
02 October 2025
Schoenherr publication
Austria, Poland

to the point: technology & digitalisation | October 2025

Welcome to the October edition of Schoenherr's to the point: technology & digitalisation newsletter!

We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.

As autumn settles in, many businesses shift from the summer's pace to planning, budgeting and sharpening priorities for the final stretch of the year. This edition of to the point: technology & digitalisation reflects that mindset: resilience, readiness and the smarter allocation of resources.

Our spotlight covers Austria's Critical Entities Resilience Act, which transposes the EU CER Directive, ushering in a more structured and enforceable approach to critical infrastructure protection. With tight compliance timelines, substantive risk, resilience duties and significant penalties, now is the time to assess your company's exposure, align governance, and coordinate with NIS2 and GDPR to avoid duplications and gaps. Think of it as autumn housekeeping: clear frameworks today help weather tomorrow's storms.

Financing growth remains a priority, with the EcoAustria blueprint for a national Scale-Up Fund aiming to channel capital into European growth vehicles and strengthen Austria's tech sector. Meanwhile, the replacement of WhoIs with RDAP (Registration Data Access Protocol) reshapes domain registration data access and standardises outputs, requiring an update of due diligence processes. In Poland, compliance is in the spotlight, as a major GDPR fine for improper ID scanning, as well as new mandatory drone insurance, highlight the increasing importance of accountability and risk management in tech-driven industries.

This season rewards disciplined preparation. We hope these insights help you prioritise: strengthening resilience programmes, readying compliance controls and revisiting risk strategies. As ever, our team stands ready to support you through the year-end agenda and into 2026.

Austria has taken a decisive legal step to strengthen its critical infrastructure protection obligations with the National Council's passage of the Critical Entities Resilience Act (RKEG), which transposes the EU's Critical Entities Resilience (CER) Directive into Austrian law. Whilst the legislation awaits final parliamentary approval and formal publication, organisations operating in potentially affected sectors should begin immediate preparatory assessments to understand their exposure under this emerging regulatory framework and position themselves for compliance once the Act takes effect.

Scope and application

The RKEG is intended to apply primarily to critical entities that fall within the sectors mentioned in the CER Directive. These include, for example, energy, transport, banking, financial market infrastructure, health, drinking and wastewater, digital infrastructure and production, and food processing and distribution.

The Federal Minister of the Interior must classify entities as critical by administrative decision. To qualify as a critical entity, organisations must meet four key criteria: they must operate domestically, have their critical infrastructure located domestically, provide an essential service and be susceptible to security incidents in the provision of this essential service. The determination considers factors such as the number of users who use the essential service and the possible effects of security incidents on economic and social activities, the environment, public order or security, and public health.

Core obligations

Once classified, covered critical entities are subject in particular to the following obligations:

- Contact point: A central contact point and contact person must be designated within four weeks of classification by administrative decision. Those entities that do not have a postal address in Austria must designate an authorised representative for service. Critical entities without an establishment in Austria must also designate a responsible representative.

- Risk assessment: Critical entities must conduct a risk analysis for the first time within nine months of classification and subsequently when relevant risk factors change, but at least every four years.

- Resilience measures: Within ten months of classification, critical entities must adopt appropriate and proportionate technical, security-related and organisational measures for their essential service, to be detailed in a resilience plan. These must address six areas, including preventing security incidents, considering disaster preparedness and climate change measures, and ensuring appropriate physical protection of critical infrastructure and premises.

- Incident reporting: Within ten months of classification, critical entities must report security incidents without delay and no later than 24 hours after becoming aware of them, insofar as operationally possible.

Regulatory oversight and enforcement

The Federal Minister of the Interior serves as the primary administrative authority under the RKEG, with comprehensive supervisory powers, including the power to require critical entities to submit risk analyses, resilience plans and other evidence of compliance within a reasonable timeframe. The authority may also carry out audits.

Administrative penalties provide a significant deterrent effect, with violations punishable by fines up to EUR 500,000.

Timeline and next steps

Key provisions enter into force on the first day of the month following four months after publication of the final law. Once classified, entities face tight deadlines: designation of contact points within four weeks, completion of risk analysis within nine months, and implementation of resilience measures within ten months.

Organisations potentially within scope should begin immediate preparatory work. This includes conducting preliminary assessments against the identification criteria, reviewing existing measures and frameworks (including a gap assessment), establishing governance structures for resilience management, and developing incident response capabilities that focus on the stringent 24-hour reporting requirement.

The RKEG adds a further layer of regulatory obligations and pushes organisations towards comprehensive resilience thinking. Early preparation will prove essential given the compressed timelines once classification occurs and the substantial penalties for non-compliance. A legal review and coordination with other legal acts, such as NIS2 and the GDPR, should be carried out at an early stage to enable the greatest possible synergies.

The creation of a national Scale-Up Fund ("Dachfonds") has been part of Austria's new government programme, aiming to close the financing gap for start-ups in their growth phase. To provide the analytical foundation for its concrete design, the Federal Ministry for Economy, Energy and Tourism commissioned EcoAustria to conduct a study, published in September 2025. The study presents detailed scenarios, international benchmarks, and a proposed legal and governance framework for the planned Scale-Up Fund. Here is the link to the study.

Fund structure

According to the study, the Scale-Up Fund will be established as a Fund-of-Funds under the legal form of a GmbH & Co KG. This ensures a clear separation between management and investors, while an independent governance model shields the fund from political influence.

The management will be appointed via international tender and remunerated in line with international standards, i.e. through a mix of management fees and carried interest. The fund itself will not invest directly into enterprises but instead allocate capital to selected European venture capital and private equity funds. This approach provides diversification, mitigates risk and leverages the "home bias effect" by ensuring that a significant share of capital ultimately reaches Austrian start-ups. 

Volume and scenarios

The study outlines two scenarios:

- Scenario 1 (Optimistic): EUR 500m in total volume, including EUR 100m from the state.

- Scenario 2 (Conservative): EUR 300m in total volume, including EUR 60m from the state.

In both cases, EcoAustria assumes that around 60 % of total capital will flow into Austrian start-ups via the supported VC funds. The expected economic effects are substantial: in Scenario 1, up to EUR 1bn in additional long-term value creation and around 1,500 new jobs; in Scenario 2, about EUR 600m and 1,000 jobs.

International role models

Austria's design draws heavily on international precedents, in particular KfW Capital (Germany) and Vækstfonden (Denmark). Both demonstrate how state anchor investments can mobilise private capital at scale when embedded in independent, professionally managed fund structures.

Investment strategy

The Scale-Up Fund's investment focus will be on growth-stage funds active across Europe, ensuring both international diversification and a meaningful Austrian allocation. Through the home bias effect, an estimated 60 % of committed capital is expected to reach domestic start-ups.

Ticket sizes are envisaged to reflect international best practice: the fund will typically commit double-digit million amounts per target fund, enabling significant leverage for Austrian and European start-ups in the scale-up phase. This approach is intended to attract established European funds as well as encourage the professionalisation of domestic managers.

Timeline and next steps

The government has announced that implementation will move forward through an interministerial working group, with a legal setup targeted for 2026. Concrete next steps include establishing the GmbH & Co KG structure, defining governance and engaging with institutional investors.

When conducting an initial check on who owns a domain name, a WhoIs query has long been the standard procedure. For decades, it has been an essential resource in investigations prior to UDRP or other domain-related proceedings, as well as for simply researching who might be responsible for the website hosted under the domain. Type in a domain name and you could often see who registered it and when it was created.

What is WhoIs?

Basically, WhoIs is a set of standardised rules for communication between a client (e.g. a PC) and the domain registrar responsible for the subject domain name, in order to retrieve ownership data. The specification was simple, without allowing for multiple tiers of data access and without detailed requirements for data formatting.

But suddenly, alongside WhoIs, a second – often identical – dataset has been made available by domain registrars (who maintain the respective WhoIs database for the domains registered with them): RDAP data.

RDAP replaces WhoIs

With the GDPR, the simple design of WhoIs became more of an issue. To address this, ICANN proposed the introduction of the Registration Data Access Protocol (RDAP) by amending the Registry Agreements and Registrar Accreditation Agreements via a global amendment dated 7 August 2023.[1]

Since 3 February 2024, support for RDAP has been mandatory for all registrars (and registries) of generic top-level domains.[2] This protocol provides certain advantages, as it allows multiple tiers of access (although this is not yet used as a standardised feature) and has a standardised output format.

Although ICANN's technical implementation guide stipulates that, in most cases, information on the registrant or owner of a domain name should be withheld,[3] this is not always the case. In practice, registrant information still appears to be available at times.

Notably, on 28 January 2025, RDAP became the definitive source for delivering registration information and the registrar's obligation to maintain WhoIs services ended.[4]

Therefore, only RDAP is now required to be supported and it provides the authoritative data that must be kept accurate. WhoIs has been deprecated and may still function, but there is no obligation to maintain it. Discrepancies between the two sources are rare but possible (e.g. due to different databases used in the background). In such cases, RDAP should be regarded as the authoritative source.
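The standardised output format is what makes RDAP easier to build due-diligence tooling on than free-text WhoIs. The following Python script is an added example (it is not part of the newsletter, and not ICANN's or any registrar's code): it resolves which RDAP server is responsible for a top-level domain from a bootstrap file in the shape IANA publishes, builds the domain query URL, and then reads the fields a domain check usually needs (registrar, registrant, creation and expiry dates, name servers, status) out of an RDAP domain response, flagging the case where the registrant is withheld. All registrar names, server URLs and domain records in the script are constructed placeholders, and the lookup runs entirely offline on the embedded sample.

```python
"""Parse an RDAP domain response into the fields a domain due-diligence
check usually needs. Example code; all data below is constructed.

RDAP bootstrap entries follow the structure of the IANA bootstrap file
(RFC 7484), and the domain response follows the JSON structure defined
for RDAP responses (RFC 9083). The real bootstrap file is published at
https://data.iana.org/rdap/dns.json; the URLs below are placeholders.
"""
import json
from datetime import datetime
from typing import Optional

# Constructed bootstrap excerpt: each entry maps a list of TLDs to the base
# URL(s) of the RDAP server that serves them. Not real servers.
BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["example-tld"], ["https://rdap.example-registry.test/v1/"]],
        [["another"], ["https://rdap.another-registry.test/"]],
    ],
}

# Constructed RDAP domain response. The registrant entity is withheld, which
# is how many registrars now answer queries on gTLD domains.
SAMPLE_RESPONSE_JSON = """
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE-DOMAIN.EXAMPLE-TLD",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2010-03-14T09:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2026-03-14T09:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2025-02-01T12:00:00Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.test"},
    {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.test"}
  ],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "publicIds": [{"type": "IANA Registrar ID", "identifier": "0000"}],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar Ltd"]]]},
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}
  ]
}
"""


def rdap_base_url(tld: str, bootstrap: dict = BOOTSTRAP) -> Optional[str]:
    """Return the first RDAP base URL listed for a TLD, or None if unknown."""
    tld = tld.lower().lstrip(".")
    for tlds, urls in bootstrap["services"]:
        if tld in (t.lower() for t in tlds):
            return urls[0]
    return None


def domain_query_url(domain: str, bootstrap: dict = BOOTSTRAP) -> Optional[str]:
    """Build the RDAP domain lookup URL (<base>/domain/<name>) for a domain."""
    tld = domain.rsplit(".", 1)[-1]
    base = rdap_base_url(tld, bootstrap)
    if base is None:
        return None
    return base.rstrip("/") + "/domain/" + domain.lower()


def _vcard_fn(entity: dict) -> Optional[str]:
    """Extract the formatted name (fn) from an entity's jCard, if present."""
    vcard = entity.get("vcardArray")
    if not vcard or len(vcard) < 2:
        return None
    for prop in vcard[1]:  # each property is [name, params, type, value]
        if len(prop) >= 4 and str(prop[0]).lower() == "fn":
            return prop[3]
    return None


def _event_date(rdap: dict, action: str) -> Optional[datetime]:
    """Return the timestamp of the named event (e.g. "registration")."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == action:
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def summarise_domain(rdap: dict) -> dict:
    """Reduce an RDAP domain object to the fields used in a domain check."""
    registrar = registrant = None
    for entity in rdap.get("entities", []):
        roles = [r.lower() for r in entity.get("roles", [])]
        if "registrar" in roles:
            registrar = _vcard_fn(entity)
        if "registrant" in roles:
            registrant = _vcard_fn(entity)
    # Registrant data is treated as withheld if absent or marked redacted.
    redacted = registrant is None or "REDACTED" in registrant.upper()
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "registrar": registrar,
        "registrant": None if redacted else registrant,
        "registrant_redacted": redacted,
        "created": _event_date(rdap, "registration"),
        "expires": _event_date(rdap, "expiration"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "status": list(rdap.get("status", [])),
    }


if __name__ == "__main__":
    print("query URL:", domain_query_url("Example-Domain.example-tld"))
    for key, value in summarise_domain(json.loads(SAMPLE_RESPONSE_JSON)).items():
        print(f"{key:>20}: {value}")
```

In a real check the query URL would be fetched over HTTPS with an `Accept: application/rdap+json` header and the response body passed to `summarise_domain`; keeping the parsing separate from the network call makes the extraction testable against saved responses, and the `registrant_redacted` flag records explicitly that a blank registrant is a withheld field rather than an empty registration.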



[1] https://www.icann.org/en/contracted-parties/registry-operators/global-amendments/2023-global-amendments?utm_source=chatgpt.com

[2] So-called Country Code TLDs are not within ICANN's jurisdiction to this extent and may still primarily support WhoIs or other self-specified protocols.

[3] https://www.icann.org/en/system/files/files/rdap-technical-implementation-guide-15feb19-en.pdf

In today's world, protecting personal data is crucial, especially in the banking sector where customers share sensitive information. The Polish Personal Data Protection Office (UODO) recently imposed a huge fine on one of the banks operating in Poland for improperly scanning customers' ID cards. This decision highlights how important it is for banks to thoroughly assess whether such actions are truly necessary.

The case covers the period from 1 April 2019 to 23 September 2020. During this time, the bank scanned ID cards not only in situations required by anti-money laundering (AML) regulations but also in other cases, such as handling complaints about ATMs. The UODO found that the bank did not conduct an individual risk assessment for each customer, as required by law. Instead, scanning became a routine practice, often required for dealing with simple matters.

The UODO President deemed this a violation of GDPR regulations, including the principles of lawfulness, purpose limitation and data minimisation. The bank processed data such as first names, surnames, PESEL numbers, dates of birth and images, which could expose customers to risks like identity theft and loan fraud. Although no specific harms were reported, the scale of the issue was significant, as the bank served over 4.7 million customers at the time.

As a result, the bank must pay a fine of PLN 18,416,400 (about EUR 4,314,000). This serves as a warning to the entire industry: before processing personal data, it is essential to ensure that it is justified and compliant with the law. The UODO's decision emphasises that protecting customer privacy should be a priority, not a routine. Banks need to adjust their procedures to avoid similar mistakes in the future.

Drones have come a long way from being just toys to essential tools in fields like photography, surveying, construction, energy, real estate and rescue operations. In Poland, around 300,000 registered operators use them for both fun and work.

As drones become more widespread, so do the damages they cause – most often to property, such as cars, windows, roofs or fences. While injuries to people are less common, they can result in significant costs for medical treatment, rehabilitation, compensation or long-term care.

Legally, drones are classified as aircraft. Under Article 206 of the Polish Aviation Law, operators are generally liable for any damage caused by their drones – unless the incident was the result of unavoidable circumstances, the victim's own fault or the actions of a third party.

Starting 13 November 2025, new regulations under the Polish Aviation Law will require all drone operators to carry civil liability insurance (OC) for drones weighing between 0.25 kg and 20 kg, regardless of whether they are used for personal or commercial purposes. Failure to comply may result in a fine of PLN 4,000 (about EUR 930). Until now, this insurance requirement applied only to drones over 20 kg.