What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment via Factory Production Control, FPC), EN 1090-2 (steel execution requirements like welding, tolerances, and traceability), and EN 1090-3 (aluminium equivalents). Risk-based Execution Classes (EXC1–EXC4) scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent construction works must comply with EN 1090 to affix CE marking. This includes fabricators, welding shops, and suppliers targeting EEA markets; non-compliance bars market access. Applies to products like beams, trusses, bridges, and building frames, but excludes non-structural items.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a notified body via AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and ongoing surveillance audits to verify performance constancy, enabling Declaration of Performance (DoP) and CE marking issuance.

How often should an assessment for EN 1090 be performed?

Notified bodies conduct initial FPC certification followed by surveillance audits, typically annually, scaled by Execution Class (EXC). Higher EXC (e.g., EXC4) demands more frequent/intense checks; manufacturers perform continuous internal FPC monitoring, with changes (e.g., processes, personnel) triggering NB notifications.

What are the consequences of non-compliance with EN 1090?

Non-compliance prevents CE marking, blocking EEA market access and risking product withdrawal, fines, or liability under CPR. Notified bodies may suspend/revoke FPC certificates for major non-conformities; failures expose manufacturers to civil claims, recalls, and reputational damage from structural incidents.

Can EN 1090 be mapped to other international frameworks?

EN 1090 integrates with standards like ISO 3834 for welding quality, but no formal mappings to unrelated frameworks are specified. It aligns with Eurocodes for design and requires ISO 14731 competence for welding coordinators; FPC can leverage ISO 9001 structures but must meet EN 1090-specific clauses independently.

What is the first step to begin implementing EN 1090?

Determine product scope and Execution Class (EXC1–EXC4) via consequence, service, and production category matrix. Default to EXC2 if unspecified; then conduct FPC gap analysis against EN 1090-1, appointing a Responsible Welding Coordinator (rWC).

What is the primary objective of MAS TRM?

MAS TRM's primary objective is to establish sound technology risk governance and cyber resilience through defence-in-depth for financial institutions. Issued by the Monetary Authority of Singapore in January 2021, the Guidelines promote robust practices across governance (§3), risk frameworks (§4), secure SDLC (§5-6), IT service management (§7), resilience (§8), access controls (§9-10), data security (§11), cyber operations (§12), and assessments (§13) to preserve CIA of systems and data.

Who is legally or professionally required to comply with MAS TRM?

MAS TRM applies to all financial institutions supervised by MAS, including banks, insurers, capital market intermediaries, payment service providers, and fintech sandbox participants. Applicability is proportionate to risk and complexity (§2.2), with boards and senior management accountable for oversight (§3.1), extending to third-party service providers managing FI information assets (§3.3, §3.4).

Does MAS TRM require an external audit or third-party certification?

MAS TRM requires an independent internal audit function to assess TRM effectiveness but does not mandate external audits or certifications. Boards must ensure independent audit coverage of controls, governance, and risk management (§3.1.7, §15); external penetration testing is expected annually for internet-facing systems (§13.2.4), with proportionality for other assurance.

How often should an assessment for MAS TRM be performed?

MAS TRM requires periodic risk assessments, with vulnerability assessments regular and commensurate to criticality, and penetration testing at least annually for internet-facing systems. Reassessments trigger on major changes (§13.1-13.2.4); DR plans reviewed annually (§8.2.2), policies updated regularly (§3.2.1), and cyber exercises scheduled by objectives (§13.3).

What are the consequences of non-compliance with MAS TRM?

Non-compliance with MAS TRM can result in supervisory actions including fines, license conditions, revocations, and executive prohibitions. MAS considers TRM observance in supervision (§2.2); examples include S$27.45M fines across nine FIs for AML/CFT lapses tied to tech gaps, CMS license revocation, and personal sanctions on executives.

Can MAS TRM be mapped to other international frameworks?

Yes, MAS TRM aligns with outcomes in NIST CSF 2.0, ISO 27001, and practitioner frameworks for ERM integration. It supports CSRRs for risk aggregation (NIST IR 8286), ISMS controls, and hybrid approaches; MAS encourages industry standards (§3.2.1) for monitoring and assurance cycles.

What is the first step to begin implementing MAS TRM?

The first step is Board approval of a technology risk appetite/tolerance statement and establishment of an independent TRM function. Per §3.1, boards ensure framework oversight, appoint competent CIO/CISO (CEO-approved, §3.1.3), and integrate TRM into ERM with asset inventories (§3.3) for proportional controls.

Standards Comparison

EN 1090 vs MAS TRM

EN 1090

Mandatory

2009

European standards for structural steel/aluminium execution and CE marking

MAS TRM

Mandatory

2021

Singapore guidelines for technology risk management in finance

Quick Verdict

EN 1090 mandates CE marking for structural steel/aluminium in EU construction, while MAS TRM guides Singapore FIs on cyber resilience. Fabricators need EN 1090 for market access; banks adopt TRM to avoid fines and ensure operational stability.

Structural Metalwork

EN 1090

Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Mandatory Factory Production Control (FPC) certification
Enables CE marking under CPR for structural components
Detailed technical execution rules for steel/aluminium
Integrates ISO 3834 welding quality management

Technology Risk Management

MAS TRM

MAS Technology Risk Management Guidelines

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Board-level technology risk accountability
Proportionality to FI risk profile
Third-party service risk management
Annual pen testing for internet systems
Defence-in-depth cyber resilience controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for execution and conformity assessment of structural steel and aluminium components. It serves as the primary framework under the EU Construction Products Regulation (CPR), enabling CE marking for load-bearing metal components in construction. Its risk-based approach uses Execution Classes (EXC1-EXC4) to scale requirements based on failure consequences, service conditions, and production complexity.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).
Core principles: Traceability, welding via ISO 3834, inspection regimes.
Certification model: Notified Body audits FPC with ongoing surveillance.

Why Organizations Use It

Mandated for EU market access; reduces liability, ensures safety. Benefits include risk mitigation, rework reduction, market credibility. Builds stakeholder trust via certified quality and traceability.

Implementation Overview

Phased: Gap analysis, FPC design, personnel training (e.g., Welding Coordinator), NB certification. Applies to fabricators in construction; 6-12 months typical for medium firms, involving audits and digital traceability.

MAS TRM Details

What It Is

MAS Technology Risk Management (TRM) Guidelines (January 2021) are supervisory guidelines from Singapore's Monetary Authority of Singapore (MAS). They establish a risk-based framework for financial institutions (FIs) to govern, control, and assure technology and cyber risks, emphasizing proportionality to risk profile and complexity.

Key Components

Pillars: governance, asset management, secure SDLC, IT service management, resilience, access/cryptography, cyber operations, testing, audit (15 sections).
Defence-in-depth approach preserving CIA triad.
Principles: board accountability, independent oversight, continuous improvement.
No certification; compliance via supervisory review and enforcement.

Why Organizations Use It

Mandatory for MAS-regulated FIs to mitigate enforcement risks (fines, revocations).
Enhances resilience, reduces systemic cyber threats.
Supports ERM integration, digital transformation.
Builds regulator, customer, stakeholder trust.

Implementation Overview

Phased: governance setup, asset inventory, controls, testing, monitoring.
Targets banks, insurers, fintechs in Singapore.
Audit-focused; 12-24 months for maturity.

Key Differences

Aspect	EN 1090	MAS TRM
Scope	Execution and conformity of steel/aluminium structures	Technology and cyber risk management in finance
Industry	Construction, steel/aluminium fabrication, Europe	Financial institutions, Singapore regulated entities
Nature	Harmonized standard enabling CE marking, mandatory	Supervisory guidelines, proportionate enforcement
Testing	FPC certification, surveillance audits, NDT by notified bodies	Penetration testing, vulnerability assessments, cyber exercises
Penalties	Market exclusion, no CE marking, legal liability	Fines, license conditions, supervisory actions

Scope

EN 1090

Execution and conformity of steel/aluminium structures

MAS TRM

Technology and cyber risk management in finance

Industry

EN 1090

Construction, steel/aluminium fabrication, Europe

MAS TRM

Financial institutions, Singapore regulated entities

Nature

EN 1090

Harmonized standard enabling CE marking, mandatory

MAS TRM

Supervisory guidelines, proportionate enforcement

Testing

EN 1090

FPC certification, surveillance audits, NDT by notified bodies

MAS TRM

Penetration testing, vulnerability assessments, cyber exercises

Penalties

EN 1090

Market exclusion, no CE marking, legal liability

MAS TRM

Fines, license conditions, supervisory actions

Frequently Asked Questions

Common questions about EN 1090 and MAS TRM

EN 1090 FAQ

MAS TRM FAQ

You Might also be Interested in These Articles...

SEC Cybersecurity Rules Implementation Guide: Mastering Form 8-K Item 1.05 Materiality Determination and 4-Business-Day Reporting Workflow

Master SEC Form 8-K Item 1.05 compliance with step-by-step materiality assessment, incident workflows & Inline XBRL tagging. Beat the 4-business-day clock. Esse

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

Demystify NIST CSF 2.0 jargon with plain English tables for Govern, Supply Chain & Core Functions. Actionable steps for risk oversight & vendor management. Empo

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and MAS TRM compare against other standards

Other EN 1090 Comparisons

Other MAS TRM Comparisons

What It Is

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).

**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding, tolerances, corrosion protection, NDT).

Core principles: Traceability, welding via ISO 3834, inspection regimes.

Certification model: Notified Body audits FPC with ongoing surveillance.

What It Is

Key Components

Pillars: governance, asset management, secure SDLC, IT service management, resilience, access/cryptography, cyber operations, testing, audit (15 sections).

Defence-in-depth approach preserving CIA triad.

Principles: board accountability, independent oversight, continuous improvement.

No certification; compliance via supervisory review and enforcement.

Aspect

EN 1090

MAS TRM

Scope

Execution and conformity of steel/aluminium structures

Technology and cyber risk management in finance

Industry

Construction, steel/aluminium fabrication, Europe

Financial institutions, Singapore regulated entities

Nature

Harmonized standard enabling CE marking, mandatory

Supervisory guidelines, proportionate enforcement

Testing

FPC certification, surveillance audits, NDT by notified bodies

Penetration testing, vulnerability assessments, cyber exercises

Penalties

Market exclusion, no CE marking, legal liability

Fines, license conditions, supervisory actions