Trends in life sciences mergers and acquisitions, investment and strategic collaborations
Stéphanie De Smedt
Loyens & Loeff, Brussels
stephanie.de.smedt@loyensloeff.com
Gilles Pitschen
Loyens & Loeff, Zürich
gilles.pitschen@loyensloeff.com
Donika Morina
Loyens & Loeff, Zürich
donika.morina@loyensloeff.com
Dieuwke Hooft Graafland
Loyens & Loeff, Amsterdam
dieuwke.hooftgraafland@loyensloeff.com
Trends in Belgium: cybersecurity in healthcare and life sciences transactions
As the digital transformation accelerates and cyberspace becomes increasingly complex, cybersecurity has emerged as a critical concern for organisations active in healthcare and life sciences. The deep interconnectivity of the cyber ecosystem means that a breach involving a single entity can trigger a chain reaction, compromising entire networks, with far-reaching consequences. Even the smallest vulnerabilities in digital systems can lead to significant disruptions, ranging from financial losses to reputational damage.
For many organisations, cybersecurity is no longer merely an operational concern; it is a legal imperative. This is particularly true for entities in the life sciences and healthcare sectors. In 2024, Belgium became the first European Member State to transpose Directive (EU) 2022/2555, otherwise known as the NIS2 Directive, into national law. Other EU countries have since followed suit, although a significant number of EU Member States have not yet transposed the NIS2 Directive into national law as of the date of this publication, prompting criticism from the European Commission.
In Belgium alone, this new legislation is expected to impact over 2,500 entities across various sectors. In the healthcare sector, the following types of entities could qualify as ‘important’ or ‘essential’ according to the NIS2 Directive, depending on their size (and the size of the group of companies to which they belong):
- healthcare providers as defined in Article 3, point (g), of EU Directive 2011/24 of the European Parliament and of the Council on the application of patients’ rights in cross-border healthcare;
- EU reference laboratories referred to in Article 15 of EU Regulation 2022/2371 on serious cross-border threats to health;
- entities carrying out research and development activities relating to medicinal products, as defined in Article 1, point (2), of EU Directive 2001/83 on the Community code relating to medicinal products for human use;
- entities manufacturing basic pharmaceutical products and pharmaceutical preparations, referred to in Section C, division 21 of NACE Rev. 2, the ‘statistical classification of economic activities’ in the European Community (Nomenclature statistique des activités économiques dans la Communauté européenne or NACE); and
- entities manufacturing medical devices considered critical during a public health emergency within the meaning of Article 22 of EU Regulation 2022/123 on a reinforced role for the European Medicines Agency in terms of crisis preparedness and management for medicinal products and medical devices.
Additionally, manufacturers of medical devices and in vitro medical devices (referencing EU Regulation 2017/745 on medical devices), food business operators within the meaning of EU Regulation 178/2002 laying down the general principles and requirements of food law and entities subject to the EU REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals) Regulation may also qualify as ‘important’ entities under NIS2, if the relevant size thresholds are met.
A substantial number of players in the life sciences and healthcare industry may thus find themselves subject to this new legislation, although distributors (as opposed to manufacturers) of both pharmaceuticals and medical devices generally seem to be exempt from NIS2.
It is important to note that whether the triggering ‘in-scope’ activity constitutes the company’s main activity or only a secondary ancillary activity is largely irrelevant. With some limited exceptions, the entire legal entity’s operations will need to become compliant. Furthermore, groups with offices across the EU may need to comply with local implementation legislation in various EU countries.
In the context of M&A transactions, NIS2 has led to closer scrutiny of a target company’s cybersecurity standards and cyber resilience, from legal, organisational and technical perspectives. Legal due diligence in this area tends to focus on the applicability of NIS2, compliance with the obligation to self-register with the national cybersecurity regulator (which should have been completed by 18 March 2025), a high-level assessment of cybersecurity protection and liability arrangements in regard to the target’s contracts (primarily supply chain contracts), verification of any available (sometimes mandatory) certifications (eg, ISO 27001) and the absence of significant cybersecurity incidents (which are reportable to the regulator), disputes and claims, etc.
Management bodies will also need to become more heavily involved, as the law imposes several obligations and responsibilities on them. Specifically, management bodies of entities that fall within the scope of the NIS2 Directive must: (1) approve risk management measures related to cybersecurity and oversee their implementation; (2) complete regular training to ensure they possess the necessary knowledge and skills to identify risks, assess cybersecurity risk management practices and understand their impact on the services provided by their organisation; and (3) ensure the organisation’s compliance with the law. They can be held personally liable in cases of non-compliance. Sanctions under NIS2, for example, include a temporary ban from holding executive responsibilities within the organisation.
While 2025 will likely still be a year of transition, enforcement of the NIS2 Directive by national regulators is expected to gradually increase, especially in the event of major cybersecurity incidents or malicious attacks against hospitals or high-profile manufacturers of pharmaceuticals or medical devices. In the context of M&A transactions, the investment required to make a company NIS2 compliant will, in some cases, become a significant consideration. The acquisition by a large player of a small target company in an in-scope sector, which is not required to comply with NIS2 as part of the seller group, may trigger the entire NIS2 compliance regime for the target company (post-acquisition) and potentially for the buyer group (if it deploys fully integrated IT systems).
Trends in Switzerland: AI use in the healthcare sector under scrutiny
Artificial Intelligence (AI) is making its way into the healthcare sector, particularly in the area of pharmaceuticals, where AI is used in research and development, including to help process large amounts of data and evaluate different combinations of active ingredients more quickly. In regard to medical treatment, AI is increasingly being used in diagnostics and medical devices, either as standalone software or integrated into hardware components.
In Switzerland, the use of AI in the healthcare sector is under scrutiny and is a topic of increasing relevance in M&A transactions, both during the due diligence phase and in the negotiation of the transaction documentation. In particular, it has become common to include specific information requests targeting risks arising from the use of AI systems.
While there is currently no specific AI regulation in place in Switzerland, several legal requirements apply to the use of AI in Switzerland, including, but not limited to:
- discriminatory AI practices may violate Article 8 of the Swiss Federal Constitution or Article 3 of the Swiss Gender Equality Act, for example through AI-assisted hiring systems that discriminate between genders;
- AI systems must comply with the provisions of the Swiss Data Protection Act, which provides, in particular, that the processing of personal data must be fair and transparent;
- Article 3 of the Swiss Unfair Competition Act prohibits deceptive and unfair business practices, such as misleading advertising through AI-generated content;
- AI-enabled products and software must comply with Swiss safety and certification regulations, eg, with the requirements of the Swiss Therapeutic Products Act, the Swiss Ordinance on Medical Devices, the Swiss Ordinance on In vitro Diagnostic Medical Devices and the Swiss Ordinance on Clinical Trials with Medical Devices;
- manufacturers may incur liability for damages caused by defective products, including defects caused by built-in AI;
- AI systems should not infringe third parties’ intellectual property rights; and
- the use of AI may lead to criminal and civil liability, in particular, in relation to fraudulent behaviour and cybercrime.
In addition, activities in Switzerland may fall within the scope of application of the EU’s AI Act. The EU AI Act is applicable: (1) to any providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the EU, irrespective of whether those providers are established or located within the EU or in a third country, and (2) to providers and deployers of AI systems that have their place of establishment or are located in a third country, wherein the output produced by the AI system is used in the EU.
Furthermore, we recommend that legislative and administrative developments are closely monitored. On 27 March 2025, the Swiss government signed the Council of Europe’s Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law. As a consequence, the Swiss government has instructed the Federal Department of Justice and Police (FDJP) to prepare a draft consultation by the end of 2026 that defines the necessary legal measures to implement the Council of Europe's Convention on AI. This draft will cover areas such as transparency, data protection, non-discrimination and supervision. At the same time, the Federal Department of the Environment, Transport, Energy and Communications (DETEC), together with the FDJP, the Federal Department of Foreign Affairs (FDFA) and the Federal Department of Economic Affairs, Education and Research (EAER), will develop a plan for further measures not requiring legislative changes by the end of 2026. Therefore, several legislative changes are expected in the near term.
Generally, the Swiss government has communicated its position to create a regulatory environment that reinforces Switzerland as an innovation hub, while safeguarding fundamental rights and enhancing public trust in AI. While Switzerland’s approach to AI regulation remains rather liberal, sector-specific adjustments and alignment with international standards will play a central role in its approach going forward.
Such regulatory developments will have a direct impact on M&A transactions in the Swiss healthcare sector. In particular, the due diligence process will need to incorporate a more detailed assessment of target companies’ compliance with evolving AI regulations. Moreover, these factors will influence the negotiation of representations and warranties in transaction agreements, with buyers seeking enhanced contractual protection against regulatory uncertainties. As Switzerland adapts its AI regulatory framework, healthcare companies will need to proactively align themselves with the relevant legal standards to maintain their attractiveness to potential investors and acquirers.