What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

Concordance Labs · April 2026

The Team at Concordance

April 2026 · 4 min read

How to Prepare Your Engineering Team for CRA Compliance in 2026

The CRA Timeline Is Here

The EU Cyber Resilience Act compliance deadlines are no longer theoretical. Products placed on the market must meet CRA requirements, with critical vulnerability reporting mandated starting September 2026 and full compliance required by December 2027. If your engineering team builds or delivers software products to EU customers, you need a compliance roadmap now.

But CRA compliance isn't a one-time checkbox. It's a continuous engineering discipline. Your team needs to document secure design practices, track known vulnerabilities, generate Software Bill of Materials (SBOM), and demonstrate a secure software development lifecycle (SDLC) to regulators. This requires processes, not just policies.

What Your Engineering Team Needs to Do

CRA compliance rests on four operational foundations that your engineering team must build:

1. SBOM Generation and Maintenance
You must generate a complete Software Bill of Materials for each product, listing all components, dependencies, and supply chain elements. This isn't a one-time report—it's a continuous inventory. Your team needs automated tooling to track dependencies in real time, flag version changes, and regenerate SBOMs on every release. Manual SBOM creation will not scale.

2. Vulnerability Handling Procedures
Define how your team discovers, reports, and remediates vulnerabilities. CRA requires you to handle critical vulnerabilities within specific timeframes and report them to ENISA. You need a documented vulnerability intake process, a severity classification system, SLA targets for remediation, and audit evidence that you met them. This means logging every vulnerability, tracking its discovery method, and documenting the fix timeline.

3. Secure-by-Design Evidence
Regulators will ask: how do you prove your products are secure by design? You need documentation of your threat modeling process, security architecture decisions, design review gates, and security testing practices. Your SDLC protocols—branch protection, code review depth, secrets management, CI security scanning—are your evidence. The Concordance framework maps 50 protocols across 6 SDLC phases directly to CRA secure development requirements.

4. Continuous Compliance Monitoring
CRA compliance doesn't end at release. You must monitor your products in production for security incidents, maintain records of security updates, and demonstrate that you're actively defending against known threats. This requires incident logging, postmortem discipline, and measurable security operations maturity.

How This Maps to Your SDLC

The good news: you probably already have most of the technical practices CRA requires. The work is in formalizing them, documenting them, and proving them to auditors. The Concordance framework covers this explicitly. Secure branch protection, meaningful code review, automated security scanning, SBOM tooling, and postmortem discipline are all part of the foundation.

Your engineering team's CRA roadmap should focus on the gaps: Where are you currently reactive on vulnerability handling? Where are reviews a checkbox rather than a security gate? Where are you generating SBOMs manually instead of automatically? These gaps are compliance risks.

Why Automated Evidence Collection Matters

Manual evidence collection for CRA compliance will fail at scale. You can't audit-prepare for every regulatory requirement by hand. You need tooling that extracts compliance evidence directly from your engineering systems: vulnerability reports from your scanners, SBOMs from your artifact repositories, code review metrics from your version control system, incident response times from your incident management platform.

Automated evidence is continuous, verifiable, and auditable. When a regulator asks "show me your vulnerability handling procedures," you can pull a report that proves your team met SLAs on 98% of critical issues. That's compliance evidence that holds weight.

Scan your repo for CRA requirements →

See how Concordance maps to CRA →