We are seeing a worrying level of unpreparedness on the side of service providers, who for the most part have never heard of SOC 2. Those who have are not experienced enough to navigate the complexity, depth and extent of the standard. It is fair to say that this is a very complex topic: depending on the number of categories included in the report, there can be up to 200 controls to be tested. Most, if not all, of the largest service providers in the world (e.g. AWS, Azure, Google, SAP) issue those reports, and they are bulky. Another aspect is the cost of such a compliance exercise: with so many controls to be evaluated by an independent auditor, it can quickly add up and become a hard pill to swallow.