What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** (conformity assessment via Factory Production Control, FPC), **EN 1090-2** (steel execution requirements like welding, tolerances, and inspection), and **EN 1090-3** (aluminium equivalents). Risk-based **Execution Classes (EXC1–EXC4)** scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling market placement with Declaration of Performance (DoP).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU construction works must comply with EN 1090.** This includes fabricators, steelwork contractors, and suppliers needing **CE marking** via certified FPC. Applies to sectors like buildings, bridges, and stadia; non-structural items are excluded. Default to **EXC2** if unspecified.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates third-party certification of the FPC system by a Notified Body using AVCP systems.** Process includes initial inspection, type testing/calculation (ITT/ITC), certificate issuance, and ongoing surveillance audits. Welding must align with **ISO 3834** levels per execution class.

How often should an assessment for **EN 1090** be performed?

**FPC surveillance audits by Notified Bodies occur initially within one year, then per EN 1090-1 Table B.3 based on execution class and prior performance.** Annual intervals are common; changes in processes, personnel, or products trigger additional audits. Internal audits maintain ongoing constancy of performance.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents CE marking, blocks EU market access, and risks certificate suspension or withdrawal by Notified Bodies.** Outcomes include product recalls, fines under CPR, civil liability, and reputational damage. Major non-conformities (e.g., traceability failures) lead to public notification and mandatory CE mark cessation.

Can **EN 1090** be mapped to other international frameworks?

**No, these FAQs address EN 1090 independently per standalone requirements.**

What is the first step to begin implementing **EN 1090**?

**Conduct a product scope assessment to confirm EN 1090 applicability and determine execution classes (EXC1–EXC4) via CC/SC/PC matrix.** Follow with gap analysis of current FPC against EN 1090-1, prioritizing welding coordination and traceability.

What is the primary objective of **GDPR UK**?

**The primary objective of UK GDPR is to protect the fundamental rights and freedoms of individuals with regard to personal data processing through seven core principles.** These principles—lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability—require controllers to process data lawfully and demonstrate compliance (UK GDPR Article 5). Enforced by the ICO alongside the Data Protection Act 2018, UK GDPR ensures risk-based safeguards, individual rights, and accountability for UK-established entities and those targeting UK individuals.

Who is legally or professionally required to comply with **GDPR UK**?

**UK GDPR applies to controllers and processors established in the UK, and non-UK entities offering goods/services to or monitoring behaviour of UK individuals.** This includes extra-territorial scope for digital targeting (e.g., UK websites, analytics) regardless of payment (Article 3). Controllers determine purposes/means; processors act on instructions and bear direct obligations like security (Article 28). Public/private organisations processing personal data must comply, with DPOs required for large-scale monitoring or special category processing.

Does **GDPR UK** require an external audit or third-party certification?

**UK GDPR does not mandate external audits or third-party certification.** Controllers/processors must implement risk-based technical/organisational measures (Article 32) and demonstrate accountability (Article 5(2)) via internal records (RoPA, Article 30), DPIAs, and processor contracts with audit rights (Article 28). ICO may require assessments; adherence to codes of conduct or certification schemes offers mitigating evidence but is voluntary.

How often should an assessment for **GDPR UK** be performed?

**UK GDPR requires ongoing assessment through continuous monitoring, testing, and evaluation of security measures.** Regular reviews tie to risk-based obligations: update RoPA for changes, conduct DPIAs for high-risk processing, perform periodic internal audits, and reassess after incidents or material changes. No fixed frequency is prescribed; quarterly governance reviews and annual policy/DPIA cycles align with accountability principle (Articles 5(2), 32, 35).

What are the consequences of non-compliance with **GDPR UK**?

**Non-compliance with UK GDPR can result in fines up to the higher of £17.5 million or 4% of global annual turnover for serious infringements.** Higher tier applies to principles breaches, rights failures, transfers (Learning 1); standard tier up to £8.7 million or 2% for others. ICO uses a five-step fining process (seriousness, turnover, factors, proportionality), plus corrective powers like processing bans (Article 58), reputational harm, and civil claims.

Can **GDPR UK** be mapped to other international frameworks?

**Yes, UK GDPR's core principles, rights, and obligations align closely with EU GDPR, enabling control harmonisation.** Identical seven principles (Article 5) and similar DPIAs, lawful bases, processor duties facilitate mapping, though UK-specific ICO oversight and transfers (IDTA) require adjustments. Executives maintain GDPR-grade frameworks while addressing jurisdictional duality.

What is the first step to begin implementing **GDPR UK**?

**The first step is to create a Record of Processing Activities (RoPA) mapping all personal data flows, purposes, lawful bases, and safeguards.** This demonstrates accountability (Article 5(2), 30), informs DPIAs, rights handling, and contracts. Involve cross-functional teams to inventory systems, vendors, and risks for a live, evidence-based foundation.

EN 1090 vs GDPR UK

Standards Comparison

EN 1090

Mandatory

2009

European standard for steel/aluminium structural execution and CE marking

GDPR UK

Mandatory

2016

UK regulation for personal data protection and privacy

Quick Verdict

EN 1090 governs structural steel fabrication for CE marking in construction, while GDPR UK mandates personal data protection across all sectors. Fabricators certify FPC for market access; all firms adopt GDPR UK to avoid massive fines and ensure compliance.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Enables CE marking via Factory Production Control certification
Risk-scaled Execution Classes (EXC1-EXC4) for proportionality
Detailed technical rules for steel (EN 1090-2) and aluminium (EN 1090-3)
Welding quality management aligned with ISO 3834
Material traceability and inspection regimes by risk level

Data Privacy

GDPR UK

UK General Data Protection Regulation (UK GDPR)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Seven core data processing principles with accountability
Enforceable individual data subject rights
72-hour personal data breach notification to ICO
Mandatory DPIAs for high-risk processing
Risk-based security and international transfer safeguards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is the harmonized European standard family (EN 1090-1, -2, -3) for execution of steel and aluminium structural components under CPR. It provides a risk-based framework for fabrication, assembly, and conformity assessment enabling CE marking for load-bearing components in construction works.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by Notified Bodies.
**EN 1090-2/-3Technical requirements for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).
**Execution Classes (EXC1-4)Scales requirements by consequence, service, production categories.
Built on ISO 3834 for welding; AVCP systems with surveillance audits.

Why Organizations Use It

Mandatory for EU market access via CE marking; avoids exclusion, fines, liability.
Reduces risks through traceability, qualified processes; boosts competitiveness.
Enhances trust, enables high-risk projects (bridges, stadia).

Implementation Overview

Phased: gap analysis, FPC build, personnel training (rWC), NB certification, ongoing surveillance. Targets fabricators; 6-12 months typical; suits all sizes with welding focus.

GDPR UK Details

What It Is

UK GDPR (UK General Data Protection Regulation) is the UK's post-Brexit adaptation of the EU GDPR, a binding legal regulation enforced by the Information Commissioner’s Office (ICO). Its primary purpose is to protect individuals' personal data through risk-based principles, rights, and accountability, applying to controllers and processors in or targeting the UK.

Key Components

Seven core processing principles (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, security, accountability)
Enforceable data subject rights (access, rectification, erasure, portability, objection)
Controller/processor obligations (records, contracts, DPIAs, breach notification)
No formal certification; compliance demonstrated via documentation and audits

Why Organizations Use It

Mandatory legal compliance to avoid fines up to 4% global turnover
Enhances risk management, security, and incident response
Builds stakeholder trust and competitive differentiation
Supports cross-border operations with transfer safeguards

Implementation Overview

Phased approach: governance, data mapping (RoPA), policies, training, DPIAs, audits
Applies to all UK-handling organizations; scalable by size/industry
Ongoing; no certification but ICO enforcement via fines/notices (178 words)

Key Differences

Aspect	EN 1090	GDPR UK
Scope	Structural steel/aluminium fabrication and conformity	Personal data processing principles and rights
Industry	Construction, manufacturing (EU/UK steel fabricators)	All sectors handling personal data (UK-wide)
Nature	Harmonized technical standard for CE marking	Mandatory data protection regulation with fines
Testing	FPC certification, NDT, notified body audits	DPIAs, security testing, ICO audits/investigations
Penalties	Market exclusion, no CE marking	Fines up to 4% global turnover

Scope

EN 1090

Structural steel/aluminium fabrication and conformity

GDPR UK

Personal data processing principles and rights

Industry

EN 1090

Construction, manufacturing (EU/UK steel fabricators)

GDPR UK

All sectors handling personal data (UK-wide)

Nature

EN 1090

Harmonized technical standard for CE marking

GDPR UK

Mandatory data protection regulation with fines

Testing

EN 1090

FPC certification, NDT, notified body audits

GDPR UK

DPIAs, security testing, ICO audits/investigations

Penalties

EN 1090

Market exclusion, no CE marking

GDPR UK

Fines up to 4% global turnover

Frequently Asked Questions

Common questions about EN 1090 and GDPR UK

EN 1090 FAQ

GDPR UK FAQ

You Might also be Interested in These Articles...

The 'Black Box' Risk: Why Human-in-the-Loop is the Ultimate Fail-Safe for 2026 Security Operations

Uncover the black box AI risk in security ops. Learn why human-in-the-loop auditing is crucial for 2026. Upskill analysts to ensure data privacy and robust secu

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Deploy CIS Controls v8.1 as a control backbone for NIS2 & DORA compliance. Step-by-step roadmap (IG1→IG2), deliverables, metrics & evidence model for hybrid/clo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

DORA vs CMMI

Discover DORA vs CMMI: EU financial resilience regulation meets proven process maturity model. Boost compliance, ICT risk mgmt & performance. Find your best fit now!

ITIL vs ISO 13485

ITIL vs ISO 13485: ITIL's SVS & 34 practices align IT services for agile ops; ISO 13485's risk-based QMS ensures med device safety/compliance. Compare & choose wisely!

RoHS vs ISO 20000

RoHS vs ISO 20000: Compare hazardous substance limits in EEE (10 restricted materials) with IT service management standards. Unlock compliance strategies for global success now!

EN 1090

GDPR UK

Quick Verdict

EN 1090

Key Features

GDPR UK

Key Features

Detailed Analysis

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

GDPR UK Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

GDPR UK FAQ

What is the primary objective of GDPR UK?

Who is legally or professionally required to comply with GDPR UK?

Does GDPR UK require an external audit or third-party certification?

How often should an assessment for GDPR UK be performed?

What are the consequences of non-compliance with GDPR UK?

Can GDPR UK be mapped to other international frameworks?

What is the first step to begin implementing GDPR UK?

You Might also be Interested in These Articles...

The 'Black Box' Risk: Why Human-in-the-Loop is the Ultimate Fail-Safe for 2026 Security Operations

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

DORA vs CMMI

ITIL vs ISO 13485

RoHS vs ISO 20000