What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** (conformity assessment via Factory Production Control, FPC), **EN 1090-2** (steel execution requirements like welding, tolerances, traceability), and **EN 1090-3** (aluminium equivalents). Risk scales via **Execution Classes (EXC1–EXC4)** based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enforcing material traceability, welding per ISO 3834, NDT, and Declaration of Performance (DoP).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090 to affix CE marking.** This includes fabricators, steelwork contractors, and suppliers of elements like beams, trusses, stairs, bridges, and roofs. Scope excludes non-structural or non-metallic items; professionals such as welding coordinators and FPC managers ensure **EXC**-aligned execution.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a notified body via AVCP systems.** This involves initial inspection of factory/FPC, initial type testing/calculation (ITT/ITC), certificate issuance, and continuous surveillance audits. Notified bodies like TÜV SÜD, DNV, or RINA verify **EXC**-specific controls including welding (ISO 3834), traceability, and DoP.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires ongoing FPC surveillance by notified bodies, typically annually after initial certification, scaled by Execution Class (EXC).** Higher **EXC3/EXC4** trigger more frequent/intense audits per EN 1090-1 Table B.3. Manufacturers conduct internal audits continuously, with full reassessments for changes in processes, personnel, or products; first surveillance occurs ~1 year post-certification.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product recalls, fines, and certificate suspension under CPR.** Notified bodies publicly report suspensions for major non-conformities (e.g., poor traceability, unqualified welding); manufacturers face civil liability, procurement bans, rework costs, and reputational damage from structural failures.

Can **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 (welding quality), ISO 9001 (QMS base for FPC), and Eurocodes (design alignment), but no formal mappings to unrelated frameworks exist.** Welding coordination follows ISO 14731; **EXC** requirements align with EN ISO 9606 welder qualifications. National forewords (e.g., BS EN 1090-2:2018) note Eurocode compatibility caveats.

What is the first step to begin implementing **EN 1090**?

**The first step is to determine product scope and Execution Class (EXC1–EXC4) via consequence class (CC), service category (SC), and production category (PC) matrix.** Conduct gap analysis of current FPC against EN 1090-1, appoint Responsible Welding Coordinator (rWC), and engage a notified body early for scope validation before developing FPC manual and ITT/ITC.

What is the primary objective of **FedRAMP**?

**FedRAMP's primary objective is to standardize security assessment, authorization, and continuous monitoring for cloud service offerings (CSOs) used by U.S. federal agencies.** It enables reusable authorizations via the "assess once, use many times" model, reducing duplication, accelerating secure cloud adoption, and enforcing NIST SP 800-53 baselines mapped to FIPS 199 impact levels (Low, Moderate, High).

Who is legally or professionally required to comply with **FedRAMP**?

**FedRAMP is required for cloud service providers (CSPs) offering CSOs that process, store, or transmit federal data.** Federal agencies must use FedRAMP-authorized CSOs unless narrow exceptions apply, per OMB policy. CSPs targeting federal contracts face professional mandates, with 484 authorized offerings listed on the Marketplace as of recent metrics.

Does **FedRAMP** require an external audit or third-party certification?

**Yes, FedRAMP requires independent assessments by accredited Third-Party Assessment Organizations (3PAOs).** 3PAOs, accredited by A2LA to ISO/IEC 17020, produce Security Assessment Reports (SARs) and Plans of Action & Milestones (POA&Ms) using NIST SP 800-53A procedures, ensuring objective validation of controls.

How often should an assessment for **FedRAMP** be performed?

**FedRAMP requires continuous monitoring with monthly deliverables and annual 3PAO reassessments.** Monthly reports include vulnerability scans, POA&Ms, and incident summaries; annual assessments revalidate controls, supporting ongoing authorization via Rev 5 Continuous Monitoring Playbook.

What are the consequences of non-compliance with **FedRAMP**?

**Non-compliance risks revocation of authorization, Marketplace delisting, and loss of federal contracts.** Persistent POA&M failures or sponsor withdrawal lead to ATO withdrawal; legal exposure includes DOJ civil fraud claims for inaccurate security postures, halting revenue from federal procurements.

Can **FedRAMP** be mapped to other international frameworks?

**FedRAMP baselines directly derive from NIST SP 800-53 Rev 5 controls, enabling mappings to aligned frameworks.** It leverages FIPS 199 impact levels and OSCAL for interoperability, with control inheritance supporting reuse, though agency-specific tailoring may apply.

What is the first step to begin implementing **FedRAMP**?

**The first step is FIPS 199 system categorization to select the impact level (Low ~156 controls, Moderate ~323, High ~410, or LI-SaaS ~50+).** Conduct a readiness assessment or gap analysis using PMO templates, then develop the System Security Plan (SSP) to align with the chosen baseline.

EN 1090 vs FedRAMP

Standards Comparison

EN 1090

Mandatory

2009

EU harmonized standard for steel and aluminium structures execution

FedRAMP

Mandatory

2011

U.S. program standardizing federal cloud security authorizations

Quick Verdict

EN 1090 mandates CE marking for EU structural steel/aluminium via FPC and execution classes, enabling market access. FedRAMP standardizes US federal cloud security through NIST baselines and 3PAO assessments for reusable authorizations. Manufacturers adopt EN 1090 for legal compliance; CSPs pursue FedRAMP for government contracts.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Mandatory certified Factory Production Control (FPC) system
Enables CE marking under CPR for structural components
Integrates ISO 3834 welding quality management
Ensures full material traceability and NDT inspection

Cloud Security

FedRAMP

Federal Risk and Authorization Management Program

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Reusable authorizations across federal agencies
NIST SP 800-53 baselines at three impact levels
Independent 3PAO security assessments required
Ongoing continuous monitoring with automation
FedRAMP Marketplace for transparency and reuse

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1/-2/-3) for execution of structural steel and aluminium components. It provides a risk-based framework under the Construction Products Regulation (CPR) for fabrication, assembly, and conformity assessment enabling CE marking.

Key Components

**EN 1090-1Conformity assessment, FPC certification by Notified Body.
**EN 1090-2/-3Technical rules for steel/aluminium (welding, tolerances, corrosion protection).
Execution Classes (EXC1-EXC4) scaling requirements.
Builds on ISO 3834 for welding; certification via AVCP systems with ongoing surveillance.

Why Organizations Use It

Mandatory for EU market access of load-bearing components.
Reduces liability, ensures traceability, improves quality.
Enables bidding on high-risk projects; builds stakeholder trust.

Implementation Overview

Phased: gap analysis, FPC build, welding quals, NB certification. Applies to fabricators in EU/EEA; 6-12 months typical, requires audits/surveillance.

FedRAMP Details

What It Is

FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government-wide standardized framework for security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. Its primary purpose is to enable secure, reusable cloud adoption via NIST SP 800-53 baselines tailored to FIPS 199 impact levels (Low, Moderate, High), reducing duplication across agencies.

Key Components

**Control baselines~156 (Low), ~323 (Moderate), ~410 (High) controls from NIST SP 800-53 Rev 5, plus LI-SaaS for low-risk SaaS.
Core artifacts: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action & Milestones (POA&M).
Paths: Agency and Program Authorizations via accredited 3PAOs.
Built on continuous monitoring with automation emphasis (FedRAMP 20x).

Why Organizations Use It

Mandatory for federal cloud procurement, unlocking contracts.
Enhances security posture, reuse, and market access.
Builds trust with agencies, reduces risk, differentiates competitively.

Implementation Overview

Gap analysis, SSP development, 3PAO assessment, remediation.
Targets CSPs serving U.S. federal market; high complexity for all sizes.
No traditional certification; ongoing authorizations via Marketplace listing. (178 words)

Key Differences

Aspect	EN 1090	FedRAMP
Scope	Structural steel/aluminium fabrication & conformity	Cloud service security assessment & monitoring
Industry	Construction, EU/EEA manufacturers	US federal cloud providers, government-wide
Nature	Harmonized standard, mandatory CE marking	Standardized program, mandatory for federal cloud
Testing	FPC certification, notified body audits/surveillance	3PAO assessments, continuous monitoring reports
Penalties	Market exclusion, legal liability	Revocation, contract ineligibility

Scope

EN 1090

Structural steel/aluminium fabrication & conformity

FedRAMP

Cloud service security assessment & monitoring

Industry

EN 1090

Construction, EU/EEA manufacturers

FedRAMP

US federal cloud providers, government-wide

Nature

EN 1090

Harmonized standard, mandatory CE marking

FedRAMP

Standardized program, mandatory for federal cloud

Testing

EN 1090

FPC certification, notified body audits/surveillance

FedRAMP

3PAO assessments, continuous monitoring reports

Penalties

EN 1090

Market exclusion, legal liability

FedRAMP

Revocation, contract ineligibility

Frequently Asked Questions

Common questions about EN 1090 and FedRAMP

EN 1090 FAQ

FedRAMP FAQ

You Might also be Interested in These Articles...

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Uncover top 5 unseen complexities modern compliance software manages effortlessly—from sensitive data mapping to real-time regulatory shifts. Automate audits, i

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

Discover NIST 800-53 ROI in private sector: control families like RA, SI, SR reduce median breach costs from $100K to under $50K. Get benchmarks to prioritize i

TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates with 2025 ENX Podcast Breakdown

Practical TISAX tabletop scripts for EV battery suppliers facing 'Very High' ASLP. Download ransomware AAR templates, get 2024 ENX lessons & 2025 podcast on VDA

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 27032 vs HITRUST CSF

Compare ISO 27032 vs HITRUST CSF: cybersecurity guidelines for Internet threats vs certifiable controls for compliance. Uncover differences, benefits & choose the right framework now.

TOGAF vs SAMA CSF

Compare TOGAF vs SAMA CSF: EA framework for business-IT alignment meets Saudi financial cyber maturity model. Uncover key differences, implementation strategies & governance wins. Optimize now!

NIST 800-53 vs ISO 22000

Discover NIST 800-53 vs ISO 22000: Compare cybersecurity/privacy controls with food safety management. Uncover differences, overlaps, RMF integration & implementation for compliance success.

EN 1090

FedRAMP

Quick Verdict

EN 1090

Key Features

FedRAMP

Key Features

Detailed Analysis

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

FedRAMP Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

FedRAMP FAQ

What is the primary objective of FedRAMP?

Who is legally or professionally required to comply with FedRAMP?

Does FedRAMP require an external audit or third-party certification?

How often should an assessment for FedRAMP be performed?

What are the consequences of non-compliance with FedRAMP?

Can FedRAMP be mapped to other international frameworks?

What is the first step to begin implementing FedRAMP?

You Might also be Interested in These Articles...

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates with 2025 ENX Podcast Breakdown

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 27032 vs HITRUST CSF

TOGAF vs SAMA CSF

NIST 800-53 vs ISO 22000