The M&A environment in the U.S. is undergoing rapid change due to shifting regulatory approaches, rising geopolitical risks, and heightened scrutiny across sectors. In this landscape, due diligence has become increasingly important.
Regulatory changes, undisclosed liabilities, and entity-level concerns that arise during a deal can influence the pricing, structure, and timeline of transactions. In some instances, these issues may impact whether a transaction is consummated.
Evolving federal oversight environment
The Trump administration has adopted a much more lenient approach to merger reviews. Nevertheless, the overall compliance burden associated with transactions has increased due to uncertainty in enforcement and geopolitical concerns.
Multiple overlapping review processes, such as state antitrust regulations, the Hart-Scott-Rodino (HSR) Act, the Department of War (DOW), the Committee on Foreign Investment in the United States (CFIUS), and outbound investment, mean that general counsel must do more to see around corners to ensure that their organizations are prepared for transactions before a deal is presented.
Pro-deal, but not a rubber stamp
Although in early 2025 it seemed that the antitrust enforcement policies of the prior administration might be continued under the Trump administration, it is now clear that this administration has taken a more pro-transaction stance, with greater reliance on settlements to allow transactions to move forward.
Where agencies see potential competition issues in a transaction, they expect long term, effective changes to address antitrust concerns, not just quick fixes. For example, remedies imposed could include selling off entire business lines or separate units, with creative caveats. Generally, where divestiture is the remedy, the divested unit should not remain linked to the seller, and a capable buyer for the divested business must be clearly identified from the start. In addition, the Trump Administration has shown a willingness to craft creative solutions to address potential concerns regarding a transaction, especially in comparison to the Biden Administration, where lawsuits to block transactions were more frequent. Agencies also want proposed solutions for potential competition issues presented early in the process.
Hart-Scott-Rodino
The U.S. Department of Justice (DOJ) and the Federal Trade Commission (FTC) are closely monitoring transaction compliance, Hart-Scott-Rodino (HSR) obligations.
Although it was generally thought that the Trump Administration might rescind the Biden Era changes to the HSR filing requirements, as of March 2026, those rules remain in place, and HSR filings must follow them.
Both the DOJ and the FTC maintain broad authority to request additional information from parties filing for HSR if they have questions about a transaction, and they have leveraged it to suggest both behavioral and structural remedies.
Department of War obligations
The DOW now requires companies to notify it when they plan to merge with or acquire another company that could affect the defense industry. This requirement is part of the HSR Act and was specified in guidance issued in February 2026.
This guidance stems from Section 857 of the Fiscal Year 2024 National Defense Authorization Act (NDAA). Companies must inform the DOW at the same time they report these transactions to the FTC or the DOJ. This change replaces the old system, which relied on referrals from the FTC or DOJ.
Section 857 specifies that M&A activity related to the following transactions may require DOW review:
- Defense contracts or subcontracts
- Critical national security technologies
- Defense industrial-base sectors
- Associated intellectual property
The Pentagon advises that anyone involved in these transactions should send their HSR filings directly to them. This means that parties must evaluate early whether their transaction requires notifying the Pentagon and ensure they include this evaluation when preparing their HSR filing.
CFIUS and reverse-CFIUS
The Committee on Foreign Investment in the United States (CFIUS) is accelerating its reviews of allies' investments while closely examining Chinese investments in specific areas. They also require companies to sell off investments when there are national security concerns.
For outbound investments, the Comprehensive Outbound Investment National Security Act of 2025 (COINS Act) broadens the rules governing notifications to the Treasury. This update, known as Reverse CFIUS, gives the government greater authority to restrict U.S. investments in countries that pose risks. Funds now need to carefully check their transactions to determine if they need to notify the government under these new rules.
The COINS Act expands the scope of countries included in the outbound investment regime, introduces new procedural mechanisms, and modifies the definitions of covered persons and transactions.
Additionally, the Act broadens the prohibition of "knowingly directing" to include "notifiable transactions" as well.
Sector watch: Life sciences and healthcare
Government scrutiny extends beyond national security and the defense industry. The life sciences and healthcare sectors have also received significant attention during the Trump administration. Agencies focus closely on the medical devices and pharmaceutical markets, particularly on how innovation is affected and on the potential for new companies to enter these markets.
State antitrust enforcement is increasing
State attorneys general are increasingly active in enforcing merger regulations, both by collaborating with federal agencies as co-plaintiffs and by pursuing independent legal actions. This enforcement encompasses multistate interventions and healthcare-specific laws in at least 13 states, which mandate premerger notifications and often include extended waiting periods.
- California and New York have long been recognized as leading antitrust enforcers at the state level, with established frameworks and a history of independent actions.
- Washington and Colorado have also implemented broad premerger notification laws that apply generally.
- Notably, a jury in the Southern District of New York delivered a verdict that, among other things, determined that Live Nation and Ticketmaster violated the Sherman Act and similar state antitrust laws, despite the federal government's earlier settlement. This verdict demonstrates the risk of states pursuing remedies against a company’s market dominance, even if the FTC has cleared a merger or settled litigation over competition under the Sherman Act.
For companies considering strategic transactions, these developments show that obtaining federal approval alone may not address all the risks associated with the deal, and careful planning across different jurisdictions is key. The states have clearly shown a willingness to “step into the breach” and enforce state laws similar to HSR and the Sherman Act. Companies should evaluate how relevant state agencies – beyond just the DOJ and FTC – will view their proposed transactions. This includes the states where they operate and those with affected consumers. State-level filings can greatly affect the timing and costs of the deal.
EU data privacy and digital regulation
New data protection and digital regulation rules require a company to ensure compliance in advance of a contemplated transaction; otherwise they could significantly affect both the transaction timing and potential liabilities post-closing.
On October 9, 2025, the European Commission and the European Data Protection Board released Draft Guidance on how the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR) work together.
This guidance increases scrutiny of major companies designated as "gatekeepers" under the DMA, as well as their business users seeking data access under Article 6(10) of the DMA. These companies will need to ensure full compliance and a full understanding of how the two regulations interact.
The DMA guidance builds on existing GDPR rules, which already have strict compliance requirements. GDPR applies to any organization that processes the personal data of EU residents, no matter where the organization is located. This means that businesses without a physical presence in Europe are still subject to the GDPR if they provide goods or services to EU residents or track their online activities.
Initially, it seemed the EU would enforce very strict rules. However, recent signs and news reports indicate that regulators might be adopting a more flexible approach.
Why this matters: This possible shift suggests a more adaptable regulatory environment. It could affect how companies evaluate compliance risks and plan their long-term strategies in the EU.
