What is the primary objective of **NIST CSF**?

**The primary objective of NIST CSF is to provide organizations with a voluntary, risk-based approach to manage and reduce cybersecurity risks.** Developed under the Cybersecurity Enhancement Act of 2014, it offers a flexible framework consisting of the Core (Functions, Categories, Subcategories), Implementation Tiers (Partial to Adaptive), and Profiles (Current vs. Target) to align cybersecurity with business objectives, foster common language for stakeholders, and enable gap analysis for continuous improvement. CSF 2.0 (February 2024) adds the **Govern** function to emphasize organizational context, policies, oversight, and supply chain risk management.

Who is legally or professionally required to comply with **NIST CSF**?

**NIST CSF is voluntary for private sector organizations but mandatory for U.S. federal agencies and contractors per OMB memo M-17-25 (2017).** It applies to organizations of any size or sector seeking to demonstrate due care, with widespread adoption (>70% of mid-size enterprises mapping controls). Critical infrastructure sectors (16 defined by PPD-21) were the original focus, but CSF 2.0 broadens applicability globally without legal mandates outside federal contexts.

Does **NIST CSF** require an external audit or third-party certification?

**No, NIST CSF does not require external audits or third-party certification; self-attestation via Profiles and Tiers suffices.** NIST provides no formal endorsements, emphasizing practical risk reduction through internal assessments. Organizations may opt for third-party gap analyses, but the framework's non-prescriptive nature relies on self-reported Current and Target Profiles.

How often should an assessment for **NIST CSF** be performed?

**NIST CSF assessments should be performed continuously, with formal Current and Target Profile reviews at least annually or after significant changes.** Tiers (especially Tier 4 Adaptive) promote ongoing monitoring, lessons learned integration, and adaptation to evolving threats, supported by CSF 2.0's emphasis on real-time measurement and supply chain updates.

What are the consequences of non-compliance with **NIST CSF**?

**There are no direct legal penalties for non-compliance with NIST CSF as it is voluntary, but failure to align may increase cyber insurance premiums, litigation risks, and loss of federal contracts.** For mandated entities like U.S. agencies, non-alignment violates FISMA requirements; broadly, it exposes organizations to unmitigated risks, with surveys showing Tier 1 (Partial) correlating to higher breach probabilities.

An **NIST CSF** be mapped to other international frameworks?

**Yes, NIST CSF subcategories (112 in CSF 2.0) map directly to standards like CIS Controls, NIST SP 800-53, and COBIT via NIST-provided spreadsheets.** The framework's informative references enable flexible overlays, with CSF 2.0 enhancing alignments through plain-English outcomes and Community Profiles for sector-specific adaptations.

What is the first step to begin implementing **NIST CSF**?

**The first step to implement NIST CSF is to create a Current Profile documenting existing cybersecurity activities against the Framework Core's six Functions (Govern, Identify, Protect, Detect, Respond, Recover).** Use NIST's free Quick Start Guides to assess Tiers, identify gaps to a Target Profile, and prioritize actions based on risk tolerance.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of steel and aluminium structural components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** (conformity assessment via Factory Production Control, FPC), **EN 1090-2** (steel execution requirements like welding, tolerances, traceability), and **EN 1090-3** (aluminium equivalents). Risk scales via **Execution Classes (EXC1–EXC4)**, linking consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2) to controls on welding (ISO 3834 alignment), NDT, and material traceability.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium components and kits for permanent construction works in the EEA must comply with EN 1090 for CE marking.** This includes fabricators, steelwork contractors, and suppliers of structural elements like beams, trusses, bridges, and building frames. **Notified Bodies** certify FPC; non-compliance bars market access.

Oes **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates third-party certification of Factory Production Control (FPC) by a Notified Body under AVCP systems.** This involves initial inspection, ITT/ITC review, certificate issuance, and ongoing surveillance audits to verify constancy of performance, enabling legal CE marking and Declaration of Performance (DoP).

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial Notified Body certification followed by continuous surveillance audits, typically annually.** Frequency scales with **Execution Class (EXC)** per EN 1090-1 Table B.3; higher EXC (e.g., EXC4) demands more intensive monitoring. Internal audits maintain FPC; changes trigger re-assessments.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents CE marking, blocking EEA market access and risking product withdrawal, fines, and liability under CPR.** Notified Bodies suspend/withdraw FPC certificates for major non-conformities, publicizing status; structural failures expose manufacturers to civil claims, recalls, and bans.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 (welding quality), ISO 9001 (QMS base for FPC), and Eurocodes (design).** FPC leverages these for efficiency; welding coordination aligns with ISO 14731, but EN 1090 remains the harmonized CPR route for CE marking structural metals.

What is the first step to begin implementing **EN 1090**?

**Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Class (EXC) for product families.** Assess materials, welding, traceability, and appoint a Responsible Welding Coordinator (rWC); default to **EXC2** if unspecified, then engage a Notified Body.

NIST CSF vs EN 1090

Standards Comparison

NIST CSF

Voluntary

2024

Voluntary framework for managing cybersecurity risks organization-wide

EN 1090

Mandatory

2009

EU standards for execution and CE marking of steel/aluminium structures

Quick Verdict

NIST CSF provides voluntary cybersecurity risk management for all organizations worldwide, while EN 1090 mandates CE marking and FPC for EU structural steel/aluminium fabricators. Companies adopt NIST for flexible risk reduction; EN 1090 for legal market access.

Cybersecurity

NIST CSF

NIST Cybersecurity Framework Version 2.0

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Six core functions including new Govern for lifecycle coverage
Four Implementation Tiers assessing risk management maturity
Current and Target Profiles enabling gap analysis
Common language fostering stakeholder communication
Flexible mappings to standards like ISO 27001

Structural Metalwork

EN 1090

EN 1090: Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Factory Production Control (FPC) certification
CE marking and Declaration of Performance
Welding quality management via ISO 3834
Material traceability and NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIST CSF Details

What It Is

NIST Cybersecurity Framework (CSF) 2.0 is a voluntary, risk-based guideline developed by NIST for managing cybersecurity risks. It provides organizations a flexible structure to identify, protect, detect, respond, recover, and govern cyber risks across any size or sector.

Key Components

**Six Core FunctionsGovern (new), Identify, Protect, Detect, Respond, Recover.
**Framework CoreOrganized into Functions, 22 Categories, 112 Subcategories with informative references to standards like ISO 27001.
**Implementation TiersFour levels (Partial to Adaptive) for maturity assessment.
**ProfilesCurrent vs. Target for gap analysis. No formal certification; self-attestation used.

Why Organizations Use It

Enhances risk prioritization, stakeholder communication, supply chain management. Demonstrates due care, supports compliance (mandatory for U.S. federal), builds trust, elevates cybersecurity to board level.

Implementation Overview

Create Profiles, assess Tiers, map to existing controls. Quick starts via tools/guides; scalable for SMEs to enterprises globally. Focuses on outcomes, not prescriptions; ongoing via continuous monitoring.

EN 1090 Details

What It Is

EN 1090 is a family of European harmonized standards—EN 1090-1 for conformity assessment, EN 1090-2 for steel structures, and EN 1090-3 for aluminium—under the EU Construction Products Regulation (CPR). It governs fabrication, assembly, and CE marking of load-bearing structural components and kits for construction works. Adopts a risk-based methodology via Execution Classes (EXC1-4), scaling requirements by failure consequences, service conditions, and production complexity.

Key Components

**Factory Production Control (FPC)Certified system for traceability, inspection, and processes.
**Execution ClassesMatrix from consequence/service/production categories.
**Technical requirementsWelding (ISO 3834), tolerances, corrosion protection, NDT.
**Conformity modelNB certification, ITT/ITC, DoP, ongoing surveillance.

Why Organizations Use It

Mandatory for EU/EEA market access and CE marking.
Mitigates liability, ensures consistent quality.
Enables high-risk projects (EXC3/4), builds stakeholder trust.
Drives efficiency, reduces rework, enhances competitiveness.

Implementation Overview

Phased approach: gap analysis, FPC development, personnel/welding qualification, NB audits. Targets fabricators in construction; 3-12 months typical. Requires certified FPC and surveillance. (178 words)

Key Differences

Aspect	NIST CSF	EN 1090
Scope	Cybersecurity risk management across organizations	Execution of steel/aluminium structural components
Industry	All sectors worldwide, any size	Construction/structural fabrication, EU/EEA market
Nature	Voluntary risk framework, no certification	Harmonized standard, mandatory CE marking
Testing	Self-assessment via Profiles/Tiers	Notified Body FPC certification/surveillance audits
Penalties	No legal penalties, reputational risk	Market exclusion, fines, certificate suspension

Scope

NIST CSF

Cybersecurity risk management across organizations

EN 1090

Execution of steel/aluminium structural components

Industry

NIST CSF

All sectors worldwide, any size

EN 1090

Construction/structural fabrication, EU/EEA market

Nature

NIST CSF

Voluntary risk framework, no certification

EN 1090

Harmonized standard, mandatory CE marking

Testing

NIST CSF

Self-assessment via Profiles/Tiers

EN 1090

Notified Body FPC certification/surveillance audits

Penalties

NIST CSF

No legal penalties, reputational risk

EN 1090

Market exclusion, fines, certificate suspension

Frequently Asked Questions

Common questions about NIST CSF and EN 1090

NIST CSF FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Thailand PDPA Implementation Guide: Subordinate Regulations for 72-Hour Breach Reporting and Cross-Border Transfers (2022-2024 Rules)

Step-by-step Thailand PDPA guide: 72-hour breach notifications, cross-border transfers (2022-2024 rules). Risk checklists, GDPR templates avoid THB 5M fines. Mu

CMMC Level 2 Implementation Guide for Small DIB Contractors: First 5 Steps to C3PAO Certification with Infographic

Actionable CMMC Level 2 guide for small DIB contractors: 5-step roadmap to C3PAO certification with infographic on timelines, costs & POA&Ms. Achieve DoD compli

Asset-Backed Issuers and SEC Cybersecurity Rules: Applicability, Disclosures, and Compliance Roadmap

How SEC cybersecurity rules apply to asset-backed issuers (ABS): Form 10-D disclosures, ABS-EE risk management, Inline XBRL tagging, exemptions. Roadmap for tru

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

EMAS vs MAS TRM

EMAS vs MAS TRM: Compare EU's eco-management scheme with Singapore's tech risk guidelines. Key differences in governance, compliance & strategy for global leaders. Dive in!

ITIL vs ISO 27701

Compare ITIL vs ISO 27701: ITSM excellence meets privacy governance. Align services with business via SVS & 34 practices, extend to PIMS controls. Choose wisely!

PRINCE2 vs IEC 62443

PRINCE2 vs IEC 62443: PRINCE2's 7 principles, practices & processes ensure governed project success; IEC 62443's zones, SLs secure IACS. Compare for optimal strategy!

NIST CSF

EN 1090

Quick Verdict

NIST CSF

Key Features

EN 1090

Key Features

Detailed Analysis

NIST CSF Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

NIST CSF FAQ

What is the primary objective of NIST CSF?

Who is legally or professionally required to comply with NIST CSF?

Does NIST CSF require an external audit or third-party certification?

How often should an assessment for NIST CSF be performed?

What are the consequences of non-compliance with NIST CSF?

An NIST CSF be mapped to other international frameworks?

What is the first step to begin implementing NIST CSF?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Oes EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

An EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

Thailand PDPA Implementation Guide: Subordinate Regulations for 72-Hour Breach Reporting and Cross-Border Transfers (2022-2024 Rules)

CMMC Level 2 Implementation Guide for Small DIB Contractors: First 5 Steps to C3PAO Certification with Infographic

Asset-Backed Issuers and SEC Cybersecurity Rules: Applicability, Disclosures, and Compliance Roadmap

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

EMAS vs MAS TRM

ITIL vs ISO 27701

PRINCE2 vs IEC 62443