NorthPeakCloud
A padlock over lines of code

Fixed Ropes · compliance-as-code · EU CRA

CRA compliance & DevSecOps consulting

The EU Cyber Resilience Act starts to bite in September 2026, when vulnerability-reporting obligations begin, with full obligations following in December 2027 — and it applies to almost any product with digital elements sold into the EU. North Peak Cloud gets software businesses CRA-ready the engineering way: an OWASP SAMM-based security-maturity baseline, a gap map against the Act's essential requirements, and the DevSecOps build-out — policy-as-code guardrails, SBOMs and supply-chain controls, secure pipelines, automated evidence — that turns compliance into something your CI enforces, not a binder nobody opens. We call the package Fixed Ropes: the safety lines bolted to the mountain so the climb gets faster, not slower.

  • OWASP SAMM security-maturity baseline and 12-month uplift roadmap
  • CRA gap map against the Act's essential requirements and deadlines
  • Policy-as-code guardrails (Azure Policy, Rego/conftest) enforced in CI
  • SBOM generation, artefact signing and supply-chain controls
  • Vulnerability-handling and reporting processes that meet the Sep 2026 obligations
  • Audit-ready evidence generated automatically, not assembled manually
Photo: Pixabay
Azure AI Foundry specialists
FinOps cost engineering
Fixed-price foundations
UK · US · Canada
What we do

AI on Azure, done right.

The foundations, guardrails and cost discipline that turn an Azure AI pilot into something you can actually run in production.

AI-ready foundations

Azure AI Foundry hubs and projects, private networking to your models, identity and policy guardrails — the secure base every AI workload needs before it scales.

Cost control for AI & cloud

FinOps for the AI era: token and PTU strategy, model right-sizing, reservations and anomaly detection. We find the waste your invoice is hiding.

Platform engineering

Landing zones as code in Bicep or Terraform, GitOps, policy-as-code and golden paths. Enterprise-grade Azure delivered in weeks, not quarters.

Security & responsible AI

Content filtering, evaluations, data-residency and audit-ready guardrails aligned to the EU AI Act and ISO 42001 — trustworthy AI you can put in front of customers.

Migration & modernisation

Cloud Adoption Framework migrations and Well-Architected reviews that leave you cheaper, faster and ready for AI — not just lifted-and-shifted.

Senior engineers, direct

You work with the architect who does the build — no account managers, no offshore hand-off, no gatekeeping. Answers in plain English.

How we work

Three ways to start.

Fixed-scope engagements with a clear price and outcome agreed before any work starts — then ongoing cost and platform management if you want it. No day-rate open-endedness.
FIXED-PRICE FOUNDATION
AI Base Camp

An AI-ready Azure landing zone, delivered in weeks.

  • Azure AI Foundry hub & projects
  • Private networking to model endpoints
  • Identity, RBAC & Azure Policy guardrails
  • Responsible-AI baseline & content filters
  • Infrastructure as code you own
  • Handover & runbook
Scope your foundation
PILOT TO PRODUCTION
Foundry Accelerator

One AI use case, production-grade, on AI Foundry.

  • RAG, agent or document-intelligence build
  • Evaluation & guardrails wired in
  • CI/CD and observability
  • Cost model before you commit
  • Knowledge transfer to your team
  • Reusable accelerator IP
Start an accelerator
FINOPS · GAIN-SHARE AVAILABLE
AI Cost Control

Stop AI and cloud bill shock — with a gain-share option where our fee aligns to the savings we deliver.

  • Token / PTU vs pay-as-you-go strategy
  • Model right-sizing & reservations
  • Cost anomaly detection
  • Classic Azure estate optimisation
  • Monthly reporting & reviews
  • Gain-share option available
Cut your Azure bill
The typical estate we audit is carrying six figures a year of avoidable spend. Every engagement is fixed-price and agreed up front — and if we’re right about the waste, the audit pays for itself in the first month. Not sure? Run your own numbers first.
Also in the family: Fixed Ropes — CRA compliance & DevSecOps. Plus Azure Well-Architected reviews, cloud migration, Microsoft Entra identity and classic cost-optimisation engagements. See all Azure services.
Why now
The 2016 cloud moment,
for AI.
Azure AI today is where Azure cloud was a decade ago: the organisations that build the right foundations now will compound the advantage for years. The ones that bolt AI on without guardrails will pay for it — in cost, risk and rework. North Peak Cloud gets you on the right side of that line.
Questions

Asked and answered.

What is the EU Cyber Resilience Act (CRA)?+

The CRA is EU regulation setting mandatory cybersecurity requirements for products with digital elements — software and connected hardware — sold in the EU. Vulnerability-reporting obligations apply from 11 September 2026 and the full obligations from 11 December 2027, with significant fines for non-compliance.

Does the CRA apply to my software?+

If you sell software or connected products into the EU — directly or through your customers' products — the CRA almost certainly applies, whether or not you are based in the EU. UK and US software businesses selling into Europe are in scope. A short gap assessment answers it definitively for your product.

What is compliance-as-code?+

Compliance-as-code turns regulatory controls into automated checks that run in your pipelines — policy gates on infrastructure, SBOMs on every build, signed artefacts, and evidence generated as a by-product of delivery. It replaces annual audit panic with continuous, demonstrable compliance.

How do you assess security maturity?+

With OWASP SAMM — the industry-standard software assurance maturity model. You get a scored baseline across all fifteen practices, benchmarked priorities, and a pragmatic roadmap sequenced against your CRA deadlines rather than a generic checklist.

Get in touch

Let’s get you AI-ready.

Tell us what you’re trying to do with AI on Azure — a couple of sentences is plenty. You’ll get a reply within one working day with clear next steps. No obligation, UK, US and Canada welcome.