Gearing up for exit or making a strategic acquisition can be a daunting task, and it is important to be prepared. This briefing highlights the key legal due diligence issues to arise in relation to software businesses in the UK and EU, focussing on intellectual property and trading arrangement aspects.
While we touch on certain watchouts from a regulatory perspective, other regulatory and tax due diligence considerations are beyond the scope of this briefing.
The value of a software business is largely based on what IPRs it owns. Accordingly, it is crucial to establish what IPRs are material to the business and who owns those IPRs. They can take the form of trade marks (for business names or the names of software products), patents (in the software's functionality), copyright (in the software code), and sometimes database rights and designs. Other rights that are not "intellectual property" in a strict sense, such as domain names and confidential information, are likely to be important to the business too.
It will be easier to identify and check title to registered IPRs than unregistered rights: trade marks and designs may exist as registered or unregistered rights, patents only exist as registered rights, and in the UK and EU (unlike in the US), copyright is not registrable. The buyer will usually conduct searches of trade mark and patent registers for all relevant jurisdictions and a WHOIS database search for domain names.
As well as identifying registered IP, given that material IP in a software business will be copyright and not registered, the seller should be required to list its material unregistered rights. It is important to check that there is a clear chain of title to all material software products. The seller should be required to identify how, when and by whom each key software product was developed and whether the software was developed by external consultants or employees. Unless there are relevant provisions in a consultancy agreement, external consultants will own the IP they create, and so the seller will need to evidence an effective assignment of all IPRs in the software to the business. Although copyright created in the course of employment will belong to an employer under English law, this is not necessarily the case in other jurisdictions, and it is good practice also to include assignment provisions in employment contracts. Local advice should be sought (e.g. in jurisdictions in which key software products have been developed) as laws differ across European jurisdictions – it is common for one law firm to coordinate the obtaining of this advice across the relevant jurisdictions.
If there is know-how which is important to the target business, it is important to ensure that this is adequately documented, has been protected by strict obligations of confidentiality and that, on receipt of such information, the buyer will be in a position to use it to operate the target business (otherwise transitional arrangements may need to be put in place to facilitate the effective transfer of know-how).
The business may have failed to register key IPRs in respect of key markets, providing only limited protection over their use. These could be as material as the business name and its logo.It is essential that any major issue raised in the IP due diligence process is remedied before or on completion (e.g. via confirmatory assignments) to allow a buyer to operate the business effectively following the transaction. If issues are discovered, further protection can be sought through the warranties and specific indemnities given in the transaction documents, and in some cases a reduction in price can be negotiated.
The seller should be required to identify where IP material to the business has been licensed in from third parties and the buyer will need to carefully review the terms of those licences to check, for example, that the licence is granted to the correct licensee and is sufficiently broad to enable the business to exploit the software in all key markets (including, where appropriate, to sublicense the business' customers) and that the licence cannot be terminated as a result of the transaction (i.e. there is no change of control or equivalent provision).
A common risk area in software M&A is OSS, the use of which may not always be known to the sellers, even though the vast majority of code bases include some form of OSS. Certain OSS licences include terms under which the licensee is required to make the source code to derived works (i.e. works that incorporate, or are based on, modified or unmodified copies of the particular OSS) freely available under the terms of the OSS licence (aka "copyleft" terms). This can be a fundamental problem where the business is selling software to customers. OSS risks (and how to avoid them) are considered in more depth in this briefing.
If an important component of the target's key software products is provided in object code form or as software as a service (SaaS), a buyer should check that there's a robust escrow arrangement in place to ensure that the business has access to the source code to the third-party software (and other necessary supporting technical information) if, for example, the third-party supplier becomes insolvent or is in material breach of the licence or support arrangements.
A seller wants to be able to demonstrate to potential buyers that it has a reliable revenue stream, and any potential buyer wants to know that the business is profitable and has growth potential.
Contracts with the business' customers should be carefully reviewed during the due diligence process.
The buyer will want to know whether the IP position gives rise to any exposure to disputes. Information on disputes will largely be gleaned from the seller's responses to the due diligence questionnaire (and data room copies of correspondence etc), but may also be gathered from searches (e.g. searches for similar trade marks), and the buyer's review of IP licences, including the OSS position. This earlier briefing in the series looks at how to manage infringement risks, and a number of these strategies will also be relevant in a due diligence context.
A detailed explanation of the regulatory risks relevant to M&A in respect of software businesses (including competition law, export control, cybersecurity and data protection risks) is beyond the scope of this briefing. However, it is important to note that the regulatory risks associated with software businesses are on the rise, with the coming into force of the EU's Artificial Intelligence Act (AI Act) (see our briefing here). The AI Act, which has a staged application, will be relevant to software businesses engaging with AI systems that are either established in the EU or are established outside the EU but operate in the EU. The AI Act bans outright certain AI systems and categorises others according to risk tiers, with the most onerous obligations applying to AI systems categorised as "high-risk"; it also sets out a separate regime for general-purpose AI systems.
NSIA potentially impacts software business M&A. It requires parties to notify the UK government about investments in sectors which may give rise to national security risks. NSIA captures a wide range of assets, including for example acquisitions of certain types of licences or transfer of relevant software or data, even where the software or data itself is situated outside the UK. There are 17 mandatory sectors where parties are not able to close a transaction without having received approval from the UK government. Failure to comply with the mandatory notification regime will result in the non-notified transaction being automatically void and could also lead to substantial civil and criminal penalties. Transactions that are not caught by the mandatory notification regime can be called in for investigation by the Secretary of State for up to six months from the date that they become aware of the transaction, subject to a longstop of five years after completion. For briefings setting out an overview of the NSIA, as well as how it applies to software businesses, see here and here.
For data protection considerations relevant to software businesses, see here .
For information about cybersecurity obligations and incident notification requirements that apply to certain businesses providing digital infrastructure, ICT management and digital services under the EU's NIS2 and under the UK's Network and Information Systems Regulations 2018 (which the new UK government is looking to reform and expand), see here.
