What is SOC 2 Compliance? The Complete Guide for European SaaS in 2026
If you sell SaaS to US enterprises, "SOC 2 compliance" will come up in every security questionnaire. And if you're based in Europe, you've probably noticed that most SOC 2 tooling is built for Delaware-incorporated, AWS-us-east-1 companies — not for you. This guide explains what SOC 2 actually is, what it requires, and how European SaaS companies can achieve it without re-architecting their stack around American defaults.
The one-sentence definition
SOC 2 is a voluntary audit framework developed by the American Institute of Certified Public Accountants (AICPA) that attests how a service organization handles customer data across five trust criteria: security, availability, processing integrity, confidentiality, and privacy.
Unlike ISO 27001 (which is a certification), SOC 2 is an attestation — an independent licensed CPA firm examines your controls and issues a report. That report is the deliverable you share with customers under NDA.
Why SOC 2 matters even if you're European
Three scenarios where you can't avoid SOC 2:
- Selling to US enterprises. Procurement will ask. No SOC 2 report = deal dies in security review.
- Raising from US-based VCs. Many US funds now include SOC 2 as a post-Series A expectation.
- Integrating with US SaaS platforms. The Salesforce, HubSpot, and Slack app stores increasingly require it for featured placement.
European-only SaaS selling to European customers usually doesn't need it — ISO 27001 is the equivalent locally. But the moment you open a US sales motion, SOC 2 becomes non-negotiable.
The five Trust Services Criteria (TSC)
SOC 2 lets you choose which of the five criteria you include in your audit. Most SaaS companies start with Security alone. The full list:
| Criterion | What it covers | Required for all SOC 2? |
|---|---|---|
| Security | Protection against unauthorized access, logical and physical | Yes (always) |
| Availability | System operates and is accessible as agreed | Only if you add it |
| Processing Integrity | System processing is complete, valid, accurate, authorized | Only if you add it |
| Confidentiality | Information designated as confidential is protected | Only if you add it |
| Privacy | Personal information collected, used, retained, disclosed per agreement | Only if you add it |
For most B2B SaaS: Security + Availability + Confidentiality is the standard bundle. Privacy is usually better handled via GDPR for European companies — dual-covering it under SOC 2 Privacy is overhead with little additional value.
Type 1 vs Type 2 — the most confusing part
This trips up every founder. Simplified:
- SOC 2 Type 1 — snapshot of your controls on a specific date. "Here's our control set as of March 15."
- SOC 2 Type 2 — tests the operating effectiveness of your controls over a period (typically 3 to 12 months). "Here are our controls and here's evidence they worked every day from Jan 1 to Dec 31."
Type 1 is faster to achieve (2-4 months from start) but has less market value. Many enterprise buyers won't accept it and require Type 2.
Type 2 is the real deal but requires a continuous observation window. You can't fake your way through — auditors will sample evidence across the period.
Typical journey:
- Month 1-3: readiness + gap closure
- Month 4: Type 1 audit (if going this route)
- Months 4-9: observation window for Type 2 (6 months is the most common length)
- Month 10: Type 2 audit
- Month 11: Type 2 report issued — share with customers
Many companies skip Type 1 and go straight to Type 2 after a 3-6 month observation window — saves money and you get market-ready evidence faster.
What controls does SOC 2 require?
SOC 2 doesn't prescribe specific controls — it asks you to design controls that achieve the criteria. But in practice, auditors expect a consistent set. For the Security criterion typical controls include:
- Access control — MFA, least privilege, access reviews quarterly
- Change management — code review required, production changes tracked
- Risk management — documented risk assessments, annual review
- Vendor management — critical vendors reviewed, their SOC 2 reports collected
- Incident response — documented playbook, tested annually
- Monitoring — SIEM or equivalent, security event logging
- Encryption — at rest and in transit for customer data
- Backup and recovery — documented, tested
- Vulnerability management — regular scans, patching SLAs (see our Vulnerability Management Guide)
- HR — background checks, security training, offboarding
Expect 60-120 individual controls depending on scope and company size.
Cost breakdown
See our dedicated SOC 2 Compliance Cost Guide for detailed numbers. Ballpark:
- Compliance automation platform: $8k-30k/year
- Audit firm (Type 2): $15k-60k
- Internal staff time: 200-600 hours over the year
- Pentest (annual): $5k-25k — see pentest costs
- Legal/policy review: $2k-8k
Total year-1 Type 2: $30k-120k depending on company size and existing maturity.
The European-SaaS challenge
If you're based in Germany, France, or elsewhere in the EU, SOC 2 tooling creates a specific problem: data residency. Popular SOC 2 tools (Vanta, Drata, Secureframe) host your compliance evidence in the US. That's often fine for the SOC 2 audit itself — but it creates friction with your own GDPR posture, your customers' data processing agreements, and your DORA/NIS2 obligations.
Matproof was built for this exact scenario:
- EU-hosted (Frankfurt, DE) — evidence stays in the EU, no GDPR Transfer Impact Assessment needed
- Dual framework — same controls mapped to both SOC 2 Trust Services Criteria and ISO 27001 Annex A, so a single audit effort covers both markets
- NIS2- and DORA-ready — the same evidence satisfies European regulators
- German-speaking support — you're not forced to run audit cycles in English
Start your SOC 2 readiness assessment or see how Matproof maps to SOC 2.
Realistic 12-month path to Type 2
Months 1-2: Readiness
- Scope decisions (which criteria, which systems)
- Pick audit firm + compliance tool
- Run readiness assessment — identify gaps
- Policy library drafted (25-40 policies)
Months 3-4: Gap remediation
- Implement missing controls (MFA gaps, logging, access reviews, etc.)
- Evidence collection automated where possible
- First pentest conducted
- Security training rolled out
Months 5-10: Observation window
- Live in "audit mode" — all controls in operation, evidence collecting
- Monthly access reviews, quarterly risk reviews, ongoing vulnerability management
- Any control break triggers a remediation ticket
Months 11-12: Audit + report
- Auditor does fieldwork (typically 3-5 weeks)
- Questions, sampling, interviews
- Report drafted, reviewed, issued
- Share SOC 2 Type 2 report with prospects
For teams with zero compliance infrastructure, first Type 2 report realistically takes 9-14 months.
Common mistakes
- Starting too early — don't pursue SOC 2 until you have 3+ serious US enterprise deals blocked on it. Premature SOC 2 burns resources without revenue impact.
- Scoping too wide — start with Security only. Add Availability and Confidentiality in Year 2 if needed.
- Picking the wrong audit firm — big firms (Deloitte, EY) cost 3x and give you a less responsive experience. Use specialized SOC 2 audit firms (e.g., A-LIGN, Prescient Assurance, Johanson Group).
- No compliance tool — trying to do SOC 2 with Google Drive works for the first audit, then collapses in Year 2. Invest in a platform from Day 1.
- Forgetting about renewal — Type 2 is annual. The first report is not the finish line.
SOC 2 vs ISO 27001 — which first?
Rough rule:
- US-only market → SOC 2 first
- EU-only market → ISO 27001 first
- Both markets → start with whichever first enterprise deal demands, then add the other
For European SaaS with transatlantic ambition, ISO 27001 is the better first investment because it earns you respect in both markets. Then SOC 2 adds ~40% additional scope the second time around, not 100% — because most controls overlap.
Matproof maps ISO 27001 Annex A and SOC 2 TSC to the same underlying controls, so running both in parallel is ~50% less effort than sequentially with separate tools.
Next steps
- Take the SOC 2 Readiness Assessment — 15 minutes, instant scoring, free.
- Read SOC 2 vs ISO 27001 comparison for decision framework.
- European SOC 2 alternative to Vanta/Drata — if you want to stay EU-hosted.
Related: SOC 2 Compliance Checklist | SOC 2 Type 1 vs Type 2 | SOC 2 Audit Preparation Guide | Vulnerability Management Guide