What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

SIGNAL·NIS2 EVIDENCE MAPPING

NIS2 Article 21(2) — Complete Coverage
Engineering signal + structured policy attestation across all 10 measures. CyFun-aligned dual-axis evidence.

Article 21 — Cybersecurity risk-management measures

“The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:”

(e)

“security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure”

EU Directive 2022/2555 — OJ L 333, 27.12.2022

50 engineering protocols observed directly from your repos and trackers — mapped to all 10 Article 21(2) measures. Real data from your actual toolchain, not questionnaires.

Run Free NIS2 Scan →

SEE HOW IT WORKS

What Signal measures — and what it doesn't

Concordance observes 50 engineering protocols from your GitHub repos and issue trackers, then maps them to the 10 measures of NIS2 Article 21(2). It reports what it finds — not whether you comply. Compliance decisions rest with your organisation and the relevant national competent authority.

Concordance covers all 10 NIS2 Article 21(2) measures using the CyFun dual-axis methodology — engineering signal from your toolchain combined with structured policy attestation. 9 measures combine both axes; measure (j) MFA & secure communications is satisfied via your IdP MFA policy and secure-communications standard, referenced as a policy attestation in the same evidence pack.

Try It Now

Run a scan. See how your repo maps to all 10 Article 21(2) measures.

Point Concordance at any public GitHub repo. You'll see 50 protocol scores observed from the toolchain — mapped to every NIS2 Article 21(2) measure with strength ratings. Free, instant, no sign-up.

NIS2 Compliance Scanner

All 10 Article 21(2) measures covered — 9 with engineering signal, 1 attested via policy

(e) SDLC & Vulnerability

protocols mapped · Core measure

(b) Incident Handling

protocols mapped · Strong

(d) Supply Chain

protocols mapped · Strong

(f) Assess Effectiveness

protocols mapped · Strong

Scan a Repository → NIS2 Mapping →

Pro feature: Run across your full portfolio to surface org-wide NIS2 evidence continuously.

Context

What is NIS2?

The NIS2 Directive (EU 2022/2555) is the EU's updated network and information security framework. It expands scope to cover more sectors and imposes stricter cybersecurity requirements on essential and important entities.

Article 21(2) defines 10 minimum risk management measures. These range from risk analysis and incident handling to supply chain security and SDLC practices. Across the EU, national legislation will transpose NIS2 into law, bringing thousands of essential and important entities into scope.

NIS2 is not a certification — there is no audit or certificate to obtain. It's a regulatory obligation: essential and important entities must implement cybersecurity risk-management measures and be prepared for supervision by their national competent authority. Concordance provides continuous evidence mapping — engineering data from your toolchain, structured against Article 21(2) measures, ready when a competent authority asks to see it.

Article 21(2) Measures Covered

Dual-Axis

Engineering Signal + Policy Attestation

~35k

EU Entities in Scope

CyFun

Aligned Methodology (BE / IE / RO)

What This Does

Observes the engineering practices Article 21(2)(e) asks about.

NIS2 requires essential and important entities to secure their network and information systems acquisition, development, and maintenance. Concordance watches how your teams actually do that — from real toolchain data, across every repo, continuously.

ACQUISITION

Requirements & Design

14 protocols observe how your teams specify, trace, and review requirements before code is written. Acceptance criteria, threat modelling, design review.

DEVELOPMENT

Code, Review & Analysis

11 protocols observe how code is written, reviewed, and analysed. Branch protection, PR review quality, SAST, secrets management, dependency scanning.

MAINTENANCE

Testing, Release & Operations

25 protocols observe how your teams test, release, and operate. Test coverage, regression, CI gating, rollback readiness, incident response, monitoring.

VULNERABILITY HANDLING

Detection & Response

Dependency scanning, security analysis, incident response, post-incident review, and change failure tracking. Observed from your CI pipelines and issue trackers.

+ 9 OTHER MEASURES

Supporting Data

Concordance also surfaces data that maps to measures (a) through (d), (f) through (i). Varying depth — strongest on engineering, thinner on org-wide policy. See the full mapping below.

Note: Concordance surfaces observed engineering data that maps to NIS2 Article 21(2) requirements. It does not determine, certify, or imply compliance. Compliance decisions rest with your organisation, your legal advisors, and the relevant national competent authority.

The Mapping

Article 21(2) → Concordance Protocols

Each NIS2 measure maps to specific Concordance protocols. The mapping strength indicates the depth of engineering evidence Concordance surfaces for that measure.

Measure

Description

Mapped Protocols

Evidence

(a)

Policies on risk analysis and information system security

1.8 Requirement Traceability, 2.2 Architecture Decision Records, 2.4 API Contract Definition

Partial

(b)

Incident handling

6.1 Incident Response, 6.2 Postmortem Practice, 6.5 On-Call Practice, 6.6 Monitoring & Alerting, 6.7 Change Failure Tracking

Strong

(c)

Business continuity, backup management and disaster recovery

5.7 Rollback Capability, 6.3 Runbooks

Partial

(d)

Supply chain security, including relationships between each entity and its direct suppliers or service providers

2.6 Dependency Management, 4.6 Security Analysis, 4.7 Dependency Scanning

Partial

(e)

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

36 of 50 protocols — full SDLC evidence

Core

(f)

Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

4.3 Test Coverage, 4.4 Test Reliability, 4.5 Test Categorization, 6.7 Change Failure Tracking, 6.8 Operational Review

Strong

(g)

Basic cyber hygiene practices and cybersecurity training

3.6 Code Ownership, 3.8 Linting Enforcement, 3.10 Repository Documentation, 2.3 Technical Documentation

Partial

(h)

Policies and procedures regarding the use of cryptography and, where appropriate, encryption

3.9 Secrets Management

Partial

(i)

Access control policies and asset management

3.6 Code Ownership, 3.1 Branch Protection, 3.5 Approval Rigor + IAM/HR policy reference

Partial

(j)

Multi-factor authentication and secured voice/video/text communications

IdP MFA Policy + Secure Communications Standard (attested)

Attested

StrongAutomated, observed from toolchain

PartialEngineering signal + supporting policy reference (CyFun dual-axis)

AttestedAttested — referenced policy document (IdP MFA, secure comms standard)

Signal · NIS2

Your engineering data, mapped to Article 21(2).

Same pattern as SOC 2 and ISO 27001. Concordance scores map to the relevant NIS2 measure. Data from your existing scan — no additional tooling.

Art.21(e)SDLC security

→3.2 PR Review Quality

Art.21(e)Vulnerability handling

→4.6 Security Analysis

Art.21(e)Secure development

→3.1 Branch Protection

Art.21(b)Incident handling

→6.1 Incident Response

Art.21(d)Supply chain

→3.7 Dependency Scanning

Art.21(f)Effectiveness

→4.1 Unit Test Coverage

Art.21(h)Cryptography

→3.5 Secrets Management

Art.21(a)Risk analysis

→1.8 Risk Assessment

Evidence Depth

Deepest where NIS2 asks the most of engineering.

Concordance covers all 10 Article 21(2) measures via the CyFun dual-axis model: engineering signal where the toolchain produces it (deepest on Measure (e) SDLC + (b) Incident Handling) plus structured policy attestation referencing your supporting documents. Both axes ship in the same evidence pack.

(e) SDLC Security & Vulnerability Handling36 protocols · Core

(b) Incident Handling5 protocols · Strong

(f) Assess Effectiveness5 protocols · Strong

(d) Supply Chain Security3 protocols · Partial

(g) Cyber Hygiene & Training4 protocols · Partial

(a) Risk Analysis & Policies3 protocols · Partial

(i) Access Control & Code Permissions3 protocols · Partial

(h) Cryptography & Encryption1 protocol · Partial

(j) MFA & Secure CommunicationsAttested · Policy reference

How It Works

Sample scan to org-wide evidence in four steps.

Try a sample scan

Point Concordance at any public repo. See all 50 protocol scores mapped to Article 21(2) measures. Free, instant, no sign-up.

Connect your teams

Read-only OAuth. Create your teams, add your repos. Portfolio view surfaces NIS2-mapped evidence across every team in the org.

Continuous observation

NIS2 requires ongoing risk management. Concordance scans continuously, so your evidence mapping stays current. Practices degrade? You see it before anyone asks.

Data when it’s needed

When a competent authority asks what your engineering practices look like, the data is already structured. Per-team, per-measure, mapped to Article 21(2) measures, CyFun tiers, and NIST CSF v2.0 functions.

Portfolio View

Org-wide NIS2 evidence. Every team. Always current.

A single scan tells you where one repo stands. The Portfolio view surfaces NIS2-mapped data across every team in your organisation — continuously.

Concordance Pro · Signal · NIS2 Article 21

Team(e) SDLC(b) Incident(d) Supply(f) Assess

Platform Core4.23.83.54.0

Payments API3.93.12.83.6

Mobile Team3.42.53.22.9

Data Pipeline2.82.11.92.4

Legacy Services1.91.41.21.7

Illustrative data. Concordance Pro shows your actual team scores across all 10 Article 21(2) measures.

Sample Scan (Free)

See how the mapping works

Scan any public repo. See all 50 protocol scores mapped through the NIS2 lens. Understand what engineering data maps to Article 21(2) on a single repo.

Pro · Portfolio View ($99/mo)

Org-wide evidence, continuously

Up to 5 teams, 20 repos. Continuous observation. NIS2 evidence mapping across every team. Plus SOC 2, ISO 27001, Sentinel, and Bastion lenses.

Framework Alignment

Maps to CyFun and NIST CSF v2.0.

Belgium's CCB developed the Cyber Fundamentals Framework (CyFun), built on NIST CSF v2.0. Protocol scores map to these function categories, so the data aligns with the frameworks assessors will reference.

GV

Govern

Risk policies & oversight

ID

Identify

Asset & risk identification

PR

Protect

SDLC & access controls

DE

Detect

Monitoring & alerting

RS

Respond

Incident response

RC

Recover

Backup & restoration

See what your engineering data
says about NIS2.

Try a free sample scan on any public repo. When you're ready for org-wide evidence, the NIS2 Signal lens is included with Concordance Pro.

Run Free NIS2 Scan →Set Up Your Teams

Also see how Concordance automates evidence for the EU Cyber Resilience Act (CRA) and explore the full compliance framework mapping.

NIS2 Article 21(2) — Complete CoverageEngineering signal + structured policy attestation across all 10 measures. CyFun-aligned dual-axis evidence.

Try a sample scan

Connect your teams

Continuous observation

Data when it’s needed

See how the mapping works

Org-wide evidence, continuously

See what your engineering datasays about NIS2.

NIS2 Article 21(2) — Complete Coverage
Engineering signal + structured policy attestation across all 10 measures. CyFun-aligned dual-axis evidence.

See what your engineering data
says about NIS2.