
SOC 2 Type II

System and Organization Controls 2 - Type II Report

Organization: AICPA
Category: Audit & Assurance

3 Related Articles | 18 Articles with Obligations | 9 Key Sections | 9 Coverage Areas

Overview

Audit framework for assessing the security, availability, processing integrity, confidentiality, and privacy of service organization systems. Essential for DSA transparency and accountability obligations, providing the independent assurance reports required by Articles 37, 40, and 42.

Applicability

Independent audit reports for service organizations and online platforms

Relevance to Digital Services Act (DSA)

Essential for DSA independent audits (Article 37), accountability (Article 40), and transparency reporting (Article 42)

Key Coverage Areas

1. Security (Common Criteria)
2. Availability
3. Processing integrity
4. Confidentiality
5. Privacy
6. Independent audit and assurance
7. Control effectiveness over time (Type II)
8. Third-party attestation
9. Trust service principles

Standard Sections & Chapters

CC1: Control Environment
CC2: Communication and Information
CC3: Risk Assessment
CC4: Monitoring Activities
CC5: Control Activities
CC6: Logical and Physical Access
CC7: System Operations
CC8: Change Management
CC9: Risk Mitigation

Related Digital Services Act (DSA) Articles

Article 15: Transparency reporting obligations for providers of intermediary services

Sections: CC2, CC4

Communication and monitoring activities

Implementation Guidance:

Use SOC 2 framework for transparency reporting and monitoring

Mapped Obligations:

  • Publish annual transparency reports in machine-readable format

Article 37: Independent audit

Sections: All

Independent audit and assurance framework

Implementation Guidance:

Obtain SOC 2 Type II audit to demonstrate compliance with DSA requirements

Mapped Obligations:

  • Undergo independent audits at least annually at their own expense
  • Provide auditors with full cooperation, access to data and premises
  • Ensure auditor independence (no conflicts of interest, no non-audit services 12 months before/after)
  • Obtain written audit report with specific required elements
  • Implement audit recommendations within one month if audit is not positive
  • Ensure auditor has proven expertise in risk management and technical competence
  • Maintain confidentiality while enabling transparency reporting
  • Limit auditor tenure to maximum 10 consecutive years

Article 42: Transparency reporting obligations

Sections: CC2, CC4

Communication and monitoring for accountability

Implementation Guidance:

Use SOC 2 framework to support transparency reporting

Mapped Obligations:

  • Publish transparency reports within 2 months of designation and then every 6 months
  • Submit and publish risk assessment results within 3 months of audit completion
  • Publish audit reports and implementation reports

Quick Information

Organization: AICPA
Category: Audit & Assurance
Certification: Available
