Introduction

Cybersecurity risks associated with EV charging stations are escalating. To facilitate centralized management of these stations, whether situated in public spaces or private locations, Charge Point Operators need to operate several interconnected systems and are accountable for securing sensitive data such as user identities and payment information. The complexity and interconnection of those systems expose them to a range of cyber threats, including data breaches and potential disruptions to the power grid. Addressing these vulnerabilities is critical, necessitating robust security measures such as strong authentication protocols, encryption standards, and segmented network architectures. Regulatory frameworks, such as Europe’s NIS2 directive, aim to bolster cybersecurity standards for EV infrastructure, yet comprehensive industry collaboration remains vital to effectively safeguarding against evolving cyber threats.

The NIS 2 Directive, officially known as Directive (EU) 2022/2555, was published in December 2022 by the European Parliament and the Council. Its primary goal is to enhance cybersecurity across the European Union by establishing a high common level of security for network and information systems. This directive replaces its predecessor, the NIS Directive (Directive 2016/1148/EC), and expands its scope to include a broader range of sectors and entities. We will explore the impact of the NIS 2 Directive on the EV charging sector and provide references to how AMPECO can solve NIS2 challenges..

NIS 2 Directive overview

The NIS 2 Directive introduces several measures for improved cybersecurity risk management, reporting obligations, and cooperation mechanisms, targeting essential and important entities in critical sectors such as energy, transport, health, and digital infrastructure.

Recognizing the crucial role of CPOs in the transition to sustainable transportation, Charge Point Operators appear on the list of entities in the Energy sector of High criticality in Annex I of the NIS2 directive. Digital service providers who deliver cloud computing services, such as charge point management systems (CPMSs), also fall within the directive’s scope.

Below is an overview table summarizing key aspects of the directive.

Table 1. Key aspects of the NIS2 Directive

ampeco table key aspects of the NIS2 Directive

Impact on the EV charging sector

The NIS2 Directive emphasizes the adoption of an all-hazards approach to cybersecurity, compelling entities to protect their network and information systems comprehensively. According to Art.21, §2, the measures that aim to protect network and information systems and the physical environment of those systems from incidents include at least the following:

1. Policies on risk analysis and information system security

2. Incident handling

3. Business continuity, such as backup management and disaster recovery, and crisis management

4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

7. Basic cyber hygiene practices and cybersecurity training;

8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption;

9. Human resources security, access control policies and asset management;

10. Multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity.

Requirements for charge point operators

The NIS2 Directive requires entities across sectors to adopt an all-hazards approach to cybersecurity, emphasizing comprehensive protection of network and information systems. For charge point operators (CPOs), this translates into several specific requirements designed to mitigate cybersecurity risks and ensure compliance.

Comprehensive risk management: CPOs must implement appropriate technical, operational, and organizational measures to manage cybersecurity risks effectively.
Robust policies and procedures: This includes implementing policies for risk analysis, information system security, and incident handling. Additionally, CPOs should establish procedures for business continuity, including backup management and disaster recovery, as well as secure asset management.
Supply chain security: CPOs need to address security-related aspects concerning their relationships with direct suppliers or service providers.
Cryptography and secure communications: Policies regarding cryptography and encryption must be enforced, ensuring secured communications and emergency systems within the entity. Multi-factor authentication or continuous authentication solutions are vital for safeguarding these communications.
Reporting obligations: CPOs must notify their respective Computer Security Incident Response Team (CSIRT) or competent authority without undue delay in case of significant incidents. They should also communicate timely information about significant cyber threats to potentially affected service recipients, including recommended measures or remedies.
Continuous security training: Regular cybersecurity training for management bodies and employees is essential to maintain and implement cybersecurity measures effectively, ensuring commitment across all organizational levels.

Requirements for charge point management systems

To ensure CPO’s compliance with NIS2, charge point management system providers should translate their requirements into the product development process to ensure security requirements are met.

Advanced security protocols, proportionate to the risks to manage and monitor the cybersecurity health of the entire EV charging network.
Regular compliance checks and audits – CPMS providers must ensure that all suppliers comply with cybersecurity requirements by integrating regular compliance checks and audits through vetting and continuous monitoring of suppliers and service providers.
System security – should be integrated into the development and maintenance of the CPMS, thus ensuring vulnerabilities are promptly addressed. Continuous monitoring must be planned and executed on a regular basis to identify and mitigate new risks effectively.
Comprehensive training programs for staff and management must be incorporated into the general staff development strategy to raise awareness on the importance of NIS2 and be informed about the latest cybersecurity threats and practices.

ChargeUp Europe, representing the EV charging infrastructure industry across the EU, supports the enforced NIS2 directive and updated rules on network and information system security. With member companies operating over 175,000 charging points across all EU Member States, ChargeUp Europe emphasizes the critical importance of secure and reliable charging infrastructure to accelerate the adoption of zero-emission mobility. They advocate for EV charging infrastructure to be classified as critical infrastructure under the NIS Directive, ensuring robust security measures and privacy standards across the value chain. They also highlight the need for coherent definitions, multiple certification options, cost-effective compliance measures, and potential EU-level regulatory oversight to maintain a seamless and secure experience for EV drivers throughout Europe.

How AMPECO can help you with NIS2 compliance

As a leading White-Label EV Charging Management Software provider, AMPECO is fully committed to supporting Charge Point Operators (CPOs) in achieving and maintaining compliance with the NIS2 Directive. Our ISO 27001 certification ensures that our products meet high standards of information security management. Here’s how AMPECO’s robust software features align with the NIS2 requirements.

Advanced Security Protocols

AMPECO’s software integrates advanced security protocols to manage and monitor the cybersecurity health of your entire EV charging network. These protocols help mitigate risks and ensure that your infrastructure remains resilient against evolving cyber threats.

Data Encryption and Cryptography

To protect sensitive data such as user identities and payment information, AMPECO employs robust encryption standards. Our software ensures data encryption both in transit and at rest, adhering to the highest security standards and aligning with the cryptography policies mandated by NIS2.

Secure Development Practices

AMPECO’s development process follows stringent security practices, ensuring that our software is resilient against vulnerabilities. Regular updates and maintenance are carried out to promptly address new threats, ensuring your systems remain secure and compliant with NIS2 requirements.

Supplier Compliance and Monitoring

AMPECO thoroughly vets and continuously monitors all suppliers and service providers integrated into our software ecosystem. This ensures that every component of your charging network meets the necessary cybersecurity standards, facilitating a secure and compliant environment for your operations.

Incident Management

AMPECO is obligated to report any incidents related to the environment or data of the CPOs as a step of the Security Incident Management process. This would be the initial step towards the requirement of NIS2 for timely reporting to the local CSIRTs.

Business Continuity

AMPECO ensures business continuity by implementing practices for backup management, disaster recovery, and crisis management. These practices ensure that your CPMS operations can quickly recover and continue functioning smoothly in the event of an incident.

Multi-Factor Authentication

AMPECO supports multi-factor authentication (MFA) in our backend admin portal for added security, while the CPOs manage the end user MFA.

Important deadlines

By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from 18 October 2024. Directive (EU) 2016/1148 (the NIS Directive) is repealed with effect from 18 October 2024.

By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.

Obligations for Non-EU entities operating in the EU

Non-EU entities providing services within the European Union under the NIS 2 Directive must appoint a representative in one of the Member States where the services are offered. This representative establishes the entity’s jurisdiction within the respective Member State, and in the absence of a representative, any Member State where services are provided can take legal actions for directive infringements. When assessing sector-specific Union legal acts, they must, at a minimum, align with or surpass the cybersecurity risk-management requirements specified in Article 21(1) and (2) of the NIS 2 Directive. Emphasizing an ‘all-hazard approach,’ these measures should not only safeguard network and information systems but also address physical and environmental security, protecting against events like sabotage, theft, fire, flood, telecommunication or power failures, and unauthorized physical access that could compromise data integrity and service availability.

Ensure your EV charging network is fully secure and compliant with the NIS2 Directive.

Book a Consultation

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_131368643_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	No description available.
_hjTLDTest	session	No description available.
CONSENT	16 years 3 months 14 days 11 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_lfa	2 years	This cookie is set by the provider Leadfeeder. This cookie is used for identifying the IP address of devices visiting the website. The cookie collects information such as IP addresses, time spent on website and page requests for the visits.This collected information is used for retargeting of multiple users routing from the same IP address.
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

The CPO’s guide to the NIS2 Directive

Ivelina Kadiri