Cybersecurity in check: eMobility sector calls for regulations to protect charging infrastructure

Electric vehicle (EV) charging points have become a critical component of the sustainable mobility ecosystem.

Their connectivity with the electrical grid, charge point operators (CPOs), and end users generates a continuous flow of data, rendering them an attractive target for cyberattacks.

Against this backdrop, Jakob Kleihues, CEO and co-founder of Enapi, says to Mobility Portal Europe:

“The EV charging space will constitute critical infrastructure. Therefore, in the future, should there be any form of international rivalries or disputes with certain regions, this network will require robust protection.”

In response to this concern, the industry anticipates a tightening of standards to ensure the security of the charging network.

“We expect a substantial increase in regulation within this sector, and we are already preparing for it,” asserts Kleihues.

To this end, the company is actively working on the implementation of ISO 15118.

This standard delineates how electric vehicles, charging stations, and management networks should communicate securely and efficiently.

Furthermore, security measures have been integrated into its cloud computing environment, which operates via AWS (Amazon Web Services).

It is noteworthy that each charging session entails the transmission of sensitive data, encompassing user authentication and billing for the energy consumed.

What regulatory framework does Europe enforce?

The NIS2 Directive, in effect since January 2023, establishes a common security framework for critical infrastructure across the European Union.

Although it does not focus exclusively on charging stations, its scope encompasses the energy and transport sectors, necessitating compliance with cybersecurity requirements by charge point operators (CPOs) from October 2024 onwards.

Alongside this directive, international standards such as IEC 62443 and ISO 27001 provide specific guidelines for managing security in industrial control systems and safeguarding sensitive data.

At present, risks such as the theft of users’ sensitive information persist.

To counter these threats, Enapi developed advanced security mechanisms to safeguard driver authentication.

Kleihues elaborates: “We assist our partners in ensuring that tokens are not easily retrievable.”

The company is also implementing measures to tackle various forms of fraud, which it detects regularly across Europe.

“We support CPOs and eMSPs in identifying fraudulent charging sessions between both parties, which proves highly beneficial,” he remarks.

AI as an ally in cybersecurity

One of the strategies to bolster security in charging infrastructure is the application of artificial intelligence (AI).

AI enables the real-time detection of anomalies, identification of fraudulent patterns, and enhancement of protection against cyber threats.

Numerous companies within the sector are deploying AI-driven solutions to automate threat detection and minimise human intervention in vulnerability identification.

Although AI is not Enapi’s core business focus, Kleihues underscores its significance: “Everything we build is AI-enabled, meaning that many processes within Enapi are AI-driven.”

Despite advancements in standards and technology, the challenge remains the effective implementation of these measures.

For many industry players, regulatory compliance and the adoption of new technologies pose financial and operational hurdles.

Nevertheless, the urgency of addressing these risks is undeniable.

As Kleihues states: “We currently conduct quarterly security audits, and in certain cases, even on a monthly basis.”

In this regard, one of the principal challenges lies in harmonising security requirements on a global scale, as each country is developing its own regulations.

In the United States, for instance, specific guidelines are being established for cybersecurity in charging stations, which may present interoperability challenges for businesses operating across multiple regions.

Read more: