Compliance for SMBs in 2026: what's actually table-stakes now

SOC 2 used to be the bar. It still matters, but the bar has moved. Here's what actually shows up in customer questionnaires, RFP responses, and cyber-insurance applications in 2026.

The compliance landscape for small and mid-size companies has shifted significantly over the past three years. SOC 2 used to be the only framework most growing companies needed to know about; now it is table-stakes for selling enterprise but rarely the whole picture. Cyber insurance has gotten harder to obtain; customer security questionnaires have gotten longer; EU regulators have stepped up enforcement; and a growing list of US states has passed privacy laws of its own.

This is the practitioner’s field guide. What’s required, when it applies, what it costs, and how to think about which layers you actually need.

SOC 2 — still the floor for B2B SaaS, but differently

What it is. SOC 2 is an attestation framework administered by the AICPA and performed by a licensed CPA firm. There are two reports: Type I (controls designed and in place at a point in time) and Type II (controls operating effectively over a period, commonly 6 to 12 months; a first Type II can cover as little as 3). Type II is the one customers actually want.

When it applies. If you sell software or services to enterprises, you’ll be asked for SOC 2 by the time you’re meaningfully selling above $50k ACV. Below that, customers tend to accept a cheaper alternative (Vanta-style “trust center” with raw evidence, CAIQ-Lite responses, or a strong security questionnaire response). Above $250k ACV, customers want Type II and will frequently want a year of audit history.

What it covers. Five trust-services criteria: Security (the common criteria, mandatory in every report), Availability, Processing Integrity, Confidentiality, Privacy. Most companies start with Security only and add the others as customer demand drives.

Cost in 2026. The audit itself runs $25,000 to $50,000 per year for a small company. The compliance-platform tooling (Vanta, Drata, Secureframe) runs $9,000 to $24,000 per year. The internal time to maintain it runs another $30,000 to $60,000 in a small company (a fraction of someone’s job, plus periodic burst work for audit preparation).

Total all-in: $65,000 to $135,000 per year for a small company running SOC 2 Type II as a core compliance program. That’s the modern floor.

What’s changed since 2023. The audit firms have gotten more rigorous (the era of “compliance theater” is largely over for serious auditors). Customer questionnaires now sometimes require evidence the auditor accepted, not just attestation that the audit happened. And customers are increasingly asking about the gaps — what’s not in your scope, what controls have exceptions, what subprocessors are in your supply chain.

ISO 27001 — increasingly the European complement to SOC 2

What it is. An international standard (ISO/IEC 27001:2022) for an information security management system (ISMS). Certification runs on a three-year cycle: an initial certification audit, surveillance audits in years one and two, and a full recertification audit in year three. Unlike SOC 2, the output is a certificate rather than a report, so customers will usually also ask for the Statement of Applicability to see which controls you scoped in.

When it applies. If you sell into Europe, customers increasingly ask for ISO 27001 in addition to or instead of SOC 2. Some industries (financial services, government-adjacent) require both globally. Within Europe, a SOC 2 alone is sometimes treated as insufficient evidence.

Cost. Similar to SOC 2 ($30,000 to $60,000 per year audit + tooling + internal time), with significant overlap in controls — meaning if you’re already running SOC 2, adding ISO 27001 is roughly 30-40% incremental rather than full additional cost.

Should you add it. If you have meaningful European customers or pipeline, yes. If you’re entirely US-focused, probably not yet — customers haven’t typically demanded it.

HIPAA — required if PHI touches you

What it is. US federal regulation for protected health information. Two main rules: Privacy (data handling, patient rights) and Security (technical, administrative, physical safeguards). Plus the Breach Notification Rule, which determines what you have to do when something goes wrong.

When it applies. If you're a covered entity (provider, health plan, healthcare clearinghouse) or a business associate (any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf), HIPAA applies to your operations. The catch: if you handle PHI even tangentially, as the IT vendor, accounting firm, or marketing agency working for a covered entity, you're a business associate, you need a business associate agreement, and the Security Rule applies to your IT setup.

Cost. There is no certification and no audit in the SOC 2 sense. What the Security Rule does require is a documented risk analysis and the safeguards that follow from it (encryption, access controls, audit logs, business associate agreements, breach response), and those impose real costs: typically $30,000 to $80,000 a year for a small healthcare-adjacent business when implemented competently.

What’s changed. OCR enforcement intensified throughout 2024 and 2025. The Office for Civil Rights conducted a wave of compliance reviews focused on smaller organizations that had previously flown under the radar, many of them centered on a missing or stale risk analysis. The “we’re a small practice, OCR doesn’t notice us” defense is less viable than it was.

PCI DSS — required if you take cards on your own systems

What it is. The Payment Card Industry Data Security Standard, currently v4.0.1, whose future-dated requirements became mandatory on 31 March 2025: twelve requirements grouped under six control goals. Merchants fall into four levels by annual transaction volume; Levels 2 through 4 generally self-assess with a Self-Assessment Questionnaire (SAQ), while Level 1 requires an annual on-site assessment by a Qualified Security Assessor and a Report on Compliance.

When it applies. If your systems store, process, or transmit cardholder data, or can affect the security of systems that do, PCI applies. Most SMBs reduce scope dramatically by using hosted payment pages or iframes (Stripe Checkout, Braintree-hosted, Adyen-hosted), so the card data never touches your infrastructure and you qualify for SAQ A. The caveat: if your own page collects the card number and posts it straight to the processor (a JavaScript form rather than an iframe or redirect), you fall into SAQ A-EP, which is considerably longer, and your web servers are back in scope.

Cost. Level 4 (under 20,000 e-commerce transactions a year and under 1 million in total) with a hosted page is roughly free, because SAQ A is short; which questionnaire you fill in is set by how card data flows, not by your level. Level 1 (over 6 million transactions a year) requires the audited on-site assessment and runs $50,000 to $250,000 a year. Most SMBs live at Level 4.

Best practice in 2026. Reduce scope as aggressively as possible. The cheapest PCI program is the one with the fewest systems in scope.
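The practical check behind "fewest systems in scope": card numbers only stay out of scope if they never land in your request bodies, logs, or support tickets, and a debug line that dumps a form is enough to pull a whole logging pipeline into PCI scope. The following added example (illustrative code, not from this article or any product it mentions) is a Luhn-filtered PAN scanner you can run over log exports or CI fixtures. It uses candidate digit runs of 13 to 19 digits, drops anything that fails the Luhn check so order IDs and timestamps are not flagged, and redacts hits to the last four digits. The log lines are constructed for the example; the card numbers are public test numbers.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so a 24-digit trace ID is ignored).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2026-03-02T10:14:07Z INFO checkout token=tok_1NxyzABC amount=4999 status=ok",
    "2026-03-02T10:14:09Z DEBUG raw_form card=4242424242424242 exp=12/28 cvc=***",
    "2026-03-02T10:14:11Z INFO order_id=1234567890123456 shipped",
    '2026-03-02T10:15:02Z WARN retry card="4012 8888 8888 1881" attempt=2',
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: True when the digit string has a valid check digit."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most PCI DSS lets you display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) present in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form; return (text, count)."""
    count = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)        # order IDs, timestamps etc. pass through untouched
        count += 1
        return mask_pan(digits)

    return _CANDIDATE.sub(_sub, text), count


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, redacted line) for every line carrying a PAN."""
    hits = []
    for n, line in enumerate(lines, start=1):
        redacted, count = redact_pans(line)
        if count:
            hits.append((n, redacted))
    return hits


if __name__ == "__main__":
    for n, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n} carried cardholder data: {line}")
```

Run it over an exported log bundle before you answer "no cardholder data is stored" on the SAQ; a single hit means the system that wrote the line is in scope until it is cleaned up and the leak is closed. Line 3 of the sample is the point of the Luhn filter: a 16-digit order ID that does not pass mod 10 is left alone instead of generating noise.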

GDPR / UK GDPR / state privacy laws

What they are. The EU General Data Protection Regulation, the UK’s adaptation post-Brexit, plus a growing patchwork of US state laws (CCPA/CPRA in California, plus Virginia, Colorado, Connecticut, Utah, and more on the way).

When they apply. GDPR applies if you have an establishment in the EU, or if you offer goods or services to people in the EU or monitor their behaviour (targeted marketing and web analytics on EU visitors both count); the test is where the people are, not their citizenship. The US state laws apply when you meet thresholds tied to revenue, the number of that state's residents whose data you process, or the share of revenue that comes from selling personal data.

Cost. Hard to estimate generically because the cost is mostly process changes (data subject access request workflows, vendor due diligence, data-processing agreements with subprocessors, privacy notices, records of processing), plus a Data Protection Officer for firms whose core activity is large-scale monitoring or special-category data, and an EU representative under Article 27 for companies with no EU establishment. For a typical 30-person SMB doing some EU business: $20,000 to $50,000 a year of privacy program cost, mostly internal time.

What’s changed. State privacy laws now form a meaningful patchwork. A US-only B2C company has to think seriously about the layered obligations across CA, VA, CO, CT, UT, and a growing roster of states adopting similar laws.

NIST Cybersecurity Framework — the lingua franca

What it is. Not a regulation. A framework. CSF 2.0 (February 2024) has six functions (Govern, Identify, Protect, Detect, Respond, Recover) that organize security activities, with categories and subcategories that describe the outcomes expected under each. Implementation tiers run from 1 (Partial) to 4 (Adaptive) and describe how rigorous your risk governance is; they are not a certification level.

When it applies. Always, in the sense that NIST CSF is the vocabulary cyber-insurance underwriters, customer questionnaires, and risk-management discussions reference. You don’t get audited against it directly, but you’ll be asked where your program falls within it.

Cost. Adopting NIST CSF as your organizing framework adds approximately zero direct cost — you’re going to do the activities anyway. The benefit is having a defensible map of where you are and where you’re going.

CMMC — required for DoD contractors

What it is. The DoD’s Cybersecurity Maturity Model Certification. Three levels by sensitivity of the information handled: Level 1 (Federal Contract Information; annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (CUI; the 110 controls of NIST SP 800-171, certified by a third-party assessor, a C3PAO, for most contracts and self-assessed for a minority), and Level 3 (assessed by DoD’s DIBCAC, adding controls from NIST SP 800-172).

When it applies. If you’re a defense contractor handling Federal Contract Information or Controlled Unclassified Information (CUI), CMMC applies. The program rule (32 CFR Part 170) took effect in December 2024, and the acquisition rule that puts CMMC clauses into new contracts began a phased rollout in November 2025, so the requirement now shows up in solicitations rather than as a future promise.

Cost. Significant. CMMC Level 2 implementation typically runs $150,000 to $500,000 in initial program cost for a small company, plus $50,000 to $150,000 per year ongoing. The C3PAO assessment itself adds $50,000 to $100,000 every three years.

Reality check. If you’re considering DoD contracting and aren’t already deep into compliance, the CMMC cost will dwarf the contract value for the first two years. Plan accordingly.

How to think about layering

A pragmatic ordering for most growing companies:

  1. Start with NIST CSF as your organizing framework, even if you don’t formally adopt it. The structure helps everything else fit together.
  2. Do SOC 2 Type II once you have meaningful enterprise customers ($50k+ ACV deals) or a pipeline that will demand it within a sales cycle. Don’t do it before; the cost outweighs the benefit. Remember that a Type II covers an observation period, so start the clock six to twelve months before the first customer needs the report.
  3. Add ISO 27001 if you have meaningful European business, otherwise skip until you do.
  4. HIPAA, PCI, GDPR/state privacy laws apply automatically based on your business — they’re not opt-in choices.
  5. CMMC and FedRAMP are large, late-stage commitments that should be deliberate decisions tied to specific opportunities.

The mistake we see most often is companies stacking frameworks because they think it makes them look more credible. It often does the opposite: every framework on your trust center is a maintenance commitment, and a poorly-maintained framework is worse than no framework at all. Pick the ones that match real customer demand or real regulatory exposure, run them well, and skip the rest until they matter.

How we think about compliance with our customers

When we onboard a new customer, our first question is usually: what compliance pressure are you actually under? That answer drives our Compliance Hub add-on configuration — which control mappings we maintain, which evidence we collect, which artifacts go in your quarterly report.

The second question is what compliance you’ll need within 18 months but don’t yet. That answer drives the build-out plan — small lift now to avoid big lift later.

If you’d like a candid view of what your compliance program should look like at your size and stage, the build flow is a starting point, and a 25-minute conversation usually gets you to a clearer answer than an afternoon of reading.

Technically reviewed by Tobias Wexler.

Want this turned into a real plan?

The build flow uses the same logic this article describes — three minutes to a configured IT department.