What is the primary objective of **DORA**?

**The primary objective of DORA is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks.** Regulation (EU) 2022/2554 mandates proactive ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 types of financial entities and critical ICT third-party providers (CTPPs), entering full application on January 17, 2025.

Who is legally or professionally required to comply with **DORA**?

**DORA applies to approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus critical ICT third-party providers (CTPPs).** Critical providers like cloud and data analytics firms face direct ESA oversight via designations by end-2025.

Does **DORA** require an external audit or third-party certification?

**DORA does not mandate external audits or third-party certification but requires independent, risk-based digital operational resilience testing, including annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities.** Testing may involve external providers, with results reported to authorities and scopes validated per Batch 2 RTS (July 17, 2024).

How often should an assessment for **DORA** be performed?

**DORA mandates annual basic ICT resilience tests, such as vulnerability assessments, and triennial advanced TLPT for critical or significant-risk entities.** ICT risk management frameworks must undergo annual reviews, with testing tailored proportionally to entity size, complexity, and risk exposure.

What are the consequences of non-compliance with **DORA**?

**Non-compliance with DORA incurs administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals, imposed by ESAs or competent authorities.** Additional measures include remedial orders, oversight fees up to €1 million annually for CTPPs, and reputational damage from public reporting.

An **DORA** be mapped to other international frameworks?

**Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements align with established resilience practices in financial regulation.** Mapping focuses on harmonizing DORA's specific RTS/ITS (e.g., 4-hour incident notifications, TLPT) with global standards for gap analysis and integrated compliance.

What is the first step to begin implementing **DORA**?

**The first step to implement DORA is conducting a gap analysis of current ICT risk management against the published RTS on ICT risk frameworks (Batch 1, January 17, 2024).** This identifies deficiencies in strategies, incident classification, third-party policies, and testing, enabling prioritization ahead of the January 17, 2025, application date.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment via certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**, **EN 1090-2** for steel technical requirements (welding, tolerances, inspection), and **EN 1090-3** for aluminium. Risk-based **Execution Classes (EXC1–EXC4)** scale controls by consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090 to affix CE marking.** This includes fabricators, welding shops, and steelwork contractors supplying to buildings, bridges, or industrial structures. **Notified Bodies** certify FPC; non-compliance bars market access.

Oes **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates third-party certification of the FPC system by a Notified Body under AVCP systems.** This involves initial inspection, **Initial Type Testing (ITT)** or **Type Calculation (ITC)** review, certificate issuance, and ongoing surveillance audits to verify constancy of performance.

How often should an assessment for **EN 1090** be performed?

**FPC surveillance audits by Notified Bodies occur initially within one year of certification, then periodically per EN 1090-1 Table B.3, scaled by Execution Class.** Higher EXC (e.g., EXC4) demand more frequent audits; manufacturers conduct internal audits continuously, notifying NBs of changes.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents legal CE marking, risking market withdrawal, product recalls, fines, and certificate suspension by Notified Bodies.** CPR enforcement includes civil liability; major non-conformities (e.g., traceability failures) trigger public notices and additional audits.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality and Eurocodes for design, but direct mappings to non-EU frameworks require case-by-case verification.** It aligns with ISO 9001 for FPC foundations, with EXC determining ISO 3834 levels.

What is the first step to begin implementing **EN 1090**?

**Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Classes for product families.** Appoint a **Responsible Welding Coordinator** and engage a Notified Body early for scope confirmation.

DORA vs EN 1090

Standards Comparison

DORA

Mandatory

2023

EU regulation for digital operational resilience in financial sector

EN 1090

Mandatory

2009

EU harmonized standard for steel and aluminium structural execution.

Quick Verdict

DORA mandates ICT resilience for EU finance against cyber threats, while EN 1090 requires certified FPC for CE-marking steel/aluminium structures. Finance adopts DORA for regulatory compliance; manufacturers use EN 1090 for EU market access.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554, Digital Operational Resilience Act

Cost

€€€€

Complexity

High

Implementation Time

18-24 months

Key Features

Mandates comprehensive ICT risk management frameworks overseen by management body
Requires incident reporting within 4 hours for major disruptions
Enforces risk-based resilience testing including triennial TLPT
Imposes direct ESAs oversight on critical third-party providers
Harmonizes rules across 20 EU financial entity types proportionally

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Factory Production Control (FPC) certification
Execution Classes (EXC1-EXC4) risk scaling
CE marking under CPR for market access
Welding quality via ISO 3834 alignment
Material traceability and NDT inspection regimes

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is a transformative EU regulation enhancing digital operational resilience for the financial sector against ICT disruptions like cyberattacks and third-party failures. Enacted in 2022 and applying from January 17, 2025, it covers 20 financial entity types and critical ICT third-party providers (CTPPs), using a risk-based, proportional approach to harmonize rules across member states.

Key Components

DORA's pillars include ICT risk management frameworks with vulnerability controls and continuity plans; incident reporting with 4/72-hour timelines; resilience testing via annual scans and triennial TLPT; and third-party oversight with due diligence and ESAs supervision. It mandates management oversight, annual reviews, and penalties up to 2% of global turnover.

Why Organizations Use It

Financial firms adopt DORA for legal compliance amid rising threats (74% ransomware hit rate), to mitigate systemic risks shown in CrowdStrike outage, improve resilience, foster information sharing, and gain trust from regulators/stakeholders in a tech-dependent ecosystem.

Implementation Overview

Entities conduct gap analyses against RTS/ITS, develop frameworks, implement testing/monitoring tools, and assess vendors. Proportional to size/complexity, it targets EU finance; compliance via authority audits, with preparation urged pre-2025 deadline. (178 words)

EN 1090 Details

What It Is

EN 1090 is the harmonized European standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components. It implements the EU Construction Products Regulation (CPR), enabling CE marking via a risk-based approach through Execution Classes (EXC1–EXC4).

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by Notified Bodies.
**EN 1090-2/-3Technical rules for steel/aluminium (welding, tolerances, corrosion protection, inspection/NDT).
Core principles: Material traceability, ISO 3834 welding quality, risk-scaled controls.
AVCP systems with ongoing surveillance.

Why Organizations Use It

Mandatory for EU market access with CE marking.
Reduces liability, rework; builds trust via certified quality.
Strategic: Enables high-risk projects (EXC3/4), competitive bidding.

Implementation Overview

Phased: Gap analysis, FPC build, welding quals, NB certification (3–12 months). Applies to fabricators in construction; requires audits, training for all sizes.

Key Differences

Aspect	DORA	EN 1090
Scope	Digital operational resilience in finance	Execution of steel/aluminium structural components
Industry	EU financial sector only	EU construction/manufacturing
Nature	Mandatory EU regulation	Harmonized standard for CE marking
Testing	Annual basic + triennial TLPT	FPC certification + surveillance audits
Penalties	Up to 2% global turnover fines	Market exclusion, no CE marking

Scope

DORA

Digital operational resilience in finance

EN 1090

Execution of steel/aluminium structural components

Industry

DORA

EU financial sector only

EN 1090

EU construction/manufacturing

Nature

DORA

Mandatory EU regulation

EN 1090

Harmonized standard for CE marking

Testing

DORA

Annual basic + triennial TLPT

EN 1090

FPC certification + surveillance audits

Penalties

DORA

Up to 2% global turnover fines

EN 1090

Market exclusion, no CE marking

Frequently Asked Questions

Common questions about DORA and EN 1090

DORA FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Top 10 Reasons ISO 27701 is the Ultimate Privacy Boost for Your ISO 27001 ISMS in 2025

Extend ISO 27001 with ISO 27701 for ultimate privacy governance amid GDPR & AI regs. Discover top 10 advantages like integrated audits to future-proof your ISMS

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

Discover how modern compliance monitoring tools leverage continuous, real-time oversight and automated alerts to shift organizations from reactive problem-solving to proactive threat detection and prevention, safeguarding against emerging risks before they escalate.

ISO 27701 Implementation Roadmap: Extending Your ISMS to PIMS in 12 Months or Less

Extend ISO 27001 ISMS to ISO 27701 PIMS in 12 months with our phased roadmap. Templates, checklists & infographics for RoPA, DSARs & audit-ready privacy complia

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

FERPA vs UAE PDPL

Discover FERPA vs UAE PDPL: US student privacy law meets UAE data protection. Compare rights, consents, disclosures & compliance strategies for educators worldwide.

PCI DSS vs CSL (Cyber Security Law of China)

PCI DSS vs CSL (Cyber Security Law of China): Compare key requirements, compliance strategies, data rules & penalties. Secure payments & China ops—expert insights now!

IFS Food vs CMMI

Compare IFS Food vs CMMI: Key differences in food safety audits, process maturity levels, and certification strategies for manufacturers. Boost compliance, efficiency—choose wisely now!

DORA

EN 1090

Quick Verdict

DORA

Key Features

EN 1090

Key Features

Detailed Analysis

DORA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

DORA FAQ

What is the primary objective of DORA?

Who is legally or professionally required to comply with DORA?

Does DORA require an external audit or third-party certification?

How often should an assessment for DORA be performed?

What are the consequences of non-compliance with DORA?

An DORA be mapped to other international frameworks?

What is the first step to begin implementing DORA?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Oes EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

An EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

Top 10 Reasons ISO 27701 is the Ultimate Privacy Boost for Your ISO 27001 ISMS in 2025

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

ISO 27701 Implementation Roadmap: Extending Your ISMS to PIMS in 12 Months or Less

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

FERPA vs UAE PDPL

PCI DSS vs CSL (Cyber Security Law of China)

IFS Food vs CMMI