Introduction
The global electric vehicle revolution has created significant demand for charging infrastructure, with millions of new charging stations deployed across developed and emerging markets. This rapid expansion has occurred within an increasingly complex regulatory environment where standards and compliance requirements vary substantially across geographic jurisdictions. Unlike mature infrastructure sectors that have benefited from decades of standardization, EV charging standards remain actively evolving, with regional variations and competing technical approaches creating substantial operational and financial complexity for charging point operators (CPOs).
Understanding the global standards landscape is essential for CPOs seeking to deploy compliant charging networks that function seamlessly across jurisdictions. The regulatory environment encompasses communication protocol standards governing how charging equipment communicates with vehicles and management systems, cybersecurity frameworks protecting infrastructure from digital threats, data privacy regulations protecting consumer information, and payment processing standards governing financial transactions. This analysis examines the foundational standards, regulatory requirements, and compliance frameworks that define the EV charging ecosystem globally.
Part 1: Communication Protocol Standards
ISO 15118: Vehicle-to-Charger Communication and Authentication
ISO 15118 represents the international standard for secure communication between electric vehicles and charging stations. The standard fundamentally changes how EV owners interact with charging infrastructure through Plug & Charge functionality, which enables authenticated charging sessions without manual authorization steps[1]. The protocol leverages Transport Layer Security (TLS) encryption and Public Key Infrastructure (PKI) with X.509 certificate-based authentication mechanisms[1][2].
The standard provides multiple protective functions including end-to-end encrypted communication channels protecting session data from eavesdropping, secure payment and billing information exchange between vehicles and charging infrastructure, vehicle identification and authorization capabilities, and comprehensive contract certificate management systems enabling cross-network charging operations[1]. The technical architecture places certificates at the center of charging session authentication, requiring both vehicles and charging stations to present valid credentials before establishing charging operations.
Regulatory implementation of ISO 15118 has accelerated across major markets. In the European Union, ISO 15118 compliance became mandatory for all alternating current (AC) charging stations deployed from June 2025 onwards, with additional requirements mandating compliance for new and renovated private charging installations by January 2027 pursuant to ISO 15118-20:2022[3]. This regulatory mandate represents a significant shift for European charging infrastructure, establishing certificate-based authentication as the baseline security architecture. The United States has similarly adopted ISO 15118-3 as a technical requirement for NEVI-funded infrastructure, requiring charging equipment to be hardware-capable of supporting ISO 15118-2 and ISO 15118-20 implementations[4].
The transition to ISO 15118 requires substantial investment in Public Key Infrastructure systems. Charging networks must establish processes for certificate issuance, distribution, renewal, and revocation. Certificate authorities must operate reliably to handle millions of vehicle certificates and charging station certificates across geographic regions. The complexity increases substantially when considering that vehicles from different manufacturers may operate across networks managed by different CPOs, requiring interoperable certificate management systems[5].
However, ISO 15118 compliance alone does not guarantee comprehensive security. Recent academic research has identified an architectural limitation: the standard secures vehicle-to-charger communication through encryption and certificate-based authentication, but it provides no mechanism to verify charger integrity or to detect compromised charging equipment that holds valid certificates while running malicious firmware[6]. An attacker who compromises a charging station's software could therefore, in principle, deliver over-voltage or over-current conditions to a connected EV battery while the station's certificates remain valid, because the authentication standard makes no guarantee about the equipment's internal behavior[6].
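Because a valid certificate says nothing about what the charger actually does, a CPO can add a back-end plausibility check on the values the station reports during a session. The following is an added example, not code from the original analysis or from any referenced project: it compares charger-reported voltage and current (as a CSMS would receive them in meter values) against an operating envelope and alerts only on a sustained excursion. The envelope limits, the sample telemetry and the `Sample`/`Envelope` names are constructed for the example; in practice the limits would come from the EV's negotiated limits or the station's rated values.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Envelope:
    """Operating limits for one charging session (constructed values for the example)."""
    max_voltage_v: float
    max_current_a: float


@dataclass(frozen=True)
class Sample:
    """One telemetry reading as the charger reports it to the management system."""
    ts_s: int          # seconds since session start
    voltage_v: float   # charger-reported DC voltage
    current_a: float   # charger-reported DC current


def exceeds(sample: Sample, env: Envelope) -> bool:
    """True when the reported voltage or current is above the envelope."""
    return sample.voltage_v > env.max_voltage_v or sample.current_a > env.max_current_a


def violations(samples: List[Sample], env: Envelope) -> List[Sample]:
    """All readings outside the envelope, for the incident record."""
    return [s for s in samples if exceeds(s, env)]


def should_alert(samples: List[Sample], env: Envelope, consecutive: int = 3) -> bool:
    """Alert only when `consecutive` readings in a row exceed the envelope.

    A single noisy reading should not page anyone, but a run of out-of-limit readings
    from a station whose certificate checks out is exactly the case certificate-based
    authentication cannot detect on its own.
    """
    run = 0
    for s in samples:
        if exceeds(s, env):
            run += 1
            if run >= consecutive:
                return True
        else:
            run = 0
    return False


# Constructed session telemetry: the first two readings are inside the envelope,
# then the reported current and later the voltage climb above the limits.
ENVELOPE = Envelope(max_voltage_v=410.0, max_current_a=125.0)
SAMPLES = [
    Sample(0, 398.0, 120.0),
    Sample(10, 400.0, 124.0),
    Sample(20, 402.0, 140.0),
    Sample(30, 430.0, 150.0),
    Sample(40, 435.0, 152.0),
    Sample(50, 436.0, 150.0),
]

if __name__ == "__main__":
    for s in violations(SAMPLES, ENVELOPE):
        print(f"t={s.ts_s:>3}s out of envelope: {s.voltage_v} V / {s.current_a} A")
    print("alert:", should_alert(SAMPLES, ENVELOPE))
```

The consecutive-run threshold is a design choice: it trades a few seconds of detection latency for far fewer false alerts from measurement noise, and the full violation list is still kept for the incident record.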
OCPP: The Charging Station Management Protocol
The Open Charge Point Protocol (OCPP) defines the technical specifications for communication between charging stations and central management systems operated by CPOs[7]. OCPP functions as the operational backbone of charging networks, enabling remote monitoring, configuration, and control of deployed charging equipment. The protocol defines multiple security profiles with increasing security requirements.
OCPP Security Profile 2 requires TLS 1.2 or higher encryption with server-side certificate authentication and password-based client authentication[7][8]. This profile provides basic protection for communications between charging stations and management systems. Security Profile 3 adds mutual certificate-based client authentication, requiring charging stations to present valid certificates when connecting to management systems[8]. Together these profiles address eavesdropping on communications and impersonation of charging stations, and they apply channel encryption to all sessions.
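The two profiles differ only in how the charging station is authenticated, which is easy to get wrong on the management-system side. The following is an added example, not code from the original analysis or from the Open Charge Alliance: it builds the server-side TLS context for Profile 2 (TLS 1.2 minimum, station authenticated by HTTP Basic credentials sent with the WebSocket upgrade request) and Profile 3 (the same, plus a mandatory client certificate), and validates the Basic credentials with a constant-time comparison. The station identity, the authorization key and the `/ocpp/<station-id>` URL path are constructed for the example.

```python
import base64
import hmac
import ssl
from typing import Dict, Optional


def csms_server_context(profile: int, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context for the management system (CSMS).

    Profile 2: TLS 1.2 or higher, server authenticated by its certificate, station
               authenticated by Basic credentials (no client certificate requested).
    Profile 3: as Profile 2, plus a client certificate is required (mutual TLS).
    The CA bundle used to verify station certificates is passed in for Profile 3.
    """
    if profile not in (2, 3):
        raise ValueError("only security profiles 2 and 3 use TLS")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # reject TLS 1.0/1.1 handshakes
    if profile == 3:
        ctx.verify_mode = ssl.CERT_REQUIRED         # station must present a certificate
        if ca_file:
            ctx.load_verify_locations(ca_file)
    return ctx


def basic_auth_header(station_id: str, auth_key: str) -> str:
    """Authorization header the station sends in its WebSocket upgrade request."""
    token = base64.b64encode(f"{station_id}:{auth_key}".encode()).decode()
    return f"Basic {token}"


def authenticate_station(header: Optional[str], request_path: str,
                         keys: Dict[str, str]) -> Optional[str]:
    """Validate Profile 2 credentials on the CSMS. Returns the station id or None.

    Checks the scheme, well-formed base64, a known identity, a constant-time key
    comparison, and that the identity in the credentials is the one named at the
    end of the WebSocket URL path, so a station cannot log in as another station.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    station_id, sep, presented = raw.partition(":")
    if not sep or not station_id:
        return None
    expected = keys.get(station_id)
    # Compare against an empty key for unknown identities so that timing does not
    # reveal whether the identity exists; the result is discarded below anyway.
    matches = hmac.compare_digest(presented.encode(), (expected or "").encode())
    if expected is None or not matches:
        return None
    if request_path.rstrip("/").rsplit("/", 1)[-1] != station_id:
        return None
    return station_id


# Constructed credential store: station identity -> authorization key (not real values).
STATION_KEYS = {"CS-0001": "constructed-key-not-for-production"}

if __name__ == "__main__":
    hdr = basic_auth_header("CS-0001", STATION_KEYS["CS-0001"])
    print("profile 2 verify_mode:", csms_server_context(2).verify_mode)
    print("profile 3 verify_mode:", csms_server_context(3).verify_mode)
    print("auth ok:", authenticate_station(hdr, "/ocpp/CS-0001", STATION_KEYS))
```

The path check matters in practice: OCPP identifies the station by the last path segment of the WebSocket URL, and accepting credentials for one identity on another identity's endpoint lets a compromised key impersonate any station in the fleet.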
The United States NEVI Program mandates OCPP 2.0.1 compliance by 2025 for federally funded infrastructure, establishing this as the baseline protocol for new deployments receiving federal investment[4]. The earlier OCPP 1.6 remains widely deployed in existing infrastructure, though regulatory pressures are accelerating upgrades. OCPP 2.0.1 introduces enhanced security capabilities compared to 1.6, including improved authentication mechanisms and stronger cryptographic defaults[8].
OCPP operates as a critical integration point between multiple systems. Charging stations communicate with CPO management systems through OCPP, reporting charging session data, equipment status, and transaction information. Management systems use OCPP to configure charging equipment, set pricing, manage access controls, and implement firmware updates. This central role in charging network operations makes OCPP security particularly important, as compromised OCPP communications could enable attackers to manipulate charging behavior across entire networks[7].
OCPI: Cross-Network Roaming and Data Exchange
OCPI 2.2.1 enables roaming functionality and data sharing between CPOs and eMobility Service Providers (eMSPs), facilitating secure credential exchange, authorization token validation, encrypted roaming data transmission, and settlement and billing security across independent charging networks[9]. OCPI enables a seamless user experience in which drivers can charge at networks managed by different operators using a single set of credentials or payment methods.
The regulatory environment mandates OCPI adoption across major markets. The United States NEVI Program requires OCPI 2.2.1 compliance by 2025 for federally funded infrastructure[4]. The United Kingdom Public Charge Point Regulations require OCPI compatibility for reference data and availability data sharing in machine-readable formats[10]. AFIR (Alternative Fuels Infrastructure Regulation) in the EU requires network-to-network data sharing enabling cross-border roaming and transparent pricing[11].
OCPI compliance introduces additional complexity for CPOs, as it requires secure API integrations with other networks and credential exchange procedures. CPOs must establish trust relationships with roaming partners, manage data sharing agreements, and implement API authentication and encryption. The cross-network nature of OCPI creates potential lateral movement risks, where a security compromise affecting one roaming network participant could potentially provide attackers access to consumer data across multiple associated networks[9].
IEC 62443: Industrial Control System Security
IEC 62443 provides comprehensive security requirements applicable to EV charging infrastructure components and systems[12]. The standard specifies security requirements across network layer, transport layer, and application layer implementations with mandatory Public Key Infrastructure (PKI) integration[12]. IEC 62443 requirements include tamper resistance mechanisms preventing physical attacks, cabling security for energy management connections, least privilege enforcement for system access, cryptographic protection of wide-area network communications, resilience against denial-of-service attacks, logical network segregation, and automated key and password management systems[12].
IEC 62443 represents a substantial increase in required security maturity for charging equipment manufacturers. The standard's stringent requirements for device hardening, network segmentation, and cryptographic protection have driven significant engineering investments across the industry. Charging equipment manufacturers must implement security features that may increase hardware costs and product development timelines[12].
The standard provides a structured approach to security maturity, with different implementation levels reflecting varying security capabilities. This tiered approach enables manufacturers to implement baseline security features while supporting advanced deployments requiring comprehensive hardening[12].
Part 2: Data Protection and Privacy Standards
GDPR: The European Privacy Baseline
The General Data Protection Regulation (GDPR) establishes strict obligations for handling personal data in EV charging across the European Union and European Economic Area[13]. GDPR mandates data minimization (collecting only essential personal data), explicit consent before data collection and processing, transparent privacy notices, and comprehensive user rights including access, portability, erasure, rectification, and objection[13]. These requirements apply to any CPO serving EU residents, regardless of where the CPO's operations are located.
Personal data protected under GDPR in the EV charging context includes charging session data (timestamps, duration, energy consumed), location data (GPS coordinates of charging station locations), user identification data (user accounts, RFID identifiers, vehicle identifiers), payment and billing information, roaming identifiers for cross-network charging, authentication credentials and tokens, behavioral data reflecting charging patterns, and communication metadata[13]. This comprehensive data collection needed for charging network operations creates substantial data protection obligations.
CPOs must implement data protection by design, integrating privacy considerations into system architecture from initial conception rather than adding privacy as an afterthought[13]. Data collection must be limited to information strictly necessary for charging service provision, payment processing, and infrastructure maintenance. CPOs cannot store personal data indefinitely; Article 5(1)(e) requires defined retention periods with automatic deletion when retention purposes are fulfilled[13].
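Data minimization and the Article 5(1)(e) retention requirement translate into a scheduled job over the session store. The following is an added example, not code from the original analysis: it applies a two-stage retention policy to charging session records, replacing direct identifiers with a keyed hash once the dispute window has passed (so aggregate statistics still work) and deleting the whole record once the billing retention period ends. The 90-day and 730-day periods, the `Session` fields and the sample records are assumptions constructed for the example; GDPR itself sets no fixed durations.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed retention policy for the example (not taken from the regulation).
PSEUDONYMISE_AFTER = timedelta(days=90)    # end of the assumed dispute window
DELETE_AFTER = timedelta(days=730)         # end of the assumed billing retention period


@dataclass(frozen=True)
class Session:
    session_id: str
    ended_at: datetime
    user_id: Optional[str]       # account identifier (personal data)
    rfid_uid: Optional[str]      # RFID token identifier (personal data)
    station_id: str
    kwh: float
    amount_eur: float
    pseudonymised: bool = False


def pseudonymise(s: Session, secret: bytes) -> Session:
    """Replace direct identifiers with a keyed hash.

    The record can still be grouped per (pseudonymous) user for statistics, but
    without the secret it no longer identifies a person. Already-pseudonymised
    records are returned unchanged so the job is safe to re-run.
    """
    if s.pseudonymised:
        return s

    def h(value: Optional[str]) -> Optional[str]:
        if value is None:
            return None
        return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]

    return replace(s, user_id=h(s.user_id), rfid_uid=h(s.rfid_uid), pseudonymised=True)


def apply_retention(sessions: List[Session], now: datetime,
                    secret: bytes) -> Tuple[List[Session], List[str]]:
    """Return (records to keep, ids of records to delete) under the policy."""
    kept: List[Session] = []
    deleted: List[str] = []
    for s in sessions:
        age = now - s.ended_at
        if age >= DELETE_AFTER:
            deleted.append(s.session_id)
        elif age >= PSEUDONYMISE_AFTER:
            kept.append(pseudonymise(s, secret))
        else:
            kept.append(s)
    return kept, deleted


# Constructed sample data: one recent session, one past the dispute window,
# one past the billing retention period.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SECRET = b"constructed-pseudonymisation-key"   # in production: kept in a secrets store
SESSIONS = [
    Session("S-1", NOW - timedelta(days=10), "user-42", "04A1B2C3", "CS-0001", 12.4, 6.20),
    Session("S-2", NOW - timedelta(days=200), "user-42", "04A1B2C3", "CS-0002", 30.1, 15.05),
    Session("S-3", NOW - timedelta(days=800), "user-77", None, "CS-0001", 8.0, 4.00),
]

if __name__ == "__main__":
    kept, deleted = apply_retention(SESSIONS, NOW, SECRET)
    for s in kept:
        print(s.session_id, s.user_id, s.rfid_uid, "pseudonymised" if s.pseudonymised else "raw")
    print("delete:", deleted)
```

Keeping the pseudonymisation secret separate from the session store is what makes the second stage meaningful: whoever can read the records should not also be able to reverse the hashes.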
The GDPR breach notification requirement establishes one of the most stringent timelines in global privacy law. Organizations must notify supervisory authorities within 72 hours of becoming aware of any personal data breach[14][15]. This timeline creates significant operational pressure on CPOs to maintain rapid incident detection, investigation, and notification capabilities. Failure to meet this timeline without reasonable justification triggers substantial penalties, with fines potentially reaching €10 million or 2% of global annual revenue[15].
PCI DSS: Payment Card Industry Standards
PCI DSS compliance has become mandatory for any EV charging operator processing credit or debit card payments[16][17]. The standard defines four compliance levels based on transaction volume, with Level 1 (highest volume) requiring quarterly network scanning by Payment Card Industry Approved Scanning Vendors and annual on-site security assessments by Qualified Security Assessors[16].
PCI DSS requirements include advanced encryption for all transaction data, multi-factor authentication for payment processing, tokenization to replace sensitive card data with non-sensitive equivalents, real-time fraud detection and prevention systems, and prohibitions against plaintext logging of sensitive payment data[17]. CPOs must never store CVV/CVC security codes and must ensure cardholder data environments (CDEs) maintain segregation from other systems[16][17].
Many CPOs address PCI DSS requirements through payment tokenization and point-to-point encryption, ensuring that charging equipment never directly handles unencrypted payment card data[17]. However, integration complexity increases substantially when CPOs offer multiple payment methods including credit/debit cards, digital wallets (Apple Pay, Google Pay), RFID payment cards, and NFC contactless payments. Each payment method introduces distinct security requirements and compliance obligations[17].
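Two of the PCI DSS obligations above, never storing CVV/CVC codes and never logging sensitive card data in plaintext, are typically enforced at the point where records and log lines leave the payment component. The following is an added example, not code from the original analysis or from any payment provider: it scrubs application log lines by removing CVV fields and masking any digit run that passes the Luhn check to the first six and last four digits, and it strips forbidden fields from a record before it is persisted. The log lines, field names and the `4111111111111111` test number are constructed for the example.

```python
import re
from typing import Dict, Any

# A 13-19 digit run not adjacent to other digits: a candidate primary account number (PAN).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Card verification value in key=value or key: value form, e.g. "cvv=123".
_CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}")
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "cid"}


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell account numbers apart from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, which PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str) -> str:
    """Remove CVV fields and mask Luhn-valid digit runs before the line is written."""
    line = _CVV_FIELD.sub(lambda m: f"{m.group(1)}=[REMOVED]", line)
    return _PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_valid(m.group(1)) else m.group(1), line)


def strip_forbidden_fields(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop fields that must never be stored and mask the PAN before persistence.

    In a tokenized design the PAN itself would be replaced by a vault token; the
    mask here is the minimum that keeps a record useful for support lookups.
    """
    out = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_KEYS}
    if "pan" in out and isinstance(out["pan"], str) and luhn_valid(out["pan"]):
        out["pan"] = mask_pan(out["pan"])
    return out


# Constructed log lines: the session id is 16 digits but fails Luhn and is left alone.
LOG_LINES = [
    "2025-06-01T10:00:00Z INFO session=1234567890123456 station=CS-0001 kwh=12.4",
    "2025-06-01T10:00:01Z DEBUG payment pan=4111111111111111 cvv=123 amount=6.20",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(scrub_log_line(line))
    print(strip_forbidden_fields({"pan": "4111111111111111", "cvv": "123", "amount": 6.20}))
```

The Luhn check is what keeps the scrubber from mangling session ids, meter serials and timestamps that happen to be long digit runs; it is a filter, not a guarantee, so the scrubber belongs at the log sink in addition to, not instead of, tokenization at the terminal.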
SOC 2 Type II Certification
SOC 2 Type II certification, established by the American Institute of Certified Public Accountants (AICPA), verifies that organizations maintain rigorous controls to safeguard customer data over extended periods[18]. The certification covers Trust Services Criteria including security, availability, processing integrity, confidentiality, and privacy[18]. SOC 2 Type II has become the industry standard for EV charging management platforms and is increasingly an implicit requirement in enterprise procurement processes[18][19].
SOC 2 Type II certification requires organizations to demonstrate continuous control effectiveness over audit periods typically spanning 12 months, providing evidence of systematic security practices, secure development processes, access controls, and incident response procedures[18]. For EV charging platform providers and large CPOs, SOC 2 Type II certification has become essential for enterprise partnerships, with many energy companies and fleet operators refusing to integrate with uncertified platforms[18][19].
ISO/IEC 27001: Information Security Management
ISO/IEC 27001 establishes comprehensive information security management frameworks applicable to EV charging backend systems, data handling policies, and risk management procedures[20]. The standard requires risk assessment and treatment, establishment of robust policies and procedures for securing information, continuous improvement through regular monitoring and review, and systematic vendor relationship management[20].
ISO/IEC 27001 certification has become increasingly required in public tenders and enterprise partnerships for EV charging operators[20]. The certification demonstrates institutional commitment to systematic information security management rather than ad-hoc security practices[20].
Part 3: Regional Regulatory Requirements
United States: NEVI Program Minimum Standards
The National Electric Vehicle Infrastructure (NEVI) Program establishes minimum standards for federally funded EV charging infrastructure, creating binding requirements for any CPO seeking federal investment[21]. Customer data protection requirements mandate that charging operators collect, process, and retain only personal information strictly necessary to provide charging services, maintain PCI DSS compliance for payment data, take reasonable measures to safeguard customer data, and securely measure, communicate, store, and report energy, status, pricing, and uptime data[21].
Cybersecurity measures are mandatory for states applying for NEVI funding, requiring charging equipment to guarantee physical security and protect driver personal information[21]. NEVI-funded infrastructure must achieve 99% network uptime and must support contactless payment methods, transparent real-time pricing, and open data access[21].
Technical requirements mandate ISO 15118-3 compliance with hardware capable of supporting ISO 15118-2 and ISO 15118-20, OCPP 2.0.1 compliance by 2025, and OCPI 2.2.1 compliance by 2025 for roaming functionality[4]. These mandates have created a tight compliance timeline for CPOs deploying federally funded infrastructure, requiring simultaneous upgrades to communication protocols, payment systems, and network management systems within the 2025 deadline[4].
European Union: AFIR and NIS2
The Alternative Fuels Infrastructure Regulation (AFIR), effective April 13, 2024, mandates minimum service requirements for EV charging across the EU[11]. Payment requirements specify that ad-hoc payment must be mandatory for charging points deployed after April 13, 2024, contactless payment is required for chargers exceeding 50kW, transparent pricing per kWh and per minute must be clearly displayed, and pricing must remain non-discriminatory across user categories[11].
Connectivity and smart charging requirements mandate that all stations deployed from April 2024 must be digitally connected supporting smart charging, real-time bidirectional communication with grid and EVs, and remote monitoring and control capabilities[11]. Data accessibility requirements (Article 20) mandate that beginning April 14, 2025, all CPOs must report static and dynamic data to National Access Points with public API access and free data access to end-users[11].
The NIS2 Directive implements European cybersecurity requirements for critical infrastructure, with EV charging networks considered critical infrastructure within member states[22]. Requirements include strong access controls, encryption requirements, and continuous monitoring systems, with regulatory authorities empowered to enforce compliance through substantial penalties[22].
United Kingdom: Public Charge Point Regulations
The UK Public Charge Point Regulations (PCPR) 2023, effective July/November 2023, impose specific compliance obligations[23][24]. Reliability requirements mandate 99% minimum network reliability for rapid charge points (above 50kW), measured annually across a CPO's entire rapid network[23][24]. Contactless payment requirements mandate contactless payment capability for new 8kW+ chargers and all existing 50kW+ rapid chargers by November 24, 2024[24].
Pricing transparency requires that total cost in pence per kWh be displayed on chargers or accessible through apps or websites without signup requirements[23]. CPOs must maintain 24/7 staffed telephone helplines with visible contact information at all locations[23]. Open data requirements mandate OCPI availability with updates within 30 seconds, roaming capability through at least one provider, and annual reporting beginning 2026[24]. Non-compliance penalties reach £10,000 per non-compliant charge point, creating substantial financial liability for operators with large networks[24].
China: Mandatory Certification Requirements
China implemented mandatory China Compulsory Certification (CCC) requirements for all EV charging equipment effective March 1, 2025, pursuant to CNCA Announcement No. 25 (2024)[25]. Implementation rules designated as CNCA-C25-01:2024 require compliance with GB/T 20234.2 for AC connectors, GB/T 20234.3 for DC connectors (permitting up to 250kW at 1000V and 250A), and GB/T 27930 for interoperability[25]. China Quality Certification Center (CQC) guideline CQC-C2501-2025 provides conformance criteria for AC and DC charging equipment[25].
The CCC requirement applies to all charging equipment manufactured for or imported into China, creating barriers to entry for non-compliant manufacturers but enabling market consolidation around certified suppliers[25].
India: Bureau of Indian Standards Certification
India requires Bureau of Indian Standards (BIS) IS 17017 certification for all EV charging equipment, with alignment to international IEC 61851 and IEC 62196 standards[26]. Each EVSE model must undergo type testing by accredited agencies or laboratories, with certificates valid for three-year periods[26]. The Ministry of Power appointed the Bureau of Energy Efficiency as the Central Nodal Agency, issuing guidelines in June 2024 requiring compliance with BIS standards, Bharat Standards (AC001, DC001), and CEA regulations[26].
Open communication protocols (OCPP) are recommended for demand response between utilities and public charge points, enabling grid operators to manage charging loads during peak demand periods[26].
Part 4: Implementation Considerations and Compliance Strategies
Regional Compliance Roadmap
Given divergent regulatory requirements across regions, CPOs should develop region-specific compliance strategies:
EU Region: EU CPOs should prioritize ISO 15118 compliance for AC charging (mandatory by June 2025), establish comprehensive GDPR data protection programs, implement AFIR payment and data accessibility requirements, and prepare NIS2 critical infrastructure compliance frameworks[11][27]. Resource allocation should prioritize PKI implementation and certificate management systems supporting ISO 15118 authentication[27].
US Region: North American CPOs should focus on NEVI compliance for federally funded infrastructure, requiring OCPP 2.0.1 deployment by 2025, PCI DSS payment processing compliance, and state-specific privacy regulations such as CCPA in California[21][28]. Charging networks should implement contactless payment capability and real-time pricing transparency systems meeting NEVI requirements[21].
Asia-Pacific Region: CPOs operating in this region must navigate diverse regulatory environments requiring India BIS certification, China CCC mandatory certification (effective 2025), Taiwan VPC cybersecurity certification, and emerging privacy regulations[25][26]. Manufacturer partnerships and supply chain planning should begin immediately to ensure certification compliance for 2025 Chinese market entry requirements[25][26].
Standards Integration and Interoperability
The technical complexity of deploying compliant charging networks extends beyond meeting individual standards to ensuring that different standards work together cohesively. ISO 15118 vehicle authentication integrates with OCPP charging station management, which in turn integrates with OCPI roaming capabilities. A failure in any component compromises the entire value chain.
CPOs must ensure that implemented standards function together effectively. Certificate management systems supporting ISO 15118 must integrate with OCPP management platforms. Payment processing systems must maintain PCI DSS compliance while supporting contactless payment methods required by AFIR. Data handling systems must satisfy both GDPR retention requirements and NEVI data accessibility mandates[4][11][21].
Vendor Selection and PKI Management
Standards implementation depends critically on vendor selection. CPOs must evaluate charging equipment manufacturers, software vendors, and platform providers based on their demonstrated compliance with relevant standards. This includes reviewing security certifications, audit reports, and technical documentation confirming compliance[29].
Public Key Infrastructure management represents a particular focus area. CPOs should engage Certificate Authorities participating in CharIN (Charging Interface Initiative) consortiums providing neutral PKI governance aligned with ISO 15118 requirements[29]. Proper PKI governance requires careful Certificate Authority selection, rigorous processes for managing certificate lifecycles, secure storage of private keys through Hardware Security Modules or trusted execution environments, and reliable certificate revocation capabilities[29].
Multi-Year Transition Planning
Standards compliance typically cannot be achieved immediately across deployed networks. Many existing charging networks operate older communication protocols or lack modern security features. CPOs should develop multi-year transition plans that prioritize equipment upgrades based on risk and regulatory deadlines[30].
High-value locations or frequently used stations should be prioritized for upgrades to modern standards[30]. Equipment in regions with imminent regulatory deadlines should receive accelerated upgrade schedules. Legacy equipment should continue receiving security patches throughout transition periods[30].
Conclusion: The Standards Framework Matures
The EV charging standards landscape continues evolving, with regulatory requirements becoming increasingly stringent and technically sophisticated. The period from 2024 through 2026 represents a critical transition window where multiple major regulatory deadlines converge—NEVI OCPP 2.0.1 compliance by 2025, EU ISO 15118 AC charging requirements by June 2025, AFIR data accessibility requirements by April 2025, China CCC mandatory certification by March 2025, and UK contactless payment requirements already in effect.
CPOs successfully navigating this transition will establish competitive advantages through demonstrated regulatory compliance, interoperable infrastructure, and reliable operations across geographic regions. The standards discussed in this analysis provide the technical frameworks enabling this transition, establishing baseline security requirements, data protection obligations, and operational standards that define the modern EV charging ecosystem.
Future standards evolution will likely address remaining gaps in current requirements, including enhanced security guarantees from charging equipment, improved demand-response capabilities for grid integration, and more comprehensive cybersecurity requirements for critical infrastructure. CPOs implementing current standards with flexibility for future enhancements position themselves well for continued evolution of the regulatory landscape.
References
[1] Switch EV. (2018). "The case for ISO 15118 and OCPP 2.0." https://switch-ev.com/the-case-for-iso-15118-and-ocpp-2-0
[2] VicOne. (2024). "Securing the Charge: Hidden Risks in ISO 15118." https://cdn.vicone.com/wp-content/uploads/2024/11/Securing-the-Charge-Hidden-Risks-in-ISO-15118.pdf
[3] EUR-Lex. (2024). "Alternative Fuels Infrastructure Regulation (AFIR) - ISO 15118 Requirements." https://eur-lex.europa.eu/
[4] EDRV. (2024). "US Minimum Standards for EV Charging Infrastructure." https://edrv.io/blog/us-minimum-standards-for-ev-charging-infrastructure
[5] Link Power Charging. (2025). "How to overcome Implementing plug and charge with ISO 15118." https://www.linkpowercharging.com/how-to-overcome-implementing-plug-and-charge-with-iso-15118/
[6] ScienceDirect. (2024). "Enhancing Security in the ISO 15118-20 EV Charging Protocol." https://www.sciencedirect.com/science/article/pii/S2666281724000647
[7] Lemberg Solutions. (2025). "OCPP 1.6 vs 2.0 vs. 2.1 Comparing: Benefits, Limitations." https://lembergsolutions.com/blog/ocpp-16-vs-20-vs-21-comparing-benefits-limitations-and-features
[8] ENCS. (2024). "Security threat analysis for EV charging infrastructure." https://encs.eu/en/security-threat-analysis-for-ev-charging-infrastructure/
[9] Open Charge Alliance. (2024). "OCPI 2.2.1 Specification." https://www.openchargealliance.org/
[10] UK Government. (2023). "The Public Charge Point Regulations 2023." https://www.legislation.gov.uk/
[11] EUR-Lex. (2024). "Alternative Fuels Infrastructure Regulation (AFIR)." https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1804
[12] IEC. (2024). "IEC 62443 - Industrial communication networks - Network and system security." https://www.iec.ch/
[13] EUR-Lex. (2016). "General Data Protection Regulation (GDPR)." https://eur-lex.europa.eu/eli/reg/2016/679/oj
[14] Clarip. (2018). "GDPR 72 Hour Data Breach Notifications." https://clarip.com/data-protection/gdpr-72-hour-data-breach-notifications/
[15] Thoropass. (2024). "Understanding the GDPR breach notification timeline." https://www.thoropass.com/blog/gdpr-breach-notification-timeline
[16] PCI Security Standards Council. (2024). "PCI DSS Requirements." https://www.pcisecuritystandards.org/
[17] Driivz. (2025). "Payment Terminals for EV Charging." https://www.driivz.com/blog/payment-terminals-for-ev-charging/
[18] AICPA. (2024). "SOC 2 Type II Certification." https://www.aicpa.org/
[19] Vanta. (2024). "SOC 2 Compliance Guide for SaaS Companies." https://www.vanta.com/
[20] ISO. (2024). "ISO/IEC 27001:2022 Information security management systems." https://www.iso.org/standard/27001
[21] US Department of Transportation. (2024). "National Electric Vehicle Infrastructure (NEVI) Program Standards." https://www.transportation.gov/
[22] EUR-Lex. (2022). "NIS2 Directive on security of network and information systems." https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[23] UK Office for Zero Emission Vehicles. (2023). "Public Charge Point Regulations Guidance." https://www.gov.uk/
[24] Zap-Map. (2024). "UK Public Charge Point Regulations explained." https://www.zap-map.com/
[25] CNCA. (2024). "China Compulsory Certification (CCC) for EV Charging Equipment." http://www.cnca.gov.cn/
[26] Bureau of Indian Standards. (2024). "IS 17017 - Electric vehicle supply equipment." https://www.bis.gov.in/
[27] European Commission. (2024). "EV Charging Infrastructure Deployment Guidelines." https://ec.europa.eu/
[28] California Privacy Protection Agency. (2024). "California Consumer Privacy Act (CCPA)." https://cppa.ca.gov/
[29] CharIN. (2024). "Charging Interface Initiative - PKI for Plug & Charge." https://www.charin.global/
[30] NIST. (2022). "NIST Cybersecurity Framework for EV Charging Infrastructure." https://www.nist.gov/