Through 2023, compliance for crypto validator operators was largely self-asserted. Operators wrote "ISO 27001 certified" on a marketing page and rarely had to produce the certificate. By 2026, every institutional onboarding starts with a vendor-risk questionnaire that itemises the compliance evidence required: certificate validity period, audit firm, scope statement, last surveillance audit date, exception list. Self-assertion is no longer a credible substitute for documentation.
This article lays out the institutional compliance stack as it now stands for serious validator operators serving regulated counterparties — funds, treasuries, custodians, and tokenised-asset issuers. We cover what each component is, what it actually costs to obtain, what it proves, and where it sits in the institutional priority order. The status of each item at 01node is documented at /security; this piece is the structural framing, not a marketing description of capability.
ISO 27001: the floor
ISO/IEC 27001 is the international standard for Information Security Management Systems. Certification requires an organisation to implement a documented, risk-based management framework covering policies, controls, and continuous improvement, then submit to an annual audit by an accredited certification body.
A first-time ISO 27001 certification typically takes 6-9 months from kick-off to certificate issuance, with audit fees in the €15-40k range for a small-to-mid operator. Annual surveillance audits add €5-15k, and recertification (every three years) is roughly equivalent to the initial audit. Total three-year cost: €40-90k for a serious certification, less for a thinly-scoped one.
For validator operators, ISO 27001 is now table stakes. Every institutional questionnaire we have seen in 2025 and 2026 lists it as a precondition. Operators without it are filtered out before the technical conversation begins.
The substantive value of ISO 27001 — beyond the certificate itself — is that the controls map to a majority of the SOC 2 Security common criteria. Operators with mature ISO 27001 programmes can engage SOC 2 Type II audits with materially less gap-closure work. This makes ISO 27001 not just the floor but the smart starting point.
SOC 2 Type II: the institutional bar
SOC 2 (System and Organization Controls 2) is an audit report issued under AICPA standards, attesting to a service organisation’s controls over five trust-services criteria: security, availability, processing integrity, confidentiality, and privacy. Most operators scope their SOC 2 to security and availability; processing integrity and privacy are added when relevant.
SOC 2 reports come in two types. Type I is a point-in-time control-design assessment — the auditor reviews the controls as they exist on a specific date and attests they are designed to meet the criteria. Type I takes 3-4 months and is sometimes used as a bridge or readiness assessment.
Type II is the bar institutional capital actually wants. The Type II observation window is 6-12 months long, during which the auditor monitors that the controls operate effectively and consistently. The Type II report describes both control design and operating effectiveness over the window. Engagement to delivered report is typically 12-18 months end to end.
Cost: a first SOC 2 Type II for a small-to-mid operator runs €40-100k including auditor fees, GRC platform tooling (Drata, Vanta, Secureframe), and internal time. Annual subsequent reports in the €25-60k range. Tier-1 auditors (Prescient Assurance, A-LIGN, Schellman, KPMG) charge more but are recognised by name in vendor questionnaires.
For 01node, SOC 2 Type II is on the 2026-2027 roadmap. The observation window is the binding constraint — it is a pure time investment that cannot be parallelised. Operators that started Type II engagement in 2025 will be in the institutional consideration set when MiCA enforcement and US regulated-staking products fully arrive in mid-2026; operators who start in late 2026 will not.
MiCA CASP: the EU operating licence
Markets in Crypto-Assets (MiCA) is the EU’s comprehensive regulatory framework for crypto-asset issuers and service providers. Regulation 2023/1114 took effect across EU member states in stages through 2024-2026, with full enforcement (and end of grandfathering) on July 1, 2026.
For validator operators, MiCA implications turn on whether the service provided constitutes a Crypto-Asset Service that requires CASP authorisation. The relevant categories are: providing custody and administration of crypto-assets, exchange of crypto-assets for funds or other crypto-assets, and operation of trading platforms.
Pure validator delegation services — where the operator only signs blocks and never takes custody of delegator tokens — are typically not in scope. Operators offering (a) custody integrations where the operator’s infrastructure participates in custody, (b) liquid staking products with fungible representations of delegated stake, or (c) staking-as-a-service products with bundled custody do fall in scope and require CASP authorisation.
CASP authorisation is granted by the national competent authority of the operator’s EU domicile (in our case the Romanian ASF — Autoritatea de Supraveghere Financiară). Application requires demonstrating organisational structure, governance, capital requirements (minimum €50k-€150k depending on services), AML/KYC procedures, IT and security policies, and conflict-of-interest management.
Applications take 6-9 months in a normal cycle. Operators serving European institutional clients beyond July 2026 need either CASP authorisation or a clear scope-out argument. Operators outside the EU serving EU clients need to be aware of the "reverse solicitation" constraints.
Penetration testing: annual cadence
Annual third-party penetration tests are now standard line items on vendor risk questionnaires. The expectations have hardened from "has the operator ever been pen-tested" in 2022 to "provide the executive summary of the most recent test by a Tier 1 vendor, dated within the past 12 months" in 2026.
Tier 1 pen-test vendors for crypto infrastructure: NCC Group, Trail of Bits, Cure53, Quarkslab, Halborn, Sigma Prime, Zellic. Engagements range from €30-150k per test depending on scope (validator infrastructure, RPC endpoints, web surfaces). The deliverable is a written report with severity-graded findings; counterparties typically receive the executive summary under NDA, not the full vulnerability detail.
For operators, pen-test cadence creates a real engineering rhythm: quarter 1 plan and engage, quarter 2 conduct, quarter 3 remediate, quarter 4 verify and prepare next cycle. The findings are productive — every test we have seen produces material remediation that strengthens the underlying architecture.
Bug bounty programmes
Public bug bounty programmes signal mature security posture in a way that purely internal pen-testing does not. The signal is: we believe our infrastructure can withstand inspection by motivated external researchers, and we are willing to pay for the findings.
For crypto infrastructure, the dominant platform is Immunefi, which provides scoping templates, payout escrow, and disclosure coordination. Payout pools for validator operators typically range €100k-€500k for critical findings, scaled by impact. Smaller operators sometimes run programmes through HackerOne or YesWeHack.
Operationally, a bug bounty programme requires a triage rotation, written SLAs for acknowledgement and payment, and a budget for actual payouts. The cost is real but the brand signal — "our infrastructure is publicly attack-tested by paid researchers" — is materially harder for competitors to dispute.
DPA, MSA, SLA: the contract trio
Three documents define the contractual perimeter for any institutional engagement: the Master Service Agreement, the Service Level Agreement, and the Data Processing Agreement.
The Master Service Agreement (MSA) is the multi-year framework contract: pricing structure, IP rights, confidentiality, indemnification, jurisdiction, termination clauses. MSAs are typically 24-36 months by default with break clauses; shorter terms are negotiable but unusual for institutional capital.
The Service Level Agreement (SLA) quantifies operational commitments: uptime percentage (typically 99.9% or 99.99%), latency targets, incident response time SLAs (sub-15-minute P1 acknowledgement is the institutional standard), monthly reporting commitments, and service credits for breaches. The credits part matters — SLAs without contractual credits for breach are largely cosmetic.
The Data Processing Agreement (DPA) is the EU GDPR-mandated contract between data controller (the client) and data processor (the operator). It defines categories of personal data, processing purposes, retention, security obligations, sub-processors, and international transfer mechanisms. For validator operators, the DPA scope is typically narrow because pure delegation involves minimal personal data; but enterprise integrations (custody, reporting, white-label) can broaden the scope considerably.
Operators serving institutional capital should have all three documents in template form, ready to customise. Operators that do not — that approach each contract as a custom build from scratch — are signalling immaturity and add weeks to onboarding.
Vendor risk questionnaires
Every institutional onboarding goes through a vendor risk questionnaire. The format varies (SIG Lite, CAIQ, custom spreadsheets) but the questions converge on the same controls.
Common categories and example questions:
- Information Security: do you have ISO 27001? SOC 2? What is the last audit date?
- Identity and Access: FIDO2 enforced? Privileged-access management? Offboarding within 24 hours?
- Encryption: data at rest and in transit? Key custody? HSM-backed?
- Incident Response: last tabletop date? P1 SLA? Notification timeline per GDPR Art. 33?
- Business Continuity: BC/DR plan? RPO/RTO? Last drill?
- Vendor Management: sub-processor list? Annual review? Termination procedures?
The honest answer to most questions is the differentiator. Operators who answer "yes" to everything and produce evidence on demand pass quickly. Operators who answer "yes" to everything and cannot produce evidence get filtered out at the second-round review.
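As an added illustration (not 01node's code or process), the following Python checker encodes the evidence bar this article describes: a currently valid ISO 27001 certificate with an initial or surveillance audit in the past 12 months, a SOC 2 Type II observation window of at least six months, and a Tier 1 pen test dated within the past 12 months. The evidence-pack schema, field names and sample dates are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Tier 1 pen-test vendors as named in the article.
TIER1_PENTEST_VENDORS = {"NCC Group", "Trail of Bits", "Cure53", "Quarkslab",
                         "Halborn", "Sigma Prime", "Zellic"}

@dataclass  # hypothetical evidence schema; None means the operator provided nothing
class EvidencePack:
    iso27001_valid_from: date | None = None
    iso27001_valid_to: date | None = None
    iso27001_last_audit: date | None = None  # initial or latest surveillance audit
    soc2_window_start: date | None = None    # Type II observation window
    soc2_window_end: date | None = None
    pentest_date: date | None = None
    pentest_vendor: str | None = None

def _verdict(present: bool, rules: list) -> str:
    """rules: (fails, reason) pairs evaluated lazily; the first failing rule wins."""
    if not present:
        return "no evidence provided (self-assertion only)"
    return next((reason for fails, reason in rules if fails()), "pass")

def review_evidence(pack: EvidencePack, today: date) -> dict[str, str]:
    """Map each control to 'pass' or the first reason it misses the questionnaire bar."""
    p, year = pack, timedelta(days=365)
    iso_present = all((p.iso27001_valid_from, p.iso27001_valid_to, p.iso27001_last_audit))
    return {
        # ISO 27001: certificate currently valid, and an audit (initial or surveillance) in the past 12 months.
        "iso27001": _verdict(iso_present, [
            (lambda: not p.iso27001_valid_from <= today <= p.iso27001_valid_to, "certificate outside its validity period"),
            (lambda: today - p.iso27001_last_audit > year, "last surveillance audit older than 12 months")]),
        # SOC 2 Type II: window of at least 6 months (a shorter one is a Type I in disguise), and a fresh report.
        "soc2_type2": _verdict(bool(p.soc2_window_start and p.soc2_window_end), [
            (lambda: p.soc2_window_end - p.soc2_window_start < timedelta(days=182), "observation window shorter than 6 months"),
            (lambda: today - p.soc2_window_end > year, "window ended more than 12 months ago")]),
        # Penetration test: Tier 1 vendor and dated within the past 12 months.
        "pentest": _verdict(bool(p.pentest_date and p.pentest_vendor), [
            (lambda: p.pentest_vendor not in TIER1_PENTEST_VENDORS, "vendor not on the Tier 1 list"),
            (lambda: today - p.pentest_date > year, "pen test older than 12 months")]),
    }

# Constructed sample pack: illustrative dates only, not any operator's real evidence.
SAMPLE = EvidencePack(
    iso27001_valid_from=date(2024, 3, 1), iso27001_valid_to=date(2027, 2, 28),
    iso27001_last_audit=date(2025, 3, 10), soc2_window_start=date(2025, 1, 1),
    soc2_window_end=date(2025, 4, 30), pentest_date=date(2025, 9, 15),
    pentest_vendor="Trail of Bits")
REVIEW_DATE = date(2026, 3, 1)  # constructed review date for the sample, not a real audit date
```

Calling `review_evidence(SAMPLE, REVIEW_DATE)` flags the sample's four-month SOC 2 window while passing the ISO 27001 and pen-test evidence, which is exactly the second-round filter the questionnaire applies.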
How the stack fits together
The compliance stack is not a checklist of independent items. It is a cumulative posture that builds in a specific order:
- Year 1: ISO 27001 implementation (6-9 months) → external audit → certificate. ISO 9001 in parallel for operational quality.
- Year 1-2: Penetration test cadence established. Bug bounty programme launched on Immunefi or comparable. Internal vendor-risk questionnaire pack assembled with evidence.
- Year 2: SOC 2 readiness assessment using ISO 27001 controls as the base. Drata/Vanta/Secureframe deployed as continuous monitoring platform. Type I report optional bridge.
- Year 2-3: SOC 2 Type II observation window. MiCA CASP application track if relevant. Annual pen-test repeated. Tier-1 auditor relationship established.
- Year 3+: SOC 2 annual recertification. ISO 27001 surveillance audit. Pen-test cadence stable. CASP authorisation maintained. Compliance becomes a steady-state operational track rather than a project.
Operators starting from zero today realistically need 24-30 months to reach the "institutional bar" of an active SOC 2 Type II report. Operators who started in 2024-2025 are in the consideration set now. The market does not wait for late starters.
How 01node is positioned
01node has held ISO 27001 certification and ISO 9001 certification for several recertification cycles. Penetration testing is annual via a Tier 1 vendor, with the executive summary delivered to enterprise clients under NDA. SOC 2 Type II is on the 2026-2027 roadmap with auditor scoping in progress and a target observation window beginning in 2026. MiCA CASP authorisation is on the filing track. The full status — active, in-progress, planned — is at /security, with each control tagged explicitly and never overclaimed.
The DPA, MSA, and SLA templates are part of the enterprise onboarding pack delivered in step 03 of the standard 5-step engagement flow at /docs#integration-onboarding. Vendor questionnaire responses are pre-prepared with linked evidence; we typically return a completed questionnaire in 3-5 business days from receipt.
For institutional counterparties evaluating us, the trust pack at /trust-pack.pdf consolidates the public evidence; the unredacted version with audit reports, references, and commercial detail is delivered under NDA on request to [email protected].
Compliance, ultimately, is a slow-moving asset. The operators who will dominate institutional staking by 2027-2028 are the operators who started building the stack in 2024-2025. By the time the market converges on a clear set of expectations, the compliance velocity is what separates the operators who can transact from the operators who can only quote.