Security & Compliance

May 2026 Compliance Landscape: New Regulations Impacting M&A and Fundraising

EU AI Act enforcement begins, SEC cyber disclosure evolution, UK Data Protection Act reforms, HIPAA Security Rule update, and the rise of AI governance in deal data. What deal teams need to know.

SR

Sophia Rahman

Head of Security · May 20, 2026 · 6 min read

May 2026 Compliance Landscape

The regulatory environment for M&A, fundraising, and corporate transactions is shifting faster than at any point in the last decade. Five regulatory developments from the past quarter are particularly relevant for deal teams. Here is what you need to know.

1. EU AI Act Enforcement Has Begun — And It Affects Deal Data

The EU AI Act's enforcement provisions began phasing in during 2025, with full enforcement now active for high-risk AI systems. For deal teams, the implications are concrete:

  • **AI-driven due diligence tools** used in M&A and credit decisions may now be classified as "high-risk AI" and subject to conformity assessments, transparency requirements, and human oversight mandates
  • **AI in VDR features** (auto-redaction, smart classification, anomaly detection) is subject to new transparency and documentation requirements
  • **AI in financial services** (including investment banking M&A advisory) is subject to additional sector-specific requirements
  • For VDR providers, this means: documented AI governance programs, model cards for AI features, and customer-facing transparency about how AI is used in the platform. For deal teams, it means: understanding which VDR features use AI, ensuring the provider has appropriate governance, and documenting your own AI usage in deal processes.

    2. SEC Cyber Disclosure Rules Are Evolving Through Enforcement

    The SEC's 2023 cybersecurity disclosure rules are now generating meaningful enforcement actions. The trend from recent cases:

  • **Materiality assessments are being scrutinized** — the SEC has challenged companies that downplayed incidents or delayed materiality determinations
  • **Third-party vendor incidents are in scope** — companies that experienced breaches via vendors (including VDR providers) have faced scrutiny for inadequate vendor risk management
  • **Internal controls are being tested** — the SEC is examining whether companies have adequate cybersecurity controls and disclosure procedures
  • Practical implications for deal teams:

  • Update your VDR incident notification procedures to align with 4-business-day disclosure timelines
  • Document vendor security due diligence as part of your internal controls
  • Ensure your VDR contract has clear incident notification SLAs and cooperation obligations
  • 3. UK Data Protection Reforms Are Reshaping Cross-Border M&A

    The UK's Data Protection and Digital Information Bill is progressing through Parliament, with expected enactment in 2026. Key changes for deal teams:

  • **Reduced compliance burden** for "low-risk" processing (but M&A due diligence and fundraising typically don't qualify)
  • **New legitimate interests basis** for some processing activities
  • **Updated international transfer mechanisms** that may diverge from EU GDPR over time
  • For cross-border UK-EU-US transactions, the picture is becoming more complex. The practical advice:

  • Maintain GDPR compliance as the baseline — UK and EU requirements are largely aligned
  • Plan for divergence — UK requirements may diverge from EU GDPR over time
  • Choose VDR providers with UK and EU data residency options so you can adapt as regulations evolve
  • 4. HIPAA Security Rule Update: What Healthcare Deal Teams Need to Know

    The HIPAA Security Rule update (NPRM) is in the final rule stage, with expected publication later in 2026. Key proposed changes that will affect healthcare M&A:

  • **Mandatory MFA** for all access to PHI (previously "addressable")
  • **Encryption requirements** strengthened for PHI at rest and in transit
  • **Annual technical risk analyses** required, not just addressable
  • **Asset inventory and network mapping** required, not just addressable
  • **Vulnerability scanning and penetration testing** required annually
  • **Incident response planning** with specific timelines
  • For healthcare deal teams: choose a VDR provider with HIPAA BAA, support for the updated Security Rule requirements, and documented technical safeguards. The days of "addressable but not implemented" security controls are ending.

    5. AI Governance Has Become a Material Deal Term

    AI governance is no longer just a technology question — it is a material deal term in M&A, fundraising, and corporate transactions. Diligence teams are asking:

  • **AI training data**: Where did the model weights come from? What data was used? Is there IP risk in the training data?
  • **Model documentation**: Are there model cards, performance benchmarks, and bias evaluations?
  • **AI governance**: Is there an AI governance program with documented policies, oversight, and audit trails?
  • **Regulatory exposure**: How does the company comply with EU AI Act, sector-specific AI regulations, and emerging AI laws?
  • For founders raising capital in 2026, expect AI governance to be a standard diligence topic. For acquirers, expect AI governance diligence to be a significant portion of technical and legal diligence work.

    For VDR providers supporting these transactions, expect the VDR to be a key part of the AI governance diligence trail: model cards, training data documentation, bias evaluations, and AI governance policies all need to be uploaded, organized, and accessible in the data room.

    Looking Ahead to H2 2026

    The regulatory environment is only getting more complex. Deal teams should:

  • **Build a regulatory radar** that tracks AI, privacy, and cybersecurity developments across jurisdictions
  • **Engage specialized counsel** for cross-border transactions involving multiple regulatory regimes
  • **Choose VDR providers with strong compliance** that can adapt as regulations evolve
  • **Document compliance posture** as part of the deal record
  • The VDR has become a critical compliance infrastructure component. The providers that win enterprise deals in 2026 are the ones that treat compliance as a core capability — not a checkbox.

    [Request a compliance review →](/demo) | [Read the VDR compliance FAQ →](/faq/vdr-compliance) | [See all VDR features →](/features)

    About the Author

    SR

    Head of Security, SpaceNexus

    Sophia leads security and compliance at SpaceNexus, ensuring the platform meets the rigorous standards required by regulated industries. She holds CISSP and CISM certifications and previously served as a security architect at a global investment bank for 9 years.

    CISSP (Certified Information Systems Security Professional)CISM (Certified Information Security Manager)Former Security Architect, Global Investment Bank

    Ready to set up your data room?

    Get started in under 24 hours. No credit card required.

    Talk to Founders →