EU regulators handed platform teams a gift. Claim it!

2026-05-22


Hey there! Welcome to Platform Weekly. Your weekly stir of the platform engineering pot. Every week, we round up the best the community has been cooking, with a side of warm takes from your friendly neighborhood host.

Plus… we have launched Platform Engineering Consulting (PEC)!! I am super excited to share that we are making it easier for teams to work with us. Check out the website to understand what it’s all about.


Last week I pinged a bunch of you about an upcoming community webinar on the Cyber Resilience Act and the response… was basically a shrug. Oof. The wave of regulation tightening through 2026 (CRA, EU AI Act, etc.) isn't just a hassle for the CISO. It's the single biggest opportunity platform teams have been handed in years, and you're sleeping right through it.

The dream world regulators live in is, almost word for word, the dream world a platform team wants to live in. Secure by default. Golden paths. Automated SBOMs. Centralized observability. We've been arguing for this stuff for half a decade! Now it's becoming law.

If your company does business in Europe, your platform team has been handed its greatest weapon for securing budget and attention this year.

Nigel Douglas at Cloudsmith (def one of the sharpest people working on supply chain security in the community right now) wrote an awesome piece, and gave a companion webinar on everything you need to know about the CRA and how platform teams operationalize it. He breaks down a four-part framework for surviving the CRA’s requirements:

  • Hardening the golden path: Bake the requirements into the IDP so every new service is compliant from git init. Hardened base image, pre-configured logging, mandatory auth, the works.

  • Automating the SBOM and dependency chain: Every push generates an updated SBOM. The audit trail goes from a manual nightmare to a byproduct of the pipeline.

  • Self-service compliance via templates: IaC modules that disable public access, enforce TLS 1.3, and prohibit weak defaults by design. Gates that block containers with known-exploited CVEs.

  • Incident response and telemetry: Observability that flags exploit patterns automatically, so the 24-hour reporting window stops being terrifying.

Read that list again. Every one of those is something a good platform team is already trying to build, or wishes they had cover to build. Now you have the cover.
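Here's what the second and third bullets look like once they're wired together. This is an added example (mine, not code from Nigel's piece or from Cloudsmith): a pipeline gate that reads the SBOM the last push produced, looks for vulnerabilities that appear in a known-exploited list, and fails the build on a hit. The SBOM, the KEV subset, the package refs and every CVE ID are constructed placeholders.

```python
# Added example: CI gate that checks a CycloneDX-style SBOM against a
# known-exploited-vulnerabilities (KEV) list and blocks the build on a hit.
# Hypothetical code, not from Cloudsmith or the newsletter; all IDs constructed.
import json

# Constructed stand-in for a KEV catalog (CISA publishes the real one as JSON).
KEV_CATALOG = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"}

# Constructed CycloneDX-style SBOM with the vulnerabilities section a scanner
# would attach to it on every push. Package refs are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/example/libfoo@1.0.0", "name": "libfoo"},
        {"bom-ref": "pkg:npm/example-lib@2.3.4", "name": "example-lib"},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001",          # in the KEV list -> must block
         "affects": [{"ref": "pkg:deb/example/libfoo@1.0.0"}]},
        {"id": "CVE-EXAMPLE-0099",          # not known-exploited -> warn only
         "affects": [{"ref": "pkg:npm/example-lib@2.3.4"}]},
    ],
})

def kev_hits(sbom_json, kev_catalog):
    """Return [(cve_id, component_ref)] for SBOM vulns present in the KEV set."""
    sbom = json.loads(sbom_json)
    hits = []
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("id") in kev_catalog:
            for affected in vuln.get("affects", []):
                hits.append((vuln["id"], affected.get("ref")))
    return hits

def gate(sbom_json, kev_catalog=KEV_CATALOG):
    """Gate decision for the pipeline: (allowed, human-readable report)."""
    hits = kev_hits(sbom_json, kev_catalog)
    if not hits:
        return True, "no known-exploited CVEs; image may be promoted"
    report = "\n".join(f"BLOCKED: {cve} affects {ref}" for cve, ref in hits)
    return False, report

if __name__ == "__main__":
    allowed, report = gate(SAMPLE_SBOM)
    print(report)
    raise SystemExit(0 if allowed else 1)   # non-zero exit fails the CI job
```

The non-KEV finding still lands in the SBOM and the audit trail; only the known-exploited one stops promotion, which is the distinction that keeps the gate from becoming the blocker Nigel warns about.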

Nigel calls this compliance becoming "a byproduct of the developer workflow, not a blocker to it." The orgs that figure it out before September 2026 are going to find themselves with faster audits, easier enterprise sales conversations, and the funding they need for their platform dreams. The orgs that don't? They'll be panic-buying tools and building security slop in crunch time at 2am.

What are you waiting for? Take a look at Nigel's full breakdown, and start using its arguments to pitch your boss.

Quick bites
