
Fixed Ropes · compliance-as-code · EU CRA
CRA compliance & DevSecOps consulting
The EU Cyber Resilience Act starts to bite in September 2026, when vulnerability-reporting obligations begin, with full obligations following in December 2027 — and it applies to almost any product with digital elements sold into the EU. North Peak Cloud gets software businesses CRA-ready the engineering way: an OWASP SAMM-based security-maturity baseline, a gap map against the Act's essential requirements, and the DevSecOps build-out — policy-as-code guardrails, SBOMs and supply-chain controls, secure pipelines, automated evidence — that turns compliance into something your CI enforces, not a binder nobody opens. We call the package Fixed Ropes: the safety lines bolted to the mountain so the climb gets faster, not slower.
- OWASP SAMM security-maturity baseline and 12-month uplift roadmap
- CRA gap map against the Act's essential requirements and deadlines
- Policy-as-code guardrails (Azure Policy, Rego/conftest) enforced in CI
- SBOM generation, artefact signing and supply-chain controls
- Vulnerability-handling and reporting processes that meet the Sep 2026 obligations
- Audit-ready evidence generated automatically, not assembled manually
AI on Azure, done right.
AI-ready foundations
Azure AI Foundry hubs and projects, private networking to your models, identity and policy guardrails — the secure base every AI workload needs before it scales.
Cost control for AI & cloud
FinOps for the AI era: token and PTU strategy, model right-sizing, reservations and anomaly detection. We find the waste your invoice is hiding.
Platform engineering
Landing zones as code in Bicep or Terraform, GitOps, policy-as-code and golden paths. Enterprise-grade Azure delivered in weeks, not quarters.
Security & responsible AI
Content filtering, evaluations, data-residency and audit-ready guardrails aligned to the EU AI Act and ISO 42001 — trustworthy AI you can put in front of customers.
Migration & modernisation
Cloud Adoption Framework migrations and Well-Architected reviews that leave you cheaper, faster and ready for AI — not just lifted-and-shifted.
Senior engineers, direct
You work with the architect who does the build — no account managers, no offshore hand-off, no gatekeeping. Answers in plain English.
Three ways to start.
An AI-ready Azure landing zone, delivered in weeks.
- Azure AI Foundry hub & projects
- Private networking to model endpoints
- Identity, RBAC & Azure Policy guardrails
- Responsible-AI baseline & content filters
- Infrastructure as code you own
- Handover & runbook
One AI use case, production-grade, on AI Foundry.
- RAG, agent or document-intelligence build
- Evaluation & guardrails wired in
- CI/CD and observability
- Cost model before you commit
- Knowledge transfer to your team
- Reusable accelerator IP
Stop AI and cloud bill shock — with a gain-share option where our fee aligns to the savings we deliver.
- Token / PTU vs pay-as-you-go strategy
- Model right-sizing & reservations
- Cost anomaly detection
- Classic Azure estate optimisation
- Monthly reporting & reviews
- Gain-share option available
for AI.
Asked and answered.
What is the EU Cyber Resilience Act (CRA)?+
The CRA is EU regulation setting mandatory cybersecurity requirements for products with digital elements — software and connected hardware — sold in the EU. Vulnerability-reporting obligations apply from 11 September 2026 and the full obligations from 11 December 2027, with significant fines for non-compliance.
Does the CRA apply to my software?+
If you sell software or connected products into the EU — directly or through your customers' products — the CRA almost certainly applies, whether or not you are based in the EU. UK and US software businesses selling into Europe are in scope. A short gap assessment answers it definitively for your product.
What is compliance-as-code?+
Compliance-as-code turns regulatory controls into automated checks that run in your pipelines — policy gates on infrastructure, SBOMs on every build, signed artefacts, and evidence generated as a by-product of delivery. It replaces annual audit panic with continuous, demonstrable compliance.
How do you assess security maturity?+
With OWASP SAMM — the industry-standard software assurance maturity model. You get a scored baseline across all fifteen practices, benchmarked priorities, and a pragmatic roadmap sequenced against your CRA deadlines rather than a generic checklist.