What is the primary objective of CSL (Cyber Security Law of China)?

The primary objective of CSL is to establish a nationwide framework for securing information systems, enforcing network security, data localization, and cybersecurity governance for all entities processing data in China. Enacted on June 1, 2017, with 69 articles, it mandates technical safeguards like firewalls and real-time monitoring (network security pillar), storage of Critical Information Infrastructure (CII) and important data in Mainland China (data localization pillar), and senior executive accountability with incident reporting (cybersecurity governance pillar).

Who is legally or professionally required to comply with CSL (Cyber Security Law of China)?

All network operators, CII operators, data processors of important data, and foreign enterprises serving Chinese users must comply with CSL. This includes entities owning networks for public services (e.g., Alibaba Cloud), operating systems vital to national security or economy (e.g., power grids), handling large-scale personal or important data (e.g., e-commerce platforms), and multinationals like Microsoft 365 with Chinese customers, regardless of server location.

Does CSL (Cyber Security Law of China) require an external audit or third-party certification?

CSL requires government-approved security evaluations and certifications for CII operators, including third-party testing but not routine external audits for all entities. CII operators must submit Cybersecurity Classified Protection (MLPS) assessment reports to relevant authorities (Article 38), and obtain MLPS 2.0 certification where applicable, alongside penetration testing and vulnerability scans.

How often should an assessment for CSL (Cyber Security Law of China) be performed?

CSL mandates periodic security testing and real-time monitoring, with full reassessments triggered by regulatory amendments or incidents, typically annually or within 60 days of changes. Article 38 requires ongoing assessments for CII assets, including vulnerability scanning and penetration testing; post-implementation establishes continuous KPIs like Mean Time to Detect, with annual compliance reports.

What are the consequences of non-compliance with CSL (Cyber Security Law of China)?

Non-compliance with CSL incurs fines up to 5% of annual revenue, business license suspension, service shutdowns, and operational disruptions. The 2022 amendment escalated penalties; examples include an 8.026 billion CNY fine against a major ride-hailing platform in 2022 and API blocks for cloud providers, plus reputational damage and lawsuits under intersecting laws.

An CSL (Cyber Security Law of China) be mapped to other international frameworks?

Yes, CSL can be mapped to international frameworks like ISO 27001 and NIST for aligned implementation. Its policy suite and Annex A controls align with CSL Articles 21 (network security) and 25 (incident reporting); organizations use these mappings for audit readiness, governance, and technical controls like Zero-Trust Architecture.

What is the first step to begin implementing CSL (Cyber Security Law of China)?

The first step is Phase 0 pre-engagement: secure executive sponsorship and conduct regulatory baseline mapping. Establish a C-suite charter, cross-functional steering committee, and catalog applicable CSL articles, cross-referencing PIPL and DSL, to align stakeholders and prevent scope creep before gap analysis.

What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 for conformity assessment via certified Factory Production Control (FPC) and Declaration of Performance (DoP); EN 1090-2 for steel execution requirements like welding, tolerances, and inspection; and EN 1090-3 for aluminium, scaling controls via Execution Classes (EXC1–EXC4) based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090. This includes fabricators, welding shops, and suppliers needing CE marking; non-compliance bars market access. Applies to products like beams, trusses, bridges, and building frames, determined by scope under CPR.

Oes EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a notified body via AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and issuance of an FPC certificate enabling CE marking and DoP, followed by continuous surveillance audits.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial FPC certification by a notified body, followed by ongoing surveillance audits typically annually. Frequency scales with Execution Class (EXC) per EN 1090-1 Table B.3; higher EXC (e.g., EXC4) demands more intensive monitoring, plus assessments for changes in processes, personnel, or products.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 prevents lawful CE marking, leading to market exclusion, product withdrawal, and certificate suspension by notified bodies. Under CPR, it triggers regulatory enforcement, fines, liability for damages, and public reporting of suspensions, with manufacturers fully accountable for product safety.

An EN 1090 be mapped to other international frameworks?

EN 1090 integrates with standards like ISO 3834 for welding quality and Eurocodes for design, but no formal mappings to unrelated international frameworks are defined. Compliance focuses on its modular structure (EN 1090-1/2/3) and CPR-specific AVCP, with welding coordination per execution class aligning to ISO 14731.

What is the first step to begin implementing EN 1090?

The first step is to determine product scope and Execution Class (EXC1–EXC4) via risk assessment of consequence class, service category, and production category. Default to EXC2 if unspecified, then conduct a gap analysis of current FPC against EN 1090-1 requirements before notified body engagement.

Standards Comparison

CSL (Cyber Security Law of China) vs EN 1090

CSL (Cyber Security Law of China)

Mandatory

N/A

China's national law for network security and data localization

EN 1090

Mandatory

2009

EU standard for execution and CE marking of steel/aluminium structures

Quick Verdict

CSL mandates cybersecurity for China operations with data localization and incident reporting, while EN 1090 requires certified FPC for EU structural steel/aluminium components. Companies adopt CSL for Chinese market access; EN 1090 for CE marking and legal market entry.

Standard

CSL (Cyber Security Law of China)

Cybersecurity Law of the People's Republic of China

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Mandates data localization for critical information infrastructure
Requires real-time network security monitoring and testing
Imposes executive accountability for cybersecurity governance
Applies broadly to all network operators in China
Enforces security assessments for cross-border data transfers

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Factory Production Control (FPC) certification
CE marking via notified body audits
Welding quality aligned with ISO 3834
Material traceability and NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

CSL (Cyber Security Law of China) Details

What It Is

Cybersecurity Law of the People’s Republic of China (CSL), enacted June 1, 2017, is a nationwide statutory regulation comprising 69 articles. It governs network operators, service providers, and data processors in China, focusing on securing information systems. Its risk-based approach emphasizes three pillars: network security, data localization, and governance.

Key Components

Three pillars: Network security (safeguards, testing); Data localization/personal info protection (CII/important data in China); Cybersecurity governance (executive duties, incident reporting).
Applies to broad entities like cloud platforms, SaaS, IoT.
Built on baseline requirements replacing sector rules; compliance via assessments, no formal certification but MIIT evaluations for CII.

Why Organizations Use It

Mandatory compliance avoids fines up to 5% annual revenue, disruptions, lawsuits.
Builds consumer/enterprise trust, enables efficiency via microservices, SOAR.
Drives innovation through local R&D, regulatory sandboxes; enhances market position in China.

Implementation Overview

Phased GRC framework: Gap analysis, architectural redesign (data centers, ZTA, SIEM), governance, testing.
Targets MNCs, CII operators, data processors with Chinese users.
Involves audits, MLPS reports; continuous monitoring essential.

EN 1090 Details

What It Is

EN 1090 is the European harmonized standard family for execution of steel structures (EN 1090-2) and aluminium structures (EN 1090-3), with EN 1090-1 defining conformity assessment under the EU Construction Products Regulation (CPR). It ensures safe fabrication, assembly, and market placement of load-bearing components via CE marking. Adopts a risk-based methodology through Execution Classes (EXC1-EXC4) linked to consequence, service, and production categories.

Key Components

Factory Production Control (FPC): Documented system for production consistency, certified by notified bodies.
Technical requirements: Materials traceability, welding (aligned with ISO 3834), tolerances, corrosion protection, NDT inspection.
Conformity model: AVCP systems (2+), Initial Type Testing/Calculation (ITT/ITC), Declaration of Performance (DoP). Built on risk scaling for proportionate controls.

Why Organizations Use It

Mandatory for CE marking and EU/EEA market access.
Mitigates liability, ensures quality/traceability.
Enables high-risk projects, builds trust.
Strategic: reduces rework, competitive differentiation.

Implementation Overview

Phased approach: gap analysis, FPC development, personnel/welding qualification, NB certification (initial audit + surveillance). Targets fabricators in construction; 3-12 months typical. Requires welding coordinators, ongoing audits.

Key Differences

Aspect	CSL (Cyber Security Law of China)	EN 1090
Scope	Cybersecurity for networks, data, governance	Execution of steel/aluminium structural components
Industry	All network operators, China-wide	Construction fabricators, EU/EEA market
Nature	Mandatory national law	Harmonized standard for CE marking
Testing	Periodic security assessments, incident reporting	FPC certification, NDT, surveillance audits
Penalties	Fines up to 5% revenue, shutdowns	Market exclusion, certificate withdrawal

Scope

CSL (Cyber Security Law of China)

Cybersecurity for networks, data, governance

EN 1090

Execution of steel/aluminium structural components

Industry

CSL (Cyber Security Law of China)

All network operators, China-wide

EN 1090

Construction fabricators, EU/EEA market

Nature

CSL (Cyber Security Law of China)

Mandatory national law

EN 1090

Harmonized standard for CE marking

Testing

CSL (Cyber Security Law of China)

Periodic security assessments, incident reporting

EN 1090

FPC certification, NDT, surveillance audits

Penalties

CSL (Cyber Security Law of China)

Fines up to 5% revenue, shutdowns

EN 1090

Market exclusion, certificate withdrawal

Frequently Asked Questions

Common questions about CSL (Cyber Security Law of China) and EN 1090

CSL (Cyber Security Law of China) FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

The Panoramic View: How Integrated Compliance Monitoring Creates Unprecedented Organizational Visibility and Adaptability

Gain unprecedented organizational visibility with integrated compliance monitoring. Automate real-time alerts, ensure GDPR & SOC 2 adherence, reduce risks, and

CMMC Cost Calculator: Realistic Budgets for Levels 1-3, C3PAO Fees, and ROI for Small DIB Suppliers

Calculate realistic CMMC costs for Levels 1-3: self-assessments, C3PAO fees, tooling, remediation & ROI. Interactive tool for small DIB suppliers. Get benchmark

PDPA Cross-Border Transfer Rules Decoded: Singapore, Thailand, and Taiwan Mechanisms Compared with Practical Implementation Templates

Decode PDPA cross-border transfers for Singapore, Thailand, Taiwan. Statutory excerpts, approved mechanisms, SCC templates. Harmonize with GDPR, navigate exempt

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how CSL (Cyber Security Law of China) and EN 1090 compare against other standards

Other CSL (Cyber Security Law of China) Comparisons

Other EN 1090 Comparisons

What It Is

Key Components

Three pillars: Network security (safeguards, testing); Data localization/personal info protection (CII/important data in China); Cybersecurity governance (executive duties, incident reporting).

Applies to broad entities like cloud platforms, SaaS, IoT.

Built on baseline requirements replacing sector rules; compliance via assessments, no formal certification but MIIT evaluations for CII.

What It Is

Key Components

Factory Production Control (FPC): Documented system for production consistency, certified by notified bodies.

Technical requirements: Materials traceability, welding (aligned with ISO 3834), tolerances, corrosion protection, NDT inspection.

Conformity model: AVCP systems (2+), Initial Type Testing/Calculation (ITT/ITC), Declaration of Performance (DoP). Built on risk scaling for proportionate controls.

Aspect

CSL (Cyber Security Law of China)

EN 1090

Scope

Cybersecurity for networks, data, governance

Execution of steel/aluminium structural components

Industry

All network operators, China-wide

Construction fabricators, EU/EEA market

Nature

Mandatory national law

Harmonized standard for CE marking

Testing

Periodic security assessments, incident reporting

FPC certification, NDT, surveillance audits

Penalties

Fines up to 5% revenue, shutdowns

Market exclusion, certificate withdrawal