13.05.2026 | Stefan Heusser, Clark Zhu

How China’s Data and National Security Enforcement is Rewriting Forensic M&A Reviews

China-related transactions are increasingly affected by risks that do not arise during due diligence, but only after signing or closing.

Country Special

1. Introduction

China-related transactions are increasingly affected by risks that do not arise during due diligence, but only after signing or closing. While forensic reviews have traditionally focused on identifying past misconduct – such as fraud, accounting irregularities or corruption – recent enforcement developments in China indicate a potential structural shift.

Regulatory action is now frequently triggered by post-closing operational changes, including IT integration, data centralization and supply-chain restructuring. As a result, transactions that appeared unproblematic at signing may become subject to investigations shortly thereafter, with significant implications for value, integration and exit planning.

2. From historical misconduct to structural non-compliance

Classical forensic due diligence is retrospective by nature. It assesses whether historical behavior gives rise to legal or financial exposure. In the current Chinese regulatory environment, this approach may no longer be sufficient.

Recent enforcement practice shows that authorities increasingly focus on systemic compliance, rather than intent or past wrongdoing. Data governance structures, export routing, group control mechanisms and access rights are assessed based on their current and future configuration. These configurations are often fundamentally altered by the transaction itself.

Accordingly, deal risk has shifted from the target’s past into the post-closing operating model.

3. Data and IT integration as investigation triggers

This shift is most apparent in the area of data protection and cross-border data transfers.

Under the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the recently (2026) amended Cybersecurity Law (CSL), cross-border transfers of personal and certain business data require specific legal pathways, such as a security assessment, standard contractual arrangements or certification. Enforcement cases published in 2025 and early 2026 demonstrate that investigations are frequently triggered by routine post-closing measures, including ERP harmonization, remote access by overseas headquarters or shared group databases.

In many cases, the target company had not engaged in any prior misconduct. The compliance issue arose solely because the transaction changed the data-processing reality. This makes data-related risks particularly difficult to identify in traditional due-diligence processes.

4. National security review beyond formal thresholds

In parallel, China’s national security review regime has become more assertive. Authorities increasingly coordinate merger control, sector-specific regulation and data security considerations. Reviews may be initiated even where formal thresholds are not met, particularly in transactions involving sensitive data, technology, or infrastructure.

This may lead to situations in which transactions are signed and announced without objection, only to face regulatory scrutiny once effective control is exercised.

Ironically, as Chinese enforcement practice expands to cover economic intelligence and supply-chain information where these intersect with security concerns, corporate (post-deal) internal investigations could themselves become more challenging. Depending on context, it should be assumed that investigative work touching on sensitive data can implicate national security concerns.

5. Implications for forensic M&A reviews

These developments require a recalibration of forensic due diligence in China-related transactions. Reviews must increasingly address forward-looking risks, including the regulatory implications of post-closing integration, data flows and supply-chain changes.

Forensic work therefore evolves from a purely investigative function into a preventive risk-management tool, supporting comprehensive cross-border data compliance assessments, deal structuring, cybersecurity assessments, integration planning and governance.

6. Conclusion

China-related M&A risks are becoming less visible at signing, but more consequential after closing. They are often created by the transaction itself rather than inherited from the target. Forensic due diligence that remains focused solely on historical misconduct risks overlooking the very issues that determine deal success in the current regulatory environment.
