Assurance in 2026

What companies can expect in Assurance in 2026

We spoke with Jaimy Jansen, Senior Project Lead, about what companies can expect in the field of Assurance in 2026. The assurance landscape is changing, mainly because of new regulations and growing expectations around transparency, governance, and oversight of the supply chain. Below, Jaimy explains what really matters and how organisations can prepare.

NIS2 will shape Assurance in 2026

One development clearly stands out for 2026: the implementation of NIS2. Once it comes into force, organisations that are affected will be expected to have much better oversight of how they govern their internal control and, just as importantly, how their supply chain is organised.

This means organisations will need to show that they understand and manage risks not only within their own organisation, but also at their sub-service providers.

As a result, we expect to see more requests for assurance reports, especially from clients who themselves need to comply with NIS2, either directly or via their user organisations.

More demand for SOC reports, but not because the standard changed

The SOC 1 and SOC 2 standards themselves are not changing. What is changing is the demand from the market.

Because regulations like NIS2 require organisations to know more about their suppliers, assurance reports are increasingly used to get a clearer picture of how those suppliers manage risks and controls. SOC reports help organisations explain and support that oversight.

In short: expect more questions from clients, even if the standards stay exactly the same.

SOC 1 vs SOC 2: which one do you need?

The difference between SOC 1 and SOC 2 is still a common source of confusion.

  • SOC 1 focuses on controls that affect financial reporting. It’s typically used when a service provider plays a role in a client’s financial processes, such as processing transactions or running financial systems.
  • SOC 2 has a broader scope and always includes security. It can also cover availability, confidentiality, processing integrity, and privacy. This makes SOC 2 more relevant for IT service providers, SaaS companies, and platforms.

To make an informed decision, you need to know who will use the report and which risks your client cares about.

SOC vs ISAE: similar in practice

SOC and ISAE reports are often seen as very different, but in practice they are quite similar. The main difference is where they come from: SOC originates in the US, while ISAE is more commonly used internationally.

The real question is:

  • Are you reporting on controls that affect financial statements?
  • Or do you need to provide broader assurance on security, availability, and outsourced processes?

That distinction should guide your choice, rather than the name of the standard itself.

A common misconception about SOC 2

As we’ve said many times before, one of the most common misunderstandings is treating a SOC 2 report like a simple “tick-the-box” certification, similar to ISO.

A SOC 2 report works differently. It shows how controls actually worked during a specific period of time. A SOC 2 report will always be issued, but the real value is in what’s inside it:

  • Does the reporting period cover what you want to assess?
  • Is the scope relevant to your situation?
  • Are there any findings or deviations?

Reviewing the content of the report is far more important than simply confirming that a report exists.

Staying audit-ready all year

Many organisations only focus on controls when an audit is approaching, which often leads to unnecessary stress.

A better approach is to embed controls into daily work. Tasks like access reviews or onboarding checks can run on a fixed schedule and be handled in the tools teams already use. Documentation then becomes part of normal operations, rather than a separate audit exercise.

When the audit starts, the evidence is already available. That reduces audit fatigue and last-minute pressure.

The biggest gap organisations still have

A common issue is that organisations do perform controls, but don’t document them properly.

From an auditor’s perspective, undocumented controls effectively don’t exist. Documentation doesn’t have to be complicated. It can live in systems, workflows, or even emails, as long as it is consistent and easy to retrieve. Good documentation is the foundation of any assurance engagement.

A wish for 2026

Looking ahead, Jaimy hopes to see more maturity in how organisations use assurance reports.

Rather than seeing them purely as a compliance requirement, companies should use them to better understand their outsourced processes and supply-chain risks, especially with both NIS2 and DORA in mind. Assurance becomes much more valuable when reports are actively reviewed and understood, instead of simply being requested.

Final advice

For 2026, the advice is straightforward: take a close look at your processes, understand your place in the wider cybersecurity landscape, prepare early for NIS2, and get support where needed.