What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

Concordance Labs · April 2026

The Team at Concordance

April 2026 · 12 min read

CRA Compliance for Engineering Teams: The Complete Guide

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for every product with digital elements sold in the European market. Starting September 11, 2026, manufacturers must report actively exploited vulnerabilities within 24 hours. This guide covers everything engineering teams need to know — deadlines, reporting obligations, product classification, and how to generate the compliance evidence auditors expect.

Key Deadlines

September 11, 2026

Vulnerability reporting obligations begin. The 24h/72h/14d notification timeline becomes mandatory for all manufacturers of products with digital elements.

December 11, 2027

Full CRA application. All product design requirements, CE marking, and conformity assessment procedures become enforceable.

The critical distinction: September 2026 is about reporting — you must have the infrastructure to detect, assess, and notify authorities about vulnerabilities within 24 hours. December 2027 is about design — your products must demonstrably meet secure-by-design requirements from the ground up.

The 3-Step Reporting Timeline

Under the CRA, manufacturers must report any actively exploited vulnerability or severe incident affecting product security to ENISA (the EU Cybersecurity Agency) and their national authority following this strict timeline:

24 HoursEarly Warning

A brief notification as soon as you become aware of a severe incident or actively exploited vulnerability. Must state that an event has occurred and include an assessment of whether cross-border impact is suspected. This is a speed test — you need automated detection and pre-built notification templates.

72 HoursIncident Notification

A detailed update including an initial assessment of the incident, its severity, and indicators of compromise (IoCs) if available. This is where your engineering practice data becomes critical — you need to know which products are affected, which dependencies are involved, and what the blast radius looks like.

14 DaysFinal Report

A comprehensive report describing the vulnerability or incident in detail, including all remedial measures taken (patches issued, configurations changed) and the expected remaining risk level for users. This is your evidence package — demonstrating both what happened and how your engineering practices responded.

All reports go to ENISA via their Single Reporting Platform (SRP) and to your national authority — the BSI in Germany, NCSC-NL in the Netherlands, CCB in Belgium, or ANSSI in France. The 24-hour window is what keeps engineering leaders awake at night. Manual processes cannot meet it reliably. You need automated detection, pre-mapped product inventories, and evidence pipelines that run before the clock starts ticking.

Product Classification: Which Category Are You?

The CRA classifies products into four tiers based on cybersecurity risk. The classification determines your conformity assessment route — self-assessment vs. mandatory third-party audit.

Critical Products

Hardware Security Modules (HSMs) · Smart Meter Gateways · Smartcards & TPMs · Secure Crypto-Processors

European certification required. Full quality assurance with the most rigorous assessment route.

Important Products — Class II

Industrial Firewalls & IDS/IPS · Hypervisors & Container Runtimes (Docker, Xen) · Tamper-Resistant Microprocessors · PKI Software

Mandatory third-party audit. External assessment is always required.

Important Products — Class I

IAM Software · Browsers · Smart Locks, Cameras & Baby Monitors · Operating Systems, VPNs, Routers · Password Managers · Connected Toys

Third-party review required, or you can self-assess if following harmonised standards.

Default Products (90% of all products)

All other products with digital elements — the vast majority of software.

Self-assessment (Module A). Manufacturer's internal control — no external auditor guides you through it. You need your own tooling to generate and document the evidence.

The Default category is the most significant for engineering teams. Ninety percent of products can self-assess — but that means no third-party auditor walks you through what evidence to produce. You are responsible for demonstrating compliance yourself. That requires tooling that maps your engineering practices directly to CRA requirements and generates evidence automatically.

CRA and NIS2: Where the Requirements Overlap

Engineering teams are dealing with CRA and NIS2 simultaneously. Both regulations originate from the EU's broader cybersecurity strategy, but they target different things:

CRA targets products — the software and connected devices themselves. It requires secure-by-design development, vulnerability handling, and incident reporting.
NIS2 targets organisations — the entities operating essential and important services. It requires risk management, incident reporting, and supply chain security.

The overlap is significant: both require incident reporting timelines (CRA: 24h/72h/14d; NIS2: similar structure), both require evidence of security practices, and both create penalties for non-compliance. If you're building software products used by NIS2-regulated entities, you face obligations from both directions. The engineering practice data that satisfies CRA's secure-by-design requirements often maps directly to NIS2's risk management evidence needs.

What “Secure-by-Design” Evidence Actually Looks Like

CRA Article 10 requires that products be “designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity.” For engineering teams, that translates to demonstrable practices across your entire SDLC:

CI/CD pipeline configuration as evidence of secure development processes. Are builds automated? Are security checks gated? Are deployments traceable?
Code review standards as evidence of quality assurance. Are pull requests reviewed before merge? Are review requirements enforced, not optional?
Branch protection policies as evidence of access control. Can anyone push to main? Are force-pushes blocked? Are status checks required?
Testing coverage as evidence of vulnerability assessment. Do you have automated tests? Are there coverage thresholds? Do tests run on every commit?
Dependency management as evidence of SBOM compliance. Can you enumerate every third-party component? Are dependencies scanned for known vulnerabilities? Can you produce a Software Bill of Materials on demand?
Incident response procedures as evidence of vulnerability handling. Do you have runbooks? Are roles assigned? Can you trace from detection to resolution?

This is where most engineering teams get stuck. The data exists — in Git, in CI/CD configs, in project management tools — but it's scattered across platforms and nobody has translated it into the evidence format compliance officers need. The gap isn't capability. It's translation.

Concordance addresses this by scoring 50 engineering protocols across 6 SDLC phases — Requirements, Design, Development, Testing, Release, and Operations — and mapping the results directly to CRA, NIS2, SOC 2, and ISO 27001 requirements from a single scan. The same practice data that tells you whether your code review standards are mature also generates the compliance evidence an auditor needs.

CRA Gap Analysis: Where to Start

If you're an engineering leader preparing for CRA, start with these questions:

Product inventory: Do you know which of your products have digital elements and are sold in the EU? Can you classify each one as Default, Important, or Critical?
SBOM readiness: Can you produce a Software Bill of Materials for every product? Are dependencies tracked and scanned automatically?
Vulnerability detection: Do you have automated vulnerability scanning in your CI/CD pipeline? How quickly can you identify which products are affected by a new CVE?
Notification infrastructure: Can you file a report with ENISA within 24 hours? Do you have templates ready? Do you know your national authority contact?
Practice documentation: Can you demonstrate that code review, testing, branch protection, and deployment gating are consistently followed — not just enabled?
Cross-framework mapping: If you already comply with SOC 2 or ISO 27001, do you know which controls overlap with CRA requirements and which gaps remain?

SBOM Requirements Under the CRA

The CRA requires manufacturers to identify and document the components contained in their products, including third-party and open-source dependencies. While the regulation doesn't prescribe a specific SBOM format, it requires that you can enumerate your software components and demonstrate ongoing vulnerability monitoring.

For engineering teams, this means dependency management must be automated and continuous. Manual spreadsheets won't survive the first audit. You need tooling that scans your dependency trees, generates SBOMs in standard formats (CycloneDX or SPDX), and cross-references components against known vulnerability databases. This is an engineering practice problem, not a compliance paperwork problem — and it starts in your build pipeline.

Does the CRA Apply to Open-Source Software?

This is one of the most frequently asked questions. The short answer: the CRA applies to open-source software only when it is supplied as part of a commercial activity. Purely volunteer-developed open-source projects distributed for free are generally exempt. However, if you integrate open-source components into a commercial product, you as the manufacturer are responsible for the security of those components within your product. The open-source steward concept in the CRA creates certain due diligence obligations for organisations that systematically provide open-source software for commercial use.

Frequently Asked Questions

What happens if we miss the 24-hour reporting window?

The CRA introduces significant penalties. Non-compliance with essential requirements can result in fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher. National market surveillance authorities will enforce compliance, and repeated violations can lead to product withdrawal from the EU market.

Does the CRA apply to SaaS products?

The CRA targets “products with digital elements” — software or hardware that connects to a device or network. Pure SaaS that runs entirely in the cloud and doesn't involve client-side software components may fall outside direct CRA scope, though it could be covered by NIS2 instead. However, if your SaaS includes downloadable components, browser extensions, mobile apps, or IoT integrations, those elements are likely in scope.

How do CRA and GDPR incident reporting interact?

They are separate obligations with different triggers and authorities. GDPR covers personal data breaches reported to data protection authorities. CRA covers security vulnerabilities and incidents reported to ENISA and national cybersecurity authorities. A single incident could trigger both — a vulnerability that leads to personal data exposure requires notification under both regimes, to different authorities, on different timelines.

We already have SOC 2 / ISO 27001. How much of that applies to CRA?

Significant overlap exists in areas like access control, vulnerability management, and incident response. However, CRA adds engineering-specific requirements that SOC 2 and ISO 27001 don't cover: secure-by-design evidence from your actual development practices, SBOM requirements, and product-level vulnerability handling. Think of existing certifications as covering about 40-60% of CRA requirements — the remaining gap is in engineering practice evidence that compliance platforms like Drata don't generate.

Related Guides

See where your engineering practices stand against CRA requirements. Run a free Foundation Scan — no signup required, results in under 2 minutes.

Start with a free Foundation Scan →