NIS2 issued its first administrative penalties in Q1 2026. DORA has been in full force for EU financial entities since January 2025. GDPR enforcement generated €2.1 billion in fines in 2025 alone — bringing the cumulative total past €7.1 billion since 2018. The message from regulators is consistent: compliance isn't optional, and they're paying attention.
But "which framework do I need?" is still one of the most common questions from founders and engineering leaders who aren't steeped in compliance. The honest answer is that most companies need more than one — and which ones depends on where you're based, what data you handle, and who your customers are. Let me break it down.
This guide covers the four frameworks that come up in almost every enterprise deal: GDPR, HIPAA, SOC 2, and ISO 27001. For each one, you'll find the trigger (who legally has to comply), the core requirements, the penalties for ignoring it, and the typical timeline to get there.
The short answer: it depends on three things
Before getting into each framework individually, here's the decision logic that drives almost every compliance conversation:
- Where are your data subjects? If any of your users, customers, or website visitors are in the EU, GDPR applies to you — regardless of where your company is.
- What type of data do you handle? Protected health information (PHI) triggers HIPAA. Payment card data triggers PCI-DSS. Most other sensitive personal data falls under GDPR and/or US state privacy laws.
- Who are your customers? Enterprise B2B buyers increasingly require SOC 2 or ISO 27001 as a condition of vendor onboarding. Which one they want depends on their industry and geography.
Most SaaS companies end up needing at least two of these frameworks. A healthcare startup serving US hospitals needs both HIPAA and SOC 2 (and probably GDPR if they have any EU-based users). A security tool selling to European enterprises needs SOC 2 for US deals and ISO 27001 for EU deals — plus GDPR for handling their customers' data.
GDPR: the global default for anyone with EU users
General Data Protection Regulation
Triggered by: Processing personal data of people located in the EU, regardless of where your company is based.
Applies to: Any organization that collects, stores, or processes EU personal data — including US companies with EU customers, EU-resident employees, or EU website visitors tracked by analytics or cookies.
Administered by: EU member state Data Protection Authorities (DPAs) — Ireland's DPC, France's CNIL, Germany's Länder DPAs, etc.
GDPR is the one most US companies get wrong. They assume it doesn't apply because they're not based in Europe. It does. The "establishment" test and the "targeting" test both extend GDPR to US businesses. If you're tracking EU visitors with Google Analytics, running retargeting ads to EU audiences, or selling to EU companies — you're in scope.
The core GDPR requirements that get companies in trouble:
- Lawful basis for processing: You need a documented legal reason for every category of personal data you collect. "We need it for our product" isn't a legal basis. Consent, contract, legitimate interests, legal obligation — each must be documented and applied correctly.
- Privacy notices: Articles 13 and 14 require detailed disclosures about what you collect, why, how long you keep it, and who you share it with. The EDPB made transparency violations its 2026 enforcement priority.
- Data subject rights: You must be able to handle requests for access, deletion, correction, portability, and restriction — with responses required within 30 days.
- Data transfers: Moving EU personal data to countries without an adequacy decision (including most US-based cloud services) requires Standard Contractual Clauses or another approved transfer mechanism.
- Breach notification: Reportable breaches must be notified to your DPA within 72 hours of discovery.
Penalties: Up to €20 million or 4% of global annual turnover for the most serious violations. GDPR has generated over €7.1 billion in cumulative fines since 2018, with €2.1 billion issued in 2025.
Timeline: GDPR compliance is ongoing — there's no certification or audit. You need documented policies, a record of processing activities (ROPA), consent management (if you rely on consent), and operational processes for handling data subject requests and breaches. For a typical SaaS company, getting foundational GDPR compliance in place takes 1-3 months of focused work, with ongoing maintenance after that.
HIPAA: mandatory if you touch health data
Health Insurance Portability and Accountability Act
Triggered by: Creating, receiving, maintaining, or transmitting protected health information (PHI) as a covered entity or business associate.
Applies to: Healthcare providers, health plans, healthcare clearinghouses (covered entities), and any vendor that handles PHI on their behalf (business associates). If your SaaS stores or processes patient data, you're a business associate.
Administered by: HHS Office for Civil Rights (OCR).
HIPAA isn't optional if you're in the healthcare software space. It doesn't matter whether you think of yourself as a tech company or a healthcare company — if your product processes PHI on behalf of a hospital, clinic, or health plan, you're a business associate and the Security Rule, Privacy Rule, and Breach Notification Rule all apply to you.
The three HIPAA rules you need to know:
- Privacy Rule: Governs how PHI can be used and disclosed. Covered entities must have a Notice of Privacy Practices. Both covered entities and business associates must limit PHI use to the minimum necessary for the stated purpose.
- Security Rule: Specifies administrative, physical, and technical safeguards for electronic PHI (ePHI). HHS proposed the most significant Security Rule overhaul in 20 years in December 2024 — encryption and MFA are moving from "addressable" to mandatory. This update was expected to finalize in mid-2026.
- Breach Notification Rule: Covered entities must notify affected individuals within 60 days of discovering a breach. Breaches affecting 500+ individuals in a state require simultaneous media notice and immediate HHS reporting.
Penalties: Up to $2.1 million per violation category per calendar year. OCR enforcement has accelerated — settlements and civil monetary penalties have been issued for documentation failures, not just data breaches.
Timeline: Like GDPR, HIPAA compliance is ongoing with no certification. Getting the required policies, BAAs, and technical safeguards in place typically takes 2-4 months for a software company new to the space. The Security Rule's proposed encryption and MFA mandates (if finalized as expected) will require additional technical work for organizations currently treating those as addressable.
Business Associate Agreements are a HIPAA requirement — but signing one doesn't mean you're compliant. The BAA establishes the contractual relationship. You still need to implement the Security Rule safeguards, train your staff, and have documented breach response procedures. OCR has issued penalties to business associates that had signed BAAs but hadn't implemented required controls.
SOC 2: the US enterprise sales unlock
System and Organization Controls 2
Triggered by: Enterprise customers asking for it. SOC 2 isn't legally required — it's a market requirement driven by enterprise procurement and security review processes.
Applies to: Any service organization that stores, processes, or transmits customer data. SaaS companies, cloud infrastructure providers, managed service providers, data processors.
Administered by: CPA firms licensed by the AICPA. The report is an attestation, not a certification — a CPA firm is vouching for your controls.
SOC 2 is the report that US enterprise security teams ask for in vendor onboarding. No SOC 2 means the deal takes longer, gets escalated, or dies in procurement. For B2B SaaS companies targeting enterprise accounts, SOC 2 Type 2 is table stakes.
SOC 2 is structured around five Trust Service Criteria (TSC): Security (required for all SOC 2 reports), Availability, Confidentiality, Processing Integrity, and Privacy. Most companies start with Security only and add criteria as customers demand them.
The SOC 2 audit process has two types:
- Type 1: A point-in-time snapshot. An auditor reviews your control design and confirms that controls exist and are designed appropriately as of a specific date. Useful for getting something in front of customers quickly. Typically takes 2-4 months.
- Type 2: Covers an observation period (minimum 6 months, often 12). Auditors review evidence that controls operated effectively throughout the period. This is what enterprise security teams actually want. Total timeline from starting controls to receiving your report: 9-18 months.
The trend in 2026: Enterprise buyers are moving toward continuous compliance expectations — they want real-time evidence feeds and ongoing monitoring rather than a once-a-year audit report. Compliance platforms like Drata and Vanta automate evidence collection to support this shift. See our Drata review and Vanta review for a detailed comparison.
Penalties: None from a regulator — SOC 2 is market-driven. The consequence of not having it is lost deals and stalled procurement, not fines.
ISO 27001: the international certification
ISO/IEC 27001:2022
Triggered by: European enterprise customers, government procurement requirements, or global enterprise sales that need an internationally recognized security credential. Also triggered by contracts that specify ISO 27001 certification.
Applies to: Any organization that wants international certification of its information security management system. Unlike SOC 2, there's no customer data restriction — it applies to any organization's information assets.
Administered by: Accredited certification bodies (independent auditors authorized by national accreditation bodies like UKAS in the UK or DAkkS in Germany).
ISO 27001 is a certification — you either have it or you don't. Unlike SOC 2, which is a report that comes in Type 1 and Type 2 flavors, ISO 27001 certification results in a certificate issued by an accredited body, valid for 3 years with annual surveillance audits.
Note that all ISO 27001:2013 certifications expired in October 2025. Every organization is now on the 2022 standard, which added 11 new controls covering threat intelligence, cloud security, data masking, physical security monitoring, and more. If you're starting the certification process in 2026, you're working with ISO 27001:2022 from day one.
The certification process has two stages:
- Stage 1 audit (documentation review): The auditor reviews your ISMS documentation — your information security policy, scope, risk assessment, Statement of Applicability (SoA), and treatment plan. Usually takes 1-2 days.
- Stage 2 audit (implementation review): The auditor verifies that the controls described in your ISMS are actually implemented and operating effectively. Takes 2-5 days depending on scope.
Total timeline from starting to receiving your certificate is typically 9-15 months for organizations without a prior compliance program.
ISO 27001 vs SOC 2: If you're primarily selling in the US, SOC 2 is the faster path to satisfying enterprise customer requirements. If you're selling in Europe or globally, ISO 27001 is more widely recognized. Many organizations end up pursuing both — they overlap significantly (building one gets you 70-80% of the way to the other). See our full ISO 27001 vs SOC 2 comparison for the details.
Quick comparison: which framework applies to you
| Framework | Who must comply | Type | Max penalty | Timeline |
|---|---|---|---|---|
| GDPR | Anyone processing EU personal data | Legal requirement | €20M or 4% global turnover | Ongoing — no certification |
| HIPAA | Healthcare entities and their software vendors handling PHI | Legal requirement (US) | $2.1M per violation category | Ongoing — no certification |
| SOC 2 | B2B SaaS with enterprise customers (US market) | Market requirement | No regulatory penalty | 9-18 months for Type 2 |
| ISO 27001 | Enterprise vendors serving EU/global markets | Market requirement (often contractual) | No regulatory penalty | 9-15 months to certification |
Building one program that satisfies multiple frameworks
The good news: you don't need to run four completely separate compliance programs. The underlying security controls are largely the same across all four frameworks. Access control, encryption, logging, incident response, vulnerability management, and security training appear in every one of them under different names and numbering schemes.
The smart approach is to build a unified control library — one set of policies, procedures, and technical controls — and map it to each framework you need. When you implement MFA for all administrative access, that satisfies a SOC 2 CC6 requirement, an ISO 27001 A.8.5 control, a HIPAA technical safeguard, and GDPR's Article 32 appropriate technical measures. You implement it once.
Where the frameworks diverge is in their documentation and evidence requirements. GDPR requires a Records of Processing Activities (ROPA). HIPAA requires specific policy documents and a risk analysis. SOC 2 requires evidence that controls operated throughout the observation period. ISO 27001 requires a formal Statement of Applicability. These are all documentation tasks built on top of the same technical foundation.
ISO 27001 and SOC 2 share roughly 70-80% of their underlying control requirements. GDPR's Article 32 technical and organizational measures align closely with ISO 27001 Annex A and SOC 2 Security criteria. HIPAA's Security Rule technical safeguards map directly to controls that satisfy all three. Build your security program once — document it well — and you're most of the way to all four simultaneously.
What about NIS2 and DORA?
Two more EU frameworks worth knowing if you sell into European markets:
NIS2 (Network and Information Security Directive 2) applies to organizations in critical sectors — energy, healthcare, finance, transport, digital infrastructure — and their supply chains. It requires risk management measures, incident reporting within 24 hours, and supply chain security requirements. The first administrative penalties under NIS2 were issued in Q1 2026. Full compliance is expected by October 2026 for organizations in scope.
DORA (Digital Operational Resilience Act) applies specifically to EU financial entities and their ICT suppliers. It entered into force January 17, 2025. If you provide technology services to EU banks, insurers, investment firms, or payment institutions, you may be in scope — and DORA's ICT risk management, incident reporting, and resilience testing requirements are significant.
Neither NIS2 nor DORA replaces GDPR — organizations in these sectors deal with all three simultaneously.