What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for construction works. It regulates fabrication, assembly, material traceability, welding, tolerances, inspection, and corrosion protection to enable CE marking under the CPR, scaling requirements via Execution Classes (EXC1–EXC4) based on failure consequences, service conditions, and production complexity.

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EEA construction works must comply with EN 1090. This includes fabricators, steelwork contractors, and suppliers to projects like buildings, bridges, and stadia; CE marking is mandatory for market placement, with Notified Body oversight for FPC certification.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090 requires third-party certification of Factory Production Control (FPC) by a Notified Body under AVCP systems. This involves initial inspection, technical documentation review (including ITT/ITC), certificate issuance, and continuous surveillance audits to verify ongoing conformity and enable CE marking.

How often should an assessment for EN 1090 be performed?

EN 1090 assessments occur via initial certification followed by annual or periodic surveillance audits by the Notified Body. Frequency depends on Execution Class (EXC) and prior performance; internal audits are ongoing within FPC, with changes (e.g., processes, personnel) triggering re-assessments or notifications to the NB.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 results in inability to affix CE marking, market exclusion, certificate suspension/withdrawal, product recalls, fines, and liability for structural failures. Notified Bodies publicize suspensions; CPR enforcement includes legal actions, contractual penalties, and reputational damage from incidents like corrosion or weld failures.

Can EN 1090 be mapped to other international frameworks?

EN 1090 integrates with quality systems but maintains unique structural execution requirements. Its FPC can leverage existing management frameworks for overlap in documentation and audits, while welding controls align with specialized quality levels; however, EN 1090-specific EXC scaling and CPR conformity demand tailored adaptations.

What is the first step to begin implementing EN 1090?

The first step is conducting a gap analysis against EN 1090-1 FPC requirements and determining Execution Classes for product families. This includes scoping products for CE marking obligations, assessing current processes (traceability, welding, inspection), and appointing a Responsible Welding Coordinator before Notified Body engagement.

What is the primary objective of U.S. SEC Cybersecurity Rules?

U.S. SEC Cybersecurity Rules aim to standardize and accelerate disclosures of material cybersecurity incidents and risk management practices for public companies. Adopted in Release No. 33-11216, the rules enhance investor protection by requiring timely Form 8-K filings within four business days of materiality determination and annual Item 106 disclosures on governance and strategy in Form 10-K, promoting capital market efficiency amid rising cyber threats.

Who is legally or professionally required to comply with U.S. SEC Cybersecurity Rules?

All U.S. Exchange Act reporting companies, including domestic issuers, foreign private issuers, SRCs, and EGCs, must comply with U.S. SEC Cybersecurity Rules. This encompasses filers of Forms 10-K, 8-K, 20-F, and 6-K; business development companies are included, with compliance now mandatory for all entities including smaller reporting companies.

Does U.S. SEC Cybersecurity Rules require an external audit or third-party certification?

No, U.S. SEC Cybersecurity Rules do not mandate external audits or third-party certification. Compliance is demonstrated through public disclosures subject to SEC review and enforcement; organizations may use internal audits or frameworks like NIST CSF for process validation, but no formal certification is required.

How often should an assessment for U.S. SEC Cybersecurity Rules be performed?

Organizations should continuously assess cybersecurity risks and incidents under U.S. SEC Cybersecurity Rules, with annual disclosures in Form 10-K. Materiality determinations must occur without unreasonable delay post-discovery, supporting four-business-day 8-K filings; periodic reviews align with fiscal year-ends.

What are the consequences of non-compliance with U.S. SEC Cybersecurity Rules?

Non-compliance with U.S. SEC Cybersecurity Rules can result in SEC enforcement actions, civil penalties, injunctions, and shareholder litigation. Recent enforcement actions for misleading disclosures highlight risks under antifraud provisions; failures in disclosure controls may trigger Sarbanes-Oxley violations and reputational damage.

Can U.S. SEC Cybersecurity Rules be mapped to other international frameworks?

Yes, U.S. SEC Cybersecurity Rules processes can map to frameworks like NIST CSF 2.0, ISO 27001, and COSO ERM. Item 106 disclosures often reference these for risk management descriptions; NIST's Govern function aligns with board oversight, while Identify/Protect support third-party and incident processes.

What is the first step to begin implementing U.S. SEC Cybersecurity Rules?

The first step for implementing U.S. SEC Cybersecurity Rules is conducting a gap analysis of current disclosure processes against Items 1.05 and 106. Form a cross-functional team (CISO, legal, finance, IR) to map incident response, materiality frameworks, governance structures, and third-party oversight, prioritizing playbooks for four-day filings.

Standards Comparison

EN 1090 vs U.S. SEC Cybersecurity Rules

EN 1090

Mandatory

2009

European standard for execution of steel and aluminium structures

U.S. SEC Cybersecurity Rules

Mandatory

2023

U.S. SEC regulation for cybersecurity incident disclosures

Quick Verdict

EN 1090 mandates CE marking for structural steel/aluminium via FPC and execution classes in EU construction, while U.S. SEC rules require 4-day material cyber incident disclosure and annual governance reporting for public companies.

Structural Metalwork

EN 1090

EN 1090: Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4) scaling requirements
Factory Production Control (FPC) certification by Notified Body
CE marking for structural steel/aluminium components under CPR
Technical execution rules for steel (EN 1090-2) and aluminium (EN 1090-3)
Welding quality aligned with ISO 3834 levels by execution class

Capital Markets

U.S. SEC Cybersecurity Rules

Cybersecurity Risk Management, Strategy, Governance, Incident Disclosure

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Four-business-day material incident disclosure on Form 8-K
Annual risk management and governance in Item 106
Inline XBRL tagging for structured data comparability
Board oversight and management role disclosures
Third-party risk processes inclusion

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for the execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). Its primary purpose is to ensure controlled fabrication, assembly, and performance declaration for load-bearing components in construction works. It employs a risk-based approach via Execution Classes (EXC1–EXC4), linking consequence, service, and production categories to stringent requirements.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP), and CE marking.
**EN 1090-2/-3Technical rules for steel/aluminium execution (materials, welding, tolerances, corrosion protection, inspection/NDT).
Core principles: traceability, qualified welding (ISO 3834 alignment), and third-party certification by Notified Bodies.
Compliance model: AVCP systems with initial audits and ongoing surveillance.

Why Organizations Use It

EN 1090 enables market access via mandatory CE marking for EEA sales, reduces liability through traceability and quality controls, minimizes rework via risk-scaled assurance, and builds trust with specifiers/contractors. It drives capability for high-risk projects (e.g., bridges, stadia).

Implementation Overview

Phased approach: gap analysis, FPC development, personnel qualification (e.g., welding coordinators), ITT/ITC, Notified Body certification, and surveillance. Applies to fabricators of structural components; scales with size/EXC; requires certified FPC for CE marking.

U.S. SEC Cybersecurity Rules Details

What It Is

U.S. SEC Cybersecurity Rules (Release No. 33-11216) is a federal regulation mandating standardized disclosures for public companies. It requires timely reporting of material cybersecurity incidents and annual updates on risk management, strategy, and governance. The approach is materiality-based, aligned with securities law principles.

Key Components

**Form 8-K Item 1.05Four-business-day disclosure of material incidents' nature, scope, timing, and impacts.
**Regulation S-K Item 106Annual descriptions of risk processes, board oversight, and management's role.
Inline XBRL tagging for structured data.
Applies to all Exchange Act registrants, including FPIs via Forms 6-K and 20-F.

Why Organizations Use It

Enhances investor protection through uniform, timely information. Meets legal obligations for public filers, reduces information asymmetry, improves capital market efficiency, and strengthens governance amid rising cyber threats.

Implementation Overview

Fully effective for all registrants. Involves gap analysis, disclosure playbooks, cross-functional committees, third-party risk integration, and XBRL readiness. Targets all public companies; no certification but SEC enforcement applies.

Key Differences

Aspect	EN 1090	U.S. SEC Cybersecurity Rules
Scope	Execution and conformity of steel/aluminium structures	Cybersecurity incident disclosure and governance
Industry	Construction, steel/aluminium fabrication (EU/EEA)	All public companies (U.S. SEC registrants)
Nature	Harmonized technical standard under CPR (mandatory CE marking)	Mandatory SEC disclosure regulation
Testing	FPC certification, audits by notified bodies, execution class testing	Materiality assessment, Inline XBRL tagging, no external certification
Penalties	Market exclusion, no CE marking, legal liability	SEC enforcement, fines, civil penalties

Scope

EN 1090

Execution and conformity of steel/aluminium structures

U.S. SEC Cybersecurity Rules

Cybersecurity incident disclosure and governance

Industry

EN 1090

Construction, steel/aluminium fabrication (EU/EEA)

U.S. SEC Cybersecurity Rules

All public companies (U.S. SEC registrants)

Nature

EN 1090

Harmonized technical standard under CPR (mandatory CE marking)

U.S. SEC Cybersecurity Rules

Mandatory SEC disclosure regulation

Testing

EN 1090

FPC certification, audits by notified bodies, execution class testing

U.S. SEC Cybersecurity Rules

Materiality assessment, Inline XBRL tagging, no external certification

Penalties

EN 1090

Market exclusion, no CE marking, legal liability

U.S. SEC Cybersecurity Rules

SEC enforcement, fines, civil penalties

Frequently Asked Questions

Common questions about EN 1090 and U.S. SEC Cybersecurity Rules

EN 1090 FAQ

U.S. SEC Cybersecurity Rules FAQ

You Might also be Interested in These Articles...

TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates with 2025 ENX Podcast Breakdown

Practical TISAX tabletop scripts for EV battery suppliers facing 'Very High' ASLP. Download ransomware AAR templates, get 2024 ENX lessons & 2025 podcast on VDA

From Hygiene to Governance: How to Scale Cyber Essentials into a Full ISO 27001 ISMS in 2026

Discover how to scale Cyber Essentials into a full ISO 27001 ISMS in 2026. Reuse evidence, map controls, meet DORA & NIS2 rules and win enterprise contracts.

SOC 2 Audit Survival Guide: First 5 Steps to Ace Your Type 2 Audit with Infographic

Ace your SOC 2 Type 2 audit with the first 5 essential steps: evidence collection, auditor tips, red flags from SignWell's experience. Get checklists & infograp

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EN 1090 and U.S. SEC Cybersecurity Rules compare against other standards

Other EN 1090 Comparisons

Other U.S. SEC Cybersecurity Rules Comparisons

What It Is

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP), and CE marking.

**EN 1090-2/-3Technical rules for steel/aluminium execution (materials, welding, tolerances, corrosion protection, inspection/NDT).

Core principles: traceability, qualified welding (ISO 3834 alignment), and third-party certification by Notified Bodies.

Compliance model: AVCP systems with initial audits and ongoing surveillance.

What It Is

Key Components

**Form 8-K Item 1.05Four-business-day disclosure of material incidents' nature, scope, timing, and impacts.

**Regulation S-K Item 106Annual descriptions of risk processes, board oversight, and management's role.

Inline XBRL tagging for structured data.

Applies to all Exchange Act registrants, including FPIs via Forms 6-K and 20-F.

Aspect

EN 1090

U.S. SEC Cybersecurity Rules

Scope

Execution and conformity of steel/aluminium structures

Cybersecurity incident disclosure and governance

Industry

Construction, steel/aluminium fabrication (EU/EEA)

All public companies (U.S. SEC registrants)

Nature

Harmonized technical standard under CPR (mandatory CE marking)

Mandatory SEC disclosure regulation

Testing

FPC certification, audits by notified bodies, execution class testing

Materiality assessment, Inline XBRL tagging, no external certification

Penalties

Market exclusion, no CE marking, legal liability

SEC enforcement, fines, civil penalties