Resilience has long since become a key success factor for organizations that have to assert themselves in an increasingly uncertain and complex environment. The RKE Directive on the Resilience of Critical Entities provides a structured framework for this that helps to develop resilience not only reactively, but strategically and systematically.
Nevertheless, the background of the RKE is unknown to many, and the term is often used generically for risk management, business continuity management and emergency management. We therefore trace how it developed over time.
A look at the historical development shows how different disciplines have emerged with the aim of securing and stabilizing organizations – and why this ultimately led to the need for an overarching regulatory framework.
1950s-1960s – Origins of Resilience
The origins of resilience thinking can be traced back to the 1950s, when mainframe computers were first used in companies. These early IT systems were highly centralized, expensive, and mission-critical. A failure meant not only a loss of productivity, but often a complete standstill of central functions.
At that time, neither BCM initiatives nor emergency management concepts existed. Instead, organizations developed technical precautionary measures to be able to cope with system failures. These included, among others:
- Redundant data storage
- Alternative computing locations
- Defined restart processes
In retrospect, these measures are considered the forerunners of today’s disaster recovery, and they laid the foundation for the later awareness of the need to ensure business continuity. At that time, the focus was almost exclusively on the technical infrastructure, not on business processes or organization.
1970s-1980s – From IT protection to securing critical business processes
With increasing dependence on IT systems, it became clear that technical restoration alone was not enough. In the 1970s and 1980s, contingency planning began to gradually move away from a pure IT perspective and focus on critical business processes.
Large companies – especially from the financial sector in the USA and Great Britain – played a pioneering role in this. They developed the first guidelines and manuals.
1990s – Business Continuity Management as a Management Discipline
In the 1990s, the term business continuity management became increasingly popular. Continuity was no longer understood as a purely operational or technical issue, but as a management task with strategic relevance.
Organizations began to systematically embed BCM, set up company-wide programs, and develop internal standards, policies, and governance structures. However, these standards were predominantly company-specific, industry-driven and nationally influenced. At that time, there was no internationally uniform standardisation.
2000-2010 – BCM and risk management move closer together
With the beginning of the new millennium, BCM, information security and risk management moved increasingly closer together. Global supply chains, digitalization and regulatory requirements led to a more holistic understanding of risk.
In addition, an increasing number of international frameworks were published that permanently changed BCM:
- ISO/IEC 17799 / ISO/IEC 27001 (Information Security): These standards define requirements and best practices for establishing, implementing, and continuously improving an information security management system (ISMS). They aim to systematically protect the confidentiality, integrity and availability of information and to manage risks appropriately.
- ISO 22301 (from 2012: Standard for BCM): ISO 22301 specifies requirements for a business continuity management system to increase the resilience of organizations to disruptions. The standard supports companies in identifying critical business processes, developing emergency plans and ensuring operational capability in the event of a crisis.
- ISO 31000 (Risk Management Basis): ISO 31000 provides an overarching framework and principles for effective risk management. It supports organizations in systematically identifying, analyzing, evaluating and treating risks, as a basis for strategic and operational decisions.
- ITIL (IT Service Continuity Management): ITIL defines IT Service Continuity Management (ITSCM) as a component of IT service management with the aim of ensuring the continuity of critical IT services. ITSCM ensures that IT restart and contingency plans are aligned with business continuity management requirements.
2010-2020 – Enterprise Risk Management
In the 2010s, enterprise risk management (ERM) continued to gain in importance. The increase in complex risks, such as cyber threats and dependencies in global supply chains, as well as increasing regulatory requirements, led to risk management, business continuity management and information security being more closely integrated into corporate governance.
BCM was no longer viewed in isolation, but as part of a holistic management system that identifies, evaluates and controls risks – both preventively and reactively.
At the same time, however, recurring structural weaknesses emerged:
- Parallel management systems with different terminology
- Unclear responsibilities between line, staff and crisis functions
- Strong focus on compliance rather than actual organizational adaptability
- Limited visibility into dependencies between processes, resources, and services
2020s to the present – Integrated resilience management
Recent crises such as the COVID-19 pandemic, energy and supply chain crises, and geopolitical tensions have highlighted the limits of traditional individual approaches. Organizations today need integrated resilience management that goes beyond mere emergency or risk aspects.
Against this background, the Resilience Core Element Model (RKE) was designed as a consciously developed regulatory and integration framework. The starting point was not the introduction of another standard, but the central question:
What basic skills does an organization need to possess in order to remain capable of acting even in a crisis?
The RKE bundles established disciplines such as:
- Risk Management
- Business Continuity Management
- Crisis and emergency management
- IT Service Continuity
- Information Security
- Increasingly, sustainability and digital resilience
The aim of the RKE is not to replace these disciplines, but to systematically connect them along common core elements, to make dependencies transparent and to establish resilience as a strategic organizational capability.
It is important to make a clear distinction: the RKE model is neither an additional management standard nor an operational emergency concept. Rather, it acts as an overarching framework that structures, prioritizes, and places existing systems in a common resilience context.
Conclusion – Origin of the RKE Directive
The development from technical emergency preparedness to business continuity management and risk management to integrated resilience approaches clearly shows that resilience is not created by individual measures, but by the coordinated interaction of several disciplines. With growing complexity and crisis density, the need for an overarching regulatory framework became increasingly evident.
The RKE Directive addresses this need and creates, for the first time, a European legal framework to systematically strengthen organisational resilience. It entered into force at EU level on 16 January 2023 and enshrines resilience as a governance-relevant requirement.
The resilience core element model serves as a conceptual frame of reference that gives the objectives of the directive a structure and makes them operationalizable. It connects existing management disciplines along common core elements without replacing them.
In Austria, the directive has been implemented since 1 March 2026 by the Resilience Critical Facilities Act (RKEG), which for the first time transfers resilience into organisational practice in a binding manner.