M&A Is Back. Cyber Diligence Has to Catch Up.
McKinsey's 2026 M&A Trends report puts global deal value at $4.7 trillion, up 43 percent year-on-year. Megadeals are at multi-year highs, hold periods have lengthened to 6.2 years, and TMT alone accounted for nearly a quarter of all activity. Each of these shifts changes what cyber due diligence has to look like — and how long it has to stay in place.

In February 2026, McKinsey & Company published its annual M&A outlook: 2026 M&A trends — Navigating a rapidly rebounding market. The numbers describe a deal market that has not just recovered, but moved into a structurally different phase. For private equity, venture capital, family offices and M&A advisors in DACH, the report is essentially a planning document — and a quiet repricing of cyber risk inside every transaction.
The aim of this piece is narrow: to read McKinsey's headline data through the lens of cyber due diligence, and to set out where the established DD pipeline of 2024 no longer matches the 2026 market it is supposed to serve.
What Rebounded — and By How Much
McKinsey's figures for full-year 2025, on which the 2026 outlook is built, are the strongest baseline in nearly a decade:
- Global deal value reached $4.7 trillion, up 43 percent from $3.3 trillion a year earlier — roughly 20 percent above the ten-year average of $3.9 trillion.
- The number of transactions clearing the $10 billion mark expanded to 60 — the highest count since the previous M&A peak. Combined megadeal value was up 112 percent.
- Private equity deal value rose 54 percent to $1.2 trillion, with average PE deal size at roughly $890 million. PE dry powder remained near $2.2 trillion.
- The technology, media and telecommunications (TMT) sector accounted for 23 percent of total deal value — $1.1 trillion, up 61 percent year-on-year. Ten of the twenty largest deals of 2025 were TMT targets.
- Cross-regional deal value rose to 19 percent of total activity (from 15 percent in 2024). Inbound deal flow from the Americas into EMEA targets grew 68 percent year-on-year to $144 billion.
- Hold periods for PE portfolio companies have lengthened to 6.2 years on average, against 4.0 years in 2009.
- Activist campaigns reached a five-year high, up 15 percent year-on-year — roughly one in three had an M&A component.
The full report is freely available on McKinsey's site for any decision-maker who wants to read it directly. Our reading below assumes those figures as given.
Why TMT Concentration Matters for Cyber DD
The single most consequential pattern for cyber due diligence sits inside the sector mix. Capital is buying digital business models at record speed: code bases, data architectures, cloud footprints, identity stacks, vendor chains, AI models. When a quarter of the global deal value, and half of the very largest deals, are technology-led, the marginal target is one whose entire valuation hangs on the integrity of its software, its data and its third-party dependencies.
This shifts cyber from a discrete workstream — sitting alongside legal, tax and financial DD — to a load-bearing component of the valuation itself. Findings here move purchase price, escrow size, SPA language, and R&W insurance coverage. That is no longer a 2026 prediction. It is what 2025 transaction documentation already reflects.
Three Structural Shifts the DD Pipeline Has to Absorb
1. Longer Hold Periods Mean Longer Cyber Exposure
At an average hold period of 6.2 years, a portfolio company at exit is not the company that was acquired. Tech stack, vendor mix, regulatory perimeter and threat model have all moved. A one-time cyber due diligence on the day of closing has a short half-life — and any operating partner relying on it past month 18 is, in practice, managing a risk they no longer measure.
This is the structural argument for continuous cyber posture management across the hold period, rather than a one-off pre-deal scan. A Compliance Sprint addresses the closing-window baseline. A vCISO mandate keeps it credible across the years that follow.
2. Twenty-Eight Percent of Activity Sits in Megadeals — and Megadeals Mean Integration
When a single buyer absorbs a target of $10 billion or more, the dominant post-closing risk is not strategic — it is operational. The most under-budgeted line item in PE integration plans since 2022 is not headcount or real estate. It is the integration of heterogeneous IT and security stacks — identity, endpoint, network, data, GRC, and vendor exposure — that were sized in the DD phase against a thinner scope than the deal ultimately required.
The correction is not a thicker DD report. It is a DD process whose findings translate directly into an integration plan with named workstreams, owners and budgets — before signing, not after. This is what we mean by M&A cyber due diligence that survives contact with the closing date.
3. AI Accelerates the Deal Cycle Without Accelerating Diligence Quality
McKinsey reports deal cycle compression of 10 to 30 percent and overall M&A cost reductions of around 20 percent attributable to generative AI tooling. This is unambiguously useful — and dangerous in equal measure.
A confirmatory DD compressed from six weeks to ten days only produces a better outcome if the cyber workstream is industrialised to match. If the operational throughput of the deal team doubles while the cyber workstream remains a bespoke, slow, generalist exercise, the buyer is paying for faster decisions on thinner information. The honest framing: speed without structure imports systematic blind spots into the portfolio.
What Changes in the Cross-Border Picture
Two further shifts in the McKinsey data deserve a separate note for DACH-based investors and advisors.
First, cross-regional deal share is up sharply, and the strongest single corridor is Americas-into-EMEA, where inbound value rose 68 percent year-on-year. US acquirers are deploying capital into European technology assets at a tempo that brings with it a different compliance expectation — built around US frameworks like SOC 2, HIPAA and SEC cyber disclosure rules, layered onto DACH targets engineered for BSI IT-Grundschutz, NIS2 and the GDPR. Reconciling these in the DD phase is cheaper than reconciling them in the integration phase.
Second, activist campaigns reaching a five-year high — with around a third linked to M&A — means cyber governance disclosure is increasingly a board-level reporting expectation, not only a CISO-level operational concern. The trajectory of regulator scrutiny is in the same direction: see the recent joint US-UK warnings to systemically important banks, which we covered separately in our note on "AI Has Made It Worse".
What the 2026 Cyber DD Pipeline Has to Look Like
If the McKinsey data is accepted, the implications for cyber due diligence in DACH transactions are reasonably narrow:
- Pre-LOI cyber scans that deliver in five working days, not three weeks — so findings can shape the initial bid, not just confirm it.
- Confirmatory due diligence that maps risk to valuation in EUR, with named SPA negotiation asks — and that is delivered with a reliance letter compatible with R&W insurance.
- Post-merger cyber integration scoped as a 12-month workstream, with measurable progress against a defined remediation plan — not as a generic "improve security posture" line item.
- Continuous portfolio cyber watch between closing and exit, with a monthly reporting cadence to the operating partner — recognising that a 6.2-year hold cannot be governed by an annual snapshot.
- Exit-readiness review six to twelve months before sale, so the next buyer's cyber findings do not surface as a price reduction at the worst possible point in the process.
Each of these is a distinct stage in the lifecycle of a portfolio company. Each is a stage at which cyber findings — well-presented or badly presented — affect the EUR outcome of the transaction.
A Note for Operating Partners and CIOs
There is no honest reading of McKinsey's 2026 outlook that leaves cyber due diligence where it sat in 2024. The market is larger, faster, more tech-weighted and more cross-border than the DD process most DACH PE houses, family offices and M&A boutiques designed two cycles ago.
The decisions worth making now are not dramatic. They are structural: when a target reaches LOI in Q3 2026, is the cyber workstream ready to deliver in days, not weeks? When a portfolio company sits at hold-year four, is its cyber posture being measured monthly, or is it being assumed? When the next megadeal lands, does the integration plan have a named cyber workstream owner — or is it an item on the operating partner's worry list?
These are the conversations we are having in Q2 and Q3 2026 with DACH PE operating partners, family office CIOs and M&A advisory partners. If a current deal, holding, or pipeline question would benefit from a short conversation, that is the most useful place to start.
Sources and further reading:
- McKinsey & Company. 2026 M&A trends — Navigating a rapidly rebounding market. February 2026.
- BSI. IT-Grundschutz framework.
- European Commission. NIS2 Directive overview.