EN 1090
European standard for execution of steel and aluminium structures
U.S. SEC Cybersecurity Rules
U.S. SEC regulation for cybersecurity incident disclosures
Quick Verdict
EN 1090 mandates CE marking for structural steel/aluminium via FPC and execution classes in EU construction, while U.S. SEC rules require 4-day material cyber incident disclosure and annual governance reporting for public companies.
EN 1090
EN 1090: Execution of steel and aluminium structures
Key Features
- Risk-based Execution Classes (EXC1-EXC4) scaling requirements
- Factory Production Control (FPC) certification by Notified Body
- CE marking for structural steel/aluminium components under CPR
- Technical execution rules for steel (EN 1090-2) and aluminium (EN 1090-3)
- Welding quality aligned with ISO 3834 levels by execution class
U.S. SEC Cybersecurity Rules
Cybersecurity Risk Management, Strategy, Governance, Incident Disclosure
Key Features
- Four-business-day material incident disclosure on Form 8-K
- Annual risk management and governance in Item 106
- Inline XBRL tagging for structured data comparability
- Board oversight and management role disclosures
- Third-party risk processes inclusion
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EN 1090 Details
What It Is
EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for the execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). Its primary purpose is to ensure controlled fabrication, assembly, and performance declaration for load-bearing components in construction works. It employs a risk-based approach via Execution Classes (EXC1–EXC4), linking consequence, service, and production categories to increasingly stringent requirements.
Key Components
- **EN 1090-1:** Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP), and CE marking.
- **EN 1090-2/-3:** Technical rules for steel/aluminium execution (materials, welding, tolerances, corrosion protection, inspection/NDT).
- Core principles: traceability, qualified welding (ISO 3834 alignment), and third-party certification by Notified Bodies.
- Compliance model: AVCP systems with initial audits and ongoing surveillance.
Why Organizations Use It
EN 1090 enables market access via mandatory CE marking for EEA sales, reduces liability through traceability and quality controls, minimizes rework via risk-scaled assurance, and builds trust with specifiers/contractors. It drives capability for high-risk projects (e.g., bridges, stadia).
Implementation Overview
Phased approach: gap analysis, FPC development, personnel qualification (e.g., welding coordinators), ITT/ITC, Notified Body certification, and surveillance. Applies to fabricators of structural components; scales with size/EXC; requires certified FPC for CE marking.
U.S. SEC Cybersecurity Rules Details
What It Is
The U.S. SEC Cybersecurity Rules (Release No. 33-11216) are a federal regulation mandating standardized disclosures for public companies. They require timely reporting of material cybersecurity incidents and annual updates on risk management, strategy, and governance. The approach is materiality-based, aligned with securities law principles.
Key Components
- **Form 8-K Item 1.05:** Four-business-day disclosure of material incidents' nature, scope, timing, and impacts.
- **Regulation S-K Item 106:** Annual descriptions of risk processes, board oversight, and management's role.
- Inline XBRL tagging for structured data.
- Applies to all Exchange Act registrants, including FPIs via Forms 6-K and 20-F.
Why Organizations Use It
Enhances investor protection through uniform, timely information. Meets legal obligations for public filers, reduces information asymmetry, improves capital market efficiency, and strengthens governance amid rising cyber threats.
Implementation Overview
Phased rollout: incident reporting from Dec 2023 (smaller reporting companies, SRCs, from June 2024); annual disclosures from fiscal years ending Dec 2023. Involves gap analysis, disclosure playbooks, cross-functional committees, third-party risk integration, and XBRL readiness. Targets all public companies; there is no certification, but SEC enforcement applies.
Key Differences
| Aspect | EN 1090 | U.S. SEC Cybersecurity Rules |
|---|---|---|
| Scope | Execution and conformity of steel/aluminium structures | Cybersecurity incident disclosure and governance |
| Industry | Construction, steel/aluminium fabrication (EU/EEA) | All public companies (U.S. SEC registrants) |
| Nature | Harmonized technical standard under CPR (mandatory CE marking) | Mandatory SEC disclosure regulation |
| Testing | FPC certification, audits by notified bodies, execution class testing | Materiality assessment, Inline XBRL tagging, no external certification |
| Penalties | Market exclusion, no CE marking, legal liability | SEC enforcement, fines, civil penalties |