What is the primary objective of **REACH**?

**The primary objective of REACH is to ensure a high level of protection of human health and the environment from chemical risks while enhancing EU chemicals industry innovation and competitiveness.** Under **Regulation (EC) No 1907/2006**, it shifts responsibility to industry for registering substances manufactured or imported above **1 tonne per year per legal entity**, generating data on hazards, exposure, and safe use via dossiers submitted to **ECHA**. This enables evaluation, authorisation of **SVHCs** on **Annex XIV**, and restrictions on **Annex XVII** to phase out unacceptable risks and promote non-animal testing methods.

Who is legally or professionally required to comply with **REACH**?

**REACH legally requires manufacturers, importers, downstream users, and distributors placing substances, mixtures, or certain articles on the EU/EEA market to comply.** Obligations trigger for substances exceeding **1 tonne/year per legal entity**; non-EU manufacturers appoint an **Only Representative**. Downstream users must implement exposure scenarios from **eSDS** (Annex II), notify uses if uncovered, and respond to **Article 33** SVHC inquiries within **45 days**. Article producers notify ECHA under **Article 7(2)** if SVHCs exceed **0.1% w/w** and **1 tonne/year**.

Does **REACH** require an external audit or third-party certification?

**No, REACH does not require external audits or third-party certification.** It imposes continuous obligations like dossier submission to **ECHA** via **REACH-IT**, updates for new data, and national enforcement inspections. **ECHA** conducts dossier evaluations (Articles 40-42), while Member States handle substance evaluations (Articles 44-48) and penalties under **Article 126**, which must be "effective, proportionate, and dissuasive."

How often should an assessment for **REACH** be performed?

**REACH assessments must be performed continuously as a living obligation, with updates triggered by events like tonnage changes, new hazards, or list amendments.** Registrants update dossiers upon significant new information; monitor **Candidate List** (biannual updates), **Annex XIV** sunset dates, and **Annex XVII** restrictions. Annual tonnage reviews ensure >**1 tonne/year** thresholds; **Chemical Safety Reports** (for ≥**10 tonnes/year**) require exposure scenario conformity checks.

What are the consequences of non-compliance with **REACH**?

**Non-compliance with REACH results in penalties set by Member States, which must be effective, proportionate, and dissuasive per Article 126.** These include administrative fines, product seizures, market withdrawal, and potential criminal sanctions. Enforcement via national authorities and **ECHA’s Forum** targets unregistered substances (>1 tpa), missing SVHC notifications (**Article 33**), or ignored restrictions (**Annex XVII**), leading to market exclusion.

Can **REACH** be mapped to other international frameworks?

**REACH cannot be directly mapped as a standalone certification scheme but aligns conceptually with global chemicals regimes through shared data and hazard principles.** Its IUCLID dossiers and **CSR** elements support mutual recognition under agreements like the TCA, though UK REACH requires separate submissions post-Brexit.

What is the first step to begin implementing **REACH**?

**The first step to implement REACH is to conduct a substance inventory identifying all chemicals manufactured or imported ≥1 tonne/year per legal entity.** Map tonnages, roles (manufacturer/importer/downstream), and screen against **ECHA** lists (**Candidate List**, **Annexes XIV/XVII**) to prioritize registrations and notifications.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security.** The 2022 edition provides a risk-based framework to identify, assess, and treat security risks across supply chains, protecting people, assets, goods, infrastructure, and information through PDCA cycles, leadership commitment, operational controls, performance evaluation, and continual improvement.

Who is legally or professionally required to comply with **ISO 28000**?

**ISO 28000 is voluntary with no universal legal mandate but becomes professionally required via contracts, tenders, or programs like customs facilitation.** It applies scalably to all organization sizes in logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers, where supply-chain security is a priority for C-suite, supply-chain directors, security managers, and compliance officers facing contractual or reputational drivers.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 conformity can be verified internally or externally but third-party certification is optional via accredited bodies per ISO 28003.** Certification involves Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance audits for three years, ensuring SMS effectiveness through ANAB-accredited Certification Bodies.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires risk assessments to be maintained continuously, with internal audits at planned intervals and management reviews at least annually.** Reassessments occur on major changes (e.g., new suppliers, threats), using risk-based scheduling; performance monitoring via KPIs like incident rates is ongoing.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 risks operational disruptions, financial losses from incidents, higher insurance premiums, contract penalties, and reputational damage.** As a voluntary standard, it leads to lost market access, failed tenders, regulatory scrutiny in high-risk sectors, and cascading supply-chain outages from theft, sabotage, or fraud.

Can **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the High Level Structure for integration with ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001.** Common elements include PDCA, risk management (ISO 31000), leadership, and audits, enabling shared processes, unified risk registers, and combined surveillance for efficiency.

What is the first step to begin implementing **ISO 28000**?

**The first step is executive commitment via a project charter defining scope, appointing a Senior Responsible Owner, and conducting supply-chain mapping.** Follow with gap analysis against clauses (context, leadership, planning) to baseline risks, produce a prioritized roadmap, and secure resources (6-12 weeks).

REACH vs ISO 28000

Standards Comparison

REACH

Mandatory

2007

EU regulation for chemical registration, evaluation, authorisation, restriction

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

REACH mandates chemical risk management for EU market access, requiring registration and restrictions. ISO 28000 provides voluntary security framework for resilient supply chains. Companies adopt REACH for compliance, ISO 28000 for certification and risk reduction.

Chemical Safety

REACH

Regulation (EC) No 1907/2006 (REACH)

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Shifts burden to industry for chemical registration >1 tonne/year
Authorisation regime for SVHCs driving substitution post-sunset
EU-wide restrictions via Annex XVII for unacceptable risks
Dual evaluation by ECHA and Member States
Mandatory SVHC communication in articles >0.1% w/w

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle with ISO High Level Structure alignment
Comprehensive third-party and supplier governance
Integrated incident response and recovery plans
Scalable for all organization sizes and sectors

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

REACH Details

What It Is

REACH (Regulation (EC) No 1907/2006) is a directly applicable EU regulation establishing a comprehensive framework for managing chemical risks. It shifts responsibility to industry for registration, evaluation, authorisation, and restriction of chemicals, covering substances, mixtures, and certain articles to protect health and environment while promoting innovation.

Key Components

Four pillars: Registration (>1 tonne/year dossiers), Evaluation (dossier/substance checks), Authorisation (Annex XIV SVHCs), Restriction (Annex XVII bans/limits).
17 technical annexes detailing data requirements, SDS rules, exemptions.
Built on risk-based assessments, tonnage bands, supply-chain communication.
No certification; compliance enforced nationally with ECHA coordination.

Why Organizations Use It

Legal obligation for EU market access; avoids fines, seizures, market bans. Enhances risk management, substitution innovation, supply-chain transparency. Builds stakeholder trust, supports ESG, ensures continuity amid evolving lists (Candidate List, Annexes).

Implementation Overview

Phased: gap analysis, substance inventory, dossiers via IUCLID/REACH-IT, SDS management, monitoring. Applies to manufacturers/importers/downstream users across sectors; ongoing audits, no central certification but national enforcement readiness essential.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard titled Security and resilience — Security management systems — Requirements. It provides a risk-based framework for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain protection against threats like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 follow ISO High Level Structure (HLS) and PDCA cycle.
Core areas: context analysis, leadership, risk assessment, operations, performance evaluation, improvement.
Emphasizes supply chain mapping, third-party controls, incident response.
Supports third-party certification via accredited bodies per ISO 28003.

Why Organizations Use It

Mitigates operational risks, reduces incident costs, enables trade facilitation.
Meets contractual/regulatory expectations (e.g., C-TPAT equivalents).
Builds stakeholder trust, competitive edge in procurement.
Integrates with ISO 27001, ISO 22301 for efficiency.

Implementation Overview

Phased approach: gap analysis, risk assessment, control deployment, audits.
Scalable for SMEs to multinationals in logistics, manufacturing, etc.
Involves training, supplier engagement; certification optional but common.

Key Differences

Aspect	REACH	ISO 28000
Scope	Chemicals registration, evaluation, authorisation, restriction	Supply chain security management system
Industry	Chemicals, manufacturing, importers EU-wide	Logistics, manufacturing, all sectors globally
Nature	Mandatory EU regulation with penalties	Voluntary ISO certification standard
Testing	Dossier submission, ECHA evaluation	Internal audits, certification body audits
Penalties	Fines, market bans by Member States	Loss of certification, no legal penalties

Scope

REACH

Chemicals registration, evaluation, authorisation, restriction

ISO 28000

Supply chain security management system

Industry

REACH

Chemicals, manufacturing, importers EU-wide

ISO 28000

Logistics, manufacturing, all sectors globally

Nature

REACH

Mandatory EU regulation with penalties

ISO 28000

Voluntary ISO certification standard

Testing

REACH

Dossier submission, ECHA evaluation

ISO 28000

Internal audits, certification body audits

Penalties

REACH

Fines, market bans by Member States

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about REACH and ISO 28000

REACH FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CMMC Scoping Mastery for Defense Supply Chains: Enclave Mapping, Subcontractor Flow-Down, and CUI Inventory Blueprint

Master CMMC scoping for DIB: delineate FCI/CUI boundaries, segment enclaves, manage subcontractor flow-down. Prevent 80% assessment failures with SSP templates,

NIST CSF 2.0 Implementation Tiers Roadmap: Step-by-Step Guide from Partial to Adaptive Cybersecurity Maturity

Master NIST CSF 2.0 Implementation Tiers with a step-by-step roadmap. Assess your tier, build gap analyses, and advance from Partial (Tier 1) to Adaptive (Tier

SOC 2 Audit Survival Guide: Auditor Questions, Red Flags, and Evidence Prep for First-Time Pass

Ace your SOC 2 audit with predicted auditor questions, model answers, red flags, and evidence checklists from CPA best practices & SignWell's journey. Reduce st

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 37001 vs ISO 28000

Compare ISO 37001 vs ISO 28000: Anti-bribery systems vs supply chain security. Key differences, benefits & implementation for compliance. Find your best fit now!

GMP vs PIPEDA

Discover GMP vs PIPEDA: Pharma manufacturing standards meet Canada's privacy law. Unlock compliance strategies, risk insights. Expert comparison awaits!

CSA vs ISO 56002

Compare CSA (Z1000/Z1002 OHS) vs ISO 56002 innovation systems. Uncover PDCA alignment, leadership, risk mgmt & implementation for safety & growth. Boost compliance now!

REACH

ISO 28000

Quick Verdict

REACH

Key Features

ISO 28000

Key Features

Detailed Analysis

REACH Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

REACH FAQ

What is the primary objective of REACH?

Who is legally or professionally required to comply with REACH?

Does REACH require an external audit or third-party certification?

How often should an assessment for REACH be performed?

What are the consequences of non-compliance with REACH?

Can REACH be mapped to other international frameworks?

What is the first step to begin implementing REACH?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

Can ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

CMMC Scoping Mastery for Defense Supply Chains: Enclave Mapping, Subcontractor Flow-Down, and CUI Inventory Blueprint

NIST CSF 2.0 Implementation Tiers Roadmap: Step-by-Step Guide from Partial to Adaptive Cybersecurity Maturity

SOC 2 Audit Survival Guide: Auditor Questions, Red Flags, and Evidence Prep for First-Time Pass

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 37001 vs ISO 28000

GMP vs PIPEDA

CSA vs ISO 56002