
SOC 2, ISO 27001, HIPAA & GDPR: The Complete Compliance Guide for 2026

Updated June 2026 · 12 min read

Every growing technology company eventually faces the same compliance question: which frameworks do we need, and where do we start? SOC 2, ISO 27001, HIPAA, GDPR — these acronyms represent real legal obligations, enterprise sales requirements, and customer trust signals that determine whether deals close or fall apart. This guide explains each major compliance framework in plain English, tells you who actually needs it, and shows you how to start your compliance journey today without spending tens of thousands on consultants.


What Is Compliance and Why Does It Matter for Technology Companies?

Compliance means demonstrating that your organization follows specific rules — legal regulations, industry standards, or contractual requirements — about how you handle data, manage security risks, and operate your business. For technology companies, compliance matters for three distinct reasons.

First, it is increasingly a legal requirement. GDPR applies to any company processing EU residents' data, regardless of where the company is based. HIPAA applies to any company touching US healthcare data. Violations carry fines measured in millions: GDPR can reach €20M or 4% of global revenue; HIPAA violations have cost organizations up to $1.9M per violation type per year.

Second, it is an enterprise sales requirement. Over 70% of enterprise procurement processes now include a security questionnaire, and an increasing number require SOC 2 or ISO 27001 certification before signing contracts. Without compliance, deals die in procurement — the software might be brilliant but the deal never closes.

Third, it is a trust signal that converts prospects. A SOC 2 badge on your pricing page or a GDPR-compliant privacy policy communicates that your company takes data protection seriously. In competitive markets, this directly affects conversion.

SOC 2: The US Enterprise Sales Certificate

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of CPAs. It evaluates how well a company protects customer data across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most companies pursue the Security criterion as a minimum.

SOC 2 Type I is a point-in-time assessment — it certifies your controls exist as of a specific date. SOC 2 Type II covers a monitoring period (typically 6-12 months) and certifies that controls operated effectively throughout that period. Enterprise customers almost universally require Type II.

Who needs SOC 2: SaaS companies, cloud service providers, managed service providers, and any B2B technology company with enterprise customers. Companies selling into healthcare, finance, or government verticals typically need it sooner.

Typical timeline: 2-4 months to close gaps, then 6-12 months of monitoring, then 2-4 months for the audit itself. Total: 10-18 months for a first Type II report. Costs range from $15,000-$80,000+ depending on scope and auditor.

What auditors actually check: vendor access controls, MFA on all systems, patch management, vulnerability scanning, incident response procedures, encryption, background checks, change management, and business continuity plans.

ISO 27001: The Global Information Security Standard

ISO 27001:2022 is an international standard specifying requirements for an Information Security Management System (ISMS). Unlike SOC 2, which is primarily US-centric, ISO 27001 is recognized in 160+ countries and is often preferred by European enterprises, government contractors, and multinational companies.

The 2022 revision updated the control structure from 114 controls across 14 domains to 93 controls across four themes: Organizational, People, Physical, and Technological. The certification process involves implementing the ISMS, completing a risk assessment, documenting a Statement of Applicability (SoA), and passing a two-stage audit by an accredited certification body.

Who needs ISO 27001: Companies with European or international enterprise customers, companies pursuing government contracts outside the US, organizations where a globally recognized standard is preferred over a US-specific one, and companies that want the discipline of a full ISMS rather than a point-in-time audit.

ISO 27001 vs SOC 2: Many companies pursue both. The standards have significant overlap — approximately 60-70% of controls are common — so implementing one makes the other substantially faster and cheaper.

HIPAA: The US Healthcare Privacy Law

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets mandatory requirements for protecting Protected Health Information (PHI) — any individually identifiable health data. HIPAA compliance is not optional for covered entities and their business associates.

HIPAA has three main rules: the Privacy Rule (who can access PHI and for what purpose), the Security Rule (administrative, physical, and technical safeguards for electronic PHI), and the Breach Notification Rule (how to respond when PHI is compromised).

Who must comply: Healthcare providers, health insurance companies, healthcare clearinghouses (Covered Entities), and any vendor that handles PHI on behalf of a Covered Entity (Business Associates). This includes medical apps, health data analytics platforms, telehealth software, medical billing systems, and any SaaS tool used by healthcare organizations that could access patient data.

Key requirements include: appointing a Privacy Officer and Security Officer, signing Business Associate Agreements (BAAs) with all vendors, conducting annual Security Risk Assessments, encrypting PHI, implementing access controls, and training all staff annually. Penalties range from $100 to $50,000+ per violation, capped at $1.9M per violation category per year.

GDPR: The European Data Privacy Regulation

The General Data Protection Regulation applies to any organization that collects, processes, or stores personal data of EU/EEA residents — regardless of where the organization is headquartered. A startup in Austin that has EU website visitors must comply with GDPR.

GDPR's core principles are: lawfulness (you need a legal basis for processing), purpose limitation (collect data only for stated purposes), data minimization (collect only what you need), accuracy (keep data correct), storage limitation (don't keep data longer than needed), and accountability (document everything).

The eight data subject rights under GDPR are: Right to Access, Right to Rectification, Right to Erasure ("right to be forgotten"), Right to Restrict Processing, Right to Data Portability, Right to Object, Rights Related to Automated Decision-Making, and Right to Withdraw Consent.

Practical GDPR compliance requires: a GDPR-compliant privacy policy, documented legal basis for each processing activity, a Record of Processing Activities (ROPA), Data Processing Agreements with vendors, a 72-hour breach notification procedure, and processes for handling data subject requests within 30 days. Organizations meeting the criteria must also appoint a Data Protection Officer (DPO).

Fines: Up to €10M or 2% of global annual revenue for procedural violations; up to €20M or 4% of global annual revenue for fundamental violations of core principles.

PCI DSS, NIST CSF, CIS Controls, and Other Frameworks

PCI DSS v4.0 (Payment Card Industry Data Security Standard) is mandatory for any organization that processes, stores, or transmits payment card data. The standard is maintained by the PCI Security Standards Council (representing Visa, Mastercard, and other card networks). Non-compliance risks include fines, increased transaction fees, and ultimately losing the ability to accept card payments. PCI DSS v4.0, released in March 2022, introduced new requirements including multi-factor authentication for all access to the cardholder data environment, and enhanced phishing countermeasures.

NIST Cybersecurity Framework v2.0 is a voluntary framework published by the US National Institute of Standards and Technology. The 2024 version adds a sixth function — Govern — to the original five (Identify, Protect, Detect, Respond, Recover). NIST CSF is widely adopted by US critical infrastructure, federal agencies, and companies seeking a structured approach to cybersecurity risk management. It is not a certification but a maturity model.

CIS Controls v8 (Center for Internet Security) is an ordered set of 18 prioritized security best practices. Unlike SOC 2 or ISO 27001, CIS Controls focus on practical security improvement rather than certification. They are ideal for organizations with no formal security program that need a clear, prioritized starting point. Implementation Groups (IG1, IG2, IG3) allow organizations to focus on controls proportionate to their size and risk.

Where to Start: A Practical Compliance Roadmap

The right starting point depends on your situation:

1. If you have zero formal security program: Start with CIS Controls IG1 (6 foundational controls) and Internal Compliance policies simultaneously. This takes 1-3 months and costs very little. It gives you the foundation that every other framework builds on.

2. If you are a SaaS company starting to sell to US enterprises: Pursue SOC 2. Begin immediately — the observation period is the long part. Use this tool to identify your gaps, close them, then engage an auditor. Budget $20,000-$50,000 for a mid-market auditor.

3. If you have EU customers: GDPR compliance is a legal obligation, not a choice. Start with a data mapping exercise, update your privacy policy, put DPAs in place with vendors, and create a breach response procedure. This can be done in 6-10 weeks with the right resources.

4. If you handle health data: HIPAA is a legal requirement. Appoint your Privacy and Security Officers, complete a Security Risk Assessment, and ensure every vendor with PHI access has a BAA in place.

5. If you want global enterprise certification: Pursue ISO 27001 — it is recognized worldwide and often satisfies customers in both the US and Europe.

Using Formly's Compliance AI tool, you can complete a gap assessment for any of these frameworks in under 10 minutes, identify your most critical gaps, and generate a phased remediation roadmap — without paying a consultant for the initial scoping work.

Frequently Asked Questions

What is the fastest compliance certification to get?

CCPA compliance (if you have California customers) and basic GDPR compliance can typically be achieved in 4-8 weeks with the right documentation. SOC 2 Type I (point-in-time) takes 2-4 months of preparation. CIS Controls IG1 can be implemented in 1-3 months. Full SOC 2 Type II or ISO 27001 certification takes 10-18 months.

Do I need a compliance consultant or can I do it myself?

For initial gap assessment and roadmap planning, tools like Formly's Compliance AI can get you 80% of the way at zero cost. For the actual audit (SOC 2, ISO 27001), you need a licensed auditor/certification body — this is not optional. For implementation, many companies handle it internally with a dedicated person; consultants accelerate the process but are not required.

What is the difference between a compliance certification and compliance?

Compliance means following the rules. A certification is a third-party attestation (by a licensed auditor) that you are following the rules. SOC 2 and ISO 27001 are certifications. GDPR and HIPAA are legal compliance obligations — there is no "certification" for these, just legal compliance and the risk of enforcement action.

Does the compliance AI tool work for startups?

Yes — it is specifically designed with beginner-friendly explanations for companies new to compliance. The "Which framework do I need?" recommender helps startups identify the right starting point. The tool covers everything from Internal Compliance (ideal for early-stage companies) to FedRAMP (for cloud providers selling to the US government).
