EN 1090 vs APRA CPS 234

What It Is

EN 1090 is a harmonized European standard series (EN 1090-1, -2, -3) for the execution and conformity assessment of structural steel and aluminium components. It serves as the primary framework under the EU Construction Products Regulation (CPR), enabling CE marking for load-bearing components in construction works. Its risk-based approach uses Execution Classes (EXC1-EXC4) to scale requirements based on failure consequences, service conditions, and production complexity.

Key Components

• **EN 1090-1Conformity assessment via Factory Production Control (FPC) certification by Notified Bodies.
• **EN 1090-2/-3Technical rules for steel/aluminium execution, covering materials, welding (ISO 3834 integration), tolerances, inspection, and corrosion protection.
• Core principles: traceability, qualified personnel, NDT inspection, and ongoing surveillance.
• Certification model: AVCP systems with initial audits and continuous monitoring.

Why Organizations Use It

Provides mandatory market access in EEA, reduces liability via proven processes, ensures weld quality consistency, and builds stakeholder trust. Strategic benefits include risk mitigation, rework reduction, and competitiveness in high-stakes projects like bridges and stadia.

Implementation Overview

Phased approach: gap analysis, FPC development, welding qualification, NB certification (3-12 months typical). Applies to fabricators of structural components; requires personnel training, digital traceability, and surveillance for steel/aluminium producers in Europe.

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding prudential regulation from the Australian Prudential Regulation Authority, effective 1 July 2019. It mandates APRA-regulated entities—banks, insurers, super funds—to maintain an information security capability commensurate with threats, protecting confidentiality, integrity, and availability of information assets, including those managed by third parties. It employs a risk-based, proportionate approach focused on governance, controls, and assurance.

Key Components

• **Governance and rolesBoard ultimate accountability, defined responsibilities.
• **Core areasPolicy framework, asset classification by criticality/sensitivity, commensurate controls, incident response, systematic testing, third-party assessments.
• No fixed controls; built on CIA triad principles.
• Compliance via self-management, independent assurance, APRA notifications—no formal certification.

Why Organizations Use It

• Mandatory for regulated entities to avoid enforcement, penalties.
• Mitigates cyber risks, ensures operational resilience.
• Builds customer trust, enables partnerships, reduces costs.
• Provides competitive edge in security posture.

Implementation Overview

• Phased: gap analysis, governance setup, asset register, controls, testing, monitoring.
• Suits all sizes in APRA sectors (Australia).
• Involves internal audit, annual testing; 72-hour incident reporting to APRA. (178 words)