What is the primary objective of RoHS?

The primary objective of RoHS is to restrict hazardous substances in electrical and electronic equipment (EEE) to protect human health and the environment during waste management and recycling. Directive 2011/65/EU (RoHS 2) limits ten substances—lead (Pb), mercury (Hg), cadmium (Cd), hexavalent chromium (Cr(VI)), PBB, PBDE, DEHP, BBP, DBP, and DIBP—at maximum concentration values (MCVs) of 0.1% by weight (1000 ppm) in homogeneous materials for most, and 0.01% (100 ppm) for Cd. This supports recyclability under the parallel WEEE Directive by enabling safer substitution and reducing end-of-life risks.

Who is legally or professionally required to comply with RoHS?

Manufacturers, importers, and distributors placing EEE on the EU market are legally required to comply with RoHS, alongside authorized representatives. Scope covers all EEE categories in Annex I (e.g., household appliances, IT equipment, medical devices) unless explicitly excluded (Article 2(4), e.g., large-scale fixed installations, military equipment). Compliance demands technical documentation per EN IEC 63000:2018, EU Declaration of Conformity (DoC), and CE marking where applicable, with supply chain responsibilities for verifying homogeneous material compliance.

Does RoHS require an external audit or third-party certification?

No, RoHS does not require external audits or third-party certification. It follows a self-declaration model under the New Legislative Framework: manufacturers issue a DoC backed by a technical file (retained 10 years) demonstrating conformity via supplier declarations, risk assessments, and targeted testing (IEC 62321 series). Market surveillance by Member State authorities verifies compliance reactively.

How often should an assessment for RoHS be performed?

RoHS assessments must be performed continuously as part of a dynamic compliance management system, with periodic re-verification tied to risk. Initial assessment occurs before market placement; ongoing reviews cover supplier changes, exemption expiries (Annex III/IV, often 5-7 years), and delegated directive updates. Best practice: annual risk-based testing for high-risk materials (e.g., XRF screening quarterly for incoming lots).

What are the consequences of non-compliance with RoHS?

Non-compliance with RoHS results in decentralized enforcement by Member State authorities, including product withdrawal, recalls, sales bans, and administrative fines. Penalties vary by jurisdiction (e.g., up to €10 million or 10% turnover in some cases); no unified EU fines exist. Additional risks: customs seizures, CE marking revocation, reputational damage, and supply chain disruptions.

Can RoHS be mapped to other international frameworks?

Yes, RoHS can be mapped to frameworks like China RoHS 2, which aligns on core six substances but mandates labeling, E-PUP marking, and hazardous substance tables without EU-style exemptions. California SB50 covers subsets (e.g., heavy metals in covered devices). Mappings aid global compliance but require adjustments for scope, thresholds, and documentation divergences.

What is the first step to begin implementing RoHS?

The first step to implement RoHS is scoping products against Annex I categories and exclusions (Article 2(4)) to confirm applicability. Develop a homogeneous material Bill of Materials (BoM), collect supplier declarations, and assemble a technical file per EN IEC 63000:2018, prioritizing high-risk materials for IEC 62321 testing.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain. The 2022 edition provides a risk-based framework to identify, assess, and treat security risks across people, assets, goods, infrastructure, and information in supply-chain ecosystems. It follows the PDCA cycle and High Level Structure for systemic protection against threats like theft, sabotage, and disruptions.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary but becomes professionally required via contracts, tenders, or programs like customs facilitation. It applies scalably to all organization sizes in logistics, manufacturing, retail, pharmaceuticals, energy, ports, and 3PL/4PL providers. C-suite (COO/CSO), supply-chain directors, security managers, and compliance officers must address it when supply-chain security is a strategic priority for risk reduction or market access.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 supports optional third-party certification via accredited bodies meeting ISO/IEC 17021-1 requirements. Conformity can be verified internally or externally through audits, with certification involving Stage 1 (readiness) and Stage 2 (effectiveness) assessments, followed by surveillance audits. Certification by ANAB-accredited bodies enhances credibility for procurement and assurance.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained continuously, with formal reviews at planned intervals or upon changes. Internal audits occur via a risk-based program, management reviews at least annually, and security risk reassessments yearly or triggered by supply-chain changes, incidents, or external factors like geopolitical shifts.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 exposes organizations to operational disruptions, financial losses, and reputational damage from supply-chain incidents. Indirectly, it risks contract penalties, lost tenders, higher insurance premiums, regulatory scrutiny in high-risk sectors, and cascading outages from theft, sabotage, or fraud, without legal mandates but severe business impacts.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the High Level Structure, enabling mapping to ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001. Shared PDCA cycles, risk processes (ISO 31000), and clauses support integrated management systems, reducing duplication in audits, documentation, and governance for quality, resilience, and information security.

What is the first step to begin implementing ISO 28000?

The first step is securing executive sponsorship and conducting a diagnostic gap analysis. Appoint a Senior Responsible Owner, map supply chains, review current controls against clauses, and produce a prioritized risk register and project charter to define scope, resources, and timeline.

Standards Comparison

RoHS vs ISO 28000

RoHS

Mandatory

2011

EU directive restricting hazardous substances in EEE

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

RoHS restricts hazardous substances in EEE for EU market access, while ISO 28000 builds security management systems for supply chains. Companies adopt RoHS for legal compliance and recyclability; ISO 28000 for resilience, risk reduction, and stakeholder trust.

Hazardous Substances

RoHS

Directive 2011/65/EU (RoHS 2)

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Restricts 10 hazardous substances in homogeneous materials
Open-scope applies to all EEE unless excluded
Time-limited exemptions via delegated directives
Requires technical documentation and EU DoC
Tiered verification using IEC 62321 testing methods

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle for continual improvement and evaluation
Scalable to all organization sizes and industries
Integrates with ISO 9001, 27001, 22301 standards
Supplier governance and third-party risk controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

RoHS Details

What It Is

RoHS (Directive 2011/65/EU, recast as RoHS 2, amended by 2015/863) is an EU directive restricting hazardous substances in electrical and electronic equipment (EEE) to protect health and environment during waste management. It uses an open-scope approach applying to all EEE unless excluded, with restrictions at homogeneous material level (0.1% w/w default, 0.01% for Cd).

Key Components

10 restricted substances: Pb, Hg, Cd, Cr(VI), PBB, PBDE, DEHP, BBP, DBP, DIBP.
Annexes III/IV exemptions: Time-limited, application-specific allowances.
Compliance model: Technical documentation per EN IEC 63000, EU Declaration of Conformity (DoC), CE marking where applicable; tiered verification via IEC 62321 methods.

Why Organizations Use It

Ensures EU market access, reduces e-waste hazards alongside WEEE Directive, mitigates enforcement risks (fines, recalls). Drives supply chain governance, substitution innovation, ESG credibility, and recyclability for competitive edge.

Implementation Overview

Risk-based: Scope analysis, BoM mapping, supplier declarations, targeted testing (XRF screening, ICP-MS/GC-MS confirmation), technical files (10-year retention). Applies to manufacturers/importers of EEE globally selling to EU; no certification but audit-ready evidence for surveillance.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard titled Security and resilience — Security management systems — Requirements. It provides a risk-based framework for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain protection, covering people, assets, goods, infrastructure, and information.

Key Components

Core clauses: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement (aligned with ISO High Level Structure and PDCA cycle).
Emphasizes risk assessment, controls (physical, personnel, procedural), incident response, supplier governance.
No fixed controls; proportionate to risks.
Supports third-party certification via accredited bodies per ISO/IEC 17021-1.

Why Organizations Use It

Reduces disruptions, theft, sabotage; lowers insurance costs.
Meets contractual/regulatory demands (e.g., C-TPAT equivalents).
Enhances resilience, market access, trade facilitation.
Builds stakeholder trust, competitive edge in logistics, manufacturing.

Implementation Overview

Phased: Gap analysis, risk assessment, controls deployment, audits.
Scalable for SMEs to multinationals across industries.
6-36 months typical; requires training, documentation, continual improvement.

Key Differences

Aspect	RoHS	ISO 28000
Scope	Hazardous substances in EEE materials	Supply chain security management system
Industry	Electrical/electronic equipment manufacturers	Logistics, manufacturing, all supply chains
Nature	EU directive, mandatory market access	Voluntary ISO management standard
Testing	Material analysis (XRF, ICP-MS, GC-MS)	Internal/external audits, risk assessments
Penalties	Fines, recalls, market bans by states	Loss of certification, no legal penalties

Scope

RoHS

Hazardous substances in EEE materials

ISO 28000

Supply chain security management system

Industry

RoHS

Electrical/electronic equipment manufacturers

ISO 28000

Logistics, manufacturing, all supply chains

Nature

RoHS

EU directive, mandatory market access

ISO 28000

Voluntary ISO management standard

Testing

RoHS

Material analysis (XRF, ICP-MS, GC-MS)

ISO 28000

Internal/external audits, risk assessments

Penalties

RoHS

Fines, recalls, market bans by states

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about RoHS and ISO 28000

RoHS FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Beyond the Boardroom: 5 Ways Modern Compliance Software Elevates Every Department

Discover 5 ways modern compliance software boosts HR, IT, finance & more: automate risks, enhance efficiency, ensure data integrity, stay audit-ready. Elevate y

SOC 2 for Fintech Startups: First 5 Steps to Compliance with Confidentiality Criterion Infographic

First 5 steps to SOC 2 compliance with Confidentiality for fintech SaaS. Infographic maps controls to risks like encryption & TPRM. Integrates GLBA/PCI DSS over

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how RoHS and ISO 28000 compare against other standards

Other RoHS Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

10 restricted substances: Pb, Hg, Cd, Cr(VI), PBB, PBDE, DEHP, BBP, DBP, DIBP.

Annexes III/IV exemptions: Time-limited, application-specific allowances.

Compliance model: Technical documentation per EN IEC 63000, EU Declaration of Conformity (DoC), CE marking where applicable; tiered verification via IEC 62321 methods.

What It Is

Key Components

Core clauses: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement (aligned with ISO High Level Structure and PDCA cycle).

Emphasizes risk assessment, controls (physical, personnel, procedural), incident response, supplier governance.

No fixed controls; proportionate to risks.

Supports third-party certification via accredited bodies per ISO/IEC 17021-1.

Aspect

RoHS

ISO 28000

Scope

Hazardous substances in EEE materials

Supply chain security management system

Industry

Electrical/electronic equipment manufacturers

Logistics, manufacturing, all supply chains

Nature

EU directive, mandatory market access

Voluntary ISO management standard

Testing

Material analysis (XRF, ICP-MS, GC-MS)

Internal/external audits, risk assessments

Penalties

Fines, recalls, market bans by states

Loss of certification, no legal penalties