The electric vehicle (EV) charging industry is experiencing explosive growth, driven by the global push for electric mobility and rising EV sales. However, this expansion spurs the need for improved cybersecurity. As EV charging infrastructure becomes increasingly interconnected and contains more and more digital access points, EV charging also becomes more vulnerable to cyberattacks.
Recognizing this growing threat to critical infrastructures, the European Union has introduced the NIS2 Directive, a comprehensive cybersecurity framework that significantly impacts the EV charging sector.
In this article, we'll discuss the details of NIS2, explaining what it means for companies in the eMobility industry. We'll identify the potential impact on Charge Point Operators (CPOs), eMobility Service Providers (eMSPs) and Charge Point Management Systems (CPMSs) providers. After that, we will reveal the steps you should take to comply with NIS2 and safeguard your organisation’s operations. Lastly, we’ll give an overview of the steps we have taken to be fully compliant and cyber resilient.
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, the successor to the 2016 NIS Directive) aims to ensure that EU countries better protect themselves against threats that could disrupt society or the economy. The goal is to strengthen critical sectors across the EU by establishing new rules on the cybersecurity of network and information systems.
'NIS2 expands the scope of the original directive, covering a broader range of sectors and introducing stricter requirements for cybersecurity risk management and reporting.'
The NIS2 Directive demands that if your organisation falls under the directive, you have the following obligations.
- Duty of care – You should carry out a security risk assessment. After that, you should take appropriate measures to guarantee a continuation of services and protect the information you use.
- Duty to report – You are obliged to report significant incidents to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Whether an incident counts as significant depends on factors like the number of users affected by the disruption, its duration, and the potential financial losses or other damage.
- Duty of supervision – Organisations covered by the NIS2 directive will be under supervision. The supervisory body will look at compliance with the directive. It is currently being worked out which sectors will fall under which supervisory body.
Which sectors are critical?
In addition to the sectors already covered by NIS1, such as energy, transport, healthcare, finance, water management and digital infrastructure, the NIS2 Directive also applies to providers of public electronic communications services, more digital services such as social platforms, wastewater and waste management, manufacturing of critical products, postal and courier services, public administration at both central and regional level, and space.
So, NIS2 also covers your organisation when operating in the EV charging infrastructure: Annex I of the directive explicitly lists operators of recharging points under the energy sector.
NIS2 Directive adoption by EU member states
The NIS2 Directive has to be transposed into national law by mid-October 2024. However, only nine EU member states had done so by February 2025. Most countries will have NIS2 adopted by the end of 2025, although some EU member states haven’t announced specific timelines yet. In Germany, for example, the new elections postponed any decisions on the NIS2 transposition.
'The EV charging infrastructure has been identified as a critical sector under the NIS2 Directive.'
The Netherlands, the location of our GreenFlux HQ, is one of the EU members late in adopting the Directive. In the third quarter of 2025, the NIS2 Directive is projected to be incorporated into the Cybersecurity Act (Cyberbeveiligingswet).
National NIS2 commitment
EU member states will have to set up a list of operators of essential services while ensuring they are compliant with the directive. For instance, GreenFlux was identified by the Dutch government as a member of critical infrastructure, meaning they reached out to us to assess the measures we’ve taken to set up and monitor our cybersecurity and compliance.
The Dutch government has set up a couple of handy tools to assess whether your organisation falls under NIS2 and how to perform a quick scan to check whether your organisation is NIS2-ready. If your Dutch is up to par, go for it here. If not, check your national CSIRT for assessment tools in your language.
Security vulnerabilities in the EV charging industry
The EV charging infrastructure has been identified as a crucial sector for the economy and society as a whole. As it runs on digital technology, interconnectivity, and data, the industry has multiple vulnerabilities of which it should be aware.
The next step is identifying these vulnerabilities and taking appropriate action. The main vulnerabilities in eMobility are:
- Vehicle control: Attackers could potentially take control of a vehicle's systems, compromising safety and causing accidents, as in the 2015 Jeep Cherokee hack, where researchers reached steering and braking remotely through the car's cellular-connected infotainment unit.
- Operational continuity: Any disruption in the EV charging infrastructure caused by cyberattacks can impact the availability and reliability of charging services.
- Data privacy: Electric vehicles collect a lot of personal data, such as driving habits, Personally Identifiable Information (PII), payment information and location information. Protecting this data from unauthorised access is essential.
- Charging infrastructure: Charging stations are often connected to the internet, making them vulnerable to cyberattacks. Hackers could disrupt charging processes or, again, steal sensitive information.
- Grid stability: Large-scale EV adoption already puts a heavy burden on the power grid. Because charging loads are increasingly steered remotely (smart charging, load balancing), an attacker who can inject or replay control messages could switch large amounts of load on or off at once. Secure communication and control systems are necessary to prevent such disruptions.
- Economic impact: Cyberattacks on eMobility infrastructure could lead to significant financial losses for CPOs, eMSPs, CPMS providers and EV drivers. It will also damage the industry's reputation.

Recent examples of eMobility cybersecurity incidents
Many incidents have occurred in the past decade. Let’s look closely at a couple of recent examples.
> CPO data breach — In mid-November 2024, ‘a prominent threat actor exposed approximately 116,000 records of sensitive data from multiple global CPOs,' Upstream reported. It was found that these breaches involved ‘multiple CPOs using a common EV charging application developed by an Indian EV energy management provider.’
The stolen data was published on a deep web hacking forum and included Personally Identifiable Information, vehicle details, charging station locations and OCPP (Open Charge Point Protocol) logs. The victims were from the UAE, Australia, Mexico, Puerto Rico, Guyana, Saudi Arabia, Oman, and India.
> Vehicle breach — In December 2024, a significant data breach was exposed at Volkswagen Group. Sensitive personal and location data of approximately 800,000 electric vehicle (EV) owners—including Volkswagen, Audi, Seat, and Skoda—could be found online for several months.
The breach was attributed to ‘a misconfigured Amazon cloud storage system managed by Volkswagen’s software subsidiary, Cariad,’ as Cybellum wrote.
> Charging stations breach — In 2024, Computest Security researchers gained access to three types of chargers during the Pwn2Own Automotive hacking competition in Tokyo. They found similar vulnerabilities in the three different EV chargers, allowing them to take full control of the investigated charging stations through Bluetooth.
As the cybersecurity company was also involved in gaining access to the Volkswagen Group car models, as mentioned above, Computest Security stated that the hacks ‘illustrate the lack of attention to security within the automotive industry’.
What are the consequences of NIS2 for your organisation?
For Charge Point Operators (CPOs), eMobility Service Providers (eMSPs) and Charge Point Management System (CPMS) providers alike, the implications of NIS2 are profound. The directive enforces stricter risk management and reporting requirements. We have listed them below.
1. Expanded scope and classification
NIS2 broadens the list of covered sectors, and Annex I now names operators of recharging points under the energy sector. This means that CPOs, especially when operating significant networks, will fall under the directive, as will CPMS providers and eMobility Service Providers (eMSPs), either directly or as suppliers to entities that do.
2. Enhanced cybersecurity risk management
All applicable organisations must implement robust cybersecurity risk management measures, such as risk assessments, incident response plans, and security policies. This involves adopting a comprehensive approach to security, addressing vulnerabilities across hardware, software, and network infrastructure, as we mentioned before.
3. Strict incident reporting obligations
NIS2 mandates timely and detailed reporting of significant cybersecurity incidents to the national CSIRT or competent authority (early warning within 24 hours, notification within 72 hours, final report within one month). CPOs, eMSPs and CPMS providers must establish clear procedures for detecting, reporting, and managing incidents, ensuring rapid response and mitigation. This means being able to classify an incident and decide whether it is reportable within hours, not days.
4. Supply chain security
The NIS2 Directive emphasizes the importance of supply chain security, requiring you to assess the cybersecurity practices of your suppliers and partners. This is particularly relevant for every operator in the EV charging industry, which relies on a complex network of hardware and software providers.
5. Governance and accountability
NIS2 holds management bodies accountable for cybersecurity compliance. Therefore, your organisation must ensure that leadership oversees, approves, and gets trained on the entity's cybersecurity measures and how to address cyber risks.
6. Penalties and enforcement
The directive introduces significant penalties for non-compliance, including substantial fines: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. National authorities will be responsible for enforcing NIS2, conducting audits, and taking corrective actions.

Eight steps to NIS2 compliance
To navigate the complexities of NIS2, your company should adopt a comprehensive cybersecurity and compliance approach.
Here are key steps to ensure you are compliant with NIS2. We do realise that the size of your organisation is decisive for the feasibility and extent of the steps you will take.
If you need any support in setting up proper security procedures, the Dutch CSIRT has published a list of basic cybersecurity measures to start from. This is particularly helpful if you’re an SME and don’t have a large team to take care of the required measures.
1. Conduct a comprehensive risk assessment
Identify potential cybersecurity risks and vulnerabilities in your organisation and across your EV charging infrastructure. Evaluate the impact of potential attacks and set up mitigation measures.
2. Develop a strong security policy
Establish clear cybersecurity policies and procedures, covering areas such as access control, data protection, and incident response. Many of you might already have a suitable framework in place, such as ISO 27001.
It’s also vital to ensure that all employees and partners are aware of and adhere to your security policies.
3. Implement security measures
Deploy security technologies such as intrusion detection systems, firewalls, and encryption to protect against cyber threats. Regularly update software and firmware to patch vulnerabilities, and implement strong authentication measures.
Also, harden the configuration of all your equipment, software, and network and internet connections: default credentials, unnecessary open services and unencrypted management interfaces are the weaknesses most often found on charging hardware.
4. Establish an incident response plan
Develop an incident response plan that also covers your procedures for detecting, containing, and recovering from cyberattacks. Make sure to regularly test the plan’s effectiveness.
5. Ensure supply chain security
Assess the cybersecurity practices of suppliers and partners, including charger manufacturers and software providers. To ensure you won’t be surprised by any shortcomings, conduct regular audits and write security requirements into your contracts.
6. Provide cybersecurity training
Educate employees, leadership and partners on cybersecurity best practices to promote a culture of security awareness.
7. Maintain documentation and reporting
Document all cybersecurity measures and incident reports, maintain accurate records for compliance purposes and establish clear reporting lines.
8. Stay updated with regulatory changes
Cybersecurity is changing all the time. Ensure your organisation is always aware of the latest regulatory changes and cyber threats in the EV charging industry.

How GreenFlux complies with NIS2
We’re happy to inform you of what NIS2 means for the EV charging sector and your organisation. However, do we also practice what we preach?
In 2024, GreenFlux made significant progress to ensure compliance with the NIS2 directive. Here’s an overview of the steps we’ve taken:
- Conducted a gap analysis between NIS2 and our ISO 27001 framework to identify necessary enhancements.
- Mapped NIS2 requirements to our Information Security Management System (ISMS) and aligned them with our Business Continuity Management System (BCMS) for operational resilience.
- Updated internal processes, policies, and incident management protocols to meet the directive’s expectations.
- Conducted internal audits over the summer and finalised compliance during an external audit in October 2024.
This provisional compliance reflects our commitment to aligning with NIS2, even as the Dutch government is in the process of translating the directive into national legislation. As mentioned earlier, this is expected to materialise in the third quarter of this year.
Foundation of the EVC-ISAC
Besides updating GreenFlux’s policies, security systems and protocols, we’ve also been active in setting up a cross-sector security organisation: the Dutch EVC-ISAC. An ISAC is an Information Sharing and Analysis Centre that should have strong ties to your local government and Cyber Security Incident Response Team.
It provides a safe and trusted environment where participants can exchange confidential information about threats, vulnerabilities, and other cybersecurity-related incidents. For GreenFlux, this has been a highly valuable collaboration, setting aside any competitiveness and truly focusing on improving the EV sector as a whole.
The future of NIS2 and EV charging security
NIS2 represents a significant step forward in securing the EV charging infrastructure and the players active in that industry. With that, companies in the EV charging industry will have to set up proper security protocols, ensuring they are ready when faced with a cyberattack.
For CPOs, eMSPs and CPMS providers, compliance with the NIS2 Directive is not merely a regulatory obligation but a must-have to stay ahead and secure in a fast-growing sector. By investing in robust cybersecurity measures and adhering to global standards, you can build trust with your customers, protect your company’s assets, and contribute to the safe and sustainable growth of the EV charging industry.
The transition to electric mobility is here to stay, and cybersecurity must be a foundational element of this transformation. That’s why you need to make security a cornerstone of your business.
By implementing the principles of NIS2, the EV charging industry as a whole—and your organisation in particular—can ensure a secure and reliable future for electric transportation. And that’s for the greater good of all!
Do you have any questions about implementing NIS2 or setting up a robust security policy? Would you like to know more about what GreenFlux has done to safeguard the company's security? Or, is your organisation interested in joining the EVC-ISAC? Let us know, we're happy to help!