May 2026 Compliance Landscape
The regulatory environment for M&A, fundraising, and corporate transactions is shifting faster than at any point in the last decade. Five regulatory developments from the past quarter are particularly relevant for deal teams. Here is what you need to know.
1. EU AI Act Enforcement Has Begun — And It Affects Deal Data
The EU AI Act's enforcement provisions began phasing in during 2025, with full enforcement now active for high-risk AI systems. For deal teams, the implications are concrete:
For VDR providers, this means: documented AI governance programs, model cards for AI features, and customer-facing transparency about how AI is used in the platform. For deal teams, it means: understanding which VDR features use AI, ensuring the provider has appropriate governance, and documenting your own AI usage in deal processes.
2. SEC Cyber Disclosure Rules Are Evolving Through Enforcement
The SEC's 2023 cybersecurity disclosure rules are now generating meaningful enforcement actions. The trend from recent cases:
Practical implications for deal teams:
3. UK Data Protection Reforms Are Reshaping Cross-Border M&A
The UK's Data Protection and Digital Information Bill is progressing through Parliament, with expected enactment in 2026. Key changes for deal teams:
For cross-border UK-EU-US transactions, the picture is becoming more complex. The practical advice:
4. HIPAA Security Rule Update: What Healthcare Deal Teams Need to Know
The HIPAA Security Rule update (NPRM) is in the final rule stage, with expected publication later in 2026. Key proposed changes that will affect healthcare M&A:
For healthcare deal teams: choose a VDR provider with HIPAA BAA, support for the updated Security Rule requirements, and documented technical safeguards. The days of "addressable but not implemented" security controls are ending.
5. AI Governance Has Become a Material Deal Term
AI governance is no longer just a technology question — it is a material deal term in M&A, fundraising, and corporate transactions. Diligence teams are asking:
For founders raising capital in 2026, expect AI governance to be a standard diligence topic. For acquirers, expect AI governance diligence to be a significant portion of technical and legal diligence work.
For VDR providers supporting these transactions, expect the VDR to be a key part of the AI governance diligence trail: model cards, training data documentation, bias evaluations, and AI governance policies all need to be uploaded, organized, and accessible in the data room.
Looking Ahead to H2 2026
The regulatory environment is only getting more complex. Deal teams should:
The VDR has become a critical compliance infrastructure component. The providers that win enterprise deals in 2026 are the ones that treat compliance as a core capability — not a checkbox.
[Request a compliance review →](/demo) | [Read the VDR compliance FAQ →](/faq/vdr-compliance) | [See all VDR features →](/features)