What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment via certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**, **EN 1090-2** for steel technical requirements (welding, tolerances, inspection), and **EN 1090-3** for aluminium. Risk-scaled via **Execution Classes (EXC1–EXC4)**, it mandates traceability, qualified welding per ISO 3834, and notified body oversight for market placement.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent construction works in the EEA must comply with EN 1090 to apply CE marking.** This includes fabricators, steelwork contractors, and suppliers of elements like beams, trusses, bridges, and building frames. Compliance is mandatory under CPR for market access; non-structural or non-metallic products are excluded.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates third-party certification of the FPC system by a notified body under AVCP systems 2+.** This involves initial inspection of the factory, FPC review, **Initial Type Testing (ITT)** or **Type Calculation (ITC)** verification, and issuance of a certificate enabling CE marking and DoP. Ongoing surveillance audits ensure continued conformity.

How often should an assessment for **EN 1090** be performed?

**Notified bodies conduct initial certification audits followed by surveillance audits, typically annually, scaled by Execution Class per EN 1090-1 Table B.3.** Manufacturers must perform continuous internal FPC assessments, with frequencies tied to risk (e.g., higher for EXC3/EXC4), plus ad-hoc audits for changes, non-conformities, or complaints.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents lawful CE marking, risking market exclusion, product withdrawal, fines under CPR, and certificate suspension by notified bodies.** Major non-conformities trigger public notification, additional audits, and liability for structural failures; manufacturers remain accountable for product safety and traceability lapses.

Can **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality and ISO 9001 for QMS, but formal mappings depend on notified body practices.** It aligns with Eurocodes for design but stands as the CPR harmonized route; no direct equivalence to non-EU frameworks is specified.

What is the first step to begin implementing **EN 1090**?

**Conduct a product scope assessment to confirm EN 1090 applicability and determine Execution Class (EXC1–EXC4) based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).** Default to EXC2 if unspecified, then perform gap analysis against FPC requirements.

What is the primary objective of **APRA CPS 234**?

**APRA CPS 234 requires regulated entities to maintain an information security capability commensurate with threats and vulnerabilities to their information assets.** This ensures the continued sound operation of the entity by minimising the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of assets, including those managed by related parties or third parties (paragraphs 1, 15-16).

Who is legally or professionally required to comply with **APRA CPS 234**?

**APRA CPS 234 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers, and RSE licensees.** It extends group-wide where an entity is the Head of a group, covering non-APRA-regulated subsidiaries, and to Australian operations of foreign ADIs, Category C insurers, and eligible foreign life companies (paragraphs 2-4).

Does **APRA CPS 234** require an external audit or third-party certification?

**APRA CPS 234 does not mandate external audit or third-party certification.** It requires internal audit to review the design and operating effectiveness of information security controls, including those of third parties, using appropriately skilled personnel; reliance on third-party assurance must be assessed for sufficiency where material impacts are possible (paragraphs 32-34).

How often should an assessment for **APRA CPS 234** be performed?

**APRA CPS 234 requires systematic testing of control effectiveness with frequency commensurate to threats, asset criticality, sensitivity, and changes, plus annual review of the testing program.** Internal audit provides ongoing assurance, and incident response plans must be reviewed and tested annually (paragraphs 27, 31, 26).

What are the consequences of non-compliance with **APRA CPS 234**?

**Non-compliance with APRA CPS 234 exposes entities to APRA's prudential powers, including remediation directions, enforcement notices, penalties, and heightened supervision.** Operational risks include business interruption, loss of license, litigation, and reputational harm; material incidents or unremediable weaknesses must be notified within 72 hours or 10 business days, respectively (paragraphs 35-36).

Can **APRA CPS 234** be mapped to other international frameworks?

**Yes, APRA CPS 234's outcomes-based requirements for governance, controls, testing, and third-party oversight can be mapped to frameworks like ISO 27001 and NIST Cybersecurity Framework.** Entities commonly align its commensurate capability, asset classification, and assurance model to these for operationalisation, though CPS 234's Board accountability and notification timelines (72 hours for incidents) remain distinct.

What is the first step to begin implementing **APRA CPS 234**?

**The first step to implement APRA CPS 234 is securing Board approval and sponsorship, establishing explicit oversight of information security commensurate with threats.** This includes defining roles and responsibilities for the Board, senior management, and others, as the Board is ultimately accountable (paragraphs 13-14).

EN 1090 vs APRA CPS 234

Standards Comparison

EN 1090

Mandatory

2009

European standards for execution of steel and aluminium structures

APRA CPS 234

Mandatory

2019

Australian prudential standard for information security capability

Quick Verdict

EN 1090 ensures CE-marked structural steel/aluminium compliance for EU construction, while APRA CPS 234 mandates information security resilience for Australian financial entities. Fabricators adopt EN 1090 for market access; banks/insurers use CPS 234 to meet regulatory oversight and avoid penalties.

Structural Metalwork

EN 1090

EN 1090: Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Certified Factory Production Control (FPC) system mandatory
Enables CE marking under EU Construction Products Regulation
Integrates ISO 3834 for welding quality management
Ensures full material and process traceability

Information Security

APRA CPS 234

APRA Prudential Standard CPS 234 Information Security

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Board ultimately responsible for information security
Third-party managed assets fully in scope
Systematic independent testing of controls required
72-hour notification for material incidents
Risk-based asset classification by criticality

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard series (EN 1090-1, -2, -3) for the execution and conformity assessment of structural steel and aluminium components. It serves as the primary framework under the EU Construction Products Regulation (CPR), enabling CE marking for load-bearing components in construction works. Its risk-based approach uses Execution Classes (EXC1-EXC4) to scale requirements based on failure consequences, service conditions, and production complexity.

Key Components

**EN 1090-1Conformity assessment via Factory Production Control (FPC) certification by Notified Bodies.
**EN 1090-2/-3Technical rules for steel/aluminium execution, covering materials, welding (ISO 3834 integration), tolerances, inspection, and corrosion protection.
Core principles: traceability, qualified personnel, NDT inspection, and ongoing surveillance.
Certification model: AVCP systems with initial audits and continuous monitoring.

Why Organizations Use It

Provides mandatory market access in EEA, reduces liability via proven processes, ensures weld quality consistency, and builds stakeholder trust. Strategic benefits include risk mitigation, rework reduction, and competitiveness in high-stakes projects like bridges and stadia.

Implementation Overview

Phased approach: gap analysis, FPC development, welding qualification, NB certification (3-12 months typical). Applies to fabricators of structural components; requires personnel training, digital traceability, and surveillance for steel/aluminium producers in Europe.

APRA CPS 234 Details

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding prudential regulation from the Australian Prudential Regulation Authority, effective 1 July 2019. It mandates APRA-regulated entities—banks, insurers, super funds—to maintain an information security capability commensurate with threats, protecting confidentiality, integrity, and availability of information assets, including those managed by third parties. It employs a risk-based, proportionate approach focused on governance, controls, and assurance.

Key Components

**Governance and rolesBoard ultimate accountability, defined responsibilities.
**Core areasPolicy framework, asset classification by criticality/sensitivity, commensurate controls, incident response, systematic testing, third-party assessments.
No fixed controls; built on CIA triad principles.
Compliance via self-management, independent assurance, APRA notifications—no formal certification.

Why Organizations Use It

Mandatory for regulated entities to avoid enforcement, penalties.
Mitigates cyber risks, ensures operational resilience.
Builds customer trust, enables partnerships, reduces costs.
Provides competitive edge in security posture.

Implementation Overview

Phased: gap analysis, governance setup, asset register, controls, testing, monitoring.
Suits all sizes in APRA sectors (Australia).
Involves internal audit, annual testing; 72-hour incident reporting to APRA. (178 words)

Key Differences

Aspect	EN 1090	APRA CPS 234
Scope	Execution and conformity of steel/aluminium structures	Information security capability for financial entities
Industry	Construction, fabrication; EU/EEA market	Australian financial services (banks, insurers)
Nature	Harmonized technical standard; CE marking mandatory	Binding prudential regulation; APRA enforcement
Testing	FPC certification, surveillance audits by Notified Bodies	Systematic control testing, internal audit assurance
Penalties	Market exclusion, no CE marking, legal liability	Fines, supervisory actions, license restrictions

Scope

EN 1090

Execution and conformity of steel/aluminium structures

APRA CPS 234

Information security capability for financial entities

Industry

EN 1090

Construction, fabrication; EU/EEA market

APRA CPS 234

Australian financial services (banks, insurers)

Nature

EN 1090

Harmonized technical standard; CE marking mandatory

APRA CPS 234

Binding prudential regulation; APRA enforcement

Testing

EN 1090

FPC certification, surveillance audits by Notified Bodies

APRA CPS 234

Systematic control testing, internal audit assurance

Penalties

EN 1090

Market exclusion, no CE marking, legal liability

APRA CPS 234

Fines, supervisory actions, license restrictions

Frequently Asked Questions

Common questions about EN 1090 and APRA CPS 234

EN 1090 FAQ

APRA CPS 234 FAQ

You Might also be Interested in These Articles...

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

Discover how compliance software automates monitoring, delivers real-time insights, and transforms compliance pros from reactive gatekeepers to proactive strate

The Regulatory Radar: How Data-Driven Compliance Tools Provide Strategic Foresight

Unlock strategic foresight with data-driven compliance tools. Act as your regulatory radar: real-time monitoring, automated insights, and 3x cost cuts. Anticipa

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 9001 vs HITRUST CSF

ISO 9001 vs HITRUST CSF: Compare QMS gold standard (1M+ certs) with certifiable cybersecurity framework. Key diffs, benefits & when to choose—boost compliance now!

AEO vs CAA

Compare AEO vs CAA: Discover key differences in Authorized Economic Operator trade security benefits vs Clean Air Act compliance rules. Optimize strategies for efficiency now.

DORA vs ISO 28000

Compare DORA vs ISO 28000: EU financial ICT resilience regulation meets supply chain security std. Key diffs in risk mgmt, testing & third-party oversight. Choose wisely now!

EN 1090

APRA CPS 234

Quick Verdict

EN 1090

Key Features

APRA CPS 234

Key Features

Detailed Analysis

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

APRA CPS 234 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

APRA CPS 234 FAQ

What is the primary objective of APRA CPS 234?

Who is legally or professionally required to comply with APRA CPS 234?

Does APRA CPS 234 require an external audit or third-party certification?

How often should an assessment for APRA CPS 234 be performed?

What are the consequences of non-compliance with APRA CPS 234?

Can APRA CPS 234 be mapped to other international frameworks?

What is the first step to begin implementing APRA CPS 234?

You Might also be Interested in These Articles...

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

The Regulatory Radar: How Data-Driven Compliance Tools Provide Strategic Foresight

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 9001 vs HITRUST CSF

AEO vs CAA

DORA vs ISO 28000