RKEG: Taking a Holistic View of Resilience

Climate change and geopolitical crises pose major challenges to critical infrastructure and public services. Natural disasters, terrorist attacks, cyberattacks, and acts of physical sabotage – such as the recent incident in Italy where a power line to a pumping station for an oil pipeline essential to Austria was cut – demonstrate the strong interdependence and significant vulnerability of the system.

In response to this threat landscape, the EU developed the Directive on the Resilience of Critical Entities (CER Directive) to ensure that essential services continue to function even during crises or disasters. In Austria, the Critical Entities Resilience Act (RKEG) entered into force on March 1st, 2026, followed on April 15th by the Critical Entities Resilience Regulation (RKEV), under which the Federal Ministry of the Interior (BMI) specifies which entities require special protection and what obligations they must fulfill.

A Holistic Security Regime as an Asset

NIS2 focuses on cybersecurity, while the RKEG also addresses physical security, structural protective measures, organizational preparedness, crisis management, and recovery capabilities. Together, these two pieces of legislation encourage operators of critical infrastructure to further develop resilience as a holistically organized security framework and to systematically ensure their ability to withstand disruptions and crises.

Fundamental violations of the RKEG may lead to fines of up to EUR 50,000; with repeat offenses, penalties may rise to EUR 100,000, and in serious cases up to EUR 500,000. Fines should not be the sole reason for compliance, however. Organizations themselves benefit from implementation: the RKEG provides a holistic view of risks and dependencies, offers management a clear basis for decision-making, supports efficient implementation of regulatory requirements, strengthens crisis resilience, and enables compliance that can be demonstrated to authorities.

The Countdown Is On

The Ministry of the Interior is currently identifying approximately 500 to 600 entities that are indispensable for public services, particularly where they fulfill essential supply functions, operate critical infrastructure, and are of significant relevance to society. The sectors affected include energy, healthcare, food, banking, financial markets, transport, space, drinking water, wastewater, digital infrastructure, and public administration.

Companies and organizations will receive official notification of their classification as critical entities, with the first notifications expected by late summer 2026. Clear deadlines will then apply:

  • Within four weeks, a central contact point and at least one contact person must be designated to the BMI, and the availability of the central contact point must be ensured during the period in which essential services are provided.
  • The internal risk analysis must be completed within nine months.
  • After ten months, the resilience plan must be finalized and the technical, security-related and organizational measures implemented.
  • The plan must then be submitted to the BMI within one month.

The Requirements of the RKEG

The law follows a risk-based approach that is to be continuously reviewed and further developed. Affected companies and organizations must address five areas of action:

  • Risk Analyses: Regular, systematic identification of hazards and vulnerabilities across operations
  • Resilience Plans: Development and implementation of technical, organizational and personnel-related protective measures
  • Personnel Background Checks: Comprehensive screening of security-sensitive personnel to mitigate risks
  • Incident Reporting: Prompt reporting of security incidents to the BMI within 24 hours, followed by a detailed report within one month at the latest
  • Resilience Audits: Regular reviews by state-certified auditors, at least every four years, or earlier if the risk situation changes significantly

The Solution: Systematically Building Resilience

The RKEG is a response to growing pressure on critical infrastructure and marks a paradigm shift: it is no longer about isolated individual measures, but about systematic resilience at the organizational level, ensured through the coordinated interaction of multiple disciplines within a broader governance framework.

To sustainably strengthen their ability to act in crisis situations, operators of critical infrastructure should develop their resilience strategy in a structured manner, with the support of specialized experts where needed. Four key areas of action are central:

  • Create Transparency: Impact analysis in accordance with RKEG/RKEV, identification of critical processes and dependencies, analysis of existing structures and measures
  • Identify Gaps: Resilience and gap analysis, assessment of current crisis readiness, and derivation of concrete fields of action
  • Implement Measures: Establish resilience and crisis structures, integrate them into existing governance, and ensure documentation and evidence management
  • Further Develop Resilience: Regular review and adaptation, tests and exercises, and preparation for regulatory audits

In the best-case scenario, regulatory pressure becomes strategic progress: greater clarity, stronger response capacity, and greater security for organizations indispensable to the functioning of society.
