What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment via Factory Production Control, FPC), EN 1090-2 (steel execution requirements like welding, tolerances, and inspection), and EN 1090-3 (aluminium equivalents). Risk-based Execution Classes (EXC1–EXC4) scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling market placement with Declaration of Performance (DoP).

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU construction works must comply with EN 1090. This includes fabricators, steelwork contractors, and suppliers needing CE marking via certified FPC. Applies to sectors like buildings, bridges, and stadia; non-structural items are excluded. Default to EXC2 if unspecified.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates third-party certification of the FPC system by a Notified Body using AVCP systems. Process includes initial inspection, type testing/calculation (ITT/ITC), certificate issuance, and ongoing surveillance audits. Welding must align with ISO 3834 levels per execution class.

How often should an assessment for EN 1090 be performed?

FPC surveillance audits by Notified Bodies occur initially within one year, then per EN 1090-1 Table B.3 based on execution class and prior performance. Annual intervals are common; changes in processes, personnel, or products trigger additional audits. Internal audits maintain ongoing constancy of performance.

What are the consequences of non-compliance with EN 1090?

Non-compliance prevents CE marking, blocks EU market access, and risks certificate suspension or withdrawal by Notified Bodies. Outcomes include product recalls, fines under CPR, civil liability, and reputational damage. Major non-conformities (e.g., traceability failures) lead to public notification and mandatory CE mark cessation.

Can EN 1090 be mapped to other international frameworks?

No, these FAQs address EN 1090 independently per standalone requirements.

What is the first step to begin implementing EN 1090?

Conduct a product scope assessment to confirm EN 1090 applicability and determine execution classes (EXC1–EXC4) via CC/SC/PC matrix. Follow with gap analysis of current FPC against EN 1090-1, prioritizing welding coordination and traceability.

What is the primary objective of GDPR UK?

The primary objective of UK GDPR is to protect the fundamental rights and freedoms of individuals with regard to personal data processing through seven core principles. These principles—lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability—require controllers to process data lawfully and demonstrate compliance (UK GDPR Article 5). Enforced by the ICO alongside the Data Protection Act 2018, UK GDPR ensures risk-based safeguards, individual rights, and accountability for UK-established entities and those targeting UK individuals.

Who is legally or professionally required to comply with GDPR UK?

UK GDPR applies to controllers and processors established in the UK, and non-UK entities offering goods/services to or monitoring behaviour of UK individuals. This includes extra-territorial scope for digital targeting (e.g., UK websites, analytics) regardless of payment (Article 3). Controllers determine purposes/means; processors act on instructions and bear direct obligations like security (Article 28). Public/private organisations processing personal data must comply, with DPOs required for large-scale monitoring or special category processing.

Does GDPR UK require an external audit or third-party certification?

UK GDPR does not mandate external audits or third-party certification. Controllers/processors must implement risk-based technical/organisational measures (Article 32) and demonstrate accountability (Article 5(2)) via internal records (RoPA, Article 30), DPIAs, and processor contracts with audit rights (Article 28). ICO may require assessments; adherence to codes of conduct or certification schemes offers mitigating evidence but is voluntary.

How often should an assessment for GDPR UK be performed?

UK GDPR requires ongoing assessment through continuous monitoring, testing, and evaluation of security measures. Regular reviews tie to risk-based obligations: update RoPA for changes, conduct DPIAs for high-risk processing, perform periodic internal audits, and reassess after incidents or material changes. No fixed frequency is prescribed; quarterly governance reviews and annual policy/DPIA cycles align with accountability principle (Articles 5(2), 32, 35).

What are the consequences of non-compliance with GDPR UK?

Non-compliance with UK GDPR can result in fines up to the higher of £17.5 million or 4% of global annual turnover for serious infringements. Higher tier applies to principles breaches, rights failures, transfers (Learning 1); standard tier up to £8.7 million or 2% for others. ICO uses a five-step fining process (seriousness, turnover, factors, proportionality), plus corrective powers like processing bans (Article 58), reputational harm, and civil claims.

Can GDPR UK be mapped to other international frameworks?

Yes, UK GDPR's core principles, rights, and obligations align closely with EU GDPR, enabling control harmonisation. Identical seven principles (Article 5) and similar DPIAs, lawful bases, processor duties facilitate mapping, though UK-specific ICO oversight and transfers (IDTA) require adjustments. Executives maintain GDPR-grade frameworks while addressing jurisdictional duality.

What is the first step to begin implementing GDPR UK?

The first step is to create a Record of Processing Activities (RoPA) mapping all personal data flows, purposes, lawful bases, and safeguards. This demonstrates accountability (Article 5(2), 30), informs DPIAs, rights handling, and contracts. Involve cross-functional teams to inventory systems, vendors, and risks for a live, evidence-based foundation.

Standards Comparison

EN 1090 vs GDPR UK

EN 1090

Mandatory

2009

European standard for steel/aluminium structural execution and CE marking

GDPR UK

Mandatory

2016

UK regulation for personal data protection and privacy

Quick Verdict

EN 1090 governs structural steel fabrication for CE marking in construction, while GDPR UK mandates personal data protection across all sectors. Fabricators certify FPC for market access; all firms adopt GDPR UK to avoid massive fines and ensure compliance.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Enables CE marking via Factory Production Control certification
Risk-scaled Execution Classes (EXC1-EXC4) for proportionality
Detailed technical rules for steel (EN 1090-2) and aluminium (EN 1090-3)
Welding quality management aligned with ISO 3834
Material traceability and inspection regimes by risk level

Data Privacy

GDPR UK

UK General Data Protection Regulation (UK GDPR)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Seven core data processing principles with accountability
Enforceable individual data subject rights
72-hour personal data breach notification to ICO
Mandatory DPIAs for high-risk processing
Risk-based security and international transfer safeguards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is the harmonized European standard family (EN 1090-1, -2, -3) for execution of steel and aluminium structural components under CPR. It provides a risk-based framework for fabrication, assembly, and conformity assessment enabling CE marking for load-bearing components in construction works.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by Notified Bodies.
**EN 1090-2/-3Technical requirements for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).
**Execution Classes (EXC1-4)Scales requirements by consequence, service, production categories.
Built on ISO 3834 for welding; AVCP systems with surveillance audits.

Why Organizations Use It

Mandatory for EU market access via CE marking; avoids exclusion, fines, liability.
Reduces risks through traceability, qualified processes; boosts competitiveness.
Enhances trust, enables high-risk projects (bridges, stadia).

Implementation Overview

Phased: gap analysis, FPC build, personnel training (rWC), NB certification, ongoing surveillance. Targets fabricators; 6-12 months typical; suits all sizes with welding focus.

GDPR UK Details

What It Is

UK GDPR (UK General Data Protection Regulation) is the UK's post-Brexit adaptation of the EU GDPR, a binding legal regulation enforced by the Information Commissioner’s Office (ICO). Its primary purpose is to protect individuals' personal data through risk-based principles, rights, and accountability, applying to controllers and processors in or targeting the UK.

Key Components

Seven core processing principles (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, security, accountability)
Enforceable data subject rights (access, rectification, erasure, portability, objection)
Controller/processor obligations (records, contracts, DPIAs, breach notification)
No formal certification; compliance demonstrated via documentation and audits

Why Organizations Use It

Mandatory legal compliance to avoid fines up to 4% global turnover
Enhances risk management, security, and incident response
Builds stakeholder trust and competitive differentiation
Supports cross-border operations with transfer safeguards

Implementation Overview

Phased approach: governance, data mapping (RoPA), policies, training, DPIAs, audits
Applies to all UK-handling organizations; scalable by size/industry
Ongoing; no certification but ICO enforcement via fines/notices (178 words)

Key Differences

Aspect	EN 1090	GDPR UK
Scope	Structural steel/aluminium fabrication and conformity	Personal data processing principles and rights
Industry	Construction, manufacturing (EU/UK steel fabricators)	All sectors handling personal data (UK-wide)
Nature	Harmonized technical standard for CE marking	Mandatory data protection regulation with fines
Testing	FPC certification, NDT, notified body audits	DPIAs, security testing, ICO audits/investigations
Penalties	Market exclusion, no CE marking	Fines up to 4% global turnover

Scope

EN 1090

Structural steel/aluminium fabrication and conformity

GDPR UK

Personal data processing principles and rights

Industry

EN 1090

Construction, manufacturing (EU/UK steel fabricators)

GDPR UK

All sectors handling personal data (UK-wide)

Nature

EN 1090

Harmonized technical standard for CE marking

GDPR UK

Mandatory data protection regulation with fines

Testing

EN 1090

FPC certification, NDT, notified body audits

GDPR UK

DPIAs, security testing, ICO audits/investigations

Penalties

EN 1090

Market exclusion, no CE marking

GDPR UK

Fines up to 4% global turnover

Frequently Asked Questions

Common questions about EN 1090 and GDPR UK

EN 1090 FAQ

GDPR UK FAQ

You Might also be Interested in These Articles...

From SOC to AI-Native CDC: Redefining Triage and Response in 2026

Explore the shift from SOCs to AI-Native CDCs. Autonomous agents handle Tier 1 triage in 2026, empowering analysts for complex threats. Discover the future of c

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Deploy CIS Controls v8.1 as a control backbone for NIS2 & DORA compliance. Step-by-step roadmap (IG1→IG2), deliverables, metrics & evidence model for hybrid/clo

What is DORA and which Requirements does the Standard define?

Discover DORA requirements for info security, strict authority monitoring, and steps to achieve compliance. Build a resilient organization with our detailed gui

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and GDPR UK compare against other standards

Other EN 1090 Comparisons

Other GDPR UK Comparisons

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by Notified Bodies.

**EN 1090-2/-3Technical requirements for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).

**Execution Classes (EXC1-4)Scales requirements by consequence, service, production categories.

Built on ISO 3834 for welding; AVCP systems with surveillance audits.

What It Is

Key Components

Seven core processing principles (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, security, accountability)

Enforceable data subject rights (access, rectification, erasure, portability, objection)

Controller/processor obligations (records, contracts, DPIAs, breach notification)

No formal certification; compliance demonstrated via documentation and audits

Aspect

EN 1090

GDPR UK

Scope

Structural steel/aluminium fabrication and conformity

Personal data processing principles and rights

Industry

Construction, manufacturing (EU/UK steel fabricators)

All sectors handling personal data (UK-wide)

Nature

Harmonized technical standard for CE marking

Mandatory data protection regulation with fines

Testing

FPC certification, NDT, notified body audits

DPIAs, security testing, ICO audits/investigations

Penalties

Market exclusion, no CE marking

Fines up to 4% global turnover