Introduction

Cybersecurity risks associated with EV charging stations are escalating. To facilitate centralized management of these stations, whether situated in public spaces or private locations, Charge Point Operators need to operate several interconnected systems and are accountable for securing sensitive data such as user identities and payment information. The complexity and interconnection of those systems expose them to a range of cyber threats, including data breaches and potential disruptions to the power grid. Addressing these vulnerabilities is critical, necessitating robust security measures such as strong authentication protocols, encryption standards, and segmented network architectures. Regulatory frameworks, such as Europe’s NIS2 directive, aim to bolster cybersecurity standards for EV infrastructure, yet comprehensive industry collaboration remains vital to effectively safeguarding against evolving cyber threats.

The NIS 2 Directive, officially known as Directive (EU) 2022/2555, was published in December 2022 by the European Parliament and the Council. Its primary goal is to enhance cybersecurity across the European Union by establishing a high common level of security for network and information systems. This directive replaces its predecessor, the NIS Directive (Directive (EU) 2016/1148), and expands its scope to include a broader range of sectors and entities. We will explore the impact of the NIS 2 Directive on the EV charging sector and provide references to how AMPECO can solve NIS2 challenges.

NIS 2 Directive overview

The NIS 2 Directive introduces several measures for improved cybersecurity risk management, reporting obligations, and cooperation mechanisms, targeting essential and important entities in critical sectors such as energy, transport, health, and digital infrastructure.

In recognition of the crucial role of CPOs in the transition to sustainable transportation, Charge Point Operators are listed among the entities of the Energy sector in Annex I (sectors of high criticality) of the NIS2 Directive. Digital service providers who deliver cloud computing services, such as charge point management systems (CPMSs), also fall within the directive’s scope.

Below is an overview table summarizing key aspects of the directive.

Table 1. Key aspects of the NIS2 Directive


Impact on the EV charging sector

The NIS2 Directive emphasizes the adoption of an all-hazards approach to cybersecurity, compelling entities to protect their network and information systems comprehensively. According to Art.21, §2, the measures that aim to protect network and information systems and the physical environment of those systems from incidents include at least the following:

1. Policies on risk analysis and information system security;

2. Incident handling;

3. Business continuity, such as backup management and disaster recovery, and crisis management;

4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

7. Basic cyber hygiene practices and cybersecurity training;

8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption;

9. Human resources security, access control policies and asset management;

10. Multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity.

Requirements for charge point operators

The NIS2 Directive requires entities across sectors to adopt an all-hazards approach to cybersecurity, emphasizing comprehensive protection of network and information systems. For charge point operators (CPOs), this translates into several specific requirements designed to mitigate cybersecurity risks and ensure compliance.

  • Comprehensive risk management: CPOs must implement appropriate technical, operational, and organizational measures to manage cybersecurity risks effectively.
  • Robust policies and procedures: This includes implementing policies for risk analysis, information system security, and incident handling. Additionally, CPOs should establish procedures for business continuity, including backup management and disaster recovery, as well as secure asset management.
  • Supply chain security: CPOs need to address security-related aspects concerning their relationships with direct suppliers or service providers.
  • Cryptography and secure communications: Policies regarding cryptography and encryption must be enforced, ensuring secured communications and emergency systems within the entity. Multi-factor authentication or continuous authentication solutions are vital for safeguarding these communications.
  • Reporting obligations: CPOs must notify their respective Computer Security Incident Response Team (CSIRT) or competent authority without undue delay in case of significant incidents. They should also communicate timely information about significant cyber threats to potentially affected service recipients, including recommended measures or remedies.
  • Continuous security training: Regular cybersecurity training for management bodies and employees is essential to maintain and implement cybersecurity measures effectively, ensuring commitment across all organizational levels.

Requirements for charge point management systems

To support CPOs’ compliance with NIS2, charge point management system (CPMS) providers should translate the directive’s requirements into their product development process so that security requirements are met.

  • Advanced security protocols, proportionate to the risks, to manage and monitor the cybersecurity health of the entire EV charging network.
  • Regular compliance checks and audits – CPMS providers must ensure that all suppliers comply with cybersecurity requirements by integrating regular compliance checks and audits, through vetting and continuous monitoring of suppliers and service providers.
  • System security – security should be integrated into the development and maintenance of the CPMS so that vulnerabilities are promptly addressed. Continuous monitoring must be planned and executed on a regular basis to identify and mitigate new risks effectively.
  • Comprehensive training programs for staff and management must be incorporated into the general staff development strategy, raising awareness of the importance of NIS2 and keeping staff informed about the latest cybersecurity threats and practices.

ChargeUp Europe, representing the EV charging infrastructure industry across the EU, supports the enforced NIS2 directive and updated rules on network and information system security. With member companies operating over 175,000 charging points across all EU Member States, ChargeUp Europe emphasizes the critical importance of secure and reliable charging infrastructure to accelerate the adoption of zero-emission mobility. They advocate for EV charging infrastructure to be classified as critical infrastructure under the NIS Directive, ensuring robust security measures and privacy standards across the value chain. They also highlight the need for coherent definitions, multiple certification options, cost-effective compliance measures, and potential EU-level regulatory oversight to maintain a seamless and secure experience for EV drivers throughout Europe.

How AMPECO can help you with NIS2 compliance

As a leading White-Label EV Charging Management Software provider, AMPECO is fully committed to supporting Charge Point Operators (CPOs) in achieving and maintaining compliance with the NIS2 Directive. Our ISO 27001 certification ensures that our products meet high standards of information security management. Here’s how AMPECO’s robust software features align with the NIS2 requirements.

Advanced Security Protocols

AMPECO’s software integrates advanced security protocols to manage and monitor the cybersecurity health of your entire EV charging network. These protocols help mitigate risks and ensure that your infrastructure remains resilient against evolving cyber threats.

Data Encryption and Cryptography

To protect sensitive data such as user identities and payment information, AMPECO employs robust encryption standards. Our software ensures data encryption both in transit and at rest, adhering to the highest security standards and aligning with the cryptography policies mandated by NIS2.

Secure Development Practices

AMPECO’s development process follows stringent security practices, ensuring that our software is resilient against vulnerabilities. Regular updates and maintenance are carried out to promptly address new threats, ensuring your systems remain secure and compliant with NIS2 requirements.

Supplier Compliance and Monitoring

AMPECO thoroughly vets and continuously monitors all suppliers and service providers integrated into our software ecosystem. This ensures that every component of your charging network meets the necessary cybersecurity standards, facilitating a secure and compliant environment for your operations.

Incident Management

As part of its Security Incident Management process, AMPECO is obligated to report any incidents affecting the environment or data of CPOs. This is the initial step towards meeting the NIS2 requirement for timely reporting to the local CSIRTs.

Business Continuity

AMPECO ensures business continuity by implementing practices for backup management, disaster recovery, and crisis management. These practices ensure that your CPMS operations can quickly recover and continue functioning smoothly in the event of an incident.

Multi-Factor Authentication

AMPECO supports multi-factor authentication (MFA) in our backend admin portal for added security, while CPOs manage MFA for their end users.

Important deadlines

By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from 18 October 2024. Directive (EU) 2016/1148 (the NIS Directive) is repealed with effect from 18 October 2024.

By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.

Obligations for Non-EU entities operating in the EU

Non-EU entities providing services within the European Union under the NIS 2 Directive must appoint a representative in one of the Member States where the services are offered. This representative establishes the entity’s jurisdiction within the respective Member State; in the absence of a representative, any Member State where services are provided can take legal action for infringements of the directive. Sector-specific Union legal acts, when assessed against the directive, must at a minimum align with or surpass the cybersecurity risk-management requirements specified in Article 21(1) and (2) of the NIS 2 Directive. Emphasizing an ‘all-hazards approach,’ these measures should not only safeguard network and information systems but also address physical and environmental security, protecting against events like sabotage, theft, fire, flood, telecommunication or power failures, and unauthorized physical access that could compromise data integrity and service availability.

Ensure your EV charging network is fully secure and compliant with the NIS2 Directive.

Author

Ivelina Kadiri

Policy Compliance Manager

About the author

Ivelina is a trend-seeking policy compliance manager who skillfully navigates complex regulatory landscapes and bridges the gap between sustainable transportation goals and actionable implementation.