What is the primary objective of **CSL (Cyber Security Law of China)**?

**The primary objective of CSL is to establish a nationwide framework for securing information systems, enforcing network security, data localization, and cybersecurity governance for all entities processing data in China.** Enacted on **June 1, 2017**, with 69 articles, it mandates technical safeguards like firewalls and real-time monitoring (**network security** pillar), storage of **Critical Information Infrastructure (CII)** and **important data** in Mainland China (**data localization** pillar), and senior executive accountability with incident reporting (**cybersecurity governance** pillar).

Who is legally or professionally required to comply with **CSL (Cyber Security Law of China)**?

**All network operators, CII operators, data processors of important data, and foreign enterprises serving Chinese users must comply with CSL.** This includes entities owning networks for public services (e.g., **Alibaba Cloud**), operating systems vital to national security or economy (e.g., power grids), handling large-scale personal or **important data** (e.g., e-commerce platforms), and multinationals like **Microsoft 365** with Chinese customers, regardless of server location.

Does **CSL (Cyber Security Law of China)** require an external audit or third-party certification?

**CSL requires government-approved security evaluations and certifications for CII operators, including third-party testing but not routine external audits for all entities.** **CII operators** must submit **Security Protection Capability Test (SPCT)** reports to **MIIT** via certified agencies (**Article 20**), and obtain **China Information Security Certification (CISC)** where applicable, alongside penetration testing and vulnerability scans.

How often should an assessment for **CSL (Cyber Security Law of China)** be performed?

**CSL mandates periodic security testing and real-time monitoring, with full reassessments triggered by regulatory amendments or incidents, typically annually or within 60 days of changes.** **Article 20** requires ongoing assessments for CII assets, including vulnerability scanning and penetration testing; post-implementation establishes continuous KPIs like Mean Time to Detect, with annual compliance reports.

What are the consequences of non-compliance with **CSL (Cyber Security Law of China)**?

**Non-compliance with CSL incurs fines up to 5% of annual revenue, business license suspension, service shutdowns, and operational disruptions.** The 2022 amendment escalated penalties; examples include a CNY 150 million fine for data non-localization (2020 streaming platform) and API blocks for cloud providers, plus reputational damage and lawsuits under intersecting laws.

An **CSL (Cyber Security Law of China)** be mapped to other international frameworks?

**Yes, CSL can be mapped to international frameworks like ISO 27001 and NIST for aligned implementation.** Its policy suite and Annex A controls align with CSL **Articles 21** (network security) and **31** (incident reporting); organizations use these mappings for audit readiness, governance, and technical controls like Zero-Trust Architecture.

What is the first step to begin implementing **CSL (Cyber Security Law of China)**?

**The first step is Phase 0 pre-engagement: secure executive sponsorship and conduct regulatory baseline mapping.** Establish a C-suite charter, cross-functional steering committee, and catalog applicable CSL articles, cross-referencing **PIPL** and **DSL**, to align stakeholders and prevent scope creep before gap analysis.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment via certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**; **EN 1090-2** for steel execution requirements like welding, tolerances, and inspection; and **EN 1090-3** for aluminium, scaling controls via **Execution Classes (EXC1–EXC4)** based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090.** This includes fabricators, welding shops, and suppliers needing **CE marking**; non-compliance bars market access. Applies to products like beams, trusses, bridges, and building frames, determined by scope under CPR.

Oes **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a notified body via AVCP systems.** This involves initial inspection, type testing/calculation (ITT/ITC), and issuance of an FPC certificate enabling **CE marking** and **DoP**, followed by continuous surveillance audits.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial FPC certification by a notified body, followed by ongoing surveillance audits typically annually.** Frequency scales with **Execution Class (EXC)** per EN 1090-1 Table B.3; higher EXC (e.g., EXC4) demands more intensive monitoring, plus assessments for changes in processes, personnel, or products.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents lawful CE marking, leading to market exclusion, product withdrawal, and certificate suspension by notified bodies.** Under CPR, it triggers regulatory enforcement, fines, liability for damages, and public reporting of suspensions, with manufacturers fully accountable for product safety.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality and Eurocodes for design, but no formal mappings to unrelated international frameworks are defined.** Compliance focuses on its modular structure (EN 1090-1/2/3) and CPR-specific AVCP, with welding coordination per execution class aligning to ISO 14731.

What is the first step to begin implementing **EN 1090**?

**The first step is to determine product scope and Execution Class (EXC1–EXC4) via risk assessment of consequence class, service category, and production category.** Default to **EXC2** if unspecified, then conduct a gap analysis of current FPC against EN 1090-1 requirements before notified body engagement.

CSL (Cyber Security Law of China) vs EN 1090

Standards Comparison

CSL (Cyber Security Law of China)

Mandatory

N/A

China's national law for network security and data localization

EN 1090

Mandatory

2009

EU standard for execution and CE marking of steel/aluminium structures

Quick Verdict

CSL mandates cybersecurity for China operations with data localization and incident reporting, while EN 1090 requires certified FPC for EU structural steel/aluminium components. Companies adopt CSL for Chinese market access; EN 1090 for CE marking and legal market entry.

Standard

CSL (Cyber Security Law of China)

Cybersecurity Law of the People's Republic of China

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Mandates data localization for critical information infrastructure
Requires real-time network security monitoring and testing
Imposes executive accountability for cybersecurity governance
Applies broadly to all network operators in China
Enforces security assessments for cross-border data transfers

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Factory Production Control (FPC) certification
CE marking via notified body audits
Welding quality aligned with ISO 3834
Material traceability and NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

CSL (Cyber Security Law of China) Details

What It Is

Cybersecurity Law of the People’s Republic of China (CSL), enacted June 1, 2017, is a nationwide statutory regulation comprising 69 articles. It governs network operators, service providers, and data processors in China, focusing on securing information systems. Its risk-based approach emphasizes three pillars: network security, data localization, and governance.

Key Components

**Three pillarsNetwork security (safeguards, testing); Data localization/personal info protection (CII/important data in China); Cybersecurity governance (executive duties, incident reporting).
Applies to broad entities like cloud platforms, SaaS, IoT.
Built on baseline requirements replacing sector rules; compliance via assessments, no formal certification but MIIT evaluations for CII.

Why Organizations Use It

Mandatory compliance avoids fines up to 5% annual revenue, disruptions, lawsuits.
Builds consumer/enterprise trust, enables efficiency via microservices, SOAR.
Drives innovation through local R&D, regulatory sandboxes; enhances market position in China.

Implementation Overview

**Phased GRC frameworkGap analysis, architectural redesign (data centers, ZTA, SIEM), governance, testing.
Targets MNCs, CII operators, data processors with Chinese users.
Involves audits, SPCT reports; continuous monitoring essential.

EN 1090 Details

What It Is

EN 1090 is the European harmonized standard family for execution of steel structures (EN 1090-2) and aluminium structures (EN 1090-3), with EN 1090-1 defining conformity assessment under the EU Construction Products Regulation (CPR). It ensures safe fabrication, assembly, and market placement of load-bearing components via CE marking. Adopts a risk-based methodology through Execution Classes (EXC1-EXC4) linked to consequence, service, and production categories.

Key Components

**Factory Production Control (FPC)Documented system for production consistency, certified by notified bodies.
**Technical requirementsMaterials traceability, welding (aligned with ISO 3834), tolerances, corrosion protection, NDT inspection.
**Conformity modelAVCP systems (2+), Initial Type Testing/Calculation (ITT/ITC), Declaration of Performance (DoP). Built on risk scaling for proportionate controls.

Why Organizations Use It

Mandatory for CE marking and EU/EEA market access.
Mitigates liability, ensures quality/traceability.
Enables high-risk projects, builds trust.
Strategic: reduces rework, competitive differentiation.

Implementation Overview

Phased approach: gap analysis, FPC development, personnel/welding qualification, NB certification (initial audit + surveillance). Targets fabricators in construction; 3-12 months typical. Requires welding coordinators, ongoing audits.