EN 1090 vs 23 NYCRR 500
EN 1090
European standard for steel/aluminium structural execution and conformity
23 NYCRR 500
NY regulation for financial services cybersecurity.
Quick Verdict
EN 1090 enables CE marking for structural metal components in Europe, ensuring fabrication quality via FPC. 23 NYCRR 500 mandates cybersecurity for NY financial firms, protecting NPI through governance and controls. Fabricators need EN 1090 for market access; financiers require Part 500 compliance.
EN 1090
EN 1090 Execution of steel and aluminium structures
Key Features
- Risk-based Execution Classes (EXC1-EXC4) scaling requirements
- Mandatory Factory Production Control (FPC) certification
- Enables CE marking under CPR for structures
- Detailed technical execution rules for steel/aluminium
- Welding quality management via ISO 3834 alignment
23 NYCRR 500
23 NYCRR Part 500 Cybersecurity Regulation
Key Features
- Annual CISO/CEO dual-signature compliance certification
- 72-hour cybersecurity incident notification to NYDFS
- Multi-Factor Authentication (MFA) for privileged and remote access
- Comprehensive TPSP risk management and contractual controls
- Risk-based penetration testing and vulnerability assessments
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EN 1090 Details
What It Is
EN 1090 is the European harmonized standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). It provides a risk-based framework via Execution Classes (EXC1-EXC4) to ensure controlled fabrication, assembly, and market placement with CE marking.
Key Components
- **EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
- **EN 1090-2/-3Technical requirements for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).
- Core principles: traceability, welding coordination (ISO 3834), risk-scaled inspection.
- Certification model: Notified Body audits FPC with ongoing surveillance.
Why Organizations Use It
Mandated for EU/EEA market access; reduces liability, ensures quality; enables high-risk projects (EXC3/EXC4); builds trust via certified capability; aligns with sustainability trends.
Implementation Overview
Phased approach: gap analysis, FPC build, personnel qualification, NB certification (3-12 months). Applies to fabricators of load-bearing components; requires welding expertise, digital traceability.
23 NYCRR 500 Details
What It Is
23 NYCRR Part 500 is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, a prescriptive state-level mandate for financial services entities. It establishes minimum risk-based cybersecurity requirements to protect nonpublic information (NPI) and information systems' confidentiality, integrity, and availability. The approach is hybrid: risk-based tailoring with prescriptive elements like MFA and incident reporting.
Key Components
- 14 core requirements including cybersecurity program, CISO governance, risk assessments, MFA, encryption, penetration testing, TPSP oversight, and 72-hour incident notification.
- Built on risk assessment architecture; annual dual CISO/CEO certification with 5-year record retention.
- Class A companies face enhanced controls like independent audits and EDR.
- Compliance model emphasizes evidence-based attestation, not third-party certification.
Why Organizations Use It
- Mandatory for NY-licensed financial entities (banks, insurers, etc.) to avoid multimillion-dollar fines.
- Reduces cyber incident risk, strengthens governance, and builds stakeholder trust.
- Provides competitive edge via robust TPSP management and resilience.
Implementation Overview
- Phased roadmap: gap analysis, asset inventory, MFA rollout, TPSP contracts, testing.
- Applies to Covered Entities in NY financial services; scalable by size/complexity.
- No formal certification; annual filing and DFS examinations required. (178 words)
Key Differences
| Aspect | EN 1090 | 23 NYCRR 500 |
|---|---|---|
| Scope | Structural steel/aluminium execution & conformity | Cybersecurity for financial information systems |
| Industry | Construction/manufacturing, EEA market access | NY financial services entities only |
| Nature | Harmonized CE marking standard, mandatory for market | State regulation with fines/enforcement |
| Testing | FPC certification, surveillance audits by Notified Bodies | Annual pen testing, vulnerability scans, risk assessments |
| Penalties | Market exclusion, no CE marking | Multi-million fines, consent orders |
Scope
Industry
Nature
Testing
Penalties
Frequently Asked Questions
Common questions about EN 1090 and 23 NYCRR 500
EN 1090 FAQ
23 NYCRR 500 FAQ
You Might also be Interested in These Articles...
You Guide on how to Start Implementing NIS2 in Your Organization
Master NIS2 implementation with our detailed guide. Learn requirements, risk assessment, supply chain security, and compliance steps for your organization. Star
Top 5 Reasons Automation Tools Like Vanta Slash SOC 2 Type 2 Timelines from Months to Weeks
Automation tools like Vanta cut SOC 2 Type 2 prep from 6 months to 6 weeks, saving 70% costs. See SignWell examples, AWS/Okta/GitHub integrations. CISOs: Get fi
How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)
Deploy CIS Controls v8.1 as a control backbone for NIS2 & DORA compliance. Step-by-step roadmap (IG1→IG2), deliverables, metrics & evidence model for hybrid/clo
Run Maturity Assessments with GRADUM
Transform your compliance journey with our AI-powered assessment platform
Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.
Explore More Comparisons
See how EN 1090 and 23 NYCRR 500 compare against other standards