Achim Friedland

Title of proposal

Cybersecurity for the Open Charge Point Protocol as a Blue Print for Complex CRA Ecosystems

CRA Standards

Vertical standards for security requirements


What does the work you will carry out for the CYBERSTAND SSP consist of?

The work addresses the fundamental challenge that cybersecurity in certain product categories extends well beyond the immediate user and device. The EV charging infrastructure for example represents a highly interconnected and protocol-diverse ecosystem involving multiple stakeholders, including charging station manufacturers, metering vendors, charging station operators, roaming platforms, and grid actors. Yet the EU CRA imposes strict requirements for end-to-end security that must hold across the entire lifecycle and communication chain, regardless of how fragmented the system is in terms of vendors, protocols, or regulatory frameworks.

My contribution will focus on analyzing how existing standards and regulations, such as the Open Charge Point Protocol (OCPP), EU Measuring Instruments Directive, EU Alternative Fuels Infrastructure Regulation, and EU Network and Information Security Directive 2, can be reconciled under the cybersecurity objectives of the EU CRA. This includes identifying conflicting requirements, protocol gaps, and areas lacking formal security assurances.

What is the expected result and impact of this activity?

Based on this analysis, a comprehensive blueprint for a future harmonized cybersecurity vertical standard tailored to the e-mobility domain will be drafted. This blueprint will start with a systematic assessment of OCPP (already a CENELEC standard), analyze the remaining gaps with respect to e.g. EN 18031, and extend to adjacent protocols like OCPI, ISO 15118, and OpenADR. The goal is to define common cybersecurity controls, assurance levels, and update mechanisms applicable across the entire e-mobility stack, providing regulatory clarity and technical feasibility for manufacturers and operators alike.

Ultimately, this work will support the development of a standards-based cybersecurity reference architecture that is compliant with the EU CRA, while being pragmatic enough to ensure broad adoption in the e-mobility sector and beyond. This will help to reduce the cost of compliance, speed up the evolution of the protocols and standards, and help operators subject to EU NIS-2 to ensure uptime even after firmware updates, and to maintain cybersecurity and fast response times in case of failures, attacks and other unforeseen events.

Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?

The focus of my work lies in operationalising the horizontal requirements of the EU Cyber Resilience Act within a vertical and highly fragmented context: the e-mobility sector. This includes:

- End-to-End Security Requirements: Translating the CRA’s abstract cybersecurity and vulnerability handling obligations into concrete "secure by design/default" principles that apply coherently across multi-party, multi-protocol environments.

- Lifecycle Security Controls: Implementing the requirements of CRA Articles 10–15 across long-lived, safety-relevant infrastructure such as charging stations, including machine-readable conformity declarations, incident reporting, secure monitoring, mandatory in-field firmware update testing, and post-market security support.

- Assurance Level Mapping: Mapping CRA assurance levels to existing certification frameworks and domain-specific practices, e.g. BSI TR-03109 (SMGWs), metrological conformity modules, energy safety (IEC / EN 61851), and payment (PSD2). The aim is to provide harmonised guidance for manufacturers operating under multiple overlapping regulatory regimes.

Full Name: Achim Friedland
Country: Germany
Organisation: GraphDefined GmbH
Standards Development Organisation:
Working Groups and Technical Committees: CEN-CLC/JTC 13 WG 9, CEN-CLC/JTC 13 WG 6, ETSI CYBER-EUSR