UMB IT Expert Talk – Our experts on DORA, SOC 2 and ISAE 3402

DORA, SOC 2 & ISAE 3402: Compliance for Swiss IT providers

Regulatory requirements for Swiss companies and their IT service providers are increasing rapidly. DORA has been in force since January 2025, whilst SOC 2 and ISAE 3402 are increasingly becoming the norm. In the UMB IT Expert Talk, compliance experts from UMB and auditors from Mazars explain why compliance is not a cost centre but a competitive advantage – and where companies can avoid the biggest pitfalls.

21.05.2026
Nicole Fischer, Head of Standards & Compliance, UMB
Nicole Fischer
+41 58 510 13 91
cco@umb.ch

This is an automatic transcript of our podcast. You’ll find the link to the podcast at the very bottom.


DORA, SOC 2, ISAE 3402: Three terms, one goal

Anyone working in the Swiss financial sector, the healthcare sector or other regulated industries can no longer ignore these three terms.

DORA (Digital Operational Resilience Act) is a European regulation that has been in force since January 2025. It regulates ICT service providers with regard to third-party risks and requires systematic management of the entire supply chain. Unlike the previous Swiss FINMA requirements, which are limited to significant outsourcing, DORA explicitly covers sub-service providers and fourth parties as well.

SOC 2 (Service Organization Controls 2) assesses how organisations manage risks. The standard follows the Trust Services Criteria and focuses on IT risks, availability, confidentiality and data integrity. SOC 2 is particularly relevant in sensitive sectors that require demonstrably effective risk management.

ISAE 3402 is an international auditing standard for service providers that deliver services to others. The resulting audit report answers the key question: Is the provider’s internal control system robustly designed and does it actually work in practice? An ISAE 3402 Type II report covers a longer audit period and demonstrates that controls are not only defined but also effectively implemented.

Whilst ISO 27001 certification demonstrates that a company has a plan, SOC 2 and ISAE 3402 assess whether this plan actually works. This effectiveness assessment makes all the difference.


Why DORA also affects Swiss IT providers

Many Swiss companies assume that, as an EU regulation, DORA is not relevant to them. This is a fallacy. As soon as an IT provider serves customers who are subject to DORA – such as banks or insurance companies with EU business – it becomes part of the regulated supply chain.

In practice, this means that contractual assurances alone are no longer sufficient for many customers. They require an independent audit that provides standardised proof that the provider meets the requirements. For IT service providers, this offers a clear advantage: rather than responding to individual customer enquiries on a case-by-case basis, a uniform audit process establishes a standard that applies equally to all customers.

The figures highlight the urgency of the situation: according to FINMA reports, around 47 per cent of all reported incidents are attributable to weaknesses in third-party providers. It is precisely this risk that DORA addresses – and this is exactly why auditors are increasingly scrutinising how IT providers manage their supply chains.


What compliance really means in everyday life

For an audit to deliver value to clients, it is not enough simply to document processes. They must be put into practice on a day-to-day basis and implemented in a verifiable manner. This involves clear lines of responsibility, comprehensive documentation and controls that are carried out and reviewed on a regular basis.

Auditors do not merely check whether processes exist, but whether they function consistently over a longer period – using logs, spot checks and evidence. Companies that treat compliance as a one-off project systematically underestimate this effort. Those who, on the other hand, view compliance as an ongoing process approach an audit with far greater ease: they simply demonstrate how they already work.

The cultural aspect is crucial here. Compliance starts with corporate culture. Even in heavily regulated sectors, a culture of compliance that is actively practised is by no means a given. Companies that view compliance strategically as a competitive advantage, rather than merely a compulsory exercise, differ fundamentally from those that simply tick boxes on a checklist.


Compliance is not a project with an end date – it is an ongoing process that starts with the corporate culture. Those who live and breathe compliance rather than simply ticking boxes build trust, reduce risks and free up time for what really matters.


Build it in-house or use a certified provider?

Companies wishing to build their own compliance framework often underestimate the effort involved. It requires not only technology, but also in-house expertise in IT security, risk and compliance, clearly defined processes and controls, and often external consultancy. It can easily take several months or even years before a company is ready for an audit. Depending on the complexity, the costs can run into five or six figures.

Those who work with a certified IT provider receive many of these components as an integrated service. This not only saves set-up time but also significantly reduces the burden on the company’s own audit process: standardised audit reports in accordance with ISAE 3402 or SOC 2 give the client confidence that the outsourced services have been independently audited. In practice, this means a reduction of 30 to 50 per cent in the workload for in-house audits.

It is important to note that this does not mean the customer relinquishes responsibility. They remain responsible for their overall compliance and must understand how the outsourced services fit into the bigger picture. However, they do not have to build the foundation themselves, but can build on something that has already been tested and proven.


The biggest pitfalls in implementation

The challenges begin with understanding the regulations. The regulatory landscape is complex: FINMA requirements, DORA, NIS 2, the Cyber Resilience Act, data protection legislation – which regulations apply depends on the sector, size and market area. The principle of proportionality means that a micro-bank with five employees and a major bank must, in principle, meet the same requirements – but to varying degrees.

For companies with links to the EU, the situation becomes even more complex because local and overarching regulations must work in tandem. The question of which audit reports cover which requirements and how they complement one another is like a jigsaw puzzle.

At an operational level, there is often a lack of internal resources to establish and maintain compliance processes. Companies newly subject to regulation – such as asset managers following FINMA’s new regulations – face the particular challenge of suddenly having to create compliance structures for which there is neither internal experience nor capacity.


Compliance and Innovation: Not a Contradiction

For IT providers, innovation is essential – whether it involves AI, new software or cloud technologies. Compliance must not hinder innovation, but it must set the framework within which innovation can take place responsibly. This requires a compliance approach that deliberately operates within a positive grey area: taking risks that can be adequately managed without crossing red lines.

Over-regulation is the greater danger here than an appropriate appetite for risk. An over-regulated internal compliance bureaucracy slows a company down faster than a controlled risk. The key lies in risk management: consciously taking risks, documenting them transparently and allowing a certain degree of tolerance – as long as the core controls are functioning.


What lies ahead for businesses: AI Governance and the Cyber Resilience Act

Over the next two to three years, two issues in particular will shape the compliance landscape.

AI governance is becoming increasingly relevant for businesses working with AI. In the EU, AI is subject to restrictive regulation. Switzerland is taking a deliberately different approach: rather than imposing overly restrictive regulations, the aim is to promote innovation and capitalise on the country’s competitive advantage. Companies should nevertheless establish an AI governance framework at an early stage, as requirements for data protection and data processing increase massively with the adoption of AI.

From 2027, the Cyber Resilience Act will affect all companies that manufacture or import products capable of connecting to a network or the internet. For Swiss companies with business in the EU, this will lead to a significant change.

More broadly, the concept of operational resilience is gaining in importance: the ability to recover quickly from unexpected incidents and maintain operations. This is not a one-off measure, but a capability that every company must continuously build and maintain.


Three factors that turn compliance into a competitive advantage

For IT providers that consistently prioritise compliance, there are three concrete benefits.

Firstly, market access: the more certifications and audits a provider can demonstrate, the easier it is for them to gain access to larger and regulated clients. In tenders, demonstrable compliance is increasingly becoming a mandatory criterion.

Secondly, efficiency: standardised, audited processes for key business areas streamline operations. Instead of responding to individual compliance requests on a case-by-case basis, there is a standard that applies to everyone.

Thirdly, reduced burden on customers: customers whose IT provider has already been audited save significantly on their own audits. This makes collaboration easier and strengthens customer loyalty.


Listen to the full podcast (in German): UMB IT Expert Talk – Compliance im Fokus: DORA, SOC 2 & ISAE 3402

Learn more: Data Security and Data Protection at UMB | UMB Cyber Security | Security Services