H-X Technologies expands its compliance practice across SOC 2, NIS2, DORA, and MiCA

13 Jul 2026 Author: Maria Ohnivchuk

For many years, some of the most requested H-X Technologies services have been security compliance audits, together with the implementation and ongoing support of ISO 27001 and GDPR. These projects help organisations not only prepare for an external assessment but also establish effective risk management, data protection, incident response and business continuity processes.

Our project case studies demonstrate that clients rarely approach us solely to obtain a certificate. For example, implementing ISO 27001 helped a developer of Microsoft Office solutions answer customer questions about personal data security. Another client, a medical software company, successfully completed an independent certification audit and then continued working with H-X Technologies through Virtual CISO and technical security services. For a European video analytics provider, we combined CISO and DPO expertise, helped define controller and processor responsibilities, prepared DPAs and established procedures for handling data subject requests.

New requirements are driven by real business situations

More recently, we have seen a notable increase in requests related to SOC 2, NIS2, DORA and MiCA.

A company will often begin a SOC 2 project when entering the US market, participating in an enterprise procurement process or receiving a customer request for independent evidence that its controls operate effectively. For SaaS and other technology companies, this requirement can become a condition for signing or renewing a major contract.

NIS2 affects organisations operating in essential and important EU sectors, providers of digital infrastructure and managed IT services, and other entities within the Directive’s expanded scope. Even where a supplier is not directly regulated, security requirements can reach it through customer contracts, questionnaires and supply-chain assessments. NIS2 creates a common EU cybersecurity framework covering 18 critical sectors.

DORA is relevant to banks, insurers, payment and investment firms and other financial entities, as well as the ICT providers on which their operations depend. In practice, a DORA project may be triggered by the need to structure ICT risk management, operational resilience testing, incident handling and third-party oversight.

MiCA creates practical compliance challenges for crypto-asset service providers, token issuers and other businesses seeking to operate or obtain authorisation in the EU. Their obligations extend beyond legal documentation and require reliable governance, operational resilience, security controls and incident management.

From gap analysis to operational controls

H-X Technologies combines regulatory and compliance expertise with practical cybersecurity capabilities. We conduct a gap analysis, assess risks, develop policies and controls, review cloud environments and applications, perform penetration testing, organise evidence collection and prepare the client’s team for an external assessment.

Clients do not have to coordinate several unrelated providers. A single engagement can include assessment, implementation, technical testing, employee training and ongoing managed compliance or Virtual CISO support.

We work with organisations of different sizes and adapts each project to the client’s business objective and budget. Our team holds internationally recognised certifications. Key deliverables undergo independent quality review, and our legal entities in the EU, Ukraine and the United States allow clients to contract in a suitable jurisdiction. Our experience covers international projects in SaaS, fintech, industrial systems, automotive, healthcare, retail, Web3, and many other industries.

A cost-effective alternative to an early CPA engagement

A separate and rapidly developing H-X Technologies offering is the non-CPA SOC 2 advisory assessment, sometimes described as an advisory audit.

A formal SOC 2 report is an attestation engagement performed by a licensed CPA firm. However, an expensive CPA engagement may be premature when an organisation is still building its controls, preparing for a future examination or only needs an independent assessment for management, partners or customers.

In these situations, H-X Technologies perform an advisory assessment using a SOC 2 Type 1 or Type 2-style approach. We define the scope, map controls to the applicable Trust Services Criteria, review documentation and evidence, test control operation over an agreed period, identify gaps and prepare a remediation roadmap.

A recent example is the public SOC 2 Type 2 Non-CPA Advisory Assessment Report for Digitum. The engagement covered three in-scope systems and the Security, Availability and Privacy criteria. It provided the client with an independent, structured view of its control environment and a practical path towards a potential future CPA-led attestation.

The price of this service is generally drastically lower than that of a full engagement of comparable scope performed by a licensed CPA firm. Its limitations must nevertheless be understood: an H-X Technologies advisory report is not an official SOC 2 attestation report.

Where a formal CPA-issued report is required by a contract, procurement process or customer, we prepare the organisation for the examination and coordinate the engagement with partner CPA firms, including leading international auditors.

By expanding its security audit and compliance support services, we help organisations select the optimal level of assessment and assurance that matches their market, contractual commitments, regulatory obligations and current stage of development — rather than automatically choosing the most expensive or formal option.

Contact us today to discuss your security compliances needs.

Other news

19/06/2026
H-X Technologies at Incrypted Conference 2026
05/06/2026
The new front line of application security