Against storms and sabotage

“The RKE Act is the next important building block after NIS 2 (cybersecurity) and concerns the resilience of critical facilities to physical threat scenarios,” explains Jürgen Karlsböck, Business Development Manager at Siemens. “Risk assessment based on the all-risk approach is very central to the RKE Act. This means that critical infrastructure companies — energy and water suppliers, hospitals, food manufacturers, banks, transport, telecommunications and IT service providers, etc. — must deal with all physical threats that could arise. ” And that covers a wide range: from natural events or climate-related effects, such as floods, storms, rockfalls, to acts of sabotage caused intentionally by humans. 

The RKE Act creates a uniform framework across the EU with the aim of strengthening the physical resilience and resilience of critical institutions against these threats and minimizing any existing weak points. 

“For such a complex topic, it is recommended to work with a strategic partner.”

Jürgen Karlsbö
ckSecurity Expert, Siemens AG Austria

Defined timetab
le The Act sets out a minimum set of obligations that must be met. “And there is already a very precise timetable for this,” says Karlsböck. For example, the EU has required national governments to draft a national strategy and risk analysis by January 2026, which includes determining which companies and institutions are essential for the functioning of the country and are therefore covered by the RKE Act. By August 2026 at the latest, they will receive a notice asking them to carry out a risk analysis using the all-risk approach, which must be completed in May 2027. “One month later, in June 2027, the affected companies or organizations must submit a resilience and action plan to the Federal Ministry of the Interior,” explains the security expert, “including an exact definition in accordance with § 15, which technical, organizational and personnel measures have been taken to ensure physical security. ” But that’s not all: The risk analysis must be carried out again as appropriate, but no later than every four years, including transmission of the updated resilience and action plan to the Ministry of the Interior. “We currently expect that between 300 and 600 companies will receive a notification,” says Jürgen Karlsböck. This is not so much about employee or turnover figures, but about belonging to the critical infrastructure. “In simple terms, you could say that the majority of all those that have already been covered under the NIS-1 Directive will also be affected by the RKE Act. ” By the way, reporting requirements are also included in the RKE Act: An initial report must be submitted to the competent authority immediately, but no later than 24 hours after a safety-relevant incident. A comprehensive safety report must follow 30 days later. Karlsböck: “The duties are very precisely defined and strictly regulated. ”

Strategic Partne
rSiemens can support companies, institutions and critical infrastructure organizations in many areas, such as preparing a risk analysis using the all-risk approach or creating a zone concept. This deals, for example, with the question of how a fence must be constructed around the factory site, how open areas should be monitored, how the “outer skin” of a building is secured or which resistance classes doors must have. Jürgen Karlsböck: “Siemens experts have comprehensive expertise ranging from perimeter protection to property protection and room security. Based on our expertise and the risk analysis carried out, the necessary steps are easy to derive. ” With its extensive know-how, Siemens is an experienced partner in implementing technical measures — from planning to commissioning. With the completed certification in accordance with ÖVE/ÖNORM EN 16763 (R9, R10, R11) in spring 2025, we offer our customers the highest quality security systems and legal and investment security. “When I look at the complexity of the RKE Act or NIS 2, I am of the opinion that a strategic partnership can be very helpful for the companies concerned in implementing an economic, legally secure and at the same time resilient security solution,” says the security expert.