Due Diligence in German SMEs: A Practical Guide

How to systematically identify and assess risks. Includes case studies and categorization of findings. From company structure to commercial agreements and compliance.

Why Due Diligence is Crucial for Your Company

Acquiring or selling a company is one of the most important business decisions entrepreneurs make. Millions invested, years spent building the business – and yet the risk remains of overlooking problems that could significantly jeopardize the company's value. This is precisely where due diligence comes in.

Due diligence is more than just a checklist. It's a systematic process that examines all essential aspects of a company. A thorough review is particularly crucial for German SMEs – the backbone of our economy. Whether you're looking to sell, planning an acquisition, or bringing in a business partner, due diligence protects your financial security and gives you the confidence to make informed decisions.

This guide will walk you through the core aspects of a classic due diligence process for medium-sized businesses. We focus on practical knowledge – not legal technicalities, but on what you as a managing director or entrepreneur really need to know.

1. Definition and scope of due diligence

What exactly is due diligence?

The English word "due diligence" literally means "proper care." In the context of M&A, it refers to a comprehensive and systematic review of a company before a transaction. This involves examining the company's legal, financial, operational, and commercial situation to uncover hidden risks.

Due diligence serves several purposes simultaneously: it reveals significant risks and opportunities, supports company valuation, identifies necessary repairs, and lays the foundation for informed negotiations. At the same time, it is an expression of sound business practice – if a problem arises later, it can be demonstrated that all reasonable due diligence measures were taken.

Furthermore, a thorough examination of the target asset is legally required: A manager is obligated to make investment decisions based on adequate information. This applies particularly to private equity managers who manage third-party assets (funds/LPs), as well as to managing directors of a limited liability company (GmbH) within the scope of their duty of legality and business judgment rule. Failure to conduct an adequate examination can have legal consequences.

Conversely, the seller also has a duty to disclose information: They must provide information about essential circumstances relevant to the purchase decision without being asked, provided these circumstances are recognizably important to the buyer and the buyer can reasonably expect to be informed. Concealing such facts can constitute deception by omission and trigger corresponding warranty or rescission rights.

Modern due diligence reports are "red flag reports"—concise analyses that quantify risks and provide concrete recommendations for action. They involve analysis through an "economic lens," not merely a description of facts.

How extensive should the due diligence be?

The depth and scope of due diligence depend on several factors: the size of the company, the transaction value, the industry, and the risk profile. A small craft business with 20 employees requires a different level of detail than a software company with 200 employees. Crucially, the scope of work should be defined and documented in writing at the outset, together with the client – including materiality thresholds, level of detail, and demarcation from other advisors.

Full Due Diligence: In-depth review of all relevant areas, typical for larger transactions or high-risk profiles. This includes extensive documentation reviews, management interviews, on-site inspections, and the involvement of specialized advisors.

Legal due diligence: Focus on legal structures, contracts, governance, and compliance. It is an indispensable core component of every transaction – even if other areas are only examined in a "light" version.

Financial due diligence: Analysis of annual financial statements, profit and loss statements, cash flow, working capital, and potential hidden liabilities. Essential for buyers to understand the company's economic substance and sustainable earning power.

Tax due diligence: Examination of the tax structure, risks, and optimization potential. This includes, in particular, latent tax risks, tax audits, loss carryforwards, withholding taxes, and the tax structuring of the transaction (e.g., share vs. asset deal). It is regularly crucial for decision-making, especially in international structures and private equity setups.

Operational Due Diligence: Evaluation of business processes, efficiency, scalability, quality of organization, as well as the performance of the management team and the operational infrastructure.

Commercial Due Diligence: Analysis of the market, competition, customer base, pricing power, and growth prospects. The goal is to validate the strategic positioning and the actual market potential.

In real estate-heavy transactions, further specific areas of due diligence are regularly added: technical due diligence (structural condition, maintenance backlog, capital expenditure requirements) and environmental due diligence (legacy pollution, contamination, permitting issues). These aspects can have a significant impact on valuation, financing, and liability structure.

For many medium-sized companies, a "well-dosed" due diligence is often the right measure: not excessively extensive, but thorough enough to cover the main risks.

Case study: Mechanical engineering company (120 employees)

A medium-sized mechanical engineering company was up for sale. The initial due diligence checklist focused exclusively on contracts and licenses. It was overlooked that the technical director – holder of 15 core patents – would no longer accept a non-compete agreement without appropriate compensation. Renegotiating this agreement ultimately cost 12% of the purchase price and should have been identified as a significant risk earlier. Only expanding the scope to include intellectual property and key person risks brought clarity.

2. Company law and the clarification of ownership structures

The Chain of Title: Who really owns the company?

One of the first and most important tasks in due diligence is clarifying the ownership structure. This may sound trivial – but in reality, problems often arise here, especially in established family businesses or companies that are several generations old.

Lawyers understand "chain of title" to mean the unbroken chain of ownership transfers. They must verify: Who founded the company? How has it been passed on since then? Are there any unresolved inheritance disputes? Are all shares held by one owner or several? Were transfers – for consideration or without consideration – legally valid and properly documented?

A classic scenario: A mid-sized business owner establishes their company with 100% ownership. Later, they transfer 50% to their son. The transfer is more or less documented. But: Was there a notarized deed? Was the tax office informed? Were the entries in the commercial register updated? Errors in these seemingly administrative matters can lead to serious legal complications.

Case study: Family business with a holding structure

A family business was gradually transferred to the next generation over several years – partly through anticipated inheritance, partly through gifts. Simultaneously, a holding company was established with an external minority shareholder. Some transfers were notarized, others based solely on internal agreements. One shareholder passed away, and the inheritance settlement was never fully completed. Additionally, there were restricted shares requiring approval, which was not obtained for some of the transfers. The result: significant legal uncertainty, even raising the question of whether the sellers had the legal right to dispose of all their shares. Resolving the situation cost €35,000 in notary fees and delayed the transaction by 10 weeks.

Articles of Association and Resolution Documentation

The articles of association (or bylaws in the case of a public limited company) are the "constitution" of the company. Due diligence examines: Does the current agreement correspond to the commercial register entry? Are there any unregistered amendments? Are voting rights, profit sharing, and termination rights clearly defined? Are there any clauses that restrict or prohibit a sale? What resolutions are required?

Particularly problematic are often incomplete or outdated articles of association. A common issue: The agreement was drawn up 20 years ago and hasn't been updated since. New shareholders have been added, but the agreements haven't been amended. This leads to legal uncertainty and can cause delays or even the failure of a transaction. A sound articles of association are not only legally important – they are also a selling point.

3. Commercial Agreements: Customer and supplier contracts under scrutiny

A frequently underestimated, but crucial aspect of due diligence is the review of key business contracts. Customer and supplier agreements form the operational backbone of every company. Their stability, duration, and contractual terms significantly determine the company's sustainable value.

What matters in customer contracts

During due diligence, the key customer contracts – typically the top 10 to 20 by revenue – are examined in detail. Key questions include: What are the contract durations and notice periods? Are there automatic renewal clauses? Are price adjustment mechanisms agreed upon (indexation, annual renegotiation)? Are there exclusivity agreements or minimum purchase obligations? What warranty and liability provisions apply? Are there penalties for delivery delays or quality defects?

The issue of customer concentration is particularly critical: if a single customer accounts for more than 20–30% of total sales, this represents a significant concentration risk. Buyers and financing banks assess this as a substantial risk that directly impacts the purchase price – typically through a discount or an earn-out component.

Change-of-control clauses: The underestimated danger

Change-of-control clauses (CoC clauses) are among the most important and yet most frequently overlooked risks in due diligence. A CoC clause gives the contractual partner the right to terminate the contract without notice or to renegotiate it if the ownership structure of the company changes – precisely when a transaction takes place.

CoC clauses are typically found in customer contracts (especially long-term framework agreements with major customers), supplier contracts (exclusive purchasing agreements, license agreements), lease and rental agreements, loan agreements and financing agreements, joint venture agreements and cooperation agreements, as well as in insurance policies and public law permits.

The legal consequences vary considerably: from a mere right to information for the contractual partner, to a requirement for consent, to an immediate right of extraordinary termination. In the worst case, the company loses its most important contracts through the transaction itself – and thus the basis of its profitability.

A CoC clause in a contract representing 45% of revenue is not a peripheral issue – it's a potential dealbreaker. Timely identification and obtaining waivers before closing are crucial.

Handling CoC clauses in practice

The professional handling of CoC clauses requires a multi-stage approach: First, all material contracts are systematically reviewed for CoC clauses and categorized according to their risk relevance. For contracts with a termination right for the other party, a consent strategy is developed: When and how are the other parties contacted? What concessions might be necessary? For particularly critical contracts, obtaining consent can be agreed upon as a closing condition in the SPA – the transaction is only completed once consent has been granted.

Important: In a share deal, only the ownership structure of the holding company formally changes, not the contracting party itself. Therefore, some Code of Conduct clauses do not apply to a share deal, but do apply to an asset deal. The distinction must be carefully examined in each individual case.

Case study: Industrial supplier with CoC risk

An industrial supplier with €25 million in revenue was sold through an auction. Legal due diligence revealed that the largest customer (approximately 40% of revenue) had a framework agreement with a Code of Conduct clause that allowed for termination in the event of a change in ownership. The buyer made the transaction contingent upon obtaining a waiver from the customer beforehand. The customer leveraged its negotiating position and, in return, demanded price reductions of 8% for the next two years. Ultimately, the purchase price was reduced by €1.2 million to reflect these concessions.

Supplier contracts and dependencies

Significant risks can also lurk on the procurement side: Are key components only available from a single supplier (single-source risk)? Are there long-term purchase commitments with minimum quantities? What price adjustment mechanisms apply? Are there exclusivity agreements that restrict the buyer's strategic flexibility? Can supplier contracts be terminated in the event of a change of control?

In practice, it is often observed that medium-sized companies maintain informal supplier relationships that have developed over years and are either not contractually secured or only rudimentarily so. Such "handshake agreements" may work in day-to-day operations, but in the event of a change of ownership, legal protection is lacking.

General Terms and Conditions (GTC)

An often overlooked but economically relevant point to review is the company's general terms and conditions (GTC). Outdated or legally invalid GTC clauses can lead to liability limitations not applying, warranty provisions being unfavorable to the company, or retention of title clauses being ineffective. Especially in light of recent case law regarding the review of GTC in the B2B sector, regular updates are highly recommended.

4. Bogus self-employment and labor law issues

The risk of bogus self-employment

Many medium-sized businesses employ "entrepreneurs" or "independent contractors" who are, in fact, employees. This poses a significant risk – both with regard to social security contributions and taxation. The German Pension Insurance and the tax office analyze whether the work is genuinely self-employed or dependent employment.

Key criteria include: being subject to instructions (does the person follow specific directions?), integration into the organization, place of work, use of company equipment, fixed working hours, and bearing one's own entrepreneurial risk. If it subsequently turns out that supposedly "external" workers were in fact employees, substantial back payments of social security contributions are likely – often retroactively for several years, plus late payment surcharges. In addition, there are potential employment law claims and reputational risks. Furthermore, withholding social security contributions is a criminal offense under Section 266a of the German Criminal Code (StGB) – with personal liability risks for managing directors.

Case study: Software company with 15 "freelancers"

An IT company with 80 permanent employees also employed 15 "freelancers" who had worked exclusively for the company for years, used company email addresses, and participated in weekly team meetings. Due diligence identified a risk of approximately €450,000 in back payments for social security contributions for the past four years. A specific indemnification for this risk was agreed upon in the share purchase agreement (SPA), in addition to a purchase price reduction of €200,000.

Employment contracts and compliance

As part of due diligence, employment contracts are systematically reviewed. Are all contracts legally valid and do they comply with the requirements of the German Employment Contract Law (Nachweisgesetz)? Do the agreements comply with the Minimum Wage Act? Are vacation entitlements correctly documented? Are there any tacit agreements that are not officially stipulated?

Typical labor law findings include: unclear or ineffective fixed-term contracts, defective non-compete clauses, insufficiently documented bonus structures, missing overtime regulations, incorrectly compensated vacation entitlements, and inconsistencies between employment contracts and applicable collective agreements or company agreements.

The issue of "customary practice" is particularly relevant: Recurring benefits provided by the employer (e.g., bonus payments, special leave) that have been granted unconditionally over a longer period can lead to an enforceable claim by the employees – even if they were originally intended to be voluntary.

A critical point: works councils and trade unions. If a works council exists, it has the right to be consulted in the event of a sale. The Works Constitution Act stipulates that the works council must be informed and consulted. A lack of or flawed involvement can lead to significant legal risks and delays.

5. Legal disputes and procedural risks

Reviewing ongoing, threatened, and concluded legal disputes is a core component of any due diligence process. Legal disputes can have significant financial repercussions, disrupt day-to-day business operations, and—in the worst-case scenario—be a threat to a company's existence.

What is being tested?

The scope of the audit includes all ongoing court proceedings (civil, labor, administrative, tax courts), out-of-court disputes and dunning procedures, arbitration proceedings, official proceedings (cartel office, data protection authority, trade supervisory office, tax office), threatened legal disputes (e.g. warnings, letters of claim, pre-litigation correspondence) as well as significant completed proceedings of the last three to five years that allow conclusions to be drawn about recurring problems.

Special risk areas

Product liability: Companies with physical products are regularly exposed to product liability risks. Due diligence examines whether recalls have taken place, whether insurance coverage exists, and whether claims are imminent. Particularly for automotive suppliers or medical technology companies, the liability amounts can reach levels that threaten their very existence.

Patent disputes and IP conflicts: Especially for technology-driven SMEs, it is crucial to examine whether their own intellectual property rights are being infringed or whether the company itself is infringing the intellectual property rights of third parties. Ongoing patent infringement proceedings can lead to claims for injunctive relief and damages amounting to millions.

Employment law proceedings: unfair dismissal claims, equal pay claims in temporary employment, claims concerning company pension schemes or overtime pay. Disputes with former managing directors regarding severance payments or non-compete clauses are also common in medium-sized companies.

Antitrust risks: Participation in price-fixing agreements, market sharing, or concerted practices can lead to fines of up to 10% of global group revenue. In addition, companies risk claims for damages from affected customers (follow-on lawsuits).

Tax proceedings: Ongoing tax audits, appeals against tax assessments, or tax court proceedings. Transfer pricing risks in international structures and tax audits that are not completed for several years are particularly problematic.

Assessment and hedging

Crucial is the careful evaluation of each procedure: What is the probability of a negative outcome? What is the potential financial risk (best case/worst case)? Have provisions been made in the balance sheet, and are they adequate? Is there sufficient insurance coverage?

The results are directly incorporated into the purchase price structuring and contract negotiation: through provisions that are deducted from the enterprise value as a financial liability, through specific exemptions in the SPA, through tax escrow solutions for tax risks, or through consideration in the W&I insurance.

Case study: Automotive supplier with ongoing antitrust proceedings

During an audit of an automotive supplier, an ongoing cartel investigation by the German Federal Cartel Office was discovered. The company was the subject of a sector inquiry and had already received a request for information. The potential fine was estimated at €2–5 million. The buyer demanded full indemnification for this risk, in addition to an escrow of €3 million. Negotiations regarding the amount of the indemnification and its time limit alone took four weeks.

Case study: Medical technology company with product liability lawsuit

A medical technology manufacturer was in the process of selling the company when it was served with an $8 million product liability lawsuit in the US. Although the lawsuit had little chance of success according to the litigation lawyers, the mere fact of its existence represented a significant valuation discount. The warranty and indemnity (W&I) insurance excluded this known issue. Ultimately, a specific indemnity agreement was negotiated with a cap of €5 million and a term of five years.

6. Data protection and compliance issues

GDPR compliance: More than just a technical issue

The General Data Protection Regulation (GDPR) is a complex set of rules that many medium-sized businesses underestimate. Due diligence checks the following: Does a data protection concept exist? Have data protection impact assessments been carried out? Is there a data protection officer? Are there consent forms? How is personal data stored? Are there contracts with data processors?

Violations of the GDPR can be costly: fines of up to €20 million or 4% of global annual turnover are possible. This represents a significant risk for a buyer. A company without GDPR compliance is considerably less attractive and worth less.

Case study: Service company without a data protection officer

A B2B service provider with 60 employees processed extensive customer data but had neither appointed a data protection officer nor created a record of processing activities. Due diligence also identified missing data processing agreements with three cloud service providers. The buyer demanded comprehensive rectification before closing (appointment of a data protection officer, creation of a record of processing activities, conclusion of data processing agreements) as well as indemnification against any past fines.

Further compliance aspects

In addition to data protection, there are other compliance issues: export controls (particularly relevant for companies exporting to non-EU countries), anti-money laundering regulations, corruption prevention (especially in government contracts), antitrust law, sanctions, and regulatory approvals. A common surprise: a company has been operating for years with unvalidated permits. "That's how it's always been" is not a valid argument – current, valid permits must be documented during due diligence.

7. Environmental and real estate issues

Contaminated sites and environmental liability

An underestimated risk: If the company works with chemicals, oils, or other substances, or has a production facility, potential environmental damage must be assessed. If contaminated waste was previously disposed of improperly, the current operator can be held liable for remediation – at considerable expense. Due diligence examines: What substances are used and how are they stored? Are there permits? Has waste been disposed of properly? Is there documentation of historical uses? Have soil investigations been carried out?

Case study: Metalworking company with soil contamination

Environmental due diligence at a metalworking company revealed soil contamination from trichloroethylene dating back to previous use (1960s-1980s). The report estimated remediation costs at €750,000. The seller was unaware of this – the contamination originated from a previous owner. As a result, the purchase price was reduced by the estimated remediation costs, and an environmental indemnification agreement with a cap of €1.5 million was also concluded.

Buildings and real estate

For rental properties: What is the lease term? What are the associated costs? Are there any adjustment clauses? Can the landlord terminate the lease? Are there any hidden additional costs? For owner-occupied properties: Is a current building description available? Are all permits in place? Are there any historic preservation restrictions? Have inspections been carried out? Are there any outstanding debts on the property? Are all environmental regulations met?

Particularly relevant for buyers: Is the property essential for business operations? What happens if the lease expires and is not renewed? What are the costs of relocation? Are there any Certificate of Conformity (CoC) clauses in the lease? These questions can be business-critical for a buyer.

8. The process: How is due diligence carried out?

Phase 1: Preparation and Scope Definition

Before due diligence begins, the following must be clarified: What will be examined? How in-depth will we go? Who will conduct the review? What timeframe is realistic? The scope of work is agreed upon with the client and documented in writing – including materiality thresholds, demarcation from other advisors, and level of detail. A lead associate coordinates the team and oversees the master due diligence report.

Phase 2: Document acquisition and analysis

The company is requested to provide documents in a virtual data room. Important: Check the completeness of the data room not only using the data room index, but also using your own checklists. A poorly organized data room is itself a warning sign – it indicates inadequate internal processes. Also check the completeness of individual documents: Are all pages present? Are signature pages complete? Are there any newer versions or amendment agreements?

Typical documents: articles of association and commercial register entries, lists of shareholders, financial documents (annual financial statements for the last 3-5 years, tax returns, current business analysis), employment contracts and personnel documents, customer and supplier contracts, insurance policies, permits and licenses, IT and data protection documentation, real estate and lease agreements, ongoing and concluded legal disputes.

Phase 3: Management interviews and on-site visit

Due diligence is not purely documentary. Professional auditors conduct expert sessions with management and visit production facilities and offices. The goal is to compare the written documentation with reality. The books show 50 employees, but the site visit reveals significantly fewer? The documentation lists 5 top customers, but interviews reveal that one customer accounts for 60% of revenue? Such discrepancies are crucial.

Phase 4: Q&A Process

A list of questions is compiled based on the documents and interviews. Important: Questions are posed on a "need to know" basis – not "nice to have" questions. They must be self-explanatory, specific, and user-friendly. In auction processes with a limited number of questions, careful prioritization is crucial: Questions relevant to the evaluation are addressed first; purely confirmatory questions can be postponed.

Phase 5: Report and Evaluation

A comprehensive report is ultimately produced. Modern due diligence reports are "red flag reports"—concise, analysis-oriented reports with a clear risk assessment and concrete recommendations for action. The type of report depends on the intended audience: a commercial report with risk indicators, a legal report with recommendations for action, or a bank-ready report for lenders.

9. The Due Diligence Report as a Bankable Work Product

What makes a report "bankable"?

A bankable report must meet the following requirements: transparency (all assumptions documented), traceability (an external auditor can understand the logic), completeness (all relevant risks addressed), structure (clear, logical organization) and realism (fair, objective assessments).

The structure typically follows: Executive Summary (2-3 pages), company overview, detailed analysis by topic area, risk presentation with severity level, specific recommendations and appendices.

Recommendations in the Due Diligence Report

Professional reports contain specific recommendations for action, which are typically divided into five categories: consideration in the purchase price (pricing through purchase price deduction), consideration in the purchase price mechanism (e.g. provision as a financial liability), repair measures to be initiated by the seller before or after signing (possibly as a condition of completion), coverage by indemnities or warranties in the SPA, and further investigations with the seller.

Banks pay particular attention to the presentation of risks. A realistic report that also discloses problems is more trustworthy than one that only reports positive aspects. Banks know that every company has risks. If the audit finds none, it was probably not thorough enough.

10. Common problems and red flags

In our practice as M&A lawyers, we repeatedly see similar problems:

Incomplete or outdated documentation: The articles of association date from 1998 and have not been updated. Some employment contracts are missing. The tax office has not been informed of important changes in ownership.

Dependence on individuals: The company only functions because a specific person is there (often the founder). If that person leaves, the business collapses. Banks are reluctant to finance this.

Hidden debts: Loans that don't appear on the balance sheet. Private loans from the managing director to the company. Supplier credits that effectively function as financing.

Tax problems: Unpaid tax debts. Unfiled tax returns. Incomplete tax audits.

Labor law problems: Missing employment contracts. Incorrectly billed interns. Bogus self-employment. Incomplete works council involvement.

Customer concentration: A small number of customers account for a large portion of the revenue. If one of them is lost, the business is seriously at risk.

Missing or inadequate CoC analysis: Change-of-control clauses in key contracts are overlooked. The transaction itself triggers termination rights of important contractual partners.

Unresolved legal disputes: Ongoing proceedings without sufficient reserves. Threatened lawsuits that are not disclosed. Inadequate insurance coverage.

11. Categorization of Due Diligence Findings

A professional due diligence process not only identifies risks – it assesses and categorizes them according to their severity and the available courses of action. The following system has proven effective in practice and is based on a traffic light system:

Category 1 – RED: Showstopper / Dealbreaker

Findings of this category can jeopardize the entire transaction and typically lead to the termination of negotiations or necessitate a fundamental restructuring of the deal. For example, if the seller cannot prove that they have effective control over all company shares (broken chain of title), the transaction is simply not feasible in its planned form. Similarly, criminally relevant issues—such as the systematic withholding of social security contributions or corruption—can cause the deal to collapse because the buyer is unwilling to assume the reputational risk and the liability associated with the transaction.

Category 2 – DARK RED/ORANGE: Red Flags with potential for resolution

These findings are serious, but generally solvable – although they have a significant impact on the purchase price and contract terms. A typical example is bogus self-employment: The risk can be quantified, factored into the purchase price, and mitigated through a specific indemnification clause. A similar approach applies to essential Code of Conduct clauses: Obtaining a waiver before closing can be made a condition of execution.

Category 3 – ORANGE: Protection through contract design

These are findings that can be managed through skillful contract drafting. Typically, they are addressed through warranties, indemnities with de minimis thresholds and caps, or purchase price adjustments. Alternatively, the seller can offer to carry out certain remedial measures before closing – such as updating the articles of association or obtaining missing approvals.

Category 4 – YELLOW: Notes and potential for improvement

These findings do not represent a significant transaction risk, but should be addressed during post-merger integration. They provide the buyer with a roadmap for the first 100 days after closing: Which processes need to be modernized, which documents updated, and which policies implemented? Yellow findings can also serve as leverage for moderate purchase price reductions.

Conclusion: Investing in security

Due diligence costs time and money. It's an investment, not a cost. A thorough review before buying or selling a company can save millions and prevent major headaches.

If you, as a seller, have due diligence carried out (yes, sellers also make sense to do this – keyword: vendor due diligence), you ensure that the buyer isn't faced with any unpleasant surprises – and that you yourself know what you need to work towards. If you are a buyer, you protect your investment: due diligence is your chance to gain clarity before you sign.

Most importantly: Take due diligence seriously. Work with experienced partners – lawyers, tax advisors, and, if necessary, specialized consultants for environmental, IT, or compliance matters. And categorize the findings systematically: Not every problem is a dealbreaker – but every problem deserves a clear classification and a well-thought-out solution.

Ultimately, a clean, thoroughly vetted purchase or sale is significantly less expensive than dealing with surprises later on. Due diligence is your compass through the complexities of a transaction – use it.