SOC 2
November 2025
SOC 2 for European companies: When it makes sense and how to approach it
By Swapna De., Managing Director, AuditVantage® GmbH
SOC 2 is an American attestation framework developed by the AICPA. It is not a certification. What it produces is an attestation report, issued by a licensed CPA firm, confirming that a service organisation's controls meet the Trust Services Criteria.
For European companies, the natural question is: why would I need this?
The commercial driver
The answer is almost always the same: an American enterprise customer has asked for it. SOC 2 reports are a standard procurement requirement for US enterprise accounts, particularly in technology, financial services, and healthcare. If you are a European SaaS company selling into the US market, you will encounter this request.
SOC 2 does not compete with ISO 27001. Many organisations that need both run the programmes in parallel, mapping common controls to reduce duplication.
Type I vs Type II
A Type I report describes your controls at a point in time and attests that they are suitably designed. A Type II report covers a period, typically six to twelve months, and attests that the controls operated effectively throughout that period. Enterprise clients almost always require Type II.
How to approach it as a European company
The first step is scoping: selecting the Trust Services Criteria relevant to your service. Security is always included. Availability, confidentiality, processing integrity, and privacy are included based on your service commitments and customer expectations.
The second step is control design and evidence collection. The overlap with ISO 27001 is valuable here. Many of the controls required for SOC 2 are already present in a well-designed ISMS. The key is mapping them correctly and building the evidence infrastructure that a CPA attestation requires.
AuditVantage® designs SOC 2 programmes for European companies, integrated with existing ISO 27001 or other framework implementations where applicable. Get in touch to discuss your requirements.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
Should I get SOC 2 Type I or Type II first?
Most organisations start with Type I, which attests to the design of controls at a point in time. Type II attests to operating effectiveness over a period (typically six to twelve months). Type I is faster and lower-cost; Type II is more credible to enterprise buyers. The right starting point depends on the timeline of your enterprise sales cycle. Many organisations begin a Type II observation window immediately after Type I completion.
Who can perform a SOC 2 audit?
SOC 2 audits are conducted by licensed CPA firms (in the United States) or by equivalently licensed practitioners in other jurisdictions. The audit firm must be independent of the audited entity. For European organisations, the practical question is selecting an audit firm with experience auditing European entities for US enterprise customers; most major audit firms now offer this.
Is SOC 2 recognised in Europe?
SOC 2 is increasingly recognised in Europe, particularly for SaaS providers selling to US enterprise customers and to European subsidiaries of US companies. For purely European procurement, ISO 27001 remains the more common requirement. Organisations selling across both markets often hold both. SOC 2 and ISO 27001 cover substantially overlapping ground; many controls map across both frameworks.
What is a SOC 2 bridge letter?
A bridge letter (also called a gap letter) is issued by the audited entity between the end of one SOC 2 Type II observation period and the start of the next. It states that no significant changes have occurred and that the controls continue to operate effectively. Buyers often request a bridge letter when the most recent SOC 2 report is older than six months. The bridge letter is not a formal audit.
How does SOC 2 compare to ISO 27001?
SOC 2 is an attestation framework under AICPA standards, focused on Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). ISO 27001 is a certification framework under ISO standards, focused on an Information Security Management System. SOC 2 produces a detailed report describing controls and audit findings. ISO 27001 produces a certificate that the management system meets the standard. They are not interchangeable, but they are mappable.
Do I need SOC 2 Common Criteria or specific Trust Services Criteria?
Every SOC 2 report covers the Common Criteria (CC1 through CC9), which are mandatory. Beyond that, you select additional Trust Services Criteria based on commitments you make to customers: Availability, Confidentiality, Processing Integrity, Privacy. Most SaaS providers start with Common Criteria plus Availability and Confidentiality. Adding Privacy and Processing Integrity expands scope significantly.