What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment via Factory Production Control, FPC), EN 1090-2 (steel execution requirements like welding, tolerances, and inspection), and EN 1090-3 (aluminium equivalents). Risk scales via Execution Classes (EXC1–EXC4) based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enforcing traceability, NDT, and ISO 3834 welding alignment.

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090. This includes fabricators supplying bridges, buildings, and industrial structures; CE marking is mandatory for market placement. Steelwork contractors, welding shops, and those performing design (Initial Type Calculation, ITC) require certified FPC. Default to EXC2 if unspecified; higher EXC demands qualified welding coordinators.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates third-party certification of Factory Production Control (FPC) by a Notified Body under AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and issuance of FPC certificate enabling CE marking and Declaration of Performance (DoP). Ongoing surveillance audits follow, with frequency per EXC (e.g., annual for higher classes).

How often should an assessment for EN 1090 be performed?

FPC surveillance audits by Notified Bodies occur initially within one year of certification, then per EN 1090-1 Table B.3 based on EXC and performance. Higher EXC (e.g., EXC3/EXC4) trigger more frequent or intensive checks. Manufacturers must conduct internal audits continuously, with full reassessments for changes in processes, personnel, or products.

What are the consequences of non-compliance with EN 1090?

Non-compliance prevents lawful CE marking, risking market withdrawal, certificate suspension, and CPR enforcement. Notified Bodies publicize suspensions for major non-conformities (e.g., traceability failures, unauthorized changes). Liabilities include product recalls, fines, civil claims for structural failures, and exclusion from EU tenders.

Can EN 1090 be mapped to other international frameworks?

No, these FAQs address EN 1090 independently per instructions.

What is the first step to begin implementing EN 1090?

Conduct a product scope and Execution Class (EXC) assessment to confirm CPR applicability and determine EXC1–EXC4 via CC/SC/PC matrix. Default to EXC2 if unspecified; then perform gap analysis of current FPC against EN 1090-1, prioritizing welding (ISO 3834), traceability, and personnel qualifications before Notified Body engagement.

What is the primary objective of NERC CIP?

NERC CIP standards mandate cybersecurity and physical security controls to protect the Bulk Electric System (BES) against compromise that could cause misoperation or instability. Developed by the North American Electric Reliability Corporation (NERC), the CIP family (CIP-002 through CIP-014) focuses on risk-based tiering of BES Cyber Systems into High, Medium, or Low Impact categories, applying governance, perimeters, hardening, incident response, recovery, and supply chain protections.

Who is legally or professionally required to comply with NERC CIP?

NERC CIP applies to registered Responsible Entities owning or operating BES Cyber Systems, including Balancing Authorities, Generator Owners/Operators, Transmission Owners/Operators, and limited Distribution Providers. Scope includes entities with BES facilities meeting CIP-002 bright-line criteria, such as ≥300 MW UFLS/UVLS systems or Blackstart paths; exemptions cover nuclear-regulated assets. Enforcement occurs via NERC Regional Entities and FERC under the Energy Policy Act of 2005.

Does NERC CIP require an external audit or third-party certification?

NERC CIP requires offsite and onsite audits by NERC Regional Entities, typically annual or per compliance cycle, without formal third-party certification. Audits verify evidence retention for three years, including policies, logs, and test records; mechanisms include self-certifications, spot checks, and investigations per NERC Rules of Procedure.

How often should an assessment for NERC CIP be performed?

NERC CIP mandates recurring assessments on defined cadences: vulnerability assessments every 15 months (paper) or 36 months (active in test environments) for High/Medium Impact systems. Patch evaluations occur every 35 days, log reviews every 15 days (90-day retention), policy/training reviews every 15 months, and incident response testing every 15 months.

What are the consequences of non-compliance with NERC CIP?

Non-compliance with NERC CIP incurs civil penalties up to over $1.5 million per day per violation, enforced by FERC via NERC Regional Entities. Penalties factor Violation Risk Factors (VRF), Severity Levels (VSL), duration, and Sanction Guidelines; repeat violations trigger mitigation plans, operational restrictions, and potential license revocation.

Can NERC CIP be mapped to other international frameworks?

Yes, NERC CIP maps to frameworks like IEC 62443 for OT security, with alignments in asset categorization, perimeters, and supply chain controls. CIP-002 scoping parallels IEC zones, CIP-007 patching aligns with IEC system hardening, and CIP-013 SCRM matches IEC vendor risk; mappings support unified compliance but require entity-specific validation.

What is the first step to begin implementing NERC CIP?

The first step is CIP-002 categorization: identify and classify BES Cyber Systems as High, Medium, or Low Impact using bright-line criteria. Document inventory, boundaries, and CIP Senior Manager approval, reviewed every 15 months, to define scope for all subsequent standards.

Standards Comparison

EN 1090 vs NERC CIP

EN 1090

Mandatory

2009

European standard for execution of structural steel and aluminium

NERC CIP

Mandatory

2006

Mandatory standards for BES cybersecurity and reliability.

Quick Verdict

EN 1090 mandates CE marking for structural steel/aluminium in EU construction, ensuring execution quality via FPC certification. NERC CIP enforces cyber/physical security for North American grid operators through audits and fines. Fabricators choose EN 1090 for market access; utilities adopt CIP for reliability compliance.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Mandates CE marking via certified Factory Production Control
Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Technical rules for steel (EN 1090-2) and aluminium (EN 1090-3)
Requires ISO 3834-aligned welding coordination and qualifications
Ensures full material traceability, tolerances, and NDT inspection

Critical Infrastructure Protection

NERC CIP

NERC Critical Infrastructure Protection Standards

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based tiering of BES Cyber Systems
Electronic/physical security perimeters
35-day patch evaluation cadence
Incident response and recovery plans
Supply chain risk management controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is the harmonized European standard family for execution and conformity assessment of steel and aluminium structural components under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment), EN 1090-2 (steel execution), and EN 1090-3 (aluminium). Primary purpose: ensure safe fabrication, assembly, and CE marking for load-bearing components in construction. Key approach: risk-based Execution Classes (EXC1-EXC4) scaling controls by consequence, service, and production categories.

Key Components

**Factory Production Control (FPC)documented system for traceability, welding, inspection.
**Welding managementISO 3834 integration, qualified coordinators/personnel.
**Technical requirementsmaterials, tolerances, corrosion protection, NDT.
Certification model: Notified Body audits FPC, issues certificate enabling Declaration of Performance (DoP) and CE mark.

Why Organizations Use It

Mandated for EU market access; reduces liability, rework. Drives capability in welding/traceability; enhances competitiveness for high-risk projects like bridges/stadia.

Implementation Overview

Phased: gap analysis, FPC build, personnel training, NB certification (3-12 months). Applies to fabricators; requires ongoing surveillance.

NERC CIP Details

What It Is

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) are mandatory reliability standards for cybersecurity and physical protection of the Bulk Electric System (BES). They apply to high-voltage assets across the US, Canada, and parts of Mexico, using a risk-based, tiered approach categorizing systems as High, Medium, or Low Impact.

Key Components

Core standards: CIP-002 (scoping), CIP-003 (governance), CIP-004 (personnel), CIP-005/006 (perimeters), CIP-007 (systems), CIP-008-010 (response/recovery/config), CIP-013 (supply chain), CIP-014/015 (physical/monitoring).
~45 requirements across 15+ standards.
Built on BES reliability principles; enforced via audits, penalties by NERC/FERC.

Why Organizations Use It

Legal mandate for BES owners/operators to prevent misoperation/instability.
Mitigates cyber/physical risks, reduces outages/fines.
Enhances resilience, insurance rates, stakeholder trust.

Implementation Overview

Phased: scoping, controls, testing, audits.
Targets utilities/transmission entities; annual audits, 15-month reviews.

Key Differences

Aspect	EN 1090	NERC CIP
Scope	Structural steel/aluminium execution & conformity	Cyber/physical security for Bulk Electric System
Industry	Construction, fabrication (EU/EEA)	Electric utilities (North America)
Nature	Harmonized standard for CE marking	Mandatory reliability standards enforced by FERC
Testing	FPC certification, surveillance audits by Notified Bodies	Annual audits, vulnerability assessments, incident drills
Penalties	Market exclusion, no CE marking	Fines up to $1M per violation, license suspension

Scope

EN 1090

Structural steel/aluminium execution & conformity

NERC CIP

Cyber/physical security for Bulk Electric System

Industry

EN 1090

Construction, fabrication (EU/EEA)

NERC CIP

Electric utilities (North America)

Nature

EN 1090

Harmonized standard for CE marking

NERC CIP

Mandatory reliability standards enforced by FERC

Testing

EN 1090

FPC certification, surveillance audits by Notified Bodies

NERC CIP

Annual audits, vulnerability assessments, incident drills

Penalties

EN 1090

Market exclusion, no CE marking

NERC CIP

Fines up to $1M per violation, license suspension

Frequently Asked Questions

Common questions about EN 1090 and NERC CIP

EN 1090 FAQ

NERC CIP FAQ

You Might also be Interested in These Articles...

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

Discover how compliance software automates monitoring, delivers real-time insights, and transforms compliance pros from reactive gatekeepers to proactive strate

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and NERC CIP compare against other standards

Other EN 1090 Comparisons

Other NERC CIP Comparisons

Quick Verdict

What It Is

Key Components

**Factory Production Control (FPC)documented system for traceability, welding, inspection.

**Welding managementISO 3834 integration, qualified coordinators/personnel.

**Technical requirementsmaterials, tolerances, corrosion protection, NDT.

Certification model: Notified Body audits FPC, issues certificate enabling Declaration of Performance (DoP) and CE mark.

What It Is

Key Components

Core standards: CIP-002 (scoping), CIP-003 (governance), CIP-004 (personnel), CIP-005/006 (perimeters), CIP-007 (systems), CIP-008-010 (response/recovery/config), CIP-013 (supply chain), CIP-014/015 (physical/monitoring).

~45 requirements across 15+ standards.

Built on BES reliability principles; enforced via audits, penalties by NERC/FERC.

Aspect

EN 1090

NERC CIP

Scope

Structural steel/aluminium execution & conformity

Cyber/physical security for Bulk Electric System

Industry

Construction, fabrication (EU/EEA)

Electric utilities (North America)

Nature

Harmonized standard for CE marking

Mandatory reliability standards enforced by FERC

Testing

FPC certification, surveillance audits by Notified Bodies

Annual audits, vulnerability assessments, incident drills

Penalties

Market exclusion, no CE marking

Fines up to $1M per violation, license suspension