Due diligence in Spain: what changed and what’s coming

Pre-investment and acquisition analysis is no longer limited to finance and legal aspects: today it also includes sustainability, GDPR, and compliance

Due diligence in Spain has entered a new phase. Until a few years ago, this exhaustive review process prior to an investment or acquisition focused mainly on numbers and contracts. Today, however, the picture is different: European regulations, pressure from regulators, and growing investor demands have broadened the scope of analysis. The impact of sustainability, data protection, and compliance culture is now decisive for closing deals. This transformation is not cosmetic — those who fail to adapt lose appeal to private equity funds, institutional investors, and corporates. The key question is no longer just “What is the company worth?” but “What hidden risks could compromise its future?”

What is due diligence?

Due diligence is the detailed investigation carried out before closing an investment, merger, or acquisition. Its goal is to identify risks, validate information, and ensure there are no surprises that could affect the transaction’s value. Traditionally, this involved reviewing financial statements, contracts, pending litigation, and tax status. But practices have evolved: today, due diligence also covers GDPR compliance, the existence of a criminal compliance program, sustainability and ESG strategy, and even workplace climate or diversity policies. In other words, the analysis no longer stops at the balance sheets — it also examines what sustains a company’s reputation and long-term viability.

How due diligence has changed in Spain

Beyond the numbers

• Finance + ESG: Investors now value both financial strength and the company’s ability to adapt to the green transition.

• Legal + GDPR: Contracts matter, but so does how client and employee data is protected.

• Tax + Compliance: A clear tax plan without an effective corporate crime prevention program is no longer enough.

Regulations that make the difference

• CSDDD Directive (Corporate Sustainability Due Diligence): Will require thousands of companies to report environmental and social risks.

• GDPR: Non-compliance can lead to multimillion-euro fines and destroy investor and customer trust.

• Spanish Criminal Code: Demands effective compliance programs to avoid corporate criminal liability.

Real case in Spain

In 2022, an international fund decided not to acquire a Madrid-based tech company despite its strong growth potential. The reason: lack of a robust compliance program and insufficient data policies to meet GDPR standards. The issue wasn’t the price — it was the reputational and legal risk.

“Due diligence is no longer focused solely on accounts and contracts; today, the sustainability of the business model is analyzed comprehensively.” — Jorge Quintana, ACK3 CEO

What it means for investors and companies

For investors

• Mitigate legal and reputational risks.

• Identify opportunities in companies with sustainable practices.

• Ensure safety in a highly regulated market.

For companies

• Preparing for comprehensive due diligence increases perceived value.

• Integrating ESG, GDPR, and compliance makes companies more attractive to capital.

• Ignoring these areas can lead to failed deals.

Is your company looking for a due diligence consultancy in Spain?

Due diligence is no longer just financial or legal: today it assesses how a company manages risk, protects data, and ensures regulatory compliance. At ACK3, we support companies in investment and merger processes, providing expertise in risk management and business intelligence. If your organization wants to strengthen its appeal to international investors, now is the time to act.