What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 for conformity assessment via certified Factory Production Control (FPC) and Declaration of Performance (DoP); EN 1090-2 for steel execution requirements like welding, tolerances, and inspection; and EN 1090-3 for aluminium. Risk scales via Execution Classes (EXC1–EXC4) based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU construction works must comply with EN 1090 to affix CE marking. This includes fabricators, welding shops, and suppliers to construction projects like buildings, bridges, and stadia. Compliance is mandatory under CPR for market placement in the EEA; non-structural or non-metallic elements are excluded.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a Notified Body via AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and issuance of an FPC certificate enabling CE marking and DoP. Ongoing surveillance audits ensure continued conformity.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial Notified Body certification followed by continuous surveillance audits, typically annually. Frequency aligns with EN 1090-1 Table B.3, scaled by Execution Class (EXC); higher EXC (e.g., EXC4) demands more frequent or intensive audits. Internal FPC assessments are ongoing via procedures, inspections, and traceability checks.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product recalls, and CPR enforcement. Notified Bodies may suspend/withdraw FPC certificates for major non-conformities, publicizing status. Manufacturers face civil liability, fines, and reputational damage from structural failures.

An EN 1090 be mapped to other international frameworks?

EN 1090 integrates with standards like ISO 3834 for welding quality, but no formal mappings to unrelated frameworks are defined. It aligns internally with Eurocodes for design and focuses on CPR-specific conformity; organizations adapt FPC using ISO 9001 as a base where welding aligns with EXC requirements.

What is the first step to begin implementing EN 1090?

The first step is to determine product scope and Execution Class (EXC1–EXC4) via risk assessment of consequence, service, and production categories. Default to EXC2 if unspecified, then conduct a gap analysis of current FPC against EN 1090-1, prioritizing welding coordination and traceability.

What is the primary objective of SAMA CSF?

SAMA CSF aims to create a common cybersecurity approach across SAMA-regulated financial institutions, achieve appropriate maturity levels, and ensure proper management of cybersecurity risks. Issued in May 2017 (Version 1.0), it prescribes principles, objectives, and controls across four domains—Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, and Third Party Cyber Security—using a six-level maturity model targeting at least Level 3 (Structured and Formalized).

Who is legally or professionally required to comply with SAMA CSF?

SAMA CSF is mandatory for all SAMA-regulated entities, including banks, insurance and reinsurance companies, financing companies, credit bureaus, and financial market infrastructure providers operating in Saudi Arabia. Boards, senior management, CISOs (Saudi nationals with SAMA no-objection), Chief Risk Officers, IT leaders, and third-party risk managers must ensure adoption, with full applicability to banking and tailored exceptions for non-banks (e.g., payment systems if not handling cards/SWIFT).

Does SAMA CSF require an external audit or third-party certification?

No, SAMA CSF does not require external audits or third-party certification; compliance is demonstrated through periodic self-assessments using SAMA-provided questionnaires and subject to SAMA supervisory review. Internal audits by independent functions are mandated, with evidence of maturity Level 3+ (policies, standards, procedures, KPIs) maintained for SAMA inspections.

How often should an assessment for SAMA CSF be performed?

SAMA CSF requires periodic self-assessments using the official questionnaire, typically annually or as triggered by changes, projects, outsourcing, or new products/technologies. Maturity levels (0-5) must be evaluated per domain, with annual reviews of critical assets, penetration testing for customer-facing services, and ongoing monitoring via KPIs (Level 3) and KRIs (Level 4+).

What are the consequences of non-compliance with SAMA CSF?

Non-compliance with SAMA CSF triggers SAMA supervisory actions, including remediation demands, elevated scrutiny, audit findings, operational restrictions, and potential enforcement under broader banking regulations. While specific fines are not detailed in the framework, failures in maturity (below Level 3), incident reporting, or controls can lead to mandated audits, business conditions, financial losses, reputational damage, and systemic interventions.

An SAMA CSF be mapped to other international frameworks?

Yes, SAMA CSF conceptually aligns with international frameworks like NIST CSF, ISO 27001, PCI-DSS, and BASEL, enabling control mappings for integrated compliance. Its domains mirror NIST functions (Identify, Protect, Detect, Respond, Recover), with ISO 27001's ISMS supporting governance and risk processes; sector-specific controls (e.g., payment systems) add tailored requirements, but mappings reduce duplication via GRC tools.

What is the first step to begin implementing SAMA CSF?

The first step is securing Board and senior management sponsorship, establishing a Cyber Security Committee, and conducting a gap analysis against SAMA CSF controls and maturity model. Form a program team (CISO-led), inventory assets, perform initial self-assessment to baseline maturity (target Level 3+), and produce a gap register to prioritize remediation.

Standards Comparison

EN 1090 vs SAMA CSF

EN 1090

Mandatory

2009

European standard for steel/aluminium structural execution and CE marking

SAMA CSF

Mandatory

2017

Saudi regulatory framework for financial cybersecurity.

Quick Verdict

EN 1090 ensures CE-marked structural steel/aluminium compliance for EU construction, while SAMA CSF mandates cybersecurity maturity for Saudi financial institutions. Fabricators adopt EN 1090 for market access; banks use SAMA CSF for regulatory resilience and threat defense.

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Enables mandatory CE marking via FPC certification
Risk-based Execution Classes (EXC1-4) scaling controls
Factory Production Control with notified body surveillance
Technical rules for welding, tolerances, corrosion protection
Declaration of Performance for structural components

Cybersecurity

SAMA CSF

SAMA Cyber Security Framework Version 1.0

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Six-level maturity model with Level 3 baseline
Four domains including third-party cybersecurity
Principle-based controls across 114+ subcontrols
Board oversight and independent CISO mandate
Alignment with NIST, ISO 27001, PCI-DSS

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1/2/3) for execution and conformity assessment of steel and aluminium structural components under the Construction Products Regulation (CPR). It enables CE marking through a risk-based framework scaling requirements via Execution Classes (EXC1-4).

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by notified bodies.
**EN 1090-2/3Technical rules for steel/aluminium (welding per ISO 3834, tolerances, corrosion protection, NDT).
Core: Traceability, personnel qualification, Declaration of Performance (DoP), ongoing surveillance.

Why Organizations Use It

Mandatory for EU market access of load-bearing components.
Reduces liability, ensures safety via risk-proportional controls.
Builds trust, enables high-risk projects (bridges, stadia), competitive edge through certification.

Implementation Overview

Phased: gap analysis, FPC build, welding quals, NB certification (3-12 months). Applies to fabricators EU-wide; requires audits, training, digital traceability.

SAMA CSF Details

What It Is

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia, including banks, insurers, and finance companies. It adopts a principle-based, risk-oriented approach with a maturity model to ensure detection, resistance, response, and recovery from cyber threats, focusing on information assets' confidentiality, integrity, and availability.

Key Components

Four main **domainsCyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Cyber Security.
Numerous subdomains with principles, objectives, and control considerations (114+ subcontrols).
Six-level maturity model (0: Non-existent to 5: Adaptive), baseline at Level 3.
Aligned with NIST CSF, ISO 27001, PCI-DSS; self-assessment via questionnaire, SAMA audits.

Why Organizations Use It

Mandatory compliance avoids fines, audits, operational halts.
Enhances resilience, efficiency, reduces incidents; strategic edge in partnerships.
Builds stakeholder trust, supports Vision 2030 digital growth.

Implementation Overview

**Phased roadmapInitiation/gap analysis, risk assessment, design/deployment, operate/audit.
Applies to all sizes in Saudi finance; iterative self-assessments, no external certification.

Key Differences

Aspect	EN 1090	SAMA CSF
Scope	Execution and conformity of steel/aluminium structures	Cybersecurity governance, risk, operations, third-party
Industry	Construction, fabrication (EU/EEA)	Financial sector (Saudi Arabia only)
Nature	Harmonized technical standard, CE marking mandatory	Mandatory regulatory framework, maturity-based compliance
Testing	FPC certification, notified body audits/surveillance	Self-assessments, SAMA audits, maturity level reviews
Penalties	Market exclusion, no CE marking, legal liability	Fines, license suspension, supervisory actions

Scope

EN 1090

Execution and conformity of steel/aluminium structures

SAMA CSF

Cybersecurity governance, risk, operations, third-party

Industry

EN 1090

Construction, fabrication (EU/EEA)

SAMA CSF

Financial sector (Saudi Arabia only)

Nature

EN 1090

Harmonized technical standard, CE marking mandatory

SAMA CSF

Mandatory regulatory framework, maturity-based compliance

Testing

EN 1090

FPC certification, notified body audits/surveillance

SAMA CSF

Self-assessments, SAMA audits, maturity level reviews

Penalties

EN 1090

Market exclusion, no CE marking, legal liability

SAMA CSF

Fines, license suspension, supervisory actions

Frequently Asked Questions

Common questions about EN 1090 and SAMA CSF

EN 1090 FAQ

SAMA CSF FAQ

You Might also be Interested in These Articles...

Top 10 Cost-Saving Hacks for CMMC Compliance: Budgeting Blueprints for Small DIB Suppliers

Slash CMMC costs 30-50% with top 10 hacks for small DIB suppliers. Enclave scoping, FedRAMP clouds, automation, POA&M tips & budgeting blueprints for Level 2 co

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

CMMC Scoping Mastery for Defense Supply Chains: Enclave Mapping, Subcontractor Flow-Down, and CUI Inventory Blueprint

Master CMMC scoping for DIB: delineate FCI/CUI boundaries, segment enclaves, manage subcontractor flow-down. Prevent 80% assessment failures with SSP templates,

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and SAMA CSF compare against other standards

Other EN 1090 Comparisons

Other SAMA CSF Comparisons

What It Is

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification by notified bodies.

**EN 1090-2/3Technical rules for steel/aluminium (welding per ISO 3834, tolerances, corrosion protection, NDT).

Core: Traceability, personnel qualification, Declaration of Performance (DoP), ongoing surveillance.

What It Is

Key Components

Four main **domainsCyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Cyber Security.

Numerous subdomains with principles, objectives, and control considerations (114+ subcontrols).

Six-level maturity model (0: Non-existent to 5: Adaptive), baseline at Level 3.

Aligned with NIST CSF, ISO 27001, PCI-DSS; self-assessment via questionnaire, SAMA audits.

Aspect

EN 1090

SAMA CSF

Scope

Execution and conformity of steel/aluminium structures

Cybersecurity governance, risk, operations, third-party

Industry

Construction, fabrication (EU/EEA)

Financial sector (Saudi Arabia only)

Nature

Harmonized technical standard, CE marking mandatory

Mandatory regulatory framework, maturity-based compliance

Testing

FPC certification, notified body audits/surveillance

Self-assessments, SAMA audits, maturity level reviews

Penalties

Market exclusion, no CE marking, legal liability

Fines, license suspension, supervisory actions