SOC 2
Category: compliance
Full Name: Service Organization Control 2
Definition
SOC 2 (Service Organization Control 2; the AICPA now expands the acronym as System and Organization Controls) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). An independent CPA firm examines a service organization's controls against the Trust Services Criteria and issues a report with an opinion; the outcome is an audit report, not a certificate, which is why "SOC 2 certified" is technically a misnomer. The five Trust Services Criteria are: security (protection against unauthorized access), availability (system accessibility as committed), processing integrity (complete, valid, accurate and timely processing), confidentiality (protection of information designated as confidential), and privacy (collection, use, retention, disclosure and disposal of personal information). Security is mandatory in every SOC 2 report; the other four are included only if the organization chooses them, so a reader must always check which criteria a given report actually covers. In the EUDI Wallet ecosystem, SOC 2 is relevant primarily for the cloud infrastructure providers, backend service operators, and technology vendors that support the wallet's operational infrastructure. While eIDAS 2.0 and its implementing acts rely on European and international standards (ISO/IEC 27001, Common Criteria, ETSI standards) for formal conformity, a SOC 2 report provides additional, internationally recognized assurance that the service providers handling EUDI Wallet data operate effective security controls, making it a practical expectation for the global technology supply chain that supports European digital identity infrastructure.
The Five Trust Services Criteria and EUDI Wallet Relevance
The Security criterion (its control criteria are labelled the "Common Criteria", CC1 through CC9, in SOC 2 reports, not to be confused with ISO/IEC 15408 Common Criteria) evaluates controls that protect system resources against unauthorized access, and it is the one criterion present in every SOC 2 report. For EUDI Wallet infrastructure, this encompasses network segmentation and firewalls, intrusion detection, identity and access management, encryption at rest and in transit, logging and monitoring, vulnerability and change management, and incident response procedures. Every EUDI Wallet backend component, from credential issuance servers to revocation status distributors, should implement controls of this kind, because a breach of any one of them can expose citizen identity data.
The Availability criterion evaluates controls ensuring that systems are operational and accessible as committed. For EUDI Wallet services, high availability is critical because citizens may need to present credentials at any time for border crossings, emergency medical situations, or time-sensitive financial transactions. SOC 2 availability controls include redundancy, disaster recovery, performance monitoring, and capacity planning, all essential for a service that may eventually serve 450 million EU citizens.
The Processing Integrity criterion evaluates whether system processing is complete, valid, accurate, and timely. For credential issuance and verification, processing integrity means that credentials are issued with correct attribute data, that verification results accurately reflect credential validity, and that revocation status is updated consistently and promptly so that a revoked credential cannot keep verifying against a stale status list. The Confidentiality criterion protects information the organization has designated as confidential, while the Privacy criterion addresses the collection, use, retention, disclosure, and disposal of personal information. Both overlap with the GDPR obligations that govern the EUDI Wallet ecosystem, but a SOC 2 privacy opinion is not evidence of GDPR compliance and should not be presented as such.
SOC 2 in the EUDI Wallet Supply Chain
The EUDI Wallet ecosystem relies on a complex supply chain of technology providers, and SOC 2 plays an important role in providing assurance throughout this chain. Major cloud providers (Amazon Web Services, Microsoft Azure, Google Cloud Platform) that host EUDI Wallet backend infrastructure all maintain SOC 2 Type II reports covering their infrastructure services. A Type I report describes the design of controls at a point in time; a Type II report additionally tests whether the controls operated effectively over a review period, typically six to twelve months, so Type II is the one that matters for vendor assurance. These reports give EUDI Wallet operators assurance about the underlying platform, but only about the provider's side of the shared responsibility model: the configuration of the operator's own tenancy (IAM policies, key management, network exposure, logging) is outside the provider's report and must be assured by the operator itself.
Beyond cloud infrastructure, specialized service providers such as cloud HSM and key management services, certificate management platforms, identity verification services, and content delivery networks also obtain SOC 2 reports. EUDI Wallet operators should require SOC 2 Type II reports from all critical vendors as part of their third-party risk management program and review them annually. A useful review checks at least: which Trust Services Criteria and which services are in scope; the review period and whether a bridge letter covers the gap since the period ended; any exceptions noted by the auditor and the vendor's remediation; the Complementary User Entity Controls (CUECs), which are the controls the vendor assumes the customer implements; and which subservice organizations (the vendor's own suppliers) were carved out of the report and therefore need their own assurance.
The concept of SOC 2 plus additional criteria (SOC 2+) allows an organization to have additional criteria from another framework examined in the same engagement and reported in one document. An EUDI Wallet infrastructure provider might pursue a SOC 2+ examination that adds the security requirements applicable to it under eIDAS 2.0 as additional criteria, so that one audit cycle produces evidence for both. This reduces audit fatigue and duplicated testing, but the resulting report is evidence for, not a substitute for, the conformity assessment that eIDAS 2.0 requires from accredited conformity assessment bodies; a SOC 2+ opinion does not by itself discharge eIDAS 2.0 obligations.
Complementary Compliance Frameworks for EUDI Wallet
While SOC 2 provides valuable security assurance, the EUDI Wallet ecosystem relies on a combination of compliance frameworks to address its requirements. ISO/IEC 27001 provides the information security management system framework that eIDAS 2.0 actors commonly use to demonstrate organizational security. Common Criteria (ISO/IEC 15408) provides the product evaluation framework used for the wallet's secure cryptographic components, such as the secure element or cryptographic application that protects the wallet keys. ETSI EN 319 401 and the related ETSI standards set the policy and security requirements for Trust Service Providers. SOC 2 complements these by providing control-level audit evidence for the cloud and service provider layer, which the other frameworks address only at the management system or product level.
The European Union's Cloud Certification Scheme (EUCS), currently under development under the EU Cybersecurity Act (Regulation (EU) 2019/881), is intended to provide a European-native alternative to SOC 2 for cloud service security certification. If and when EUCS is adopted, it may become the preferred certification for cloud providers hosting EUDI Wallet infrastructure, potentially supplementing or replacing SOC 2 for European compliance purposes while remaining compatible with international standards.
For EUDI Wallet operators, the practical approach is to accept the assurance each type of provider can actually produce: a SOC 2 Type II report from providers that undergo SOC 2 examinations (in practice the large, mostly US-headquartered cloud platforms, many of which also hold ISO/IEC 27001), an ISO/IEC 27001 certificate from service providers that are certified (typical of European providers, some of which also publish SOC 2 reports), and the wallet certification required under eIDAS 2.0 for the wallet application itself. Each artifact should be checked for scope, period, and exceptions rather than treated as a badge. This layered approach gives coverage across all components of the digital identity ecosystem while working within the compliance frameworks actually available from each type of provider.