What is the primary objective of **NIS2**?

**The primary objective of **NIS2** is to establish a high common level of cybersecurity and resilience across EU member states by strengthening critical infrastructure and digital services against cyber threats.** It expands upon the original NIS Directive through a size-cap rule applying to medium and large entities in sectors like energy, transport, health, digital infrastructure, postal services, waste management, and food production, mandating risk management, incident reporting, supply chain security, and cross-border cooperation.

Who is legally or professionally required to comply with **NIS2**?

**NIS2 applies to all medium-sized and large entities classified as 'essential' or 'important' within specified EU sectors.** Essential entities typically have 250+ employees, €50M+ annual turnover, or €43M+ balance sheet; important entities have 50+ employees, €10M+ annual turnover, or €10M+ balance sheet. Criticality can override size if an entity is a sole provider of essential services; sectors include energy (electricity, oil, gas, district heating), transport, manufacturing, cloud computing, and public administration. EU member states transpose by October 17, 2024, with national variations.

Does **NIS2** require an external audit or third-party certification?

**NIS2 does not mandate external audits or third-party certification but empowers national authorities for spot checks and real-time evidence demands.** Compliance shifts to continuous assurance via dynamic risk registers, OT/IT asset inventories, and verifiable controls, with registration to central authorities providing entity details like name, sector, and operating states. Authorities like CSIRTs oversee enforcement, focusing on proactive risk management over periodic certifications.

How often should an assessment for **NIS2** be performed?

**NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with quarterly updates to dynamic risk registers recommended for compliance.** Entities must maintain live risk management covering supply chain security, vulnerability mitigation, and incident response, enabling real-time evidence for spot checks. This supports multi-stage incident reporting—early warning within 24 hours, detailed report within 72 hours, final report within one month—to national CSIRTs.

What are the consequences of non-compliance with **NIS2**?

**Non-compliance with NIS2 incurs fines up to €10 million or 2% of total global annual turnover for essential entities, and €7 million or 1.4% for important entities.** Senior management faces personal liability, potential business suspension, and enforcement via national authorities conducting spot checks. Measures took effect October 18, 2024, post-transposition, emphasizing board-level accountability for risk management failures.

An **NIS2** be mapped to other international frameworks?

**Yes, EU member states incorporate standards like ISO 27001 and NIST CSF into national NIS2 frameworks to support compliance.** This mapping aids implementation of required risk management, supply chain security, and incident handling, though national variations exist due to differing transposition deadlines and scopes.

What is the first step to begin implementing **NIS2**?

**The first step for NIS2 implementation is to determine applicability by assessing entity size, sector, and criticality against the size-cap rule.** Conduct a gap analysis of current risk management, register with national authorities providing details like organization name and operating states, then develop continuous measures including risk assessments, incident reporting procedures, and supply chain oversight.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of steel and aluminium structural components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** (conformity assessment via Factory Production Control, FPC), **EN 1090-2** (steel execution requirements like welding, tolerances, and inspection), and **EN 1090-3** (aluminium equivalents). Risk-based **Execution Classes (EXC1–EXC4)** scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium components and kits for permanent incorporation in construction works must comply with EN 1090 to apply CE marking.** This includes fabricators, steelwork contractors, and suppliers to EU/EEA markets, covering sectors like buildings, bridges, and stadia. Non-structural or non-metallic elements are excluded; scope hinges on CPR harmonization.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the FPC system by a Notified Body via AVCP systems (e.g., 2+), including initial inspection and ongoing surveillance audits.** Notified Bodies like TÜV SÜD or DNV perform factory audits, review technical documentation (ITT/ITC), and issue certificates enabling Declaration of Performance (DoP) and CE marking.

How often should an assessment for **EN 1090** be performed?

**FPC surveillance audits by Notified Bodies occur annually or per EN 1090-1 Table B.3, scaled by Execution Class and prior performance.** Initial certification follows factory inspection; subsequent audits verify ongoing constancy of performance, with frequencies increasing for higher EXC3/EXC4. Internal audits are continuous via FPC procedures.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents CE marking, blocking EEA market access and risking product withdrawal, fines, or certificate suspension by Notified Bodies.** CPR enforcement includes recalls, civil liability for failures, and public NB notifications of suspensions due to major non-conformities like poor traceability or unauthorized changes.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality (level per EXC), but no formal mappings to unrelated international frameworks are defined.** It aligns with Eurocodes for design and requires ISO 9606 welder qualifications; FPC often builds on ISO 9001, but compliance is standalone under CPR.

What is the first step to begin implementing **EN 1090**?

**Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Class (EXC) for product families using CC/SC/PC matrix.** Default to EXC2 if unspecified; appoint a Responsible Welding Coordinator and engage a Notified Body early for scope confirmation.

NIS2 vs EN 1090

Standards Comparison

NIS2

Mandatory

2022

EU directive strengthening cybersecurity for critical infrastructure sectors

EN 1090

Mandatory

2009

EU standard for execution of steel and aluminium structures

Quick Verdict

NIS2 mandates cybersecurity resilience for EU essential entities via risk management and reporting, while EN 1090 requires certified FPC and CE marking for structural metal fabricators. Companies adopt NIS2 for regulatory compliance and threat mitigation; EN 1090 for market access and quality assurance.

Cybersecurity

NIS2

Directive (EU) 2022/2555 (NIS2)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Size-cap rule covers medium/large entities in expanded sectors
Strict incident reporting with 24h early warning, 72h notification
Direct senior management accountability for cybersecurity compliance
Continuous risk management including supply chain security measures
Fines up to 2% global annual turnover for non-compliance

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Factory Production Control (FPC) certification required
Execution Classes (EXC1-4) scale risk-based requirements
CE marking for EU market access
Welding coordination per ISO 3834
Full material and process traceability

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

NIS2 Directive (Directive (EU) 2022/2555) is an EU regulation expanding the original NIS Directive's scope to enhance cybersecurity resilience across member states. It targets essential and important entities in critical sectors like energy, transport, health, and digital services, using a risk-based approach for risk management, incident handling, and governance.

Key Components

**Risk managementContinuous assessments, supply chain security, access controls, encryption.
**Incident reporting24-hour early warnings, 72-hour notifications, one-month final reports to CSIRTs.
**Corporate accountabilitySenior management and boards directly liable.
**Business continuityResilience plans and recovery procedures. Incorporates standards like ISO 27001, NIST CSF; enforced via audits and spot checks.

Why Organizations Use It

Mandatory for in-scope entities to avoid fines up to €10M or 2% global turnover.
Reduces cyber risks, ensures service continuity.
Builds trust with stakeholders, regulators.
Enables proactive resilience amid evolving threats.

Implementation Overview

Applies to medium/large entities (50+ employees, €10M+ turnover) EU-wide. Involves gap analysis, policy updates, training, registration by Oct 2024. Tailor to national transpositions; ongoing monitoring required.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family for the execution and conformity assessment of structural steel and aluminium components. It supports CE marking under the Construction Products Regulation (CPR). The primary purpose is ensuring safe fabrication, assembly, and market placement of load-bearing metal structures. It uses a risk-based approach via Execution Classes (EXC1–EXC4) scaling requirements by failure consequences.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), and Declaration of Performance (DoP).
**EN 1090-2/-3Technical rules for steel/aluminium execution (welding, tolerances, corrosion protection).
Core areas: traceability, welding (ISO 3834), inspection/NDT, tolerances.
AVCP systems with Notified Body certification and surveillance.

Why Organizations Use It

Mandated for EU market access; reduces liability, ensures quality. Benefits: risk mitigation, rework reduction, market credibility. Builds stakeholder trust via certified FPC and CE marking.

Implementation Overview

Phased: gap analysis, FPC build, welding qualification, NB certification. Applies to fabricators in construction; 3–12 months typical. Requires audits, training for EXC capability.

Key Differences

Aspect	NIS2	EN 1090
Scope	Cybersecurity risk management, incident reporting	Structural steel/aluminium fabrication, conformity
Industry	Essential/important entities across EU sectors	Steel/aluminium structural component manufacturers
Nature	Mandatory EU directive, national transposition	Harmonized standard under CPR, CE marking
Testing	Risk assessments, incident simulations	FPC certification, NDT, surveillance audits
Penalties	Up to 2% global turnover fines	Market exclusion, certificate suspension

Scope

NIS2

Cybersecurity risk management, incident reporting

EN 1090

Structural steel/aluminium fabrication, conformity

Industry

NIS2

Essential/important entities across EU sectors

EN 1090

Steel/aluminium structural component manufacturers

Nature

NIS2

Mandatory EU directive, national transposition

EN 1090

Harmonized standard under CPR, CE marking

Testing

NIS2

Risk assessments, incident simulations

EN 1090

FPC certification, NDT, surveillance audits

Penalties

NIS2

Up to 2% global turnover fines

EN 1090

Market exclusion, certificate suspension

Frequently Asked Questions

Common questions about NIS2 and EN 1090

NIS2 FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

Discover NIST 800-53 ROI in private sector: control families like RA, SI, SR reduce median breach costs from $100K to under $50K. Get benchmarks to prioritize i

You Guide on how to Start Implementing NIS2 in Your Organization

Master NIS2 implementation with our detailed guide. Learn requirements, risk assessment, supply chain security, and compliance steps for your organization. Star

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Uncover top 5 unseen complexities modern compliance software manages effortlessly—from sensitive data mapping to real-time regulatory shifts. Automate audits, i

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 37001 vs ISO 17025

Compare ISO 37001 vs ISO 17025: Anti-bribery ABMS (37001) for ethical risk control vs lab competence (17025) for precise testing. Uncover scopes, benefits & paths to certification. Dive in!

ISO 27032 vs AS9120B

ISO 27032 vs AS9120B: Compare cybersecurity Internet guidelines with aerospace distributor QMS. Key differences in scope, risks, compliance & implementation. Boost resilience—explore now!

CMMC vs LEED

CMMC vs LEED: Compare DoD cybersecurity tiers (NIST-based) with green building points system. Key differences, costs, strategies & implementation for dual compliance success.

NIS2

EN 1090

Quick Verdict

NIS2

Key Features

EN 1090

Key Features

Detailed Analysis

NIS2 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

NIS2 FAQ

What is the primary objective of NIS2?

Who is legally or professionally required to comply with NIS2?

Does NIS2 require an external audit or third-party certification?

How often should an assessment for NIS2 be performed?

What are the consequences of non-compliance with NIS2?

An NIS2 be mapped to other international frameworks?

What is the first step to begin implementing NIS2?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

An EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

You Guide on how to Start Implementing NIS2 in Your Organization

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 37001 vs ISO 17025

ISO 27032 vs AS9120B

CMMC vs LEED