
Guest Post | RKEG and Know‑How Leakage: An Underestimated Threat
By Mischa Zöberer
Economic espionage is increasingly relevant in the context of critical infrastructure. While cyberattacks dominate headlines, the greatest damage often occurs where few are looking: in the targeted leakage of knowledge and skills. Beyond digital threats, traditional espionage methods – from social engineering to physical access – are gaining renewed importance, as they often go unnoticed and have long-lasting effects. Critical infrastructure, clearly defined under the RKEG, has therefore become a particularly attractive target.
With Austria’s Resilience of Critical Infrastructure Act (RKEG) and the accompanying RKE Regulation (RKEV), a comprehensive legal framework has been established to strengthen the resilience of critical facilities against both physical and digital threats. At first glance, this may seem like a standard regulatory issue, but its implications are far-reaching: the RKEG addresses specific risk areas for companies and places economic espionage firmly on the radar – a threat that is set to grow in importance over the coming years.
Key Changes Under the RKEG
For the first time, the RKEG clearly defines which facilities are considered critical, the thresholds they must meet, and which security incidents are reportable. The RKEV specifies these thresholds across sectors such as energy, transport, health, drinking water, digital infrastructure, and public administration.
Facilities are also required to harden their processes, supply chains, and IT systems while strengthening organizational resilience.
A cornerstone of this new security framework is the mandatory vetting of personnel in critical infrastructure – establishing a uniform, legally binding standard for trustworthiness and reliability checks.
From Recommendations to Mandatory Resilience Standards
Previously, KRITIS designations and APCIP measures were based on cooperation, voluntary adherence, and strategic guidance. The RKEG transforms this into a legally binding resilience regime. What was once a cooperative protection program now becomes a mandatory resilience system. Facilities must not only be “KRITIS-capable,” but fully RKE-resilient – at a legally defined, significantly higher standard.
The RKEG fundamentally changes the landscape:
- The number of affected facilities expands significantly.
- Classification is no longer voluntary but issued via official notice.
- Security incidents are reportable, with clearly defined thresholds.
- Requirements are legally binding, not merely advisory.
- Oversight is centralized and professionalized.
- Personnel in security-relevant positions undergo mandatory security vetting – a key step in reducing insider risks and countering hybrid threats.
Corporate Espionage: The Overlooked Side of Resilience
While cyberattacks get the spotlight, modern economic espionage remains underestimated: it is hybrid, long-term, and highly professional. Attackers combine digital techniques with traditional methods – from human reconnaissance and social engineering to physical access to facilities, documents, and personnel. In the context of RKEG-defined critical infrastructure, these traditional attacks are gaining renewed significance. Access to buildings, control centers, maintenance areas, or sensitive operational information can cause as much, or even more, damage than a cyberattack – often more discreetly and sustainably.
Attack methods include:
- OSINT techniques to research personnel, supply chains, partners, and internal structures
- Social engineering to manipulate employees
- Insider recruitment to gain access credentials, trade secrets, or critical systems
- Physical attacks on data centers, control centers, or logistics hubs
- Data manipulation to undermine trust or distort markets
Why Immediate Action Is Needed
The RKEG demands technical, organizational, and personnel resilience. Key vulnerabilities remain:
- Employees are the primary entry point – not firewalls.
- Supply chains are increasingly complex and often insufficiently vetted.
- Critical processes are digitized but not always securely integrated.
- Reporting obligations create time pressure, which can lead to mistakes under stress.
Organizations that treat security as mere compliance unknowingly leave gaps for attackers to exploit – from human reconnaissance to structural weaknesses. A modern approach combines resilience, systematic background checks, continuous awareness programs, and professional OSINT monitoring to establish robust protection.
Critical infrastructure must recognize that attackers exploit human and organizational weaknesses as much as technical ones – and that proactive intelligence on personnel, partners, and supply chains is a central pillar of security. Only a holistic approach allows facilities to meet the RKE requirements and maintain long-term operational resilience.
What Modern Resilience Entails
Under the RKEG, resilience extends beyond IT security to include:
- Early detection of espionage (digital and human)
- Protection of sensitive information – including outside IT
- Robust emergency and crisis procedures
- Employee training and awareness programs
- Monitoring of supply chains and partners
- Scenarios for hybrid attacks (cyber + physical + disinformation)
Modern security architecture focuses not on eliminating all risk, but on strengthening critical processes against hybrid threats. The goal is to detect disruptions early, contain them effectively, and maintain operational continuity even under pressure, preventing attacks from escalating into reportable security incidents.
A Practical Look: Where Companies Are Most Vulnerable Today
From a professional perspective and based on my experience, three areas are particularly critical:
- Identity and access management – attackers target people, not systems
- Shadow IT and uncontrolled data flows – especially in hybrid work environments
- Lack of situational awareness – companies often don’t know who is targeting them or why
Under the RKEG, undetected attacks can quickly escalate into reportable incidents, with significant legal, financial, and reputational consequences.
To effectively address such threats, essential facilities need a reliable situational overview of people, partners, and processes. Systematic security vetting provides transparency regarding trust and insider risks, continuous awareness programs strengthen human security competence in day-to-day operations, and professional OSINT monitoring makes external information risks visible at an early stage. Only the combination of these measures enables timely detection of hybrid attacks and ensures the sustainable resilience of critical services.
Conclusion: RKEG as an Opportunity to Enhance Resilience
The RKEG forces companies to confront their vulnerabilities. Viewing it solely as a regulatory obligation misses the chance to become strategically stronger.
Organizations that approach it as an opportunity to address economic espionage, hybrid threats, and organizational resilience holistically position themselves not only for legal compliance but also for long-term security and competitiveness.
Norphluchs Guest Post