Concordance Labs · April 2026
The Team at Concordance
April 2026 · 7 min read

NIS2 in 2026: Supply Chain Liability, 24-Hour Reporting, and What Your Engineering Team Needs

NIS2 Has Teeth — and They're Personal

NIS2 isn't just another compliance framework to file away. Article 20 makes management bodies accountable: they must approve and oversee the entity's cybersecurity risk-management measures, can be held personally liable for infringements, and (for essential entities) individuals at CEO or legal-representative level can be temporarily barred from exercising managerial functions. The same article requires board members to undergo regular cybersecurity training. This isn't an IT problem anymore; it's a C-suite problem.

Supply Chain: Your Liability Extends Beyond Your Walls

The most searched NIS2 topic is supply chain security, and for good reason. Article 21(2)(d) makes the security of your direct suppliers and service providers part of your own risk-management obligations: their weaknesses become your non-compliance. This means:

For engineering teams, this means your dependency management practices (how you select, pin, verify and update open-source libraries, third-party APIs and external services) are now compliance-critical, because every unpinned or unverified dependency is a supplier whose security posture you cannot evidence.
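One concrete piece of evidence an auditor can check is whether third-party code is pinned and hash-verified. The script below is an added example, not Concordance's code or a NIS2 artefact: it parses a constructed `requirements.txt` and reports every dependency that is not pinned to an exact version or that carries no `--hash`, which are the two conditions `pip install --require-hashes` enforces. The sample file and its digest value are constructed for illustration.

```python
"""Audit a pip requirements file for supply-chain hygiene.

Added example (not Concordance's code). It flags third-party dependencies that
are not pinned to an exact version and those shipped without a --hash, the two
conditions `pip install --require-hashes` enforces at install time.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input covering the common states of a requirements file.
# The sha256 digest is a placeholder, not the real digest of any release.
SAMPLE_REQUIREMENTS = """\
# application dependencies
requests==2.32.3 \\
    --hash=sha256:abababababababababababababababababababababababababababababababab
cryptography>=42.0        # version range: resolves differently over time
pyyaml                    # no specifier at all
jinja2==3.1.4             # pinned, but the artifact is not hash-verified
"""

# name, optional extras, optional version specifier (e.g. "==1.2", ">=4.0")
_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+(?:\[[^\]]*\])?)\s*((?:[<>=!~]=?|===).*)?$")


@dataclass
class Requirement:
    name: str
    specifier: str = ""                    # "" when the line has no version constraint
    hashes: list = field(default_factory=list)

    @property
    def exact_pin(self) -> bool:
        # "==" (or "===") is the only specifier that names exactly one version.
        return self.specifier.startswith("==")


def _logical_lines(text: str) -> list:
    """Strip comments and blank lines, and join backslash-continued lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_requirements(text: str) -> list:
    """Return one Requirement per dependency line; pip options (-r, --index-url) are skipped."""
    reqs = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("-"):
            continue
        m = _REQ_RE.match(tokens[0])
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
        reqs.append(Requirement(m.group(1), m.group(2) or "", hashes))
    return reqs


def audit_requirements(text: str) -> list:
    """Return (name, problem) pairs; an empty list means the file is pin- and hash-clean."""
    findings = []
    for r in parse_requirements(text):
        if not r.exact_pin:
            findings.append((r.name, "not pinned to an exact version"))
        if not r.hashes:
            findings.append((r.name, "no --hash, so the installer cannot verify the artifact"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {problem}")
```

Run on the sample, `requests` passes and the other three are reported. Wiring `audit_requirements` into CI so the build fails on any finding turns the practice into a continuously generated record, and `pip install --require-hashes -r requirements.txt` then guarantees that what was reviewed is what gets installed.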

The 24-Hour Clock

When a significant incident occurs, the clock starts the moment you become aware of it. Article 23 requires an "early warning" to the CSIRT or competent authority within 24 hours of awareness, a full incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month of submitting that notification (with intermediate status reports on request). The challenge isn't just speed; it's classification. Article 23(3) deems an incident significant if it has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other persons by causing considerable damage, and every entity has to translate those qualitative criteria into thresholds its on-call staff can apply at 3 a.m. That requires defined incident classification criteria, documented escalation paths, and practiced response procedures. Engineering teams without documented incident response protocols will struggle to meet these windows.
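To make the classification and the three windows concrete, here is an added example (not Concordance's code, and not a substitute for legal advice) that encodes the Article 23(3) criteria as a triage function and derives the deadlines from the moment of awareness. The numeric thresholds for "severe" disruption and loss are assumptions standing in for an entity's own classification policy; the directive gives only the qualitative criteria. The sample events are constructed.

```python
"""Classify a security event as a NIS2 "significant incident" and schedule the
Article 23 reporting deadlines. Added example, not Concordance's code.

The qualitative criteria are the directive's (Article 23(3)): severe operational
disruption or financial loss, or considerable damage to other persons. The numeric
thresholds below are assumptions; each entity sets its own in its classification policy.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds (not in the directive).
SEVERE_DISRUPTION_HOURS = 4.0        # core-service outage at or beyond this is "severe"
SEVERE_FINANCIAL_LOSS_EUR = 100_000  # loss at or beyond this is "severe"


@dataclass(frozen=True)
class SecurityEvent:
    aware_at: datetime                    # when the entity became aware (the clock starts here)
    service_outage_hours: float = 0.0     # actual or projected outage of a core service
    estimated_loss_eur: float = 0.0       # actual or projected financial loss
    third_party_damage: bool = False      # considerable damage to others, actual or possible


def is_significant(ev: SecurityEvent) -> bool:
    """Article 23(3) test: any one criterion met, actual or capable of occurring."""
    return (ev.service_outage_hours >= SEVERE_DISRUPTION_HOURS
            or ev.estimated_loss_eur >= SEVERE_FINANCIAL_LOSS_EUR
            or ev.third_party_damage)


def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_schedule(ev: SecurityEvent, notified_at: Optional[datetime] = None) -> dict:
    """Deadlines for a significant incident; {} if the event does not need reporting.

    Early warning: 24 h from awareness.  Incident notification: 72 h from awareness.
    Final report: one month after the incident notification is submitted; until it
    is, the 72 h deadline is used as the latest possible anchor.
    """
    if not is_significant(ev):
        return {}
    notification_due = ev.aware_at + timedelta(hours=72)
    anchor = notified_at if notified_at is not None else notification_due
    return {
        "early_warning_due": ev.aware_at + timedelta(hours=24),
        "incident_notification_due": notification_due,
        "final_report_due": add_one_month(anchor),
    }


def pending_deadlines(schedule: dict, now: datetime) -> list:
    """Deadlines still ahead of `now`, soonest first, as (label, due) pairs."""
    return sorted(((k, v) for k, v in schedule.items() if v > now), key=lambda kv: kv[1])


# Constructed sample events (not real incidents).
EXAMPLE_EVENT = SecurityEvent(
    aware_at=datetime(2026, 3, 15, 10, 0, tzinfo=timezone.utc),
    service_outage_hours=6.0,          # crosses the disruption threshold
)
MINOR_EVENT = SecurityEvent(
    aware_at=datetime(2026, 3, 15, 10, 0, tzinfo=timezone.utc),
    service_outage_hours=0.5,
    estimated_loss_eur=2_000,
)

if __name__ == "__main__":
    for label, due in pending_deadlines(reporting_schedule(EXAMPLE_EVENT), EXAMPLE_EVENT.aware_at):
        print(f"{label}: {due.isoformat()}")
    print("minor event reportable:", is_significant(MINOR_EVENT))
```

Two design points matter more than the arithmetic. First, `aware_at` is the time of awareness, not the time the attacker got in; a ticketing system that stamps events at creation gives you that value for free, one that lets responders backfill it does not. Second, the final-report clock hangs off the incident notification, so a team that files the 72-hour notification early also brings the one-month deadline forward; pass `notified_at` once it is actually submitted.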

The Ten Mandatory Security Measures

Article 21(2) of NIS2 specifies ten areas of mandatory risk-management measures that every in-scope entity must implement, including:

For engineering teams, the direct requirement is Article 21(2)(e), security in network and information systems acquisition, development and maintenance, which explicitly includes vulnerability handling and disclosure: you need evidence that security is integrated into your SDLC (threat modelling, code review, dependency and vulnerability management, a way for outsiders to report flaws), not bolted on as an afterthought.

Practice Evidence as NIS2 Compliance

Concordance's 50 SDLC protocols map directly to NIS2's mandatory security measures. Your practice maturity scores become your compliance evidence. Security-related protocols cover:

The evidence is generated continuously from your actual toolchain — always current, always available for auditors.

Country Variations Matter

Because NIS2 is a directive (not a regulation like GDPR), it has no direct effect: each EU member state transposes it into national law, and the transposition deadline was 17 October 2024, so the obligations you actually face are the national ones. Germany, Belgium, and others have added stricter requirements or different registration deadlines. If you operate across borders, you need to track these variations. Practice-level data gives you a foundation that works across all transpositions.

Ready to assess your NIS2 readiness?

See NIS2 compliance mapping →
Assess your NIS2 readiness with a free Foundation Scan →