How Europe intends to make its key companies/entities more resilient
Threats in Europe are increasing and becoming more novel. In addition to natural disasters and pandemics, attacks by "semi-state" actors and acts of sabotage (physical and cyber), industrial espionage and much more must be taken into account.
Such events can – as we are currently experiencing on several levels – lead to the failure of essential entities, which may not only have an impact at Member State level, but can also trigger chain reactions in the internal market due to the interoperability of such entities within the Union. For this reason, EU legislators have enacted several legal acts to strengthen the resilience of critical entities ("CE").
On 24 September 2025, the Austrian National Council (first of two chambers in the Austrian parliament) passed the "Critical Entities Resilience Act" (Resilienz kritischer Einrichtungen-Gesetz "RKEG"). The title is both technical and impressive. We take this as an opportunity to briefly introduce the EU's legislative measures in response to the changed threat situations – both natural and man-made – and to give an overview of the planned RKEG.
1) CER Directive (including the planned RKEG)
At the top is Directive 2022/2557 on the resilience of critical entities ("CER Directive"), which is now to be transposed into Austrian law with the RKEG.
The CER Directive defines "resilience" as "a critical entity's ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident". In short, it is about modern risk management in the sense of an extended "all-hazards approach" beyond cybersecurity.
CEs are defined as public or private entities that
- provide an essential service in one of 11 sectors and
- where an incident (i.e. an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service) could occur.
These 11 sectors are: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and the production, processing and distribution of food.
The Federal Government must adopt a strategy to strengthen the resilience of CEs (by 17 January 2026); based on this, the Federal Minister of the Interior (Bundesminister für Inneres, "BMI") must carry out risk assessments in the aforementioned sectors. Companies identified on this basis will then be classified as CEs by means of an official administrative decree. Based on estimates there will be approximately 400 to 600 such CEs in Austria.
What to do if you are classified as CE
First, the CE should check the administrative decree for accuracy. If you have no objections to the classification as a CE, you must
- designate a point of contact and at least one contact person,
- carry out a risk assessment,
- take technical, security and organisational resilience measures based on this analysis,
- document these measures in a resilience plan, and
- immediately report any security incidents to the competent authorities.
The timetable for implementing these measures is shown here.
The BMI should advise and support the CEs in the implementation process.
Focus: What resilience measures should be taken
Required are technical, security and organisational resilience measures that are appropriate and proportionate to meeting the targets set out in the planned RKEG. These include, for example, adequate physical protection of critical infrastructures, background checks on personnel and the rapid resumption of essential services after security incidents.
From a legal perspective, it will be interesting to see which resilience measures meet the "benchmark". The legislative technique of using undefined legal terms does not come as a surprise, but may – in practice – lead to complex cost-benefit considerations in light of limited resources. Certainly, CEs will not have to install a "drone wall" to protect their physical infrastructure.
Let's move on to security measures in the area of cybersecurity:
2) NIS-2 Directive (the national implementation law is still pending)
While the CER Directive focuses on physical resilience, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU ("NIS-2 Directive") aims to strengthen EU-wide resilience in the area of cybersecurity. Our IP/IT team has already reported on this in detail in the Law Blog (only available in German). In addition to CE, the NIS-2 Directive also covers other (essential and important) entities. For the definition and classification of these entities, we also refer to our Law Blog (only available in German).
The NIS-2 Directive should have been transposed into national law by 17 October 2024. However, Austria is in default.
3) DORA
Regulation (EU) 2022/2554 on digital operational resilience in the financial sector ("DORA") established uniform rules for the security of network and information systems of financial companies. Our experts in banking supervisory law and IT law have reported on this in detail in the Law Blog (only available in German).
4) CRA
The topic of "resilience" has also found its way into product law. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements ("CRA") aims to improve the cyber resilience of products themselves. This affects software and hardware products with digital elements (e.g. smartwatches, chip card readers, firewalls, accounting software). Depending on their classification (general, important and critical products), different requirements apply which must be met in order for these products to be placed on the market.
Conclusion
While in the past, risk prevention in the security universe was seen as a purely governmental task, companies themselves are now also obliged to collaborate with Member States to ensure their security (in the broader sense) and a functioning internal market.
Against the background of the European Commission's ProtectEU (European Strategy for Internal Security) political agenda, we expect further regulation in this area. Companies should keep an eye on this and prepare themselves.
We are here to support you.
Please note: This blog is for general information purposes only and in no way constitutes legal advice from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal advice. Binder Grösswang Rechtsanwälte GmbH accepts no liability of any kind for the content and accuracy of the blog.