DORA vs EN 1090
DORA
EU regulation for digital operational resilience in financial sector
EN 1090
EU harmonized standard for steel and aluminium structural execution.
Quick Verdict
DORA mandates ICT resilience for EU finance against cyber threats, while EN 1090 requires certified FPC for CE-marking steel/aluminium structures. Finance adopts DORA for regulatory compliance; manufacturers use EN 1090 for EU market access.
DORA
Regulation (EU) 2022/2554, Digital Operational Resilience Act
Key Features
- Mandates comprehensive ICT risk management frameworks overseen by management body
- Requires incident reporting within 4 hours for major disruptions
- Enforces risk-based resilience testing including triennial TLPT
- Imposes direct ESAs oversight on critical third-party providers
- Harmonizes rules across 20 EU financial entity types proportionally
EN 1090
EN 1090 Execution of steel and aluminium structures
Key Features
- Factory Production Control (FPC) certification
- Execution Classes (EXC1-EXC4) risk scaling
- CE marking under CPR for market access
- Welding quality via ISO 3834 alignment
- Material traceability and NDT inspection regimes
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
DORA Details
What It Is
The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is a transformative EU regulation enhancing digital operational resilience for the financial sector against ICT disruptions like cyberattacks and third-party failures. Enacted in 2022 and applying from January 17, 2025, it covers 20 financial entity types and critical ICT third-party providers (CTPPs), using a risk-based, proportional approach to harmonize rules across member states.
Key Components
DORA's pillars include ICT risk management frameworks with vulnerability controls and continuity plans; incident reporting with 4/72-hour timelines; resilience testing via annual scans and triennial TLPT; and third-party oversight with due diligence and ESAs supervision. It mandates management oversight, annual reviews, and penalties up to 2% of global turnover.
Why Organizations Use It
Financial firms adopt DORA for legal compliance amid rising threats (74% ransomware hit rate), to mitigate systemic risks such as those exposed by the CrowdStrike outage, to improve resilience, to foster information sharing, and to gain trust from regulators and stakeholders in a technology-dependent ecosystem.
Implementation Overview
Entities conduct gap analyses against the RTS/ITS, develop the required frameworks, implement testing and monitoring tools, and assess vendors. Obligations are proportional to size and complexity and target EU financial entities; compliance is verified through competent-authority audits, with preparation urged ahead of the 2025 application date.
EN 1090 Details
What It Is
EN 1090 is the harmonized European standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components. It implements the EU Construction Products Regulation (CPR), enabling CE marking via a risk-based approach through Execution Classes (EXC1–EXC4).
Key Components
- **EN 1090-1**: Conformity assessment, Factory Production Control (FPC) certification by Notified Bodies.
- **EN 1090-2/-3**: Technical rules for steel/aluminium (welding, tolerances, corrosion protection, inspection/NDT).
- Core principles: Material traceability, ISO 3834 welding quality, risk-scaled controls.
- AVCP systems with ongoing surveillance.
Why Organizations Use It
- Mandatory for EU market access with CE marking.
- Reduces liability, rework; builds trust via certified quality.
- Strategic: Enables high-risk projects (EXC3/4), competitive bidding.
Implementation Overview
Phased: gap analysis, FPC build, welding qualifications, Notified Body (NB) certification (3–12 months). Applies to fabricators in construction; requires audits and training for organizations of all sizes.
Key Differences
| Aspect | DORA | EN 1090 |
|---|---|---|
| Scope | Digital operational resilience in finance | Execution of steel/aluminium structural components |
| Industry | EU financial sector only | EU construction/manufacturing |
| Nature | Mandatory EU regulation | Harmonized standard for CE marking |
| Testing | Annual basic + triennial TLPT | FPC certification + surveillance audits |
| Penalties | Up to 2% global turnover fines | Market exclusion, no CE marking |