Hard2bit

Cybersecurity for B2B SaaS and technology — ISO 27001 as the baseline, ENS for public sector, DORA and NIS2 when the client requires it

For horizontal and vertical B2B SaaS, PaaS/IaaS providers, embedded software, B2B marketplaces, AI/ML SaaS, technology consultancies with product, MSPs and cybersecurity vendors. We know the journey: ISO 27001 as the first door of enterprise onboarding, ENS for selling to the Spanish public sector, DORA/NIS2 when the end client requires it and SOC 2 Type II readiness for the US market.

ENS HIGH category seal (RD 311/2022) — useful when selling to the Spanish public sector. ENS HIGH category + 5 in-house ISO certifications · cert. ENS_2.026.061
  • ISO 27001 = enterprise onboarding door
  • ENS for public-sector sales
  • DORA/NIS2 when critical supplier
  • vCISO + 24/7 DFIR retainer

Subsectors

9 covered · horizontal + vertical + AI + embedded

Operational focus

ISMS · cloud · SDLC · multi-tenant · enterprise client

Regulatory framework

ISO 27001 · ENS · DORA · NIS2 · AI Act · CRA

Verifiable qualifications

ENS HIGH certification + five ISO certifications — we understand SaaS because we have a similar profile

Hard2bit is certified to ENS HIGH category (RD 311/2022) and to ISO/IEC 27001:2022, with five in-house ISO certifications (27001, 22301, 20000-1, 9001, 14001). We operate recurring services (SOC/MDR, vCISO, vulnerability management) — we understand SaaS from the inside because we have a similar profile in regulatory and operational demands. Conversations with a SaaS CTO or CISO don't happen from theory.

ENS HIGH category certification per RD 311/2022 — certificate no. ENS_2.026.061
  • ENS category: HIGH
  • ISO/IEC 27001:2022 certification
  • ENS certificate no.: ENS_2.026.061
  • ENS certification body: ACCM · ENAC 48/C-PR503
  • In-house certifications: 5 ISO + ENS HIGH + Innovative SME

Executive summary

What this page covers

For CTOs, CISOs, product leaders and compliance leads at B2B SaaS and technology companies.

Sector context

Why B2B SaaS cybersecurity is measured in closed questionnaires, not in paperwork

B2B SaaS lives off corporate-client trust. That trust is closed in the security questionnaire — the SIG, the CAIQ, the client's own questionnaire — before the first contractual euro. Without ISO 27001 (or a recognised equivalent like SOC 2 Type II), enterprise onboarding stalls and the deal does not progress. For Spanish SaaS aiming at corporate clients, ISO 27001 is the foundation on which everything else is built.

On top of that foundation, additional frameworks appear depending on who's being sold to. If the client is the Spanish public administration, ENS applies to the system or service in scope. If the client is in banking, insurance, asset management, DORA may apply as an ICT supplier to the financial sector. If the client is in a NIS2 essential sector (healthcare, energy, transport, water, digital government), NIS2 may apply as a critical supplier. If the product is AI-driven, the AI Act classifies it by risk. If it's embedded software or a digital product with CE marking, CRA applies with progressive deadlines through late 2027.

Hard2bit approaches the SaaS sector knowing its journey. We help structure the ISO 27001 baseline as a realistic ISMS (scope focused on the productive core, not inflated), add the additional frameworks reusing evidence, integrate security in the SDLC over the existing pipeline without breaking it, and run 24/7 SOC/MDR + DFIR retainer + executive vCISO for SaaS without an internal CISO. And we know the Spanish/European regulatory context from the inside, because we have a similar profile of demands — ENS HIGH ourselves, five ISO certifications, recurring operations.

Audience

Subsectors covered within B2B SaaS and technology

Horizontal and vertical B2B SaaS, PaaS/IaaS platforms, embedded software, B2B marketplaces, AI/ML SaaS, technology consultancies with product, MSPs and cybersecurity vendors. We adapt the service to the product model, target markets (Spain, EU, US, LATAM) and end-client requirements.

Horizontal B2B SaaS

CRM, ERP, productivity, communications, marketing automation, document management, HR. Products selling across many sectors with enterprise security expectations. ISO 27001 as the de facto standard, GDPR mandatory because end-customer data is processed, recurring SIG/CAIQ questionnaires at every enterprise onboarding.

Vertical B2B SaaS

LegalTech, FinTech (non-bank), HRTech, MarTech, MedTech (regulated non-medical-device software), AgriTech, ConTech, B2B EdTech. Deep knowledge of the target sector, regulation inherited from the end client (DORA when selling to a bank, ENS when selling to public administration), specific partner ecosystem.

PaaS / IaaS cloud providers

Infrastructure platforms, developer platforms, observability, DevTools. Multi-tenant at scale, client isolation as a central concern, massive API exposure, requirements for SOC 2 Type II driven by the US market and ISO 27017 driven by the cloud environment.

AI/ML SaaS and LLM products

Machine-learning platforms, MLOps, generative-AI SaaS, NLP/vision products, embedded LLM in customer flows. New regulatory framework (AI Act EU 2024/1689) with risk classification, training-data governance, transparency and auditability. Overlaps with GDPR because of large-scale personal-data processing.

Embedded software / industrial IoT

Firmware on devices, industrial IoT, products with digital components. Cyber Resilience Act (EU) 2024/2847 — CE marking with cybersecurity requirements, product lifecycle, vulnerability management of components and notification of actively exploited vulnerabilities. Progressive compliance deadlines through 2027.

B2B marketplaces and multi-vendor platforms

B2B marketplaces, procurement platforms, partner networks. Federated identity management with corporate clients (enterprise SSO), catalogue and supplier governance, massive API integration. DSA may apply when platforms reach a certain size.

Technology consultancies with product

Digital consultancies, technology agencies, integrators that have built their own product. Services + SaaS combination, services-firm identity but with recurring commitment over the platform. ISO 27001 typically required by corporate services clients and, additionally, by SaaS-side clients.

MSPs and managed-service providers

Managed Service Providers for IT, MDR, SOC, networks, cloud. Privileged and permanent access to many client environments, lateral propagation risk between clients if an MSP is compromised. When providing services to the financial sector, ENS High or NIS2 may apply through the critical-supplier role.

Cybersecurity vendors

Cybersecurity product and service vendors. Double demand: exemplary technical behaviour (eat your own dog food) and demonstrable posture for a client who is, by definition, demanding. ISO 27001, SOC 2 Type II, ENS High and, depending on the segment, Common Criteria EAL or FIPS validation.

Regulatory framework

Regulation applicable to B2B SaaS and technology

ISO 27001 as the de facto standard for selling to enterprise clients, ENS for the Spanish public sector, DORA/NIS2 when a critical supplier, GDPR by default, AI Act if AI product, CRA if embedded software or digital product with CE marking. Additional SOC 2 Type II readiness when there are US clients.

ISO/IEC 27001 — the de facto standard for selling

ISO 27001 is the certification that opens the door to enterprise onboarding. Without ISO 27001 (or a recognised equivalent like SOC 2 Type II), the corporate security questionnaire does not close. For Spanish B2B SaaS aiming at corporate clients (banking, large industry, large retail, public administration), ISO 27001 is the foundation — everything else is built on top.

SOC 2 Type II — readiness, not the audit itself

SOC 2 Type II is the dominant standard in the US market and critical for Spanish SaaS selling to multinationals based in the US. It is a report on Trust Services Criteria issued by an AICPA-accredited CPA. Hard2bit accompanies the readiness and ongoing maintenance; the official audit is performed by the CPA. For the priority European market, ISO 27001 remains the first standard.

ISO 27017 + ISO 27018 — cloud and cloud privacy

ISO 27017 adds specific controls for cloud services (shared provider/customer responsibility, virtual segregation, secure configuration). ISO 27018 adds personal-data protection controls in the cloud. A common combination on top of ISO 27001 when the SaaS runs in the cloud and processes end-customer data at scale — useful for both enterprise due diligence and cloud-partner audits.

ENS — Spanish RD 311/2022 when selling to the public sector

ENS applies to SaaS selling to the Spanish public administration (system or service contracted publicly). Without ENS Medium or High as appropriate, public-sector tenders are not viable. Hard2bit holds ENS High itself — we understand the landing because we have done it. It coexists with ISO 27001, reusing evidence.

DORA + NIS2 — critical ICT supplier

DORA (Regulation (EU) 2022/2554) classifies ICT suppliers to the financial sector and, for critical third-party ICT suppliers, sets a reinforced regime with direct European supervision. NIS2 (Directive (EU) 2022/2555) extends the perimeter to essential and important sectors. If the SaaS sells to large banks, insurers, healthcare, energy, etc., one of the two may apply — and it's worth knowing before the reinforced client questionnaire arrives.

GDPR + Spanish LOPDGDD

General Data Protection Regulation as the baseline. For SaaS, the most common role is processor (handling personal data on the controller's behalf). That entails Data Processing Agreements (DPA), technical and organisational guarantees, breach-notification procedures to the controller and, where international transfers happen, standard clauses and third-country evaluation.

AI Act (EU) 2024/1689

European AI Regulation. Classifies AI systems by risk (unacceptable, high, limited, minimal) and imposes specific obligations on each category. For B2B SaaS, especially if the category is high-risk, obligations cover training-data governance, transparency, human oversight, technical robustness and registration in the European database. Phased application through 2027.

Cyber Resilience Act (EU) 2024/2847

European cyber-resilience regulation for products with digital elements. Applies to manufacturers of software (including embedded) placing products on the EU market: CE marking with cybersecurity requirements, vulnerability management throughout the product lifetime, notification of actively exploited vulnerabilities to ENISA. Progressive application through December 2027.

Applicable Hard2bit services

Core services for B2B SaaS and technology companies

Ten services from Hard2bit's catalogue ordered with the right focus for SaaS: ISO 27001 first as the certifiable foundation, ENS and DORA when applicable by client, cloud and SDLC audit, IAM and cloud posture, and 24/7 operations with executive vCISO when there is no internal CISO.

ISO 27001 implementation, certification and maintenance

ISO 27001 as a certifiable ISMS. The first door to enterprise onboarding for any serious B2B SaaS. We cover initial diagnosis, ISMS design with a realistic scope (the whole SaaS or just the productive core), gap analysis, risk-treatment plan, Annex A controls, auditable evidence, accompaniment during the certification audit and ongoing maintenance with annual surveillance and recertification every three years.

ISO 27001 service →

ENS adequacy for SaaS selling to the Spanish public sector

Adequacy to RD 311/2022 when the SaaS wants to sell to the Spanish public administration. DICAT categorisation of the in-scope system or service (Medium or High depending on impact), gap analysis, plan, evidence and accompaniment during the audit performed by the ENAC-accredited certification body. Maximum reuse with ISO 27001 already implemented.

ENS service →

DORA and NIS2 adequacy where applicable

When the SaaS is a critical ICT supplier to a bank, insurer or NIS2 essential entity, we land the applicable framework: governance, ICT risk management, contracts with regulator-mandated clauses, incident management with deadlines, regular evaluation and, under DORA, preparation for client evaluations under the TLPT scheme.

DORA service →

Cloud and SDLC security audit

Technical audit of the cloud environment (Azure, AWS, GCP): cross-account IAM, service configuration, external exposure, segregation between dev/staging/prod accounts, encryption, posture. We add SDLC audit: dependency management (SCA), static analysis (SAST), secret management, hardened build pipeline, CI workflow review.

Cloud security →

Application and API penetration testing

Web pentesting on the SaaS application (multi-tenant, federated identity, billing), REST/GraphQL API pentesting with focus on cross-tenant authorization, mobile-app pentesting where applicable. Under protocol, with agreed windows and, when shipping product, on the release branch before promoting to production.

Penetration testing →

IAM, privilege governance and cloud posture

Identities, privileges, access for internal teams (DevOps, engineering, support) and external partners, service-account management, posture across Azure / AWS / GCP where the platform runs. Specific focus on just-in-time access, environment separation and periodic review of broad permissions — the line between minor incident and catastrophe runs through here.

IAM & cloud posture →

Vulnerability management — infra + dependencies + product

Operational vulnerability lifecycle over infrastructure (servers, containers, cloud), product dependencies (continuous SCA) and own code (SAST/DAST integrated in the pipeline). Prioritisation with real-exploit judgement (not just CVSS) and traceability for ISO 27001, ENS audit and enterprise due diligence.

Vulnerability management →

External attack-surface management

Continuous inventory of the exposed surface: domains and subdomains, public endpoints, certificates, code repositories, storage buckets. Detection of exposures that should not be online (staging environments, secrets in public repos, open S3). Particularly useful for SaaS with many services and rapid product turnover.

Attack-surface management →

24/7 SOC/MDR with SaaS use cases

Detection, investigation and response 24/7. Prioritised use cases: ransomware precursors on the corporate network, abuse of privileged accounts (DevOps, support), anomalous API behaviour, customer-data exfiltration attempts, secrets exfiltrated from repos. Integration with the product's own observability where reasonable.

Managed SOC/MDR →

24/7 retainer + executive vCISO

24/7 DFIR retainer with activation in minutes and prior readiness onboarding. Designed for SaaS where an incident kills sales — saying 'we have an active incident' destroys the next commercial quarter. Combinable with vCISO for SaaS without an internal CISO: executive representation in front of clients and ownership of the security committee.

24/7 IR retainer →

Hard2bit methodology

How we work with B2B SaaS

Six phases adapted to the SaaS rhythm: fast release cycle, integrated DevOps pipeline, enterprise-client demands as a driver of priorities and reuse of evidence across frameworks to avoid duplicated work.

  1. SaaS diagnosis and regulatory scope

    We identify the SaaS type (horizontal vs vertical, multi-tenant vs single-tenant, optional on-prem), customer profile (SMB, mid-market, enterprise, public sector), markets (Spain, EU, US, LATAM) and we map applicable obligations: ISO 27001 almost always, ENS if selling to Spanish public administration, DORA/NIS2 if a critical supplier, AI Act if AI product, CRA if embedded software or digital product with CE marking.

  2. Focus on ISO 27001 as the certifiable foundation

    ISO 27001 is the foundation. ISMS design with a realistic scope to keep cost sane, an honest gap analysis, risk-treatment plan and execution in phases. It is the vehicle that opens doors: without ISO 27001, the enterprise client's SIG / CAIQ questionnaires don't close and the deal doesn't progress.

  3. Additional frameworks on top of the ISO baseline

    On top of an implemented ISO 27001, additional frameworks reuse evidence: ENS for selling to the Spanish public sector, ISO 27017/27018 for cloud and cloud privacy, SOC 2 Type II readiness for the US market (the audit is performed by a CPA), DORA if a critical supplier to the financial sector, NIS2 if a critical supplier to an essential sector, AI Act/CRA if the product requires it.

  4. Implementation aligned to the product calendar

    Technical landing respecting the SaaS calendar: changes coordinated with releases, validation on staging before promoting to production, integration with the existing pipeline (without breaking the DevOps flow), focus on automating evidence (logs, scans, SAST/SCA, IaC scanning) so the ISMS does not turn into bureaucracy.

  5. Certification and enterprise due-diligence accompaniment

    Accompaniment during ISO 27001 audit (certification body), ENS (ENAC-accredited body), SOC 2 (when applicable, the AICPA-accredited CPA performs the audit — Hard2bit prepares and maintains). Additionally, support on enterprise client questionnaires (SIG, CAIQ, custom vendor questionnaires), due-diligence meetings and recurring reporting to the client's committee.

  6. Ongoing operation and incident response

    Ongoing operation (SOC/MDR, vulnerability management including SCA and SAST, continuous hardening, attack-surface management), 24/7 DFIR retainer with readiness over the SaaS architecture and executive vCISO when there is no internal CISO. Continuous improvement with lessons learned and product-roadmap adjustment when findings justify it.

Why Hard2bit in B2B SaaS

Differentiation for the B2B SaaS and technology sector

Real knowledge of the Spanish/European B2B SaaS journey

Hard2bit knows the path: a 30-person SaaS that needs ISO 27001 to close its first enterprise contract, a 100–300-person SaaS that needs ENS to enter the public sector or DORA/NIS2 because its best client is a bank, a mature SaaS with an AI product facing the AI Act. We understand it within the Spanish/European regulatory context, where we bring clear judgement.

ENS HIGH + 5 ISO certifications — we are also a SaaS-like provider

Hard2bit holds ENS HIGH category certification (cert. ENS_2.026.061, ACCM under ENAC 48/C-PR503) and five ISO certifications (27001, 22301, 20000-1, 9001, 14001). We operate recurring services (SOC/MDR, vCISO, vulnerability management) — we understand SaaS from the inside because we have a similar profile in regulatory and operational demands. Not theory, but day-to-day reality.

SOC 2 Type II: readiness support, not the audit itself

SOC 2 Type II is the dominant standard in the US. Hard2bit accompanies the readiness and maintenance of the framework — controls, evidence, alignment with Trust Services Criteria. The official audit is performed by an AICPA-accredited CPA. The separation between auditor and consultant is the correct one and what the market expects. For the European market, ISO 27001 remains the first priority.

Representative scenario

Scenario · 80-person Spanish vertical B2B SaaS facing ISO 27001 and enterprise due diligence before closing a seven-figure annual contract

An 80-person Spanish vertical B2B SaaS, with its product running in the cloud (AWS) and existing mid-market clients, received in March the security questionnaire of an enterprise prospect — a multinational industrial group ready to close a seven-figure annual contract conditional on three non-negotiable items: a current ISO 27001 certification, evidence of recurring penetration testing and an incident-response plan with metrics. The company had a reasonable posture but no certifiable framework and no recent pentesting. The project ran across five parallel fronts over six months: ISO 27001 ISMS design and landing with realistic scope (productive core + critical processes), technical gap analysis and risk-treatment plan, cloud hardening (cross-account IAM, AWS posture, environment segregation), web and API pentesting with prioritised remediation, and 24/7 DFIR retainer onboarding with documented response plan. The ISO 27001 certification audit closed with no major non-conformities, and the enterprise contract was signed in September with the security questionnaire closed cleanly on the first submission — instead of four rounds of back-and-forth.

Frequently asked questions

FAQ — cybersecurity in B2B SaaS and technology

Direct answers to the questions we receive most often from CTOs, CISOs, product leaders and compliance leads at B2B SaaS companies.

When does a B2B SaaS need ISO 27001?

Before looking for the first enterprise client — not after. ISO 27001 is the first door to corporate onboarding and, in many public-sector and financial-sector tenders, it is an eliminatory requirement. SaaSes that leave it for 'when the big client arrives' typically lose six to twelve months of commercial work when the first serious prospect appears. Better to anticipate: have the ISMS running before the questionnaire arrives.

Does Hard2bit perform SOC 2 Type II as auditor?

No. The SOC 2 Type II audit is performed by a CPA (Certified Public Accountant) accredited by AICPA — it is a US accounting professional regulation. Hard2bit accompanies the readiness and maintenance of the framework: controls aligned with Trust Services Criteria, auditable evidence, automation of evidence capture where possible and audit preparation. The official audit is performed by the accredited CPA.

How do ISO 27001 and SOC 2 Type II fit together?

They share many controls but are not interchangeable. ISO 27001 is an international standard and the dominant model in Europe and the rest of the world; SOC 2 Type II is a US report under AICPA's Trust Services Criteria, dominant in the US. For Spanish SaaS selling in Europe, ISO 27001 comes first. If the SaaS wants to expand to the US or already has US clients, adding SOC 2 Type II readiness on top of the ISO 27001 baseline reduces the incremental cost significantly.

When does DORA or NIS2 apply to a SaaS?

DORA applies if the SaaS is an ICT supplier to the financial sector — the obligation level depends on size and criticality. The Critical Third-Party Provider (CTPP) figure under direct European supervision affects only a small but very important subset. NIS2 may apply to SaaS that is a supplier to an essential sector (healthcare, energy, transport, water, digital government). In both cases, the end client ends up requesting evidence in the questionnaire — it pays to anticipate.

How are enterprise security questionnaires (SIG, CAIQ) handled?

SIG (Standardized Information Gathering, Shared Assessments) and CAIQ (Consensus Assessments Initiative Questionnaire, CSA) are the most common in enterprise due diligence. Recommended practice: keep an always-up-to-date master version of the SIG / CAIQ with answers aligned to ISO 27001 and, where applicable, SOC 2; keep it alive with every change to the ISMS; and review it before each new onboarding. It dramatically reduces questionnaire-closing time.

What about the AI Act if our SaaS has an AI product?

The Regulation (EU) 2024/1689 classifies AI systems into four risk levels (unacceptable, high, limited, minimal). Obligations change radically. For a B2B SaaS, the critical points are: classifying the product correctly, documenting the system and training data, ensuring transparency and human oversight where applicable, and, in high-risk, registering in the European database. Phased deadlines through 2027 — the prohibitions and general-purpose model milestones are already in force.

And the Cyber Resilience Act if we ship embedded software?

The CRA (Regulation (EU) 2024/2847) applies to products with digital elements placed on the EU market: CE marking with cybersecurity requirements, vulnerability management throughout the product lifetime, notification of actively exploited vulnerabilities to ENISA. Progressive application with milestones in 2026 and full application by late 2027. For embedded-software vendors and industrial-IoT product vendors, anticipating the roadmap before the mandatory date is reasonable.

How is multi-tenant isolation addressed in SaaS?

As a central risk, not an implementation detail. The strategy combines architecture (the chosen isolation model — shared tables with a tenant_id column filtered in every query, schema per tenant, or database per tenant — with its implications), code review of tenant filters in the ORM or data-access layer, specific security tests (cross-tenant access tests in pentesting), SOC monitoring of anomalous cross-tenant access patterns and, in some sectors, per-tenant encryption with dedicated KMS.
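The shared-table model and the cross-tenant test mentioned above, as an added example that is not Hard2bit's code: a lookup by primary key alone (the defect a tenant-filter review looks for) beside a repository that binds the tenant from the session and applies the filter on every query, plus the check a pentest or CI test would run. The schema, tenant names and rows are constructed.

```python
"""Tenant-scoped data access with a cross-tenant access test (sqlite3, stdlib)."""
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample: one shared table, row-level isolation by tenant_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
        "tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, amount) VALUES (?, ?, ?)",
        [(1, "acme", 100), (2, "acme", 250), (3, "globex", 999)],
    )
    conn.commit()
    return conn


def get_invoice_unscoped(conn: sqlite3.Connection, invoice_id: int) -> Optional[Tuple]:
    """The defect: lookup by primary key only. Whoever supplies an id that
    belongs to another tenant reads that tenant's row (an IDOR)."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


@dataclass(frozen=True)
class TenantContext:
    """Tenant taken from the authenticated session, never from request input."""
    tenant_id: str


class InvoiceRepository:
    """Data-access layer that cannot issue a query without the tenant filter:
    the tenant is bound at construction and appended to every WHERE clause."""

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext):
        self._conn = conn
        self._tenant = ctx.tenant_id

    def get(self, invoice_id: int) -> Optional[Tuple]:
        return self._conn.execute(
            "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant),
        ).fetchone()

    def list_amounts(self) -> list:
        rows = self._conn.execute(
            "SELECT amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]


def cross_tenant_test(conn: sqlite3.Connection) -> dict:
    """The cross-tenant check: acting as tenant 'acme', request globex's
    invoice (id 3) through both paths and report which one leaks."""
    acme = InvoiceRepository(conn, TenantContext("acme"))
    return {
        "unscoped_leaks": get_invoice_unscoped(conn, 3) is not None,
        "scoped_leaks": acme.get(3) is not None,
        "scoped_own_ok": acme.get(1) is not None,
    }
```

The same shape works for an ORM: put the tenant filter in a base query or default scope so that no call site can forget it, and keep the cross-tenant test in the release pipeline.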

What do you do with the software supply chain (SBOM, SCA)?

Continuous dependency inventory (SBOM in CycloneDX or SPDX format), Software Composition Analysis (SCA) integrated in the pipeline to catch vulnerabilities in dependencies before merging, open-source license management and explicit policies on permitted dependencies. Meets modern enterprise-client expectations and, where applicable, CRA. We work on the existing pipeline, not replacing it.
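A pipeline gate of the kind described above, as an added example that is not Hard2bit's tooling: it reads a CycloneDX JSON SBOM and flags components with licenses outside the allow-list (undeclared counts as a finding), components on a deny-list, and versions below the fixed version in an advisory feed. The SBOM, the policy and the advisory entries are constructed placeholders; a real gate would pull advisories from OSV, GitHub Advisories or a vendor feed.

```python
"""Policy gate over a CycloneDX SBOM: license, deny-list and known-vulnerable checks."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 document, shaped like the output of an SBOM generator.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "copyleft-lib", "version": "8.1",
         "purl": "pkg:generic/copyleft-lib@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},  # no license declared at all
    ],
})

# Constructed policy: the "explicit policies on permitted dependencies" of the text.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "denied_packages": {"pkg:npm/left-pad"},  # purl without the version part
}

# Constructed advisory feed: (purl without version, first fixed version, placeholder id).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("pkg:npm/lodash", "4.17.21", "ADVISORY-PLACEHOLDER-1"),
    ("pkg:pypi/requests", "2.31.0", "ADVISORY-PLACEHOLDER-2"),
]


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted versions; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def purl_without_version(purl: str) -> str:
    return purl.split("@", 1)[0]


def evaluate_sbom(sbom_json: str, policy=POLICY, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Return findings grouped by rule; an empty dict means the gate passes."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings: Dict[str, List[str]] = {"license": [], "denied": [], "vulnerable": []}
    for comp in bom.get("components", []):
        base = purl_without_version(comp["purl"])
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        # An undeclared or unknown license is a finding: "unknown" is not "permitted".
        if not ids or any(i not in policy["allowed_licenses"] for i in ids):
            findings["license"].append(f"{comp['purl']} license={ids or 'undeclared'}")
        if base in policy["denied_packages"]:
            findings["denied"].append(comp["purl"])
        for adv_base, fixed_in, adv_id in advisories:
            if adv_base == base and version_key(comp["version"]) < version_key(fixed_in):
                findings["vulnerable"].append(f"{comp['purl']} {adv_id} fixed in {fixed_in}")
    return {k: v for k, v in findings.items() if v}


def gate_passes(sbom_json: str) -> bool:
    """True when the SBOM produces no findings, i.e. the merge may proceed."""
    return not evaluate_sbom(sbom_json)
```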

Do you offer vCISO for SaaS without an internal CISO?

Yes. vCISO is a recurring service for SaaS that needs executive representation in front of clients, ownership of the security committee, ISMS definition and maintenance and overall governance — without hiring a full-time CISO. Especially useful in the 50–250 employee range, where the organization already requires serious governance but does not yet justify a full-time internal CISO.

How does a Spanish SaaS selling to a multinational with global policies fit?

We adapt the service to the international parent's frameworks (global controls, proprietary frameworks, group-strategic providers) while also covering the applicable Spanish/European framework (ISO 27001, ENS if selling to Spanish public administration, GDPR, NIS2/DORA where applicable). Technical liaison runs in Spanish or English as appropriate, and deliverables are prepared in a format compatible with the client's security committee.

How long does a realistic first ISO 27001 certification take in SaaS?

For a B2B SaaS without prior framework and with reasonable scope (productive core + associated critical processes), a first ISO 27001 certification typically takes between six and nine months if the team dedicates real time, and between nine and twelve if attention is partial. Companies with a good technical posture but undocumented practices shorten the timeline; companies with immature practices lengthen it. We determine it honestly in the initial diagnosis — we do not sell impossible deadlines.

Let's talk

Is your B2B SaaS facing its first ISO 27001, enterprise due diligence or entering financial / public-sector clients?

A short session to diagnose where the ISMS stands (or how much you already have, even if not formalised), which frameworks apply based on your target clients, how robust the cloud and SDLC posture is and where to start to avoid losing six commercial months when the first serious questionnaire arrives. Confidential conversation, no commitment.

Page reviewed: 2026-04-29. Hard2bit · Cybersecurity company in Spain since 2013 · ENS HIGH category · ISO 27001 · ISO 22301 · ISO 20000-1 · ISO 9001 · ISO 14001