Navigating Cross-Border Risks in India’s IT Mergers and Acquisitions
India’s Information Technology (IT) sector stands as a global leader, driving digital consolidation through ambitious cross-border mergers and acquisitions (M&A). Indian IT firms pursue international deals to achieve scale, acquire specialised talent, and secure valuable intellectual property (IP), reshaping the global technology landscape. IT services giants like TCS, Infosys, and Wipro, alongside SaaS innovators like Zoho and Freshworks, and Global Capability Centers (GCCs), actively acquire targets in AI, cloud, cybersecurity, and healthcare tech. However, cross-border risks spanning legal, regulatory, and operational challenges emerge at every M&A stage, from due diligence to post-merger integration. This article equips senior leaders with a hybrid consulting perspective, blending management, finance, legal, and technology expertise to navigate these complexities.
Industry Context: Cross-Border Risks in India’s Global IT M&A
India’s Information Technology sector plays a pivotal role in global mergers and acquisitions, with leading IT services companies, SaaS startups, and GCCs actively pursuing international deals to expand capabilities, access new markets, and acquire cutting-edge intellectual property. Over the past decade, India’s IT M&A volume has steadily grown, driven by strong demand from BFSI, healthcare, retail, and manufacturing clients across the US, EU, and APAC regions.
However, as Indian firms scale internationally, they face significant cross-border risks. These include navigating multiple regulatory frameworks, complying with data privacy laws like GDPR, managing export controls, and addressing local employment and tax norms. Even small oversights in legal compliance or due diligence can lead to costly disputes or failed deals.
Understanding these cross-border risks is vital for decision-makers planning international transactions. By proactively managing legal complexities, Indian IT firms can unlock value from global acquisitions while safeguarding stakeholder interests.
1. Recent Developments in Cross-Border IT M&A (Mid-2025)
As of mid-2025, Indian IT firms continue aggressive expansion into mature markets. Notable international deals include a mid-cap SaaS firm acquiring a US-based DevOps platform for $200 million to enhance cloud-native offerings and an IT services giant purchasing a UK-based AI analytics provider to bolster GCC capabilities. Mid-cap firms increasingly target innovative startups in AI and cybersecurity, strengthening their global footprint.
Regulatory changes shape the M&A landscape. In August 2024, the Indian Finance Ministry amended the Foreign Exchange Management (Non-debt Instruments) Rules, 2019, enabling cross-border share swaps to streamline outbound acquisitions. The Finance Act, 2024, introduced valuation norms for cross-border deals, enhancing transparency. The Securities and Exchange Board of India (SEBI) relaxed private equity investment norms for foreign entities, boosting deal volumes. The Digital Personal Data Protection Act (DPDPA), with draft rules released in January 2025, tightens legal compliance for offshore data transfers, adopting a “blacklisting” approach for countries, diverging from GDPR’s adequacy model. Stricter GDPR enforcement in the EU and new US Department of Justice (DOJ) rules effective April 2025 further complicate cross-border data flows, amplifying cross-border risks.
2. Key Legal Risks in Cross-Border IT M&A
Cross-border risks in IT M&A demand meticulous navigation to protect deal value and ensure compliance. Key challenges include:
- Jurisdictional Complexities
Multi-country deals involve reconciling diverse legal frameworks, tax regimes, and corporate governance standards. For example, an Indian firm acquiring a US target must comply with India’s Foreign Exchange Management Act (FEMA) and US state laws, creating potential conflicts and cross-border risks.
- Data Privacy and Transfer Laws
Compliance with GDPR, DPDPA, and HIPAA is critical for data-intensive IT M&A. GDPR mandates strict data processing and transfer rules, with fines up to €20 million or 4% of global turnover for violations. DPDPA’s blacklisting approach lacks clarity on cross-border data transfers, increasing compliance risks. HIPAA governs health-related data in the US, adding complexity for healthcare tech acquisitions.
- IP Ownership Disputes
IP, often the core value in IT M&A, risks ownership disputes across jurisdictions. Inadequate due diligence on patents, copyrights, or trade secrets can lead to litigation, undermining deal value and escalating cross-border risks.
- Regulatory Hurdles
FDI caps, export controls, and sector-specific approvals pose significant cross-border risks. India’s FEMA requires government approval for investments from countries sharing land borders. US export controls, tightened in 2025, restrict sensitive technology transfers. SEBI’s Takeover Code mandates disclosures for listed entities, adding compliance burdens.
- Employment Law Issues
Integrating workforces across jurisdictions raises challenges. The EU’s Acquired Rights Directive mandates retaining employee benefits, while US “at-will” employment laws require careful contract drafting. Missteps can lead to litigation and employee dissatisfaction.
- Anti-Bribery and Anti-Corruption Compliance
The US Foreign Corrupt Practices Act (FCPA) and UK Bribery Act impose strict anti-corruption standards with extraterritorial reach. Non-compliance by targets, pre- or post-acquisition, risks severe penalties.
3. Contract Enforceability and Dispute Resolution
Ensuring contracts are enforceable across jurisdictions is critical. Selecting dispute resolution forums, such as arbitration under the Singapore International Arbitration Centre (SIAC), mitigates cross-border risks from legal disputes.
4. Strategic Implications: A Hybrid Consulting Approach
A hybrid consulting framework integrating management, finance, legal, and technology expertise helps mitigate cross-border risks:
- Due Diligence Frameworks
Conduct multi-disciplinary due diligence, assessing financials, legal compliance, data privacy practices, IP portfolios, and cybersecurity posture. Use secure data rooms and engage local counsel to uncover jurisdiction-specific liabilities.
- Structuring Options
Leverage FEMA’s share swap provisions or joint ventures to navigate FDI caps and regulatory hurdles. Secure Reserve Bank of India (RBI) approvals early to avoid delays.
- Negotiating Representations and Warranties
Include robust representations, warranties, and indemnities addressing data privacy, IP validity, and anti-corruption compliance. Negotiate escrow arrangements to cover potential liabilities.
- Managing Integration
Develop integration plans prioritising legal compliance. Harmonise data governance with GDPR and DPDPA, align employment contracts, and appoint integration managers to ensure cross-functional alignment.
- Leveraging Local Counsel
Engage local counsel for jurisdiction-specific filings, such as CFIUS reviews in the US or EU merger notifications, to ensure compliance and reduce delays.
5. Tax Treaties and IP Transfer Pricing
Utilise India’s tax treaties with the US and EU to optimise tax liabilities. Implement IP transfer pricing safeguards per OECD guidelines to avoid tax disputes.
6. Addressing Cybersecurity
Conduct cybersecurity due diligence to assess target vulnerabilities. Post-acquisition, integrate encryption, access controls, and incident response plans to comply with DPDPA and GDPR.
Illustrative Examples
- Case 1: SaaS Firm Acquiring a US DevOps Platform
CodeInnovate, an Indian SaaS firm, acquired DevOpsPro, a US-based DevOps platform, for $200 million to enhance its cloud offerings. Due diligence revealed DevOpsPro served US government contractors, triggering strict export control regulations under the Bureau of Industry and Security (BIS). CodeInnovate engaged specialised counsel, secured BIS clearances, and adjusted deal valuation to account for compliance costs. A FEMA-enabled share swap streamlined the transaction, while a unified cybersecurity framework ensured DPDPA and US privacy law compliance, mitigating cross-border risks.
- Case 2: IT Services Firm Acquiring an EU Healthcare Tech Provider
TechServe India, an IT services giant, acquired MediLink EU, a German healthcare tech provider, to bolster its digital healthcare portfolio. GDPR compliance posed significant cross-border risks due to MediLink’s handling of sensitive patient data. TechServe invested in GDPR diligence, reviewing data processing agreements and consent mechanisms. They appointed an EU Data Protection Officer, adopted Standard Contractual Clauses (SCCs) for data transfers, and aligned internal protocols with GDPR and DPDPA, ensuring legal compliance.
Conclusion
Cross-border M&A offers Indian IT firms unparalleled opportunities for growth, innovation, and global leadership. However, cross-border risks spanning jurisdictional complexities, data privacy, IP disputes, and regulatory hurdles demand proactive management. By adopting a hybrid consulting approach, prioritising comprehensive due diligence, strategic deal structuring, and robust legal compliance, Indian IT leaders can transform challenges into advantages. Mastering cross-border risks ensures successful IT M&A execution, positioning India’s IT sector as a global powerhouse.
About LawCrust
LawCrust Global Consulting Ltd. delivers cutting-edge Hybrid Consulting Solutions in Management, Finance, Technology, and Legal Consulting to ambitious businesses worldwide. Recognised for our cross-functional expertise and hybrid consulting approach, we empower startups, SMEs, and enterprises to scale efficiently, innovate boldly, and navigate complexity with confidence. Our services span key areas such as Investment Banking, Fundraising, Mergers & Acquisitions, Private Placement, and Debt Restructuring & Transformation, positioning us as a strategic partner for growth and resilience. With an integrated consulting model, fixed-cost engagements, and a virtual delivery framework, we make business transformation accessible, agile, and impactful.