EU Cyber Resilience Act: The 2026 Deadlines Engineering Teams Can't Afford to Miss
The timeline is tighter than you think. September 11, 2026: mandatory vulnerability reporting begins for all products with digital elements. December 11, 2027: full compliance required, including secure-by-design documentation. Penalties: up to €15 million or 2.5% of global annual turnover. If your engineering team hasn't started preparation, you're already behind.
What the CRA Actually Requires from Engineering
This isn't just a legal compliance checkbox. The CRA requires:
- Documented secure development lifecycle — evidence that security was designed in from the start, not bolted on.
- Vulnerability handling processes — not just patching, but a defined process for identifying, tracking, and disclosing vulnerabilities.
- Software Bill of Materials (SBOM) — machine-readable inventory of every software component your product contains.
- Ongoing security maintenance — continuous updates and improvements, not ship-and-forget.
- Conformity assessment documentation — evidence demonstrating that your product meets CRA requirements.
The SBOM Challenge
SBOMs (Software Bills of Materials) are now mandatory. Every product with digital elements needs a machine-readable inventory of its software components — including open-source dependencies, third-party libraries, and internal modules. For many teams, this is new territory.
Generating an SBOM isn't hard. Maintaining one that's accurate and current across rapid development cycles is the real challenge. You'll need automated tooling to track dependencies in real time, integrate SBOM generation into your CI/CD pipeline, and establish processes to update SBOMs whenever your software changes.
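As an added example (not from the original article), here is a small Python check of the kind a CI pipeline could run to catch an SBOM that has fallen out of step with the build: it compares a fully resolved lockfile against a CycloneDX-style SBOM and fails when components are missing, stale, or at the wrong version. The lockfile, the SBOM document and the function names are constructed for illustration.

```python
import json

# Constructed: a fully resolved lockfile (all transitive deps pinned), i.e. what ships.
LOCKFILE = """\
requests==2.31.0
urllib3==2.0.7
cryptography==42.0.5
"""

# Constructed: a CycloneDX-style SBOM from an earlier build that was never regenerated.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.18"},
        {"type": "library", "name": "idna", "version": "3.4"},
    ],
})

def parse_pins(text):
    """Map package name -> version from 'name==version' lines; skip comments/blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            pins[name.strip().lower()] = version.strip()
    return pins

def parse_sbom(text):
    """Map component name -> version from a CycloneDX JSON document."""
    doc = json.loads(text)
    return {c["name"].lower(): c.get("version", "") for c in doc.get("components", [])}

def sbom_drift(pins, sbom):
    """The three kinds of drift a CI gate should fail on."""
    return {
        "missing_from_sbom": sorted(pins.keys() - sbom.keys()),
        "stale_in_sbom": sorted(sbom.keys() - pins.keys()),
        "version_mismatch": sorted(n for n in pins.keys() & sbom.keys() if pins[n] != sbom[n]),
    }

def sbom_is_current(lockfile_text, sbom_text):
    """CI gate: True only when the SBOM exactly reflects the pinned build."""
    return not any(sbom_drift(parse_pins(lockfile_text), parse_sbom(sbom_text)).values())

if __name__ == "__main__":
    print(json.dumps(sbom_drift(parse_pins(LOCKFILE), parse_sbom(SBOM_JSON)), indent=2))
    raise SystemExit(0 if sbom_is_current(LOCKFILE, SBOM_JSON) else 1)
```

Run on the constructed inputs it reports cryptography missing, idna stale and urllib3 at the wrong version, and exits non-zero so the pipeline stops until the SBOM is regenerated.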
CRA + AI Act: The Compliance Overlap
Companies building AI-integrated products face a double compliance burden. The good news: meeting CRA security standards can provide "conformity presumption" for certain cybersecurity requirements of the EU AI Act. Engineering teams that demonstrate strong development practices can satisfy requirements across both regulations with a single evidence base.
Secure-by-Design: Evidence, Not Assertions
Auditors don't want to hear that your team "follows secure development practices." They want evidence. Code review records showing security considerations. Test results demonstrating security testing coverage. Deployment configurations showing security gates. Incident response documentation showing preparedness.
This is exactly what engineering practice scoring provides: continuous, automated evidence of your development practices across all 50 SDLC protocols. You're not making assertions. You're generating data that auditors can rely on.
Start with a Baseline
You can't improve what you can't measure. A Foundation Scan gives you your current practice maturity across all 6 SDLC phases — including the security-critical protocols that map directly to CRA requirements. From there, you can see exactly where your gaps are and prioritize the improvements that matter most before the September 2026 deadline.
The question isn't whether you need to comply with the CRA — it's whether you'll be ready when the deadline arrives. Start now.
Ready to assess your CRA readiness?