nullsys provides independent technical due diligence for M&A transactions in Croatia and the SEE region. Engaged directly by law firms and acquirers. No vendor relationships. No implementation work. Objective by design.
Technical due diligence is our primary service. IT Revision is available as a standalone engagement for boards and regulators. We assess and report independently, on a fixed timeline, with findings that hold up under scrutiny.
An independent assessment of the target company's IT infrastructure, security posture, licence compliance, and regulatory exposure. Delivered within the transaction timeline.
A structured, independent review of IT controls, security, and regulatory compliance delivered as a formal report to board level. Credible to investors and regulators in a way internal assessments cannot be.
In Croatian and SEE M&A transactions, IT infrastructure review is the last workstream to be commissioned, if it happens at all. These are the liabilities that surface after close.
Critical processes running on unmanaged infrastructure, invisible until operational disruption occurs post-close.
Microsoft, Oracle, and Adobe liabilities that transfer with the transaction as six-figure compliance obligations.
Unpatched systems and prior incidents that were never disclosed. These become the acquirer's liability on day one.
Inherited NIS2 and GDPR non-compliance that transfers with the acquisition and immediately becomes the acquirer's gap.
Without an independent baseline, post-acquisition IT costs are systematically underestimated in the deal model.
Systems maintained by one or two individuals. When they leave, institutional knowledge leaves with them.
Six phases from initial contact to delivery. Proactive communication throughout. We align to your transaction deadline, not the other way around.
Understanding the transaction context, target size, time window, and access level. NDA signed before any information about the target is shared. Fixed fee confirmed before work begins.
Preparation of a Risk and Controls Matrix and initial document request list for the target. Interview schedule defined with key contacts. This prevents scope creep and protects your timeline.
On-site or remote interviews with CIO and IT leads. Direct observation of controls in operation, not just documentation review.
Testing whether controls function in practice. Vulnerability assessment, licence audit, NIS2 and GDPR gap analysis.
Risk classification, cost quantification, draft shared with the client before finalisation. You review before anything is locked. No surprises at the end.
Findings presented to the acquirer and legal team. Rep and warranty input sheet delivered in a format the legal team can use directly.
nullsys has no commercial relationship with technology vendors, system integrators, or cloud providers. Our findings are objective by design. We have no incentive other than accuracy.
This is what makes our assessments credible to investors, acquirers, boards, and regulators in a way that internal IT team reports or vendor-affiliated consultants cannot be.
We put this in writing in every engagement agreement.
Law firms introduce nullsys when IT risk is material. We engage directly with the acquirer or target under a separate NDA. Project-based, no retainer required.
We run alongside legal and financial diligence simultaneously. We align our timeline to the transaction deadline.
Findings delivered in a format the legal team uses directly to draft IT-related representations and warranties in the SPA. No translation required.
nullsys is structured to integrate into your M&A workflow without friction. We work alongside legal and financial advisors as an independent technical workstream, not as a competitor to any part of your process.
Law firms refer nullsys to the acquirer or the deal team. We sign a separate engagement letter and NDA directly with the client. Your firm is not a party to the technical engagement. This keeps liability clean on both sides.
nullsys can be included in your engagement scope as an IT due diligence line item charged to the end client. We issue our own invoice, or we can coordinate billing through your firm. Whichever structure your engagement model requires.
Our findings are delivered in a Rep and Warranty Input Sheet formatted for direct use in SPA clause drafting. Your team receives structured IT risk findings, not a raw technical report requiring interpretation.
We run as a parallel workstream alongside legal and financial diligence. We adapt to your transaction deadline, not the other way around. Typical technical DD is completed within 10 to 20 business days depending on target size.
No retainer. No vendor relationship. nullsys is engaged on a project basis per transaction. There is no ongoing commercial relationship that could create a conflict of interest. Our independence is contractual. We put it in writing in every engagement agreement. If a deal does not proceed, there is no further obligation.
Common questions from law firms, acquirers, and boards considering a technical due diligence engagement.
IT due diligence is an independent assessment of a target company's technology infrastructure, security posture, software licence compliance, and regulatory exposure. Conducted before the transaction closes. The goal is to surface hidden liabilities such as shadow IT, unlicensed software, breach history, and inherited NIS2 or GDPR gaps that would transfer to the acquirer, and to quantify the integration cost baseline for the deal model.
Independence means the assessor has no commercial relationship with technology vendors, system integrators, or cloud providers, and no implementation work to sell after the engagement. This removes incentive bias from findings. An independent report carries credibility with investors, acquirers, boards, and regulators in a way that internal IT assessments or vendor-affiliated consultants cannot. nullsys puts this commitment in writing in every engagement agreement.
The engagement covers infrastructure and architecture review, security vulnerability assessment, software licence compliance audit, NIS2 and GDPR gap analysis, integration cost baseline, and a rep and warranty input sheet formatted for direct use by the legal team in SPA clause drafting. The engagement runs across six phases from scoping to delivery, typically 10 to 20 business days depending on target size.
Law firms introduce nullsys when IT risk is material to a transaction. nullsys signs a separate engagement letter and NDA directly with the acquirer or deal team. The referring firm is not a party to the technical engagement. nullsys can be billed as an IT due diligence line item through the law firm's engagement scope or independently. Output is delivered as a Rep and Warranty Input Sheet requiring no technical translation by the legal team.
IT due diligence is transaction-driven, commissioned by an acquirer or their advisors ahead of an M&A close to assess a target company's IT risk. An IT compliance audit (IT Revision) is governance-driven, commissioned by a board, management, or regulator to assess whether an organisation's own IT controls and security posture meet applicable standards such as NIS2 or GDPR. nullsys offers both as separate services.
nullsys is based in Zagreb, Croatia, and covers the broader Southeast Europe region including Slovenia, Bosnia and Herzegovina, Serbia, North Macedonia, Montenegro, and Albania. Engagements can be conducted on-site or remotely depending on access requirements and target location.
The initial call is to understand your transaction context and establish whether nullsys is the right fit. No obligation, no pitch deck.
We work with law firms referring technical diligence on M&A mandates, acquirers preparing for close, and boards requiring independent IT revision.
nullsys has no commercial relationship with technology vendors, system integrators, or cloud providers. Engagement fee is not contingent on findings.
All engagements are governed by a mutual NDA prior to any information exchange. Findings are disclosed solely to the engaging party and are not shared with the target without written consent.
nullsys assessments are advisory in nature. Liability is limited to the engagement fee. Reports are prepared for the exclusive use of the engaging party and may not be relied upon by third parties without prior written agreement.
Engagements are governed by the laws of the Republic of Croatia. Any disputes are subject to the exclusive jurisdiction of the competent courts in Zagreb.