EN 1090 vs SAMA CSF
EN 1090
European standard for steel/aluminium structural execution and CE marking
SAMA CSF
Saudi regulatory framework for financial cybersecurity.
Quick Verdict
EN 1090 ensures CE-marked structural steel/aluminium compliance for EU construction, while SAMA CSF mandates cybersecurity maturity for Saudi financial institutions. Fabricators adopt EN 1090 for market access; banks use SAMA CSF for regulatory resilience and threat defense.
EN 1090
EN 1090 Execution of steel and aluminium structures
Key Features
- Enables mandatory CE marking via FPC certification
- Risk-based Execution Classes (EXC1-4) scaling controls
- Factory Production Control with notified body surveillance
- Technical rules for welding, tolerances, corrosion protection
- Declaration of Performance for structural components
SAMA CSF
SAMA Cyber Security Framework Version 1.0
Key Features
- Six-level maturity model with Level 3 baseline
- Four domains including third-party cybersecurity
- Principle-based controls across 114+ subcontrols
- Board oversight and independent CISO mandate
- Alignment with NIST, ISO 27001, PCI-DSS
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EN 1090 Details
What It Is
EN 1090 is a harmonized European standard family (EN 1090-1/2/3) for execution and conformity assessment of steel and aluminium structural components under the Construction Products Regulation (CPR). It enables CE marking through a risk-based framework scaling requirements via Execution Classes (EXC1-4).
Key Components
- **EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by notified bodies.
- **EN 1090-2/3Technical rules for steel/aluminium (welding per ISO 3834, tolerances, corrosion protection, NDT).
- Core: Traceability, personnel qualification, Declaration of Performance (DoP), ongoing surveillance.
Why Organizations Use It
- Mandatory for EU market access of load-bearing components.
- Reduces liability, ensures safety via risk-proportional controls.
- Builds trust, enables high-risk projects (bridges, stadia), competitive edge through certification.
Implementation Overview
Phased: gap analysis, FPC build, welding quals, NB certification (3-12 months). Applies to fabricators EU-wide; requires audits, training, digital traceability.
SAMA CSF Details
What It Is
The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia, including banks, insurers, and finance companies. It adopts a principle-based, risk-oriented approach with a maturity model to ensure detection, resistance, response, and recovery from cyber threats, focusing on information assets' confidentiality, integrity, and availability.
Key Components
- Four main **domainsCyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Cyber Security.
- Numerous subdomains with principles, objectives, and control considerations (114+ subcontrols).
- Six-level maturity model (0: Non-existent to 5: Adaptive), baseline at Level 3.
- Aligned with NIST CSF, ISO 27001, PCI-DSS; self-assessment via questionnaire, SAMA audits.
Why Organizations Use It
- Mandatory compliance avoids fines, audits, operational halts.
- Enhances resilience, efficiency, reduces incidents; strategic edge in partnerships.
- Builds stakeholder trust, supports Vision 2030 digital growth.
Implementation Overview
- **Phased roadmapInitiation/gap analysis, risk assessment, design/deployment, operate/audit.
- Applies to all sizes in Saudi finance; iterative self-assessments, no external certification.
Key Differences
| Aspect | EN 1090 | SAMA CSF |
|---|---|---|
| Scope | Execution and conformity of steel/aluminium structures | Cybersecurity governance, risk, operations, third-party |
| Industry | Construction, fabrication (EU/EEA) | Financial sector (Saudi Arabia only) |
| Nature | Harmonized technical standard, CE marking mandatory | Mandatory regulatory framework, maturity-based compliance |
| Testing | FPC certification, notified body audits/surveillance | Self-assessments, SAMA audits, maturity level reviews |
| Penalties | Market exclusion, no CE marking, legal liability | Fines, license suspension, supervisory actions |
Scope
Industry
Nature
Testing
Penalties
Frequently Asked Questions
Common questions about EN 1090 and SAMA CSF
EN 1090 FAQ
SAMA CSF FAQ
You Might also be Interested in These Articles...
Measuring NIST CSF 2.0 Success: KPIs, Dashboards, and Continuous Improvement Using Tiers & Profiles
Transform NIST CSF 2.0 into quantifiable success: Define board-ready KPIs for Functions, build Profile dashboards, track Tier progression. Prove ROI amid cyber
CMMC Sustainment Mastery: Continuous Monitoring, Annual Affirmations, and Subcontractor Flow-Down Playbook
Master CMMC sustainment beyond certification: continuous monitoring dashboards, SPRS/eMASS affirmations, enforceable subcontractor clauses. Get templates for ve
Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency
Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo
Run Maturity Assessments with GRADUM
Transform your compliance journey with our AI-powered assessment platform
Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.
Explore More Comparisons
See how EN 1090 and SAMA CSF compare against other standards