Cybersecurity Compliance Evidence: What CRA and NIS2 Actually Require from Engineering Teams
The Compliance Landscape Has Shifted
The EU Cyber Resilience Act (CRA) and NIS2 Directive have fundamentally changed the game for engineering teams. It's no longer enough to have security tools. Regulators now require evidence that your development practices are secure by design — documented proof that security is embedded throughout your SDLC, not bolted on at the end. For many engineering leaders, cybersecurity is the ultimate nightmare scenario because a breach has consequences beyond revenue: loss of public trust, regulatory penalties, and personal liability.
What CRA Requires
The CRA targets products with digital elements sold in the EU. It requires a documented secure development lifecycle, vulnerability handling processes, security testing evidence, incident reporting within 24 hours, and ongoing security maintenance. This isn't a checkbox exercise. Auditors want to see continuous evidence of practice quality, not a one-time audit snapshot.
What NIS2 Requires
NIS2 extends cybersecurity obligations to essential and important entities. It mandates: risk analysis and security policies, incident handling procedures, supply chain security, security in network and system development, cyber hygiene practices, and continuous assessment of security measures. The key word is "continuous" — NIS2 expects ongoing evidence, not annual reviews.
The Evidence Problem
Most engineering teams have some security practices in place. The problem is proving it. When an auditor asks "show me evidence that code reviews include security considerations," can you produce data? When they ask "demonstrate that your testing includes security test cases," do you have metrics? When they ask "prove that your deployment process includes security gates," is there a paper trail? For many teams, the answer is manual screenshots and ad hoc documentation assembled the week before an audit.
Practice Scoring as Compliance Evidence
Concordance's 50 protocols include security-relevant practices across all 6 SDLC phases. Your practice maturity scores become your compliance evidence. Security-related protocol scores map directly to CRA and NIS2 requirements. The data is generated continuously from your actual toolchain — not assembled manually for audits. This means your compliance evidence is always current, always accurate, and always available.
One Dataset, Multiple Purposes
The same practice data that helps you improve engineering quality also generates compliance evidence. No separate compliance workstream. No audit scramble. Your day-to-day engineering improvement effort IS your compliance documentation.
Ready to align your engineering practices with compliance requirements?