EN 1090 vs 23 NYCRR 500
EN 1090
European standard for steel/aluminium structural execution and conformity
23 NYCRR 500
NY regulation for financial services cybersecurity.
Quick Verdict
EN 1090 enables CE marking for structural metal components in Europe, ensuring fabrication quality via FPC. 23 NYCRR 500 mandates cybersecurity for NY financial firms, protecting NPI through governance and controls. Fabricators need EN 1090 for market access; financiers require Part 500 compliance.
EN 1090
EN 1090 Execution of steel and aluminium structures
Key Features
- Risk-based Execution Classes (EXC1-EXC4) scaling requirements
- Mandatory Factory Production Control (FPC) certification
- Enables CE marking under CPR for structures
- Detailed technical execution rules for steel/aluminium
- Welding quality management via ISO 3834 alignment
23 NYCRR 500
23 NYCRR Part 500 Cybersecurity Regulation
Key Features
- Annual CISO/CEO dual-signature compliance certification
- 72-hour cybersecurity incident notification to NYDFS
- Multi-Factor Authentication (MFA) for privileged and remote access
- Comprehensive TPSP risk management and contractual controls
- Risk-based penetration testing and vulnerability assessments
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EN 1090 Details
What It Is
EN 1090 is the European harmonized standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). It provides a risk-based framework via Execution Classes (EXC1-EXC4) to ensure controlled fabrication, assembly, and market placement with CE marking.
Key Components
- **EN 1090-1**: Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
- **EN 1090-2/-3**: Technical requirements for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).
- Core principles: traceability, welding coordination (ISO 3834), risk-scaled inspection.
- Certification model: Notified Body audits FPC with ongoing surveillance.
Why Organizations Use It
Mandated for EU/EEA market access; reduces liability, ensures quality; enables high-risk projects (EXC3/EXC4); builds trust via certified capability; aligns with sustainability trends.
Implementation Overview
Phased approach: gap analysis, FPC build, personnel qualification, NB certification (3-12 months). Applies to fabricators of load-bearing components; requires welding expertise, digital traceability.
23 NYCRR 500 Details
What It Is
23 NYCRR Part 500 is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, a prescriptive state-level mandate for financial services entities. It establishes minimum risk-based cybersecurity requirements to protect nonpublic information (NPI) and information systems' confidentiality, integrity, and availability. The approach is hybrid: risk-based tailoring with prescriptive elements like MFA and incident reporting.
Key Components
- 14 core requirements including cybersecurity program, CISO governance, risk assessments, MFA, encryption, penetration testing, TPSP oversight, and 72-hour incident notification.
- Built on risk assessment architecture; annual dual CISO/CEO certification with 5-year record retention.
- Class A companies face enhanced controls like independent audits and EDR.
- Compliance model emphasizes evidence-based attestation, not third-party certification.
Why Organizations Use It
- Mandatory for NY-licensed financial entities (banks, insurers, etc.) to avoid multimillion-dollar fines.
- Reduces cyber incident risk, strengthens governance, and builds stakeholder trust.
- Provides competitive edge via robust TPSP management and resilience.
Implementation Overview
- Phased roadmap: gap analysis, asset inventory, MFA rollout, TPSP contracts, testing.
- Applies to Covered Entities in NY financial services; scalable by size/complexity.
- No formal certification; annual filing and DFS examinations required.
Key Differences
| Aspect | EN 1090 | 23 NYCRR 500 |
|---|---|---|
| Scope | Structural steel/aluminium execution & conformity | Cybersecurity for financial information systems |
| Industry | Construction/manufacturing, EEA market access | NY financial services entities only |
| Nature | Harmonized CE marking standard, mandatory for market | State regulation with fines/enforcement |
| Testing | FPC certification, surveillance audits by Notified Bodies | Annual pen testing, vulnerability scans, risk assessments |
| Penalties | Market exclusion, no CE marking | Multi-million fines, consent orders |