What is the primary objective of **IEC 62443**?

**IEC 62443 defines requirements and processes for implementing and maintaining cybersecurity in Industrial Automation and Control Systems (IACS).** The series establishes a shared-responsibility framework across asset owners, system integrators, and product suppliers, using zones/conduits for segmentation, security levels (SL 0–4), and foundational requirements (FR 1–7) to address OT constraints like availability and long lifecycles.

Who is legally or professionally required to comply with **IEC 62443**?

**IEC 62443 applies to asset owners, system integrators/service providers, and product suppliers managing IACS cybersecurity.** Asset owners establish programs per **IEC 62443-2-1**; integrators meet system requirements (**IEC 62443-3-3**); suppliers adhere to secure development (**IEC 62443-4-1**) and component requirements (**IEC 62443-4-2**). It is professionally required in critical sectors like energy and manufacturing for risk management and procurement.

Does **IEC 62443** require an external audit or third-party certification?

**IEC 62443 does not mandate external audits but supports them via ISASecure certifications.** Schemes include SDLA (**IEC 62443-4-1** processes, ML1–ML4), CSA (**IEC 62443-4-2** components), and SSA (**IEC 62443-3-3** systems), with accredited bodies ensuring conformance through multi-stage audits, surveillance, and re-certification.

How often should an assessment for **IEC 62443** be performed?

**IEC 62443 assessments should occur during initial implementation, major changes, and periodically per CSMS continuous improvement.** **IEC 62443-3-2** risk assessments (zones/conduits, SL-T) are repeated for system redesigns; **IEC 62443-2-1** maturity (ML1–ML4) reviews align with annual surveillance audits and triennial re-assessments.

What are the consequences of non-compliance with **IEC 62443**?

**Non-compliance with IEC 62443 exposes organizations to operational disruptions, safety incidents, and regulatory penalties in critical infrastructure.** It risks production downtime, supply chain failures, and loss of insurance/market access, as the horizontal standard is referenced in policies requiring IACS security baselines.

Can **IEC 62443** be mapped to other international frameworks?

**Yes, IEC 62443 maps to frameworks like ISO/IEC 27001 via aligned concepts in governance and controls.** The **IEC 62443-2-1:2024** update provides explicit mappings from Security Program Elements (SPE) to system requirements (**IEC 62443-3-3**) and component requirements (**IEC 62443-4-2**), enabling traceability.

What is the first step to begin implementing **IEC 62443**?

**The first step is establishing an IACS security program per IEC 62443-2-1, including CSMS governance and asset inventory.** Define the System Under Consideration (SUC), conduct initial risk assessment (**IEC 62443-3-2**), and produce a gap heatmap against ~127 requirements for maturity assessment (ML1–ML4).

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity (Factory Production Control, FPC, and Declaration of Performance, DoP), **EN 1090-2** for steel technical requirements (welding, tolerances, inspection), and **EN 1090-3** for aluminium. Risk-based **Execution Classes (EXC1–EXC4)** scale controls via consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent construction works in the EEA must comply with EN 1090 for CE marking.** This includes fabricators, welding shops, and suppliers of components like beams, trusses, stairs, and bridges. **Notified Bodies** certify FPC; non-compliance bars market access. Applies to EXC1–EXC4 products; defaults to **EXC2** if unspecified.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates third-party certification of Factory Production Control (FPC) by a Notified Body under AVCP systems.** Process includes initial inspection, type testing/calculation (ITT/ITC), FPC certification, and ongoing surveillance audits. Certification enables CE marking and DoP issuance; surveillance verifies continued performance constancy.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial Notified Body assessment followed by continuous surveillance audits, typically annually.** Frequency per EN 1090-1 Table B.3 scales with Execution Class (EXC); higher EXC (e.g., EXC4) demands more frequent/intense audits. Internal FPC audits are ongoing; changes (e.g., processes, rWC) trigger re-assessments.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents CE marking, blocking EEA market access and risking CPR enforcement.** Outcomes include product withdrawal, FPC certificate suspension/withdrawal by Notified Bodies, fines, liability for failures, and reputational damage. Major non-conformities (e.g., traceability gaps) lead to public notices and sales halts.

Can **EN 1090** be mapped to other international frameworks?

**No, EN 1090 FAQs must stand alone without mapping to other frameworks per topical authority guidelines.** Focus remains on its unique CPR harmonization for structural metal execution and conformity.

What is the first step to begin implementing **EN 1090**?

**The first step is to determine product scope and Execution Class (EXC1–EXC4) via consequence class (CC), service category (SC), and production category (PC) matrix.** Conduct gap analysis of current FPC against EN 1090-1, appoint Responsible Welding Coordinator (rWC), and engage a Notified Body early.

IEC 62443 vs EN 1090

Standards Comparison

IEC 62443

Voluntary

2018

International standard for IACS cybersecurity frameworks

EN 1090

Mandatory

2009

EU standard for steel and aluminium structures execution

Quick Verdict

IEC 62443 secures industrial control systems via risk-based cybersecurity frameworks globally, while EN 1090 mandates CE marking for structural steel/aluminium in EU construction through FPC and execution classes. Companies adopt IEC for OT resilience, EN 1090 for legal market access.

Industrial Cybersecurity

IEC 62443

IEC 62443: Security for industrial automation systems

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based zones and conduits segmentation model
Security levels SL-T, SL-C, SL-A triad
Shared responsibility across asset owners, integrators, suppliers
Seven foundational requirements FR1-FR7 taxonomy
ISASecure modular certifications for components, systems

Structural Metalwork

EN 1090

EN 1090: Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Certified Factory Production Control (FPC)
CE marking under CPR for market access
ISO 3834-aligned welding quality management
Full material and process traceability

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

IEC 62443 Details

What It Is

IEC 62443 is the ISA/IEC series of consensus-based standards for securing Industrial Automation and Control Systems (IACS). It provides a comprehensive, risk-based framework spanning governance, risk assessment, system architecture, and component requirements tailored to OT environments.

Key Components

Four groupings: General (-1), Policies (-2), System (-3), Components (-4).
Seven foundational requirements (FR1-7) like identification, integrity, restricted flows.
Zones/conduits model and security levels (SL 0-4) with SL-T, SL-C, SL-A.
ISASecure certifications (SDLA, CSA, SSA) for modular conformance.

Why Organizations Use It

Mitigates OT-specific risks to safety, availability, production.
Enables shared responsibility, supply chain assurance.
Supports regulatory compliance, insurance benefits, procurement standards.
Builds stakeholder trust via certified maturity levels.

Implementation Overview

Phased: governance (2-1 CSMS), risk assessment (3-2), controls (3-3/4-2), certification.
Applies to asset owners, integrators, suppliers across industries.
Requires OT-aware audits, training; multi-year for full maturity.

EN 1090 Details

What It Is

EN 1090 is the European harmonized standard family (EN 1090-1, -2, -3) for execution and conformity assessment of steel and aluminium structural components. It implements the EU Construction Products Regulation (CPR), enabling CE marking. Primary purpose: ensure safe fabrication via risk-based Execution Classes (EXC1-EXC4) scaling requirements for welding, inspection, and traceability.

Key Components

**EN 1090-1FPC certification, AVCP, DoP, Notified Body oversight.
**EN 1090-2/-3Technical rules for steel/aluminium (materials, joining, tolerances, corrosion). Built on ISO 3834 for welding; ~100+ clauses with certification model.

Why Organizations Use It

Mandatory for EU/EEA market access and CE marking.
Mitigates liability, reduces rework via disciplined processes.
Wins tenders, builds stakeholder trust; strategic for fabricators.

Implementation Overview

Phased: gap analysis, FPC development, training, NB audits (3-12 months). Targets steel/aluminium fabricators in Europe; requires ongoing surveillance.

Key Differences

Aspect	IEC 62443	EN 1090
Scope	IACS cybersecurity lifecycle, zones, security levels	Steel/aluminium structural fabrication, conformity assessment
Industry	Industrial automation, OT sectors globally	Construction, structural engineering in EU/EEA
Nature	Voluntary consensus framework, certifications	Mandatory harmonized standard for CE marking
Testing	Risk assessments, SL-T/C/A verification, ISASecure	FPC audits, ITT/ITC, NB surveillance inspections
Penalties	Loss of certification, supply chain exclusion	Market exclusion, fines, legal liability under CPR

Scope

IEC 62443

IACS cybersecurity lifecycle, zones, security levels

EN 1090

Steel/aluminium structural fabrication, conformity assessment

Industry

IEC 62443

Industrial automation, OT sectors globally

EN 1090

Construction, structural engineering in EU/EEA

Nature

IEC 62443

Voluntary consensus framework, certifications

EN 1090

Mandatory harmonized standard for CE marking

Testing

IEC 62443

Risk assessments, SL-T/C/A verification, ISASecure

EN 1090

FPC audits, ITT/ITC, NB surveillance inspections

Penalties

IEC 62443

Loss of certification, supply chain exclusion

EN 1090

Market exclusion, fines, legal liability under CPR

Frequently Asked Questions

Common questions about IEC 62443 and EN 1090

IEC 62443 FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

ISO 27701 Standalone Certification in 2025: Debunking Myths and Navigating the New Reality

Debunk myths on ISO 27701 standalone certification post-2025. Clarify viability, accreditation bodies, ISO 27001 audit differences & procurement benefits. Guide

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

Discover 5 ways modern compliance software turns evolving regulations into strategic advantage. Automate monitoring, cut 3x non-compliance costs, stay audit-rea

CMMC Sustainment Mastery: Continuous Monitoring, Annual Affirmations, and Subcontractor Flow-Down Playbook

Master CMMC sustainment beyond certification: continuous monitoring dashboards, SPRS/eMASS affirmations, enforceable subcontractor clauses. Get templates for ve

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

WEEE vs NERC CIP

Unlock WEEE vs NERC CIP: EU e-waste directive meets US grid cyber standards. Compare scopes, compliance strategies & targets for global ops success today!

ISO 27001 vs AS9110C

Compare ISO 27001 vs AS9110C: Info security mastery meets aerospace QMS rigor. Uncover key differences in risk, controls & compliance for resilience. Explore now!

NIST CSF vs AS9100

Compare NIST CSF vs AS9100: How NIST's flexible cyber framework aligns with AS9100's aerospace quality rigor for superior risk management. Boost compliance—discover now!

IEC 62443

EN 1090

Quick Verdict

IEC 62443

Key Features

EN 1090

Key Features

Detailed Analysis

IEC 62443 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

IEC 62443 FAQ

What is the primary objective of IEC 62443?

Who is legally or professionally required to comply with IEC 62443?

Does IEC 62443 require an external audit or third-party certification?

How often should an assessment for IEC 62443 be performed?

What are the consequences of non-compliance with IEC 62443?

Can IEC 62443 be mapped to other international frameworks?

What is the first step to begin implementing IEC 62443?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

ISO 27701 Standalone Certification in 2025: Debunking Myths and Navigating the New Reality

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

CMMC Sustainment Mastery: Continuous Monitoring, Annual Affirmations, and Subcontractor Flow-Down Playbook

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

WEEE vs NERC CIP

ISO 27001 vs AS9110C

NIST CSF vs AS9100