What is the primary objective of **RoHS**?

**The primary objective of **RoHS** is to restrict hazardous substances in electrical and electronic equipment (EEE) to protect human health and the environment during waste management and recycling.** Directive 2011/65/EU (RoHS 2) limits ten substances—**lead (Pb)**, **mercury (Hg)**, **cadmium (Cd)**, **hexavalent chromium (Cr(VI))**, **PBB**, **PBDE**, **DEHP**, **BBP**, **DBP**, and **DIBP**—at maximum concentration values (**MCVs**) of **0.1%** by weight (1000 ppm) in homogeneous materials for most, and **0.01%** (100 ppm) for **Cd**. This supports recyclability under the parallel WEEE Directive by enabling safer substitution and reducing end-of-life risks.

Who is legally or professionally required to comply with **RoHS**?

**Manufacturers, importers, and distributors placing EEE on the EU market are legally required to comply with **RoHS**, alongside authorized representatives.** Scope covers all EEE categories in Annex I (e.g., household appliances, IT equipment, medical devices) unless explicitly excluded (Article 2(4), e.g., large-scale fixed installations, military equipment). Compliance demands technical documentation per EN IEC 63000:2018, EU Declaration of Conformity (**DoC**), and CE marking where applicable, with supply chain responsibilities for verifying homogeneous material compliance.

Does **RoHS** require an external audit or third-party certification?

**No, **RoHS** does not require external audits or third-party certification.** It follows a self-declaration model under the New Legislative Framework: manufacturers issue a **DoC** backed by a technical file (retained 10 years) demonstrating conformity via supplier declarations, risk assessments, and targeted testing (IEC 62321 series). Market surveillance by Member State authorities verifies compliance reactively.

How often should an assessment for **RoHS** be performed?

**RoHS assessments must be performed continuously as part of a dynamic compliance management system, with periodic re-verification tied to risk.** Initial assessment occurs before market placement; ongoing reviews cover supplier changes, exemption expiries (Annex III/IV, often 5-7 years), and delegated directive updates. Best practice: annual risk-based testing for high-risk materials (e.g., XRF screening quarterly for incoming lots).

What are the consequences of non-compliance with **RoHS**?

**Non-compliance with **RoHS** results in decentralized enforcement by Member State authorities, including product withdrawal, recalls, sales bans, and administrative fines.** Penalties vary by jurisdiction (e.g., up to €10 million or 10% turnover in some cases); no unified EU fines exist. Additional risks: customs seizures, CE marking revocation, reputational damage, and supply chain disruptions.

An **RoHS** be mapped to other international frameworks?

**Yes, **RoHS** can be mapped to frameworks like China RoHS 2, which aligns on core six substances but mandates labeling, E-PUP marking, and hazardous substance tables without EU-style exemptions.** California SB50 covers subsets (e.g., heavy metals in covered devices). Mappings aid global compliance but require adjustments for scope, thresholds, and documentation divergences.

What is the first step to begin implementing **RoHS**?

**The first step to implement **RoHS** is scoping products against Annex I categories and exclusions (Article 2(4)) to confirm applicability.** Develop a homogeneous material Bill of Materials (**BoM**), collect supplier declarations, and assemble a technical file per EN IEC 63000:2018, prioritizing high-risk materials for IEC 62321 testing.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain.** The 2022 edition provides a risk-based framework to identify, assess, and treat security risks across people, assets, goods, infrastructure, and information in supply-chain ecosystems. It follows the PDCA cycle and High Level Structure for systemic protection against threats like theft, sabotage, and disruptions.

Who is legally or professionally required to comply with **ISO 28000**?

**ISO 28000 is voluntary but becomes professionally required via contracts, tenders, or programs like customs facilitation.** It applies scalably to all organization sizes in logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers. C-suite (COO/CSO), supply-chain directors, security managers, and compliance officers must address it when supply-chain security is a strategic priority for risk reduction or market access.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 supports optional third-party certification via accredited bodies meeting ISO 28003 requirements.** Conformity can be verified internally or externally through audits, with certification involving Stage 1 (readiness) and Stage 2 (effectiveness) assessments, followed by surveillance audits. Certification by ANAB-accredited bodies enhances credibility for procurement and assurance.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires risk assessments to be maintained continuously, with formal reviews at planned intervals or upon changes.** Internal audits occur via a risk-based program, management reviews at least annually, and security risk reassessments yearly or triggered by supply-chain changes, incidents, or external factors like geopolitical shifts.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 exposes organizations to operational disruptions, financial losses, and reputational damage from supply-chain incidents.** Indirectly, it risks contract penalties, lost tenders, higher insurance premiums, regulatory scrutiny in high-risk sectors, and cascading outages from theft, sabotage, or fraud, without legal mandates but severe business impacts.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the High Level Structure, enabling mapping to ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001.** Shared PDCA cycles, risk processes (ISO 31000), and clauses support integrated management systems, reducing duplication in audits, documentation, and governance for quality, resilience, and information security.

What is the first step to begin implementing **ISO 28000**?

**The first step is securing executive sponsorship and conducting a diagnostic gap analysis.** Appoint a Senior Responsible Owner, map supply chains, review current controls against clauses, and produce a prioritized risk register and project charter to define scope, resources, and timeline.

RoHS vs ISO 28000

Standards Comparison

RoHS

Mandatory

2011

EU regulation restricting hazardous substances in EEE

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

RoHS restricts hazardous substances in EEE for EU market access, while ISO 28000 builds security management systems for supply chains. Companies adopt RoHS for legal compliance and recyclability; ISO 28000 for resilience, risk reduction, and stakeholder trust.

Hazardous Substances

RoHS

Directive 2011/65/EU (RoHS 2)

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Restricts 10 hazardous substances in homogeneous materials
Open-scope applies to all EEE unless excluded
Time-limited exemptions via delegated directives
Requires technical documentation and EU DoC
Tiered verification using IEC 62321 testing methods

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle for continual improvement and evaluation
Scalable to all organization sizes and industries
Integrates with ISO 9001, 27001, 22301 standards
Supplier governance and third-party risk controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

RoHS Details

What It Is

RoHS (Directive 2011/65/EU, recast as RoHS 2, amended by 2015/863) is an EU regulation restricting hazardous substances in electrical and electronic equipment (EEE) to protect health and environment during waste management. It uses an open-scope approach applying to all EEE unless excluded, with restrictions at homogeneous material level (0.1% w/w default, 0.01% for Cd).

Key Components

**10 restricted substancesPb, Hg, Cd, Cr(VI), PBB, PBDE, DEHP, BBP, DBP, DIBP.
**Annexes III/IV exemptionsTime-limited, application-specific allowances.
**Compliance modelTechnical documentation per EN IEC 63000, EU Declaration of Conformity (DoC), CE marking where applicable; tiered verification via IEC 62321 methods.

Why Organizations Use It

Ensures EU market access, reduces e-waste hazards alongside WEEE Directive, mitigates enforcement risks (fines, recalls). Drives supply chain governance, substitution innovation, ESG credibility, and recyclability for competitive edge.

Implementation Overview

Risk-based: Scope analysis, BoM mapping, supplier declarations, targeted testing (XRF screening, ICP-MS/GC-MS confirmation), technical files (10-year retention). Applies to manufacturers/importers of EEE globally selling to EU; no certification but audit-ready evidence for surveillance.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard titled Security and resilience — Security management systems — Requirements. It provides a risk-based framework for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain protection, covering people, assets, goods, infrastructure, and information.

Key Components

Core clauses: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement (aligned with ISO High Level Structure and PDCA cycle).
Emphasizes risk assessment, controls (physical, personnel, procedural), incident response, supplier governance.
No fixed controls; proportionate to risks.
Supports third-party certification via accredited bodies per ISO 28003.

Why Organizations Use It

Reduces disruptions, theft, sabotage; lowers insurance costs.
Meets contractual/regulatory demands (e.g., C-TPAT equivalents).
Enhances resilience, market access, trade facilitation.
Builds stakeholder trust, competitive edge in logistics, manufacturing.

Implementation Overview

Phased: Gap analysis, risk assessment, controls deployment, audits.
Scalable for SMEs to multinationals across industries.
6-36 months typical; requires training, documentation, continual improvement.

Key Differences

Aspect	RoHS	ISO 28000
Scope	Hazardous substances in EEE materials	Supply chain security management system
Industry	Electrical/electronic equipment manufacturers	Logistics, manufacturing, all supply chains
Nature	EU directive, mandatory market access	Voluntary ISO management standard
Testing	Material analysis (XRF, ICP-MS, GC-MS)	Internal/external audits, risk assessments
Penalties	Fines, recalls, market bans by states	Loss of certification, no legal penalties

Scope

RoHS

Hazardous substances in EEE materials

ISO 28000

Supply chain security management system

Industry

RoHS

Electrical/electronic equipment manufacturers

ISO 28000

Logistics, manufacturing, all supply chains

Nature

RoHS

EU directive, mandatory market access

ISO 28000

Voluntary ISO management standard

Testing

RoHS

Material analysis (XRF, ICP-MS, GC-MS)

ISO 28000

Internal/external audits, risk assessments

Penalties

RoHS

Fines, recalls, market bans by states

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about RoHS and ISO 28000

RoHS FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0: Key Enhancements and How They Address Evolving Cyber Threats

Explore NIST CSF 2.0 updates: Govern function, supply chain security, SME playbooks for ransomware & AI threats. Boost your cyber defenses now!

Real-World ISO 27701 Success: Synthesized Case Studies, Metrics, and Lessons for Privacy Resilience

Real-world ISO 27701 success from Tribeca, Kocho: DSAR efficiency gains, risk score reductions, certification ROI. Synthesized metrics prove privacy resilience

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

Translate CIS Controls v8.1 to cloud-native: Kubernetes patterns for IAM, logging, vuln mgmt, hardening on AWS, Azure, GCP + IaC. Practical playbook for teams.

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

BRC vs GRI

Compare BRC vs GRI: BRCGS ensures food safety via HACCP, audits & grading; GRI drives ESG impact reporting thru materiality & disclosures. Master compliance—read now!

CSA vs IATF 16949

Discover CSA vs IATF 16949: Compare OHS standards (Z1000/Z1002) with automotive QMS. Key gaps in risk, leadership & compliance. Boost your strategy now!

C-TPAT vs AS9110C

Compare C-TPAT vs AS9110C: CBP's trusted trader security for supply chains vs aerospace QMS for aviation maintenance. Key differences, benefits & strategies inside!

RoHS

ISO 28000

Quick Verdict

RoHS

Key Features

ISO 28000

Key Features

Detailed Analysis

RoHS Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

RoHS FAQ

What is the primary objective of RoHS?

Who is legally or professionally required to comply with RoHS?

Does RoHS require an external audit or third-party certification?

How often should an assessment for RoHS be performed?

What are the consequences of non-compliance with RoHS?

An RoHS be mapped to other international frameworks?

What is the first step to begin implementing RoHS?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

NIST CSF 2.0: Key Enhancements and How They Address Evolving Cyber Threats

Real-World ISO 27701 Success: Synthesized Case Studies, Metrics, and Lessons for Privacy Resilience

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

BRC vs GRI

CSA vs IATF 16949

C-TPAT vs AS9110C