears regulatory risk. What kills deals in this window is not the exclusivity clock itself but drift: a diligence data room that opens slowly, a works council consulted too late, a target that keeps trading in ways that trip a MAC or leak value before the locked-box date. Keep the room fully populated and access-logged from day one so diligence runs in parallel with, not after, the legal drafting.

How do I run due diligence across time zones without leaks?

Treat the data room as the compliance surface, not a file-drop, and let named access plus logging do the work that email cannot. Concretely: give every reviewer — your team, your advisers, the seller's advisers, in London, Frankfurt, and your own office — a named-viewer link tied to their own email, never a shared password, so 'who can see this' is a list you control rather than a link that forwards itself overnight while you sleep. Set granular, folder-level permissions so a reviewer sees only what their role requires, and stage disclosure — less sensitive material early, the most sensitive datasets released only to confirmed bidders late. Turn on per-viewer dynamic watermarking so every page a reviewer sees carries their own identity, which deters the screenshot-and-share and makes any leak attributable to the person who took it. Above all, rely on the access log: a timestamped record of who opened which document, when, and from where. Across time zones that log is both your operational dashboard (is the other side actually reviewing?) and, in a regulated transfer, your regulator-ready audit trail proving the transfer mechanism you signed was respected. I run Peony, a data room company, and this permission-plus-log pattern is exactly what it is built for; more than 5,900+ companies use it, and Great Britain is our second-largest market with 140+ customers across Europe, so cross-border rooms are a big part of what runs on it.

Do we need to consult the German works council before signing the SPA?

There is no general German duty to consult the works council on the sale of shares itself, but there almost certainly are related consultation and information duties you must plan around — so the practical answer for a first-timer is: assume consultation is on the critical path and confirm the exact trigger with German counsel early. Selling the shares of a company does not, on its own, require works-council consultation in Germany. What does trigger duties is operational change — carve-outs, relocations, planned redundancies, or a restructuring — and separately the economic committee (Wirtschaftsausschuss) should be informed of the planned transaction before signing. Contrast this with France, where the CSE (works council) must be informed and consulted before you sign a binding acquisition agreement that affects organisation or management, and with the Netherlands, where the works council has a formal right of advice before a major decision like an acquisition is finalized (typically 4-6 weeks, and a decision made without it can be voided). The cross-border lesson: European employee-representation duties are real, jurisdiction-specific, and time-consuming, and they belong in your timeline and your conditions to completion — not as a surprise two weeks before your target signing date.

How much does W&I insurance cost as a percentage of deal value?

Warranty and indemnity insurance is priced on the policy limit you buy, not on the whole deal value, and in 2025 that premium ran roughly 2.5-3% of the limit in the US market (down from around 5% in 2022 as the market softened). So the headline percentage is of the coverage amount: if you insure a $10 million limit on your $45M deal at ~3%, the premium is on the order of $300,000, not a percentage of the full $45M. W&I (called RWI in the US) is used in roughly 20-25% of US private-company acquisitions and is standard in most middle-market deals, with buy-side policies dominating; it is available for deals as small as around $25M, so a $45M cross-border deal is squarely in range. In Europe, W&I usage was broadly flat from 2024 to 2025, the UK is the most W&I-comfortable market, and per the CMS European M&A Study 2026 the use of separate security for warranty claims fell to 20% as buyers leaned on insurance instead. The buyer's practical takeaway: W&I lets you take clean warranty recourse from an insurer rather than chasing a foreign seller across borders for a breach, which is often worth more on a cross-border deal than on a domestic one precisely because cross-border enforcement against the seller is harder.

Should we hedge our euro or pound exposure at signing, or wait until close?

For most first-time cross-border buyers the right instinct is to hedge the deal-price exposure at signing rather than leave it open to closing, because between signing and completion you are carrying an uncompensated currency bet on top of the deal itself — and 2025 was a reminder of how large that bet can get, with EUR/USD moving roughly 1.02 to 1.18 (about 14%) between January and September. On a €40M purchase price, a 10% move is €4M of value swing that has nothing to do with how the business performs. The complication is that between signing and closing your deal is conditional — FDI clearance might not come, a condition might fail — so a plain forward leaves you over-hedged if the deal breaks. The standard M&A answer is a deal-contingent forward: it locks your FX rate but falls away at no cost if the deal does not close, with the walk-away optionality priced into a slightly worse rate that you only pay on completion. That is usually a better fit than a vanilla forward (which you would have to unwind, possibly at a loss, on a broken deal) or a plain option (which costs an upfront premium). This is deal-structuring, not speculation: the goal is to fix the price you agreed in your own currency, not to bet on the exchange rate.

Why do cross-border M&A deals take 6-9 months when US domestic deals close in 3-4?

Because a cross-border deal adds regulatory and consultation steps that run on their own statutory clocks and often cannot be compressed, no matter how fast your deal team moves. A comparable US domestic deal can close in roughly 3-4 months; a cross-border deal commonly runs several months longer, with regulatory complexity pushing many into the 6-12 month range per practitioner guidance. The specific additions: FDI screening in one or more jurisdictions (UK NSIA's initial 30 working days plus a 30-working-day assessment extendable by 45 more; Germany's parallel review), any national merger-control filing, works-council information and consultation on the European side (which cannot simply be waived to save time), and cross-border diligence that itself takes longer because of GDPR transfer set-up, translation, and time-zone coordination. These steps are largely sequential-or-parallel statutory processes, not negotiation you can accelerate — you can start them early and run them in parallel, but you cannot make a 30-working-day clock run in 10. The way to protect the timeline is to front-load: open a fully populated, access-controlled data room on day one, get the transfer mechanism signed before EU personal data moves, and file screening notifications as early as the deal terms allow, so the clocks run concurrently rather than one after another.

Should diligence data live in an EU-hosted or US-hosted data room under GDPR?

Where the server sits matters less than whether you have a lawful transfer mechanism and can evidence access — hosting location is one input to your GDPR analysis, not the whole answer. Keeping the target's EU personal data in an EU-hosted room can simplify the analysis because the data stays in the EEA, but the moment a US buyer or US adviser opens a document, that access is itself a transfer to the US that needs a mechanism (SCCs or DPF) regardless of where the file physically lives. Conversely, a US-hosted room is entirely workable for EU data provided the transfer is covered by SCCs (or DPF) and you can demonstrate control over who accessed what. Peony's honest position: standard Peony plans are US-hosted (AWS us-east-1) and rely on SCCs for EU personal data, which is a legitimate, common arrangement for cross-border diligence; custom UK or EU data residency, bring-your-own-key, and self-hosted deployment are available on Enterprise plans for buyers who need the data to stay in-region as a matter of policy or counterparty requirement. Peony is SOC 2 Type II. The decision rule: if your EU seller or its counsel requires in-region residency, use an EU/UK-residency option (Enterprise); otherwise a US-hosted room with SCCs and a complete access log is defensible. Either way, the room does not make the transfer lawful — your mechanism does — but the room is what proves the mechanism was honored.

How long does UK NSIA or German FDI clearance take for a software acquisition?

Plan for two to four months from a complete notification to clearance in a straightforward case, and longer if the deal is called in for detailed assessment. Under the UK NSIA, once the Investment Security Unit accepts a mandatory notification it has 30 statutory working days to decide whether to call the deal in; if it does not, you are cleared to complete. If it calls the deal in, a separate assessment period of 30 working days runs, extendable by a further 45 working days (plus scope for a voluntary extension). So a clean deal can clear in roughly the initial 30-working-day window, while a called-in deal can run several months. Context from the NSIA 2025-26 annual report: of 1,324 notifications, only 60 were called in and just 9 ended in a final order (1 blocked, 8 cleared with conditions) — so most notified deals clear without conditions, though defence and advanced-technology deals draw the most scrutiny. Germany's cross-sector review runs on its own timetable, typically a couple of months for a non-problematic case and longer where the target touches sensitive activities. The buyer's takeaway: notify early, because these are pre-completion conditions — the deal cannot lawfully close until clearance lands, and in the UK's mandatory sectors a deal completed without clearance is legally void.