Cybersecurity compliance in Belgian healthcare M&A 

Belgium has taken a leading role in the EU by being the first Member State to transpose the NIS2 Directive into national law. This move has significantly raised the bar for cybersecurity compliance, particularly in the healthcare and life sciences sectors. The legislation is expected to impact over 2,500 entities, including hospitals, pharmaceutical manufacturers, and research organisations. While distributors are generally exempt, manufacturers and R&D entities are firmly within scope. The NIS2 Directive introduces a broad set of obligations that go beyond technical safeguards. It embeds cybersecurity into the legal and governance frameworks of qualifying organisations, making it a key consideration in M&A transactions.  

Key M&A implications: 

  • Legal due diligence must now assess: 
    • Whether the target qualifies as an “essential” or “important” entity under NIS2. 
    • Registration status with the national cybersecurity regulator. 
    • Existing cybersecurity certifications (e.g. ISO 27001). 
    • History of reportable incidents, disputes, or regulatory actions. 
    • Cybersecurity clauses and liability provisions in key contracts, especially in the supply chain.
  • Management boards are under increased scrutiny: 
    • They must approve and oversee cybersecurity risk management measures. 
    • Regular training is required to ensure they understand the risks and legal obligations. 
    • Non-compliance can lead to personal liability, including temporary bans from executive roles.

Strategic considerations for buyers:

Acquiring a smaller target that was previously out of scope may trigger full NIS2 compliance post-acquisition, especially if IT systems are integrated. The cost and complexity of bringing a non-compliant target up to standard can materially affect deal valuation and integration planning. Buyers should consider whether the target’s cybersecurity posture aligns with group-wide standards and regulatory expectations. In short, cybersecurity is no longer a peripheral issue in Belgian healthcare M&A—it is a central legal and strategic concern that can influence deal structure, timing, and risk allocation. 

AI regulation in Swiss healthcare transactions

Switzerland is emerging as a key jurisdiction for innovative companies using artificial intelligence (AI) in healthcare. While the country has not yet enacted a dedicated AI law, it is taking significant steps to address the legal implications of AI technologies used in diagnostics, drug development, and medical devices. The Swiss government’s signature of the Council of Europe’s Convention on AI and Human Rights signals a clear intention to align with international standards while maintaining Switzerland’s reputation as an innovation-friendly hub. 

Although the regulatory framework is still evolving, several existing laws already impose meaningful obligations on companies deploying AI in healthcare settings. 

Key legal considerations: 

  • AI systems must comply with: 
    • The Swiss Data Protection Act, which mandates fair and transparent processing of personal data. 
    • Anti-discrimination provisions under the Swiss Constitution and Gender Equality Act. 
    • Product safety and liability rules under the Therapeutic Products Act and Medical Devices Ordinances. 
    • Unfair competition laws, particularly in relation to deceptive AI-generated content. 
  • Companies may face civil or criminal liability for: 
    • Discriminatory or biased AI outputs. 
    • Defective AI-enabled products. 
    • Infringement of third-party intellectual property rights.

M&A impact and strategic considerations:

  • Due diligence in Swiss healthcare M&A now routinely includes:
    • Assessing the target’s use of AI systems and associated legal risks. 
    • Reviewing compliance with data protection and safety regulations. 
    • Evaluating exposure to liability for past or ongoing AI-related practices.

  • Buyers are increasingly: 
    • Negotiating enhanced representations and warranties around AI compliance. 
    • Factoring regulatory uncertainty into valuation and integration planning. 
    • Monitoring the forthcoming Swiss AI framework, expected by the end of 2026. 

In a jurisdiction known for its liberal regulatory approach, Switzerland is striking a balance between fostering innovation and ensuring accountability. For investors and acquirers, this means AI is no longer just a technological differentiator—it’s a legal and strategic variable that must be carefully managed in any transaction. 

Conclusion 

Belgium and Switzerland are setting the pace for regulatory developments in life sciences M&A, each in their own way. Belgium’s proactive implementation of the NIS2 Directive has made cybersecurity a legal cornerstone of healthcare transactions, while Switzerland’s evolving approach to AI regulation is reshaping how due diligence is conducted in tech-driven healthcare deals. 

For legal professionals, investors, and corporate decision-makers, understanding these jurisdiction-specific dynamics is essential. Cybersecurity and AI are no longer peripheral concerns—they are central to risk assessment, deal structuring, and long-term value creation in the life sciences sector. 

Want to dive deeper?

A more extensive version of this article, including insights from additional jurisdictions and detailed legal analysis, is available on the International Bar Association (IBA) website.