A cyber-secure environment requires the implementation of data encryption mechanisms throughout the entire chain, from the vehicle (PKI) to the charging point and the management platform.
This is in compliance with the ISO 15118 standard and the Plug&Charge functionality (OCPP 2.0.1), which responds to the need to protect sensitive user and vehicle information, including banking data.
This is how Alejandro Valdovinos, Director of Institutional Relations and Prescription at Circontrol, explains it to Mobility Portal España, adding:
“Although it is not yet a requirement contemplated in any current law or regulation, work is underway to ensure that the entire charging ecosystem, from the electric car to the management platform, operates in a cyber-secure environment.”
The ISO 15118 and OCPP 2.0.1 standards not only facilitate secure communication between the car and the “refueling” device.
They also incorporate elements that automate identification and payment without user intervention.
This is in line with the provisions of the European AFIR Regulation, which came into force last year.
In this context, in 2023, the Instituto Tecnológico de la Energía (ITE) achieved a milestone by becoming the only Spanish company to obtain the OCPP 2.0.1 certification.
This provides a uniform solution for communication between charging stations and the charging station management system (CSMS).
This ensures that drivers can refuel their cars at various points, regardless of the manufacturer, without facing compatibility issues.
What advantages does this protocol offer to CPOs?
Not only does it optimize control of transaction data, but it also provides an additional layer of security, elevating the charging experience to the next level.
It also improves presentation and customer messaging, makes it easier to operate refuelling devices, ensures faster internet connectivity and contributes to reducing operating costs.
Its integration capacity with the ISO 15118 standard consolidates this solution.
And not only that
Artificial Intelligence (AI) is also emerging as a tool for CPOs.
Using advanced algorithms, it is possible to detect anomalies and automatically respond to threats in real time, protecting both the charging network and user data.
Is there a European cybersecurity regulation?
The NIS2 Directive, which came into force in October 2024, adds a new regulatory framework for cybersecurity in Europe.
This regulation considers charging networks as critical infrastructure due to their role in the energy and transport sectors.
To comply with NIS2, organizations must introduce stricter measures and policies for incident management, network protection and vulnerability management.
As well as evaluating and identifying cybersecurity risks and implementing measures to mitigate and manage them, among other aspects.
The directive states that it is not enough to ensure compliance solely by the company itself, but also by partners and service providers, such as hardware manufacturers.
Does this apply in Spain?
According to Article 41, it had to be transposed in all Member States, including the national territory, by 17 October 2024 at the latest, and became applicable on 18 October of that same year.
On 14 January, the Council of Ministers approved the draft of the Cybersecurity Coordination and Governance Act, with the aim of transposing Directive (EU) 2022/2555, also known as NIS2.
The ultimate goal of this regulation, developed by the State Secretariat for Security, is to strengthen the protection of information networks and systems.
The Council of Ministers has decided to give urgent administrative processing to the draft bill, so that it can be ratified by the Government in a second round as soon as possible and immediately begin parliamentary debate.
“The Ministry of the Interior will communicate the approval of this to the European Commission, given that the deadline for the transposition of the NIS2 Directive into Spanish internal law expired on October 17, 2024,” they said in a statement.
