What SOC 2 Type 2 is, and why US customers ask for it
A US prospect asks for your SOC 2 Type 2 report, you do not have one, and the deal stalls. Here is what it is and the decision it forces.
A US prospect just asked for your SOC 2 Type 2 report, you do not have one, and the deal goes quiet. Their security team will not sign until they see it. The buying side wanted to move, but a missing report froze the contract.
I have watched this stall two Norwegian software firms this quarter. Both had good security. Neither had the one document the US buyer was trained to ask for. So the question on the table is not whether your controls are sound. It is whether an independent party can confirm they ran over time.

The deal stalls when the report is missing
A missing SOC 2 Type 2 report can park a US enterprise deal for months. In US procurement, the buyer’s security team often blocks the contract until a vendor hands over a current report. No report, no sign-off.
This hits Norwegian firms selling software, cloud services, or data handling to US customers. The larger the buyer, the harder the rule. Their own auditors and customers expect them to vet every supplier, and SOC 2 is the document they ask for by name. You can have strong controls and still lose the slot because you cannot prove it in the format they accept.
The cost is rarely a lost feature fight. It is a delayed signature, a procurement loop that drags into the next quarter, or a deal that quietly moves to a competitor who already holds the report.
What SOC 2 Type 2 is, in plain terms
SOC 2 is a US reporting standard from the AICPA, the American Institute of Certified Public Accountants, the body that sets audit rules for US accountants. It measures how a service company protects customer data. An independent auditor reviews your controls and writes a report on what they found.
It is a report, not a certificate. You do not pass or fail and get a badge. You get a written opinion from a licensed CPA firm (a US accounting firm allowed to perform these examinations) describing your controls and whether they worked. The work is an attestation, meaning the auditor inspects the evidence and states a professional opinion on it.
The review is built on the trust services criteria, the AICPA’s set of control standards. There are five categories: security, availability, processing integrity, confidentiality, and privacy. Security is required in every report. The other four are optional, and you choose them based on what you promise customers.
The difference between Type 1 and Type 2 is time. A SOC 2 Type 1 report checks that your controls are designed correctly on a single day. A SOC 2 Type 2 report (also written SOC 2 Type II) checks that those controls really operated over a stretch of time, usually three to twelve months. That stretch is called the observation period. Type 1 says the controls exist. Type 2 says they ran.
US buyers ask for Type 2 because it shows the practice held up, not just the plan. A snapshot is easy to stage. A report covering a full period is harder to fake and tells the buyer your controls survived real operations. For deeper context on which report fits a Norwegian firm and when Type 1 is enough, see our SOC 2 guide for Norwegian SMBs.
What the auditor really does
The auditor inspects evidence over the observation period, not just policy documents. They sample your access logs, change records, onboarding files, and incident handling across the months under review. They are testing whether the control ran every time it was supposed to, not whether you wrote it down once.
This is why the observation period matters to your calendar. If a buyer wants a report covering six months of operation, you cannot produce it in two weeks. The clock has to run first. Firms that start the day a deal appears are already months behind the buyer’s request.
The decision the board has to make
The board has one decision: commit to the observation period and the audit spend now, or accept that some US deals will stall until you do. There is no shortcut that skips the time on the clock.
If selling into the US is part of your plan, the report is a cost of market access, not an IT line item. Starting early means you hold a current report when the prospect asks, instead of asking them to wait two quarters while the period runs. The firms that win the slot are the ones who decided before the buyer asked.
FM CyberSecurity advises on readiness. We map your controls to the trust services criteria, close the gaps, and get you audit-ready. The SOC 2 report itself is issued by a licensed CPA firm, not by FM CyberSecurity, and we work alongside that firm so the examination goes smoothly.
See FM CyberSecurity’s credentials and partner certifications at /partners/. Or book a 30-minute board-level conversation on whether SOC 2 Type 2 belongs in your next year of US sales.
FAQ
Type 1 or Type 2, which do we need?
It depends on what the buyer asked for. Type 1 confirms your controls are designed correctly on one day. Type 2 confirms they operated over three to twelve months. US enterprise buyers usually name Type 2, because it shows the controls held up in practice. Type 1 can buy time as a first step while the Type 2 observation period runs. Our SOC 2 guide for Norwegian SMBs covers the choice in depth.
How long does SOC 2 Type 2 take?
Plan for several months, driven by the observation period. That window typically runs three to twelve months, and the auditor can only report after it closes. Add preparation before and report writing after. If you wait until a prospect asks, you are already behind their request, because the clock cannot be compressed.
Is SOC 2 the same as ISO 27001?
No. SOC 2 is a US attestation report from a CPA firm built on the AICPA trust services criteria. ISO 27001 is an international certification of an information security management system. US buyers tend to ask for SOC 2 by name. Some firms hold both. Which one fits your sales plan is a strategy question we cover in the SOC 2 guide for Norwegian SMBs.
Who can issue the SOC 2 report?
Only a licensed CPA firm, a US accounting firm authorised to perform these examinations. The report is the auditor’s independent opinion, so it cannot come from your own team or from a consultant. FM CyberSecurity gets you audit-ready and works alongside the CPA firm, but the report is theirs to sign.
Is SOC 2 a certificate?
No. SOC 2 is a report, an auditor’s written opinion on your controls. There is no pass or fail badge. The buyer reads the report and decides whether your controls meet their bar. That is why the contents matter more than the label.