What It Is

EN 1090 is the European harmonized standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). It provides a risk-based framework via Execution Classes (EXC1-EXC4) to ensure controlled fabrication, assembly, and market placement with CE marking.

Key Components

• **EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
• **EN 1090-2/-3Technical requirements for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).
• Core principles: traceability, welding coordination (ISO 3834), risk-scaled inspection.
• Certification model: Notified Body audits FPC with ongoing surveillance.

Why Organizations Use It

Mandated for EU/EEA market access; reduces liability, ensures quality; enables high-risk projects (EXC3/EXC4); builds trust via certified capability; aligns with sustainability trends.

Implementation Overview

Phased approach: gap analysis, FPC build, personnel qualification, NB certification (3-12 months). Applies to fabricators of load-bearing components; requires welding expertise, digital traceability.

What It Is

23 NYCRR Part 500 is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, a prescriptive state-level mandate for financial services entities. It establishes minimum risk-based cybersecurity requirements to protect nonpublic information (NPI) and information systems' confidentiality, integrity, and availability. The approach is hybrid: risk-based tailoring with prescriptive elements like MFA and incident reporting.

Key Components

• 14 core requirements including cybersecurity program, CISO governance, risk assessments, MFA, encryption, penetration testing, TPSP oversight, and 72-hour incident notification.
• Built on risk assessment architecture; annual dual CISO/CEO certification with 5-year record retention.
• Class A companies face enhanced controls like independent audits and EDR.
• Compliance model emphasizes evidence-based attestation, not third-party certification.

Why Organizations Use It

• Mandatory for NY-licensed financial entities (banks, insurers, etc.) to avoid multimillion-dollar fines.
• Reduces cyber incident risk, strengthens governance, and builds stakeholder trust.
• Provides competitive edge via robust TPSP management and resilience.

Implementation Overview

• Phased roadmap: gap analysis, asset inventory, MFA rollout, TPSP contracts, testing.
• Applies to Covered Entities in NY financial services; scalable by size/complexity.
• No formal certification; annual filing and DFS examinations required. (178 words)