What is the primary objective of CE Marking?

The primary objective of CE Marking is to indicate the manufacturer's declaration that a product meets applicable EU harmonised legislation essential requirements for health, safety, and environmental protection, enabling free movement across the EEA. It applies only to products covered by specific directives like LVD 2014/35/EU (50–1000 V AC, 75–1500 V DC equipment) or RED 2014/53/EU, providing presumption of conformity via OJEU-published harmonised standards.

Who is legally or professionally required to comply with CE Marking?

Manufacturers, importers, distributors, and authorised representatives are legally required to comply with CE Marking for products placed on the EEA market under harmonised EU rules. The manufacturer bears primary responsibility for conformity assessment, technical documentation, DoC issuance, and CE affixation; importers verify compliance and ensure EEA contact points per Regulation (EU) 2019/1020.

Does CE Marking require an external audit or third-party certification?

CE Marking does not universally require external audit or third-party certification; it mandates manufacturer-led conformity assessment per applicable legislation, with notified body involvement only for higher-risk products. For LVD 2014/35/EU, self-assessment suffices; modules B–H apply where required, using notified bodies from the NANDO database—voluntary certificates lack legal recognition.

How often should an assessment for CE Marking be performed?

CE Marking conformity assessment is performed prior to placing the product on the market, with ongoing verification required for design changes, production controls, and post-market surveillance. Technical files must be updated and retained for 10 years minimum; re-assess for significant modifications like firmware updates or component substitutions to maintain conformity.

What are the consequences of non-compliance with CE Marking?

Non-compliance with CE Marking results in market withdrawal, sales bans, product recalls, fines, and customs seizures by national authorities under Regulation (EU) 2019/1020. Incorrect affixing to out-of-scope products is prohibited; importers/distributors face liability, with enforcement via Safety Gate and cooperation mandates.

An CE Marking be mapped to other international frameworks?

CE Marking cannot be directly mapped to other international frameworks as it is a specific EU/EEA conformity declaration tied to harmonised legislation. While harmonised standards (e.g., EN/IEC) may align with global equivalents, presumption of conformity requires OJEU publication; non-EU certifications do not substitute.

What is the first step to begin implementing CE Marking?

The first step to implement CE Marking is to identify all applicable EU harmonised legislation and confirm product scope. Review Your Europe lists (e.g., LVD for electrical equipment 50–1000 V AC); map essential requirements and select conformity modules, avoiding affixing to non-covered products.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain. It provides a risk-based framework to identify security risks, implement proportionate controls, evaluate performance, and drive continual improvement across supply-chain ecosystems, protecting people, assets, goods, infrastructure, and information.

Who is legally or professionally required to comply with ISO 28000?

No organization is legally required to comply with ISO 28000, as it is a voluntary international standard. Professional requirements arise indirectly through contractual obligations, customs facilitation programs, public-sector tenders, or industry codes demanding demonstrable security management, particularly for logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers of any size.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification, but supports conformity verification through internal or external auditing. Certification by accredited bodies following ISO 28003 is optional, involving Stage 1 (readiness) and Stage 2 (implementation) audits, followed by annual surveillance for three years, to demonstrate SMS effectiveness to stakeholders.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained ongoing, with internal audits conducted at planned intervals via a risk-based program. Management reviews occur periodically (typically annually), monitoring and measurement are continuous, and full reassessments align with changes in context, incidents, or objectives, ensuring continual improvement.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 incurs no direct legal penalties, as it is voluntary. Indirect consequences include operational disruptions from security incidents (theft, sabotage), financial losses (product shortages, insurance hikes), reputational damage, lost contracts, and exclusion from tenders or programs requiring security credentials.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the ISO High Level Structure (HLS), enabling seamless mapping to other management system standards. Its PDCA cycle, risk-based approach (aligned with ISO 31000), and clauses 4-10 facilitate integration with frameworks for quality, environment, information security, and business continuity through shared audits, risk registers, and governance.

What is the first step to begin implementing ISO 28000?

The first step is securing executive sponsorship, defining SMS scope, and conducting a gap analysis against ISO 28000 clauses. Map supply-chain dependencies, review existing controls and documentation, produce a prioritized risk register, and develop a project charter with timeline, resources, and cross-functional team assignment.

Standards Comparison

CE Marking vs ISO 28000

CE Marking

Mandatory

1985

EU marking for product conformity to harmonised requirements

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

CE Marking mandates EU product safety compliance for market access, while ISO 28000 voluntarily certifies supply chain security management. Manufacturers use CE for legal sales; logistics firms adopt ISO 28000 for resilience and partner trust.

Product Safety

CE Marking

CE Marking (Conformité Européenne)

Cost

€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Manufacturer's legally binding conformity declaration
Enables free product movement across EEA
Presumption of conformity via OJEU harmonised standards
Risk-proportionate conformity assessment modules A-H
10-year technical documentation retention requirement

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management
PDCA cycle for continual improvement
Leadership commitment and policy requirements
Supplier and third-party risk controls
Integration with ISO 22301 and 27001

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

CE Marking Details

What It Is

CE Marking (Conformité Européenne) is the EU's mandatory conformity marking for products under harmonised legislation. It serves as the manufacturer's declaration that products meet essential health, safety, and environmental requirements, enabling free circulation in the EEA. The approach is risk-based, using New Legislative Framework (NLF) modules for assessment.

Key Components

Identification of applicable directives/regulations (e.g., LVD, Machinery, RED)
Essential requirements and harmonised standards (OJEU-published for presumption of conformity)
Conformity modules A-H (self-assessment or Notified Body involvement)
Technical documentation, EU Declaration of Conformity (DoC), and CE affixation Self-declaration for low-risk; third-party certification for high-risk.

Why Organizations Use It

Mandated for market access; reduces trade barriers; mitigates liability; builds trust. Provides presumption of conformity via standards, supports innovation, and ensures competitiveness in €5T EEA market.

Implementation Overview

Map legislation, conduct risk assessment, compile technical file, issue DoC, affix mark. Applies to manufacturers/importers across industries; 6-12 months typical; Notified Body audits for high-risk. Retain docs 10 years; ongoing post-market surveillance.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It uses a risk-based, PDCA (Plan-Do-Check-Act) approach to protect people, assets, goods, infrastructure, and information.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment, security strategies, incident response, supplier controls, and continual improvement.
Aligns with ISO High Level Structure for integration; no fixed controls, but proportionate treatments.
Certification via accredited bodies per ISO 28003.

Why Organizations Use It

Reduces disruptions, theft, sabotage; lowers insurance costs.
Meets contractual, regulatory drivers (e.g., C-TPAT equivalents).
Enhances trade facilitation, market access, stakeholder trust.
Provides competitive edge in logistics, manufacturing, pharma.

Implementation Overview

Phased: scoping, gap analysis, risk assessment, deployment, audits (6-36 months).
Scalable for all sizes/industries; involves mapping, training, KPIs.
Optional third-party certification with surveillance audits.

Key Differences

Aspect	CE Marking	ISO 28000
Scope	Product conformity to EU safety rules	Supply chain security management system
Industry	Manufacturers of regulated EU products	Logistics, manufacturing, all supply chains
Nature	Mandatory EU market access marking	Voluntary international certification standard
Testing	Self/third-party conformity assessment	Internal audits and management reviews
Penalties	Market bans, fines, product withdrawal	Loss of certification, no legal penalties

Scope

CE Marking

Product conformity to EU safety rules

ISO 28000

Supply chain security management system

Industry

CE Marking

Manufacturers of regulated EU products

ISO 28000

Logistics, manufacturing, all supply chains

Nature

CE Marking

Mandatory EU market access marking

ISO 28000

Voluntary international certification standard

Testing

CE Marking

Self/third-party conformity assessment

ISO 28000

Internal audits and management reviews

Penalties

CE Marking

Market bans, fines, product withdrawal

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about CE Marking and ISO 28000

CE Marking FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

ISO 27701 Implementation Roadmap: Step-by-Step Guide for Extending Your ISO 27001 ISMS to PIMS

Extend ISO 27001 ISMS to ISO 27701 PIMS with this step-by-step roadmap. Master role-specific controls, avoid pitfalls, meet certification evidence needs for pri

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Decode AICPA Trust Services Criteria from auditor jargon to plain English with side-by-side tables, analogies & TL;DRs. CISOs & founders: implement SOC 2 contro

From SOC to AI-Native CDC: Redefining Triage and Response in 2026

Explore the shift from SOCs to AI-Native CDCs. Autonomous agents handle Tier 1 triage in 2026, empowering analysts for complex threats. Discover the future of c

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how CE Marking and ISO 28000 compare against other standards

Other CE Marking Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Identification of applicable directives/regulations (e.g., LVD, Machinery, RED)

Essential requirements and harmonised standards (OJEU-published for presumption of conformity)

Conformity modules A-H (self-assessment or Notified Body involvement)

Technical documentation, EU Declaration of Conformity (DoC), and CE affixation Self-declaration for low-risk; third-party certification for high-risk.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.

Emphasizes risk assessment, security strategies, incident response, supplier controls, and continual improvement.

Aligns with ISO High Level Structure for integration; no fixed controls, but proportionate treatments.

Certification via accredited bodies per ISO 28003.

Aspect

CE Marking

ISO 28000

Scope

Product conformity to EU safety rules

Supply chain security management system

Industry

Manufacturers of regulated EU products

Logistics, manufacturing, all supply chains

Nature

Mandatory EU market access marking

Voluntary international certification standard

Testing

Self/third-party conformity assessment

Internal audits and management reviews

Penalties

Market bans, fines, product withdrawal

Loss of certification, no legal penalties