What Is Due Diligence? A 2026 Hub Guide to All 7 Types

Co-founder and CEO at Peony. I built the data room platform with a background in document security, file systems, and AI. Founded Peony in 2021 in San Francisco.

Quick answer: Due diligence is the structured investigation a buyer runs on a target before signing — review the documents, interview management, validate the claims, surface the risks, and translate findings into purchase-price adjustments, escrow, indemnities, or a walk-away. Modern M&A DD covers 7 universal workstreams (financial, legal, tax, IP, HR, IT/cyber, commercial) plus 2 sector-gated bonus types (environmental, AI). Mid-market DD runs 8-14 weeks at 0.2-4% of deal value in advisory costs. 30-50% of signed LOIs collapse during DD per Acquisition Stars 2026 — making it the highest-leverage stage in the deal lifecycle.

Last updated: May 2026

Why I wrote this

I'm Deqian Jia, co-founder of Peony and a former VC at Backed and Target Global. I have run buy-side and sell-side due diligence on hundreds of deals — venture-stage acqui-hires that closed in two weeks, mid-market carve-outs with eight workstreams running in parallel for three months, and a handful of cross-border platform deals where the HSR clock and the R&W underwriting process dictated the entire critical path. At Peony we now serve more than 4,300 customers, and the pattern that shows up across our deal benchmarks is the same pattern I have seen on every deal team I have worked with: the buyers who close are the ones who scope DD against a written thesis. The buyers who walk away after 60 days and $250K in advisory fees are the ones who skipped that step.

This post is the definitional hub for Peony's 16+ post DD cluster. It does not try to replace any of the deep posts — the process guide, the 174-document checklist, the 14-week timeline, the workstream cost breakdown, the hard-vs-soft DD 5-frame playbook, and the type-specific deep posts on financial, legal, tax, IP, HR, IT, cyber, commercial, environmental, AI, vendor, real estate, and third-party DD each own their own depth. What this post does is sit on top: give one clean answer to "what is due diligence?", map the 7 types in a 3-axis routing grid, and point you to the deep post you actually need. If you're new to DD, read this end-to-end. If you have a specific question, the Related Resources section at the bottom lists every deep post by topic.

7 types of due diligence in 2026 with sector-gated bonus categories — financial, legal, tax, IP, HR, IT and cybersecurity, commercial, plus environmental and AI as sector-gated bonus types

What is due diligence (quick answer)?

Due diligence is the structured investigation a buyer (or investor, or lender) runs on a target before a deal closes. The mechanics: the buyer reviews documents, interviews management, runs independent analyses, and pressure-tests the seller's claims. The output: a decision to close at the headline price, close at an adjusted price, close with structural protections (escrow, indemnities, R&W insurance), or walk away.

The legal origin of the term is the Securities Act of 1933, Section 11, which created an affirmative defense for securities underwriters who could prove they had conducted a "reasonable investigation" of an issuer. The modern usage has expanded far beyond securities — every M&A transaction, every venture financing, every LP fund commitment, every commercial real estate purchase, every vendor onboarding, and every IPO syndicate now runs some flavor of DD against the same underlying logic: the buyer carries asymmetric information risk, and DD is the structured process that closes the gap.

In a 2026 mid-market M&A deal, DD typically takes 8-14 weeks LOI-to-close, runs 6-8 parallel workstreams (financial, legal, tax, IP, HR, IT/cyber, commercial, sometimes environmental), costs 0.2-4% of deal value in advisory fees per Bain, and culminates in a Purchase Agreement that translates findings into reps, escrows, indemnities, and pre-close covenants. For a venture financing, DD compresses to 1-4 weeks and weights team-and-market over historical financials. For LP-on-fund DD, the workstream weight inverts again — operations, track-record attribution, governance, and key-person clauses replace target-company analysis.

The data anchor every dealmaker should know: 30-50% of signed LOIs collapse during DD per Acquisition Stars and Wharton meta-analyses, and 70-90% of completed M&A deals fail to create shareholder value. DD is the only stage in the deal lifecycle where the buyer can re-price or walk without paying a break fee — which is why it carries disproportionate weight relative to time spent on it.

Why does due diligence matter (and what kills deals when it's skipped)?

DD is the highest-leverage stage of the deal lifecycle because it is the only point where the buyer can convert ambiguity into one of three outcomes — a price, a protection, or a plan — without owning the asset. The mechanics: every red flag surfaced during DD maps to either a purchase-price adjustment, a structural protection (escrow, indemnity, R&W insurance, special indemnity), or a pre-close remediation covenant. Findings that sit in a diligence memo but never reach the Purchase Agreement are wasted work.

The Walk-Rate Collapse Pattern. Across the 2024-2026 cohort, between 30% and 50% of signed LOIs collapse during DD per Acquisition Stars 2026 and the Wharton meta-analysis on why M&A deals fail. Within the deals that do close, 70-90% fail to create shareholder value over a 3-5 year horizon. The 50% LOI walk rate sets the upper bound on what a seller should invest in market preparation; the 70-90% completed-deal failure rate sets the upper bound on what a buyer should invest in post-LOI DD rigor. Both numbers point at the same conclusion: DD is the single most consequential stage in any deal, and most dealmakers underinvest in it.

The deal killers cluster in five buckets:

  1. Quality of Earnings adjustments that materially change normalized EBITDA. Revenue recognition disputes under ASC 606, aggressive add-backs, related-party transactions surfaced late, and customer-credit-loss patterns that don't match the financials. The 84% of lenders who now require detailed QoE documentation per DueDilio's 2025 QoE Analysis Guide make QoE the hardest-to-skip workstream in any leveraged deal.

  2. IP assignment chains that never closed. Contractor-built code where the contractor never signed a work-for-hire agreement. Patent applications filed under an individual inventor's name without subsequent assignment. Open-source license violations that propagate through derivative works. On one deal I supported, the buyer discovered during Phase 4 that three key engineers had never signed IP assignment agreements — closing was delayed five weeks while the seller obtained retroactive assignments.

  3. Undisclosed cybersecurity incidents. Unpatched critical vulnerabilities, no formal incident response plan, expired penetration tests, or worse — undisclosed breaches in the historical record. 73% of dealmakers would walk away from a deal with undisclosed cyber issues per Forescout's M&A Cybersecurity Survey, and IBM's 2025 Cost of a Data Breach Report puts the average breach at $4.44M globally and $10.22M in the US.

  4. Working capital disputes that move the price. The seller's estimated balance sheet diverges from the buyer's calculation, often by 5-15% of the deal value. Per SRS Acquiom's 2025 Working Capital PPA Study covering 1,200+ private-target deals and $298B in aggregate transaction value, working capital adjustments now appear in >90% of private-target M&A.

  5. Customer concentration tied to specific individuals. Top 5 customers >50% of revenue is a red flag; top 5 customers >50% of revenue AND loyalty tied to founders or specific account managers is a stop sign. This is the soft-DD overlay on commercial concentration — the issue isn't "is concentration high?" but "is loyalty transferable to a new owner?"

For the deeper red-flag taxonomy and walk-away triggers, see Due Diligence Red Flags and Due Diligence Mistakes That Kill Deals.

What are the 7 main types of due diligence?

The modern DD stack is 7 universal workstreams plus 2 sector-gated bonus categories. Each gets a sub-section below with a one-paragraph definition, one anchored stat, and a route-down link to the Peony deep post.

This is the DD Routing Map — Peony's proprietary 3-axis taxonomy. Every DD workstream below sits on three axes: (1) Hard (docs and math) vs Soft (people and patterns), (2) VDR-visible (the data room is the substrate) vs Off-sheet (interviews, surveys, primary research), (3) Universal (applies to every deal) vs Sector-gated (industrial, real estate, energy, tech). The Routing Map lets you scope DD against deal thesis instead of running the alphabet order regardless of why the deal is happening.

Financial DD

What it is: The workstream that reconciles reported EBITDA to normalized EBITDA through a Quality of Earnings (QoE) report, sets the working capital "peg" for the purchase price adjustment, validates revenue recognition, and tests cash flow conversion against reported earnings. Financial DD is the gating workstream for any leveraged deal — without a clean QoE, the lender will not fund.

Anchored stat: 84% of lenders now require detailed QoE documentation for all normalized EBITDA adjustments per DueDilio's 2025 QoE Analysis Guide.

Axes: Hard / VDR-visible / Universal.

→ For the full 8-workstream M&A playbook with phase-by-phase mechanics, see the M&A Due Diligence Process Guide. For the 174-document master list, see the Due Diligence Checklist.

Legal DD

What it is: The workstream that reviews corporate structure (cap table, governance, board minutes), material contracts (change-of-control termination rights, anti-assignment clauses, vendor exclusivity), litigation history (pending and threatened), IP ownership chains, regulatory compliance, and employment law. Legal DD takes 2-6 weeks and is typically run by outside M&A counsel with workstream specialists for IP, employment, regulatory, and tax.

Anchored stat: Change-of-control termination rights in material contracts are the most common 2024-2026 legal-DD red flag per Bloomberg Law's M&A DD Checklist.

Axes: Hard / VDR-visible / Universal.

→ For the broader phase-by-phase legal DD flow, see the M&A Due Diligence Process Guide and the Due Diligence Questionnaire for the document request structure.

Tax DD

What it is: The workstream that scopes federal, state, and international tax exposure — sales tax nexus (Wayfair exposure on remote sellers), transfer pricing (cross-border deals), NOL utilization and Section 382 limitations, R&D credit defensibility, employment-tax classification (W-2 vs 1099), and international tax (BEAT, GILTI). Tax DD typically takes 2-4 weeks and ties directly into R&W insurance scope — areas not professionally scrutinized get excluded from coverage.

Anchored stat: 65% of 2025 M&A respondents expected R&W insurance use to rise in 2026 per CBIZ's R&W Insurance trend study — and insurer scope tracks tax-DD rigor directly.

Axes: Hard / VDR-visible / Universal.

→ For the tax-specific request list and 2026 HSR thresholds, see the Tax DD Checklist.

IP DD

What it is: The workstream that verifies patent, trademark, and copyright ownership chains, employee and contractor IP assignment agreements, open-source software license compliance, trade secret protection procedures, and freedom-to-operate analysis. IP DD is the single most-skipped workstream relative to its deal-killing potential — especially in venture-stage acquisitions where contractor-built code lacks work-for-hire agreements.

Anchored stat: Missing or unsigned IP-assignment chains where contractor-built code lacks work-for-hire agreements are the most common deal-killing finding in 2024-2026 startup acquisitions per Herrera Partners' 2025 Legal DD analysis.

Axes: Hard / VDR-visible / Universal.

→ For the patent, trademark, and assignment-chain deep dive, see IP Due Diligence.

HR DD

What it is: The workstream that covers compensation benchmarking and total benefits cost, key-person identification (the question is not "will the CEO stay?" but "which individuals, if they left, would take customers with them?"), employee classification review (W-2 vs 1099), immigration and visa status, and pending or threatened employment claims. HR DD is the most-undervalued hard-DD-adjacent workstream relative to integration outcomes.

Anchored stat: 47% Year-1 turnover and 75% Year-3 turnover at acquired companies per PMI Stack and E2E Deal Insights 2024-2026 compilations. The WTW 2024 M&A Retention Study shows 72% of acquirers now set aside retention payments — median 75-100% of base salary for C-suite, 50% for senior leaders, 30% for rank-and-file.

Axes: Hard with Soft overlay / VDR-visible (docs) plus Off-sheet (key-person interviews) / Universal.

→ For the FTC non-compete rule changes and post-Ban scope rebalancing, see HR Due Diligence.

IT and Cybersecurity DD

What it is: The workstream that covers architecture review, security program maturity against NIST CSF 2.0, incident history and response capability, third-party vendor risk management, patch cadence and vulnerability management, penetration test results, and privacy compliance posture. The big 2025-2026 shift: cybersecurity migrated from sub-bullet under IT DD to standalone workstream — this is The 2026 Cyber-As-Standalone Shift.

Anchored stat: Cybersecurity reps were absent from 22% of 2025-cohort deals (up from 5% in 2024) per SRS Acquiom's 2025 Deal Terms Study covering 2,200+ private-target deals and $505B in aggregate transaction value — sellers increasingly refusing standalone cyber reps as breach severity climbs. 97% of senior bankers expect cyber to receive the greatest DD scrutiny per the SRS Acquiom + Mergermarket Q3 2024 senior banker survey. IBM's 2025 Cost of a Data Breach Report puts the average breach at $4.44M globally and $10.22M in the US.

Axes: Hard / VDR-visible plus Off-sheet (pen test results) / Universal in tech, sector-gated in industrials.

→ For the full cyber DD framework — Bain Test, 5-axis breach matrix, OAuth audit, regulatory map — see Cybersecurity Due Diligence. For broader IT scope, see IT Due Diligence.

Commercial DD

What it is: The workstream that covers market sizing and competitive landscape, pipeline quality and conversion analysis, customer retention, churn, and expansion metrics, top-customer concentration and contract terms, and pricing power assessment. Commercial DD typically runs 2-4 weeks and is the workstream most prone to scope creep.

Anchored stat: Any single customer >20% of revenue is the canonical 2024-2026 commercial-DD red flag per Buxton's Commercial DD Checklist and HSF Kramer's 2025 Global M&A Report. Top-5 concentration >50% triggers deeper customer interviews.

Axes: Hard with Soft overlay (customer interviews) / VDR-visible (contracts, pipeline reports) plus Off-sheet (primary customer interviews) / Universal.

→ For the workstream-by-workstream deep dive on market sizing, pipeline analysis, and customer DD, see Commercial Due Diligence.

Environmental DD (sector-gated)

What it is: The workstream that covers environmental liability assessment, permit compliance review, remediation obligations, Phase I and Phase II Environmental Site Assessments, and ESG reporting readiness. Environmental DD applies to industrial, real estate, energy, and any deal with material physical assets — it is not universal.

Anchored stat: The EU's CSRD/CSDDD Omnibus simplification entered into force March 18 2026, narrowing CSDDD scope to companies >5,000 employees + €1.5B revenue (transposition deadline July 2029) and removing 85-90% of previously in-scope firms. The CSRD threshold was raised to >1,000 employees + €450M revenue per Gibson Dunn and Morgan Lewis 2026 analyses.

Axes: Hard / VDR-visible plus Off-sheet (site visits) / Sector-gated.

→ For the full environmental DD scope, Phase I/II ESA mechanics, and ESG reporting framework, see Environmental Due Diligence. For real estate-specific scope, see Real Estate Due Diligence Checklist.

AI DD (sector-gated, emerging 2025-2026)

What it is: The newest DD column, added to the canonical stack in 2025-2026. The AI-Defensibility Column scopes 4 vulnerability axes per Valutico's 2026 AI Vulnerability Framework: model redundancy plans (what happens if OpenAI prices change?), data provenance maps (where did training data come from?), workflow integration evidence (is AI a feature or a moat?), and talent retention plans (do the inventors stay?). AI DD applies to any target with material AI exposure — increasingly that means any modern SaaS, fintech, or data target.

Anchored stat: 70% of PE firms have walked away from a deal after identifying that generative AI could negatively impact the target's business model per Acquisition Stars 2026. 58% of M&A practitioners use generative AI in due diligence — the highest of any M&A workflow per Bain's 2025 Global Private Equity Report, with adoption more than doubling to 45% of practitioners in 2025.

Axes: Hard with Soft overlay (talent retention) / VDR-visible (model cards, data licenses) plus Off-sheet (engineer interviews) / Sector-gated to any AI-exposed target.

→ For the full 5-layer AI audit framework — data, model, infrastructure, output, governance — see AI Due Diligence.

Vendor / Third-Party DD (sector-gated)

What it is: Two distinct concepts share the word "vendor." (1) Third-party DD is the diligence run on intermediaries, suppliers, and agents — not on a deal target — covering FCPA (US, anti-bribery), UK Bribery Act, OFAC (US sanctions), UFLPA (US forced labor), and the EU's CSDDD. (2) Vendor DD is the diligence a SELLER commissions on themselves pre-market — QoE, IP audit, cyber pen test — to accelerate the eventual buy-side process and maximize competitive tension.

Anchored stat: Vendor DD compresses the typical buy-side timeline by 2-4 weeks and lifts deal multiples 0.5-1.5x on competitive auctions per industry benchmarks.

Axes: Hard / VDR-visible / Sector-gated to compliance-heavy industries (third-party) or seller-initiated (vendor).

→ For the 5-jurisdiction compliance framework on intermediaries, see Third-Party Due Diligence. For the vendor DD checklist on suppliers, see the Vendor Due Diligence Checklist. For seller-side pre-market prep, see Sell-Side Due Diligence.

How does the due diligence process work step-by-step?

M&A DD unfolds across six phases. Each phase has its own scope, deliverables, and decision gates — and each is owned by a different combination of buyer-side team, seller-side team, and outside advisors.

Phase 1 — Preliminary assessment (1-3 weeks). Buyer identifies the target, forms an investment thesis, conducts desktop research, and decides whether the opportunity is worth pursuing. Output: written thesis, teaser package, preliminary management calls.

Phase 2 — LOI and term sheet (1-2 weeks). Buyer submits a Letter of Intent with proposed valuation, deal structure, exclusivity period, and key conditions. Output: signed LOI with exclusivity, preliminary DD request list, NDA.

Phase 3 — Full DD launch (1 week). Data room goes live, DD team mobilizes, first wave of document requests and Q&A begins. Output: complete DD request list organized by workstream, data room index, Q&A protocol document.

Phase 4 — Deep dive by workstream (2-6 weeks, parallel). Specialist teams conduct detailed analysis across all 7-9 workstreams. This is where most deal-breaking issues surface.

Phase 5 — Negotiation and confirmatory DD (2-4 weeks). DD findings get translated into deal terms — purchase price adjustments, indemnities, escrows, reps and warranties. R&W insurance underwriting runs in parallel.

Phase 6 — Close (1-2 weeks). Final signing conditions satisfied, funds transfer, transaction closes. Data room transitions from DD tool to integration archive.

This is a compressed summary. For the full phase-by-phase playbook with workstream timelines, key documents, common mistakes, and how a data room supports each phase, see the M&A Due Diligence Process Guide. For the 14-week critical-path orchestration of 6+ parallel workstreams against the QoE → SPA → financing → R&W → HSR serial chain, see the DD Timeline. For the buyer-side prep checklist, see How to Prepare for Due Diligence.

What is hard vs soft due diligence?

The hard-vs-soft distinction is the most consequential modern DD frame. Hard DD is the document-and-math workstream — financial, legal, tax, commercial. The questions hard DD answers are the kind a CPA or a lawyer can audit against a document set: Does the EBITDA reconcile? Is the IP chain unbroken? Are the tax positions defensible? Is the customer concentration acceptable? All four pillars live mostly inside the data room.

Soft DD is the people-and-pattern workstream — HR/talent, culture, customer, brand, leadership. The questions soft DD answers cannot be audited against a document: Will the top 20 engineers stay? Does the acquirer's hierarchical culture clash with the target's flat decision-making? Are the customers loyal to the product or to the founder? Soft DD mostly happens outside the data room — through clean-team interviews, executive assessments, and customer reference calls.

The framing traces to David Harding and Ted Rouse's April 2007 Harvard Business Review article "Human Due Diligence" — both authors were Bain partners. The 2024-2026 data anchors the case: 50-75% of post-merger integrations fail on cultural clashes per McKinsey's 2023 Global Survey, KPMG 2026, and PwC 2023 — yet only 10-20% of acquirers apply similar rigor to cultural DD as to financial DD. Culture-aligned deals are 40% more likely to hit cost synergies and 70% more likely on revenue synergies per the McKinsey survey.

For the 5-frame working playbook — Cost-of-Skipping Index, Integration Failure Triple, Hard-to-Soft Reading Order, Soft DD Trigger Matrix, VDR-Visible vs Off-Sheet — see Hard vs Soft Due Diligence.

How does due diligence change by deal type and size?

DD scope, timing, and cost scale with deal size and shift by deal type. This is the DD-by-Deal-Size Matrix — Peony's universal reference grid for scoping DD against the right cost and timeline benchmark.

| Deal size | DD length | DD advisory cost | Workstreams active | Common failure mode | RWI status |
|---|---|---|---|---|---|
| Under $10M | 3-4 weeks | $25K-$75K | 4-5 (compressed) | SDE-to-EBITDA disputes, owner add-backs | Rare |
| $10M-$50M | 4-8 weeks | $50K-$150K | 6-7 | QoE adjustments, customer concentration | Optional |
| $50M-$250M | 6-10 weeks | $100K-$300K | 7-8 | IP chain gaps, cyber surprises | Standard |
| $250M-$1B | 8-14 weeks | $200K-$500K+ | 8-9 | Working capital disputes, HSR second request | Standard |
| Over $1B | 3-6 months | $500K-$2M+ | 9+ (cross-border) | Antitrust, cross-border tax, integration risk | Standard with carve-outs |

DD by Deal-Size Matrix 2026 showing DD length cost workstreams active common failure mode and R&W status across 5 deal-size brackets from under $10M through over $1B

By deal type, the workstream weighting shifts:

  • Strategic acquisitions (synergy-capture). Soft DD (culture, leadership, key-person) gates the deal — synergies die without people.
  • PE platforms. Full 7-workstream DD with heavy QoE, working capital normalization, leadership assessment, and 100-day plan validation.
  • PE add-ons. Compressed financial / legal / tax / commercial DD — IT/cyber and HR ride on the platform's existing diligence stack.
  • Venture investments. 1-4 week DD weighting team and market over historical financials. Founder-CEO assessment replaces leadership DD on a full team. See Investment Due Diligence Checklist and Startup Due Diligence Guide.
  • Search-fund / SBA buyers. Under-$10M DD compressed to 3-4 weeks. SBA 10% Rule (buyer must contribute at least 10% equity) is the gating constraint. See Small Business Due Diligence.
  • Sell-side / vendor DD. Seller commissions own QoE, IP audit, and cyber pen test pre-market. See Sell-Side Due Diligence.
  • IPO underwriter DD. 3-layer DD stack — underwriter (financial), legal (counsel comfort letter), auditor (independent registered public accounting firm). See Due Diligence for IPO.
  • LP / fund DD. Operations, track-record attribution, governance, key-person clauses. See Private Equity Due Diligence.

What red flags does due diligence surface (and what's the walk rate)?

DD red flags cluster across the 7 workstreams and follow the Walk-Rate Collapse Pattern: 30-50% of signed LOIs collapse during DD per Acquisition Stars 2026. The most common deal-killing findings, ranked by 2024-2026 frequency:

  1. QoE adjustments that materially change normalized EBITDA. Aggressive add-backs, revenue recognition disputes, related-party transactions. The single most common Phase 4 deal-killer.

  2. Broken IP assignment chains. Contractor-built code without work-for-hire agreements; patents filed under individual inventor names without subsequent assignment. Especially common in startup acquisitions.

  3. Undisclosed cybersecurity incidents. Unpatched critical vulnerabilities, expired pen tests, undisclosed breaches in historical records. 73% of dealmakers would walk away from a deal with undisclosed cyber issues per Forescout. IBM 2025: $4.44M global / $10.22M US average breach cost.

  4. State tax nexus exposure. Sales tax not in disclosure schedules; remote-seller Wayfair exposure. Surfaces in tax DD and typically translates into special indemnities.

  5. Customer concentration with non-transferable loyalty. Top 5 customers >50% of revenue AND loyalty tied to founders or specific account managers. Soft-DD overlay on commercial concentration.

  6. Change-of-control termination rights in material contracts. Customer contracts that terminate or require renegotiation on acquisition. The most common 2024-2026 legal-DD red flag per Bloomberg Law.

  7. Working capital disputes. Seller's estimated balance sheet diverges from buyer's calculation by 5-15% of deal value. Working capital adjustments now appear in >90% of private-target M&A per SRS Acquiom's 2025 Working Capital PPA Study.

  8. Pending or threatened litigation. Employment claims, IP disputes, regulatory matters that weren't disclosed in disclosure schedules.

  9. Key-person flight risk. One or more individuals controlling >10% of revenue who lack retention packages surviving close.

  10. Quality of revenue. Front-loaded billings, deferred revenue patterns, customer-credit-loss trends that don't match the financials.

For the full red-flag taxonomy with severity scoring and recommended deal-term protections, see Due Diligence Red Flags. For the common DD mistakes that turn red flags into deal collapses, see Due Diligence Mistakes That Kill Deals.

Five 2026 trends reshape the DD playbook. Each has a 2025-2026 data anchor and changes how dealmakers scope, time, and price diligence.

Trend 1 — Cyber-as-Standalone migration. Cybersecurity DD migrated from a sub-bullet under IT DD (pre-2024) to a standalone workstream (2025-2026). Cybersecurity reps were absent from 22% of 2025-cohort deals, up from 5% in 2024, signaling that sellers are increasingly refusing to grant standalone cyber reps per SRS Acquiom's 2025 Deal Terms Study. 97% of senior bankers expect cyber to receive the greatest DD scrutiny over the next 12-24 months per the SRS Acquiom + Mergermarket Q3 2024 senior banker survey, with 84% anticipating increased cyber-DD investment. IBM's 2025 Cost of a Data Breach Report puts the average breach at $4.44M globally (down 9% YoY thanks to faster AI detection) and $10.22M in the US. For the full cyber DD framework, see Cybersecurity Due Diligence.

Trend 2 — AI Defensibility column added. Generative AI moved from "feature" to "moat-or-vulnerability" in 2025-2026 DD. 70% of PE firms have walked away from a deal after identifying that generative AI could negatively impact the target's business model per Acquisition Stars 2026. 1 in 5 strategic dealmakers have walked away over AI impact. On the offensive side, 58% of M&A practitioners use generative AI IN due diligence — the highest of any M&A workflow — per Bain's 2025 Global Private Equity Report, with adoption more than doubling to 45% of practitioners in 2025. The AI workstream uses Valutico's 2026 4-axis framework: model redundancy, data provenance, workflow integration evidence, talent retention. See AI Due Diligence.

Trend 3 — Sign-to-close lengthening continues. Deal timelines lengthened 64% for PE deals from 2023 to 2024 per Goodwin Procter's October 2025 analysis. 88% of dealmakers report sign-to-close has lengthened in the past 3 years, and 59% of senior bankers say 1-3 months have been added to DD timelines specifically. The drivers: increased regulatory scrutiny (HSR second requests, foreign investment review), expanded cyber and AI DD scope, the R&W insurance underwriting bottleneck, and counterparty management bandwidth saturation.

Trend 4 — ESG / CSDDD bifurcation post-Omnibus. The EU's CSRD/CSDDD Omnibus simplification entered into force March 18 2026, narrowing CSDDD scope to EU companies >5,000 employees + €1.5B turnover (transposition deadline July 2029) and raising the CSRD threshold to >1,000 employees + €450M turnover. 85-90% of previously in-scope companies were removed per Gibson Dunn's 2026 EU Omnibus analysis. The bifurcation: large-cap EU targets still carry full CSDDD scope; everyone else faces a far lighter ESG-DD load than the pre-2026 regime suggested.

Trend 5 — HSR Q1 2026 reset. FTC's January 2026 announcement set the 2026 HSR thresholds: size-of-transaction $133.9M (up 6% from $126.4M), top-tier filing fee $2.46M, effective February 17 2026. The combined effect: more sub-$133.9M deals fall below HSR notification (compressing antitrust DD scope on smaller deals), while larger filings face higher fees and continued second-request risk. Separately, the FTC's 2024-2025 expanded HSR filing form was vacated February 12 2026 by the Eastern District of Virginia, restoring the prior narrower filing requirements — collapsing one of the biggest DD-prep workstream burdens added in 2024-2025. For the full timeline and how HSR interlocks with R&W insurance and financing, see the DD Timeline and our coverage of the HSR second-request mechanic in the DD process guide.

How long does due diligence take and what does it cost?

Mid-market DD runs 8-14 weeks LOI-to-close at 0.2-4% of deal value in advisory costs per Bain. The full deal-size breakdown:

  • Under $10M: 3-4 weeks, $25K-$75K advisory fees, $0-$500/month data room
  • $10M-$50M: 4-8 weeks, $50K-$150K advisory fees, $500-$3,000/month data room
  • $50M-$250M: 6-10 weeks, $100K-$300K advisory fees, $2,000-$10,000/month data room
  • $250M-$1B: 8-14 weeks, $200K-$500K+ advisory fees, $5,000-$25,000/month data room
  • Over $1B: 3-6 months, $500K-$2M+ advisory fees, $10,000-$50,000+/month data room

The 14-week mid-market benchmark assumes a clean process with 6+ parallel workstreams running against a serial critical path. The critical path: QoE finalization gates SPA negotiation gates financing commitment gates R&W insurance binding gates HSR clearance gates close. Any one of those serial gates can extend the deal by 2-4 weeks; the lengthening trend (88% of dealmakers report sign-to-close has lengthened in past 3 years per SRS Acquiom Q3 2024) reflects increased friction at multiple gates simultaneously.

For the full critical-path playbook with workstream timelines, R&W underwriting mechanics, HSR clock orchestration, and the Confirmatory-DD Cliff frame, see the DD Timeline. For the workstream-by-workstream cost ladder with 5-lever cost drivers and the 8-workstream cost wedge, see Due Diligence Costs in 2026.

How does Peony support due diligence workflows?

Peony is the data room infrastructure layer for buy-side and sell-side DD. We serve 4,300+ customers across venture financings, mid-market M&A, PE platform and add-on deals, and fundraises — and the same five capabilities show up across every DD workflow:

AI auto-indexing. Upload your documents and our AI sorts them into the standard 10-category DD checklist structure in under 3 minutes. This is the most common Phase 3 bottleneck — manually building folder structures across 5,000-50,000 pages of mid-market deal documents.

Page-level analytics. Track which counterparty stakeholders viewed which pages, for how long, and when. On a sell-side process, this tells you which bidders are seriously engaged and which are going through the motions. On a buy-side process, it shows the seller's advisor which workstreams need more support.

NDA gate and dynamic watermarking. Every viewer must accept the NDA before any document loads. Each click-through is logged with IP address, timestamp, and user-agent. Dynamic watermarks embed each viewer's identity into every rendered page, which deters re-sharing and creates a forensic trail if leakage happens.

Smart Q&A with AI-drafted responses. The counterparty submits questions through the data room. AI drafts initial responses from your uploaded documents with cited page numbers. Your team approves them through a structured workflow. Every question, answer, and revision is recorded in a full audit trail.

Screenshot protection on crown-jewel documents. Block and log screenshot attempts on the most sensitive documents — customer contracts, source code architecture diagrams, founder cap tables. Used most often during the Phase 4 deep-dive on competitive-intelligence material.

For the broader DD workflow context, see Peony's DD solutions page and the M&A solutions page for sell-side and buy-side flows. For PE platform and add-on diligence rooms, see Private Equity Solutions.

Honest limitations: if your deal team or counterparty's counsel picks tools based on brand legacy rather than speed and capability, Peony may not be the right fit — and that is fine. For teams that care about how fast their data room is live, how granular their analytics are, and how much they are paying per month, we are the strongest option I have tested. We charge $40/user/month without per-page fees or storage caps, which makes us appropriate for venture-through-mid-market DD; mega-deal cross-border platforms with 200,000+ pages may still default to Datasite or Intralinks on tooling familiarity even where the feature set is comparable.

Frequently asked questions

What is due diligence in M&A?

Due diligence is the structured investigation a buyer (or investor, or lender) runs on a target before a deal closes. The buyer reviews documents, interviews management, runs analyses, and pressure-tests the seller's claims to validate value, surface risks, and translate findings into purchase price adjustments, escrows, indemnities, and walk-away decisions. Modern M&A DD covers 7 universal workstreams (financial, legal, tax, IP, HR, IT/cyber, commercial) plus 2 sector-gated workstreams (environmental, AI). Mid-market DD runs 8-14 weeks at 0.2-4% of deal value in advisory costs. 30-50% of signed LOIs collapse during DD per Acquisition Stars 2026 — making it the most consequential stage of any deal lifecycle. Peony data rooms support buy-side and sell-side DD with AI auto-indexing, page-level analytics, NDA gating, and dynamic watermarking.

I'm a sell-side founder preparing for an exit — what do buyers actually look for in DD?

Buyers look for three things in sell-side DD: (1) confirmation that the headline financials hold up under normalization (Quality of Earnings, working capital, revenue quality), (2) absence of hidden liabilities (litigation, tax nexus exposure, broken IP assignment chains, undisclosed cyber incidents), and (3) durability of the asset post-close (customer concentration, key-person flight risk, contract change-of-control termination rights). Cyber reps were absent from 22% of 2025-cohort deals (up from 5% in 2024) per SRS Acquiom's 2025 Deal Terms Study, as sellers increasingly refuse standalone cyber reps. 70% of PE firms have walked away from a deal after identifying that generative AI could negatively impact the target's business model. Sellers who run vendor DD pre-market — commissioning their own QoE, IP audit, and cyber pen test — sell faster and at higher multiples. Peony data rooms let sellers stage access (teaser → NDA gate → deeper folders unlock per phase) and track which buyers actually engage with which documents.

What are the 7 main types of due diligence?

The 7 universal types of due diligence are: (1) Financial DD — Quality of Earnings, working capital normalization, EBITDA quality testing, cash flow review; (2) Legal DD — corporate structure, contracts, litigation, IP ownership, regulatory compliance; (3) Tax DD — federal/state/international exposure, sales tax nexus, transfer pricing, NOL utilization; (4) IP DD — patent, trademark, copyright assignment chain, open-source license compliance, trade secrets; (5) HR DD — compensation, benefits, key-person identification, employee classification, immigration; (6) IT and Cybersecurity DD — architecture, NIST CSF 2.0 maturity, incident history, vendor risk; (7) Commercial DD — market sizing, customer concentration, pipeline quality, pricing power. Two sector-gated bonus types apply when relevant: Environmental DD (industrial, real estate, energy) and AI DD (any target with material AI exposure). Peony's DD checklist covers 174 documents across these workstreams.

I'm a VC associate running fund or portfolio DD — how is investment DD different from M&A DD?

Investment DD compresses M&A's 8-week workstream stack into 1-4 weeks of forward-looking analysis. The biggest differences: VC DD weights team and market over historical financials (most targets are pre-profit), TAM-and-traction analysis replaces QoE, founder-CEO assessment replaces leadership DD on a full management team, and IP DD focuses on the assignment chain from contractor-built code rather than a patent portfolio. LP DD on a fund inverts again — operations, track record attribution, governance, and key-person clauses replace target-company analysis. Peony's investment DD checklist covers the 60-document standard for Series A through Series C diligence with NDA-gated rooms, watermarking, and page-level analytics.

I'm a PE associate scoping DD on a platform or add-on — what workstreams matter most?

PE DD workstream weight shifts by deal type. For platforms (the initial flagship acquisition in a roll-up thesis), the scope is full 7-workstream DD with heavy investment in Quality of Earnings, working capital normalization, leadership assessment, and 100-day plan validation. For add-ons (subsequent acquisitions under a platform), DD compresses to financial, legal, tax, and commercial workstreams — IT/cyber and HR ride on the platform's existing diligence stack. Confirmatory DD timing tightens to 1-2 weeks for add-ons. Goodwin Procter October 2025 reported that PE sign-to-close lengthened 64% from 2023 to 2024, with 59% of senior bankers citing 1-3 months added to DD timelines. Peony supports PE DD with multi-deal data rooms, page-level analytics that show which workstreams are getting reviewed, and AI Q&A for cross-portfolio query bursts.

How long does due diligence take and what does it cost in 2026?

DD timing and cost scale with deal size: under-$10M acquisitions close DD in 3-4 weeks at $25K-$75K advisory fees; mid-market $10M-$50M deals run 4-8 weeks at $50K-$150K; $50M-$250M deals run 6-10 weeks at $100K-$300K; $250M-$1B deals run 8-14 weeks at $200K-$500K+; mega-deals over $1B run 3-6 months at $500K-$2M+. The 14-week mid-market benchmark assumes a clean process with 6+ parallel workstreams running against a serial critical path (QoE → SPA → financing → R&W insurance → HSR clearance). Total DD spend runs 0.2-4% of deal value per Bain. For the full critical-path playbook, see the DD Timeline. For workstream-by-workstream cost breakdown, see Due Diligence Costs in 2026.

Five 2026 trends every dealmaker should track: (1) Cyber-as-standalone — cyber reps were absent from 22% of 2025-cohort deals (up from 5% in 2024) per SRS Acquiom 2025 Deal Terms Study, signaling that sellers are increasingly refusing standalone cyber reps; (2) AI-defensibility column added — 70% of PE firms have walked away from a deal after identifying that generative AI could negatively impact the target's business model; (3) Sign-to-close lengthening — PE deal timelines lengthened 64% from 2023 to 2024 per Goodwin Procter October 2025; (4) ESG/CSDDD bifurcation — the EU's March 2026 Omnibus simplification narrowed CSDDD scope to >5,000-employee + €1.5B-revenue companies, removing 85-90% of previously in-scope firms; (5) HSR Q1 2026 reset — size-of-transaction threshold $133.9M (up 6%), top-tier filing fee $2.46M, effective February 17 2026 per the FTC. For the trends deep dive, see the DD Timeline Confirmatory-DD Cliff frame.

I'm a search-fund principal acquiring a sub-$10M business — what's different about my DD?

Search-fund and small-business DD compresses to 3-4 weeks with $25K-$75K in advisory fees. The mechanics: financial DD focuses on owner add-backs and the SDE-to-EBITDA bridge (Seller's Discretionary Earnings translation), legal DD scope tightens to corporate structure and customer/vendor contracts, tax DD scrutinizes the SBA 7(a) loan requirements (10% buyer equity, personal guarantee), HR DD focuses on the 2-5 key employees who actually run the business, and IT/cyber DD is usually a checkbox unless the target handles regulated data. The SBA 10% Rule (buyer must contribute at least 10% equity) is the single biggest constraint on small-business DD. For the full small-business playbook, see Small Business Due Diligence and our Startup DD Guide.

What is third-party or vendor due diligence?

Third-party DD (also called vendor DD when commissioned by a seller) is the diligence run on intermediaries, suppliers, agents, and counterparties — not on a deal target. The 5-jurisdiction compliance frame: FCPA (US, anti-bribery), UK Bribery Act / Failure to Prevent Fraud, OFAC (US sanctions), UFLPA (US forced-labor import), and the EU's CSDDD (now narrowed to >5,000-employee + €1.5B-revenue companies after the March 2026 Omnibus). Vendor due diligence is a different concept: a SELLER commissions their own QoE, IP audit, and cyber pen test pre-market to accelerate the eventual buy-side DD process. For the full third-party compliance frame, see Third-Party Due Diligence. For seller-side vendor DD prep, see Sell-Side Due Diligence.

What is a due diligence report and who writes it?

A DD report is the deliverable each workstream produces summarizing findings, red flags, recommended deal-term protections, and walk-away triggers. Standard structure: executive summary, scope and methodology, key findings (organized by issue severity), recommended SPA reps and indemnities, recommended purchase-price adjustments, recommended escrow or holdback sizing, and an appendix with supporting analysis. Reports are written by the workstream specialist — QoE report by the accounting firm, legal DD report by buy-side counsel, cyber DD report by the security consultant, leadership DD report by the executive-assessment firm. The integrated DD report — the cross-workstream synthesis that gates the go/no-go decision — is typically owned by the lead M&A advisor or PE deal partner. Peony data rooms house DD reports under separate workstream folders with page-level analytics that show which counterparty stakeholders have reviewed each deliverable. For the full DD report structure and DDQ scope, see Due Diligence Report and Due Diligence Questionnaire.