Concordance Labs · April 2026
The Team at Concordance
April 2026 · 7 min read

NIS2 for US Companies: What American Engineering Teams Need to Know

If your company provides services in the EU — regardless of where you're headquartered — NIS2 applies to you. US companies are scrambling to understand the extraterritorial reach, reconcile it with existing NIST frameworks, and prepare for obligations that go well beyond anything US cybersecurity regulations currently require.

Jurisdictional Scoping: Are You In?

NIS2 classifies organisations as either "Essential" or "Important" entities based on the criticality of their services. Any US-based medium-to-large organisation providing critical services in the EU falls under scope. This includes technology and SaaS companies, managed service providers, cloud computing platforms, manufacturers with EU customers, healthcare technology providers, and digital infrastructure operators. The key distinction: NIS2 follows the service, not the headquarters.

Executive Liability: The Provision US Leaders Aren't Ready For

Article 20 of NIS2 introduces personal liability for management. This is the provision that gets the most attention from US executives — and for good reason. Management bodies must approve cybersecurity risk management measures, oversee their implementation, and can be held personally accountable for failures. In extreme cases, executives can face temporary bans from management roles. US corporate governance has nothing equivalent to this, and existing D&O insurance policies may not cover NIS2 sanctions.

The Supply Chain Knock-On Effect

Many US firms that aren't directly in scope are discovering they're affected anyway. NIS2 legally mandates EU-based companies to assess and manage risk across their supply chain — which means your EU customers are now required to "police" their vendors. US companies are facing new contract requirements including NIS2-aligned security clauses, evidence of vulnerability management programmes, incident notification commitments that match the 24-hour timeline, and third-party audit rights. If you sell to EU enterprises, your customers' compliance obligations become your operational requirements.

The 24-Hour Reporting Challenge

NIS2 mandates a three-stage incident reporting process: a 24-hour early warning from the moment a significant incident is detected, a 72-hour incident notification with initial assessment and impact analysis, and a final detailed report within one month. The 24-hour window is the operational challenge that most US companies are unprepared for. It requires pre-built triage workflows, clear escalation paths, and the ability to classify an incident's severity within hours, not days. Engineering teams need automated detection, documented response procedures, and practice-level readiness that can be evidenced to regulators.

NIST CSF to NIS2: The Mapping Problem

Most US organisations have invested in NIST CSF 2.0 as their voluntary cybersecurity framework. The challenge is that NIS2 requirements are binding and prescriptive where NIST is flexible and risk-based. The good news: there is significant overlap — NIST's Identify, Protect, Detect, Respond, and Recover functions map reasonably well to NIS2's risk management requirements. The gaps are primarily around the mandatory reporting timelines (NIST has no equivalent to the 24-hour window), the personal liability provisions, and the supply chain governance requirements.

Engineering teams that have solid NIST CSF practices have a head start, but they still need to fill the compliance gaps — particularly around incident reporting speed, governance evidence, and supply chain documentation.

Governance Evidence, Not Narratives

US companies accustomed to high-level policy narratives for compliance are finding that NIS2 enforcement expects operational evidence: logs demonstrating multi-factor authentication enforcement, records of disaster recovery tests, vulnerability scanning results with remediation timelines, and practice-level data showing that security controls are continuously maintained, not just annually reviewed.

This is where practice measurement becomes essential. Continuous evidence of how your engineering team operates — testing practices, deployment controls, review thoroughness, dependency management — provides the audit-ready documentation that NIS2 enforcement expects.
