Automotive & Transport. Deadline: September 2026

CRA Compliance Checklist: EV Charging Equipment

CRA classification: Important (Class I or II depending on deployment context — public charging infrastructure may be critical infrastructure)

EV charging equipment sits at the intersection of energy infrastructure, payment systems, and connected vehicles — making it a high-priority CRA compliance target. Residential chargers are typically Default class, while public charging networks connected to grid management systems may be classified as critical infrastructure under NIS2 and face Annex III Important product classification under the CRA. The OCPP (Open Charge Point Protocol) ecosystem introduces supply chain complexity that manufacturers must address.

17 checklist items, 15 high priority.

1. Classification & Scope

Classify residential EV chargers as Default class — confirm no grid management or SCADA integration changes this

Priority: high. Reference: Annex III

Standalone home chargers with no grid demand response integration are Default class. Grid-integrated 'smart' chargers connected to energy management systems may be Class I Important.

Review Annex III Class I classification for chargers integrated with smart grid or demand-response systems

Priority: high. Reference: Annex III, Class I

Chargers that participate in grid demand-response, V2G (vehicle-to-grid), or utility management may be classified as energy management tools — Annex III Class I Important Products.

Determine if public charging network software qualifies as critical infrastructure under NIS2

Priority: high. Reference: NIS2 Directive, Article 3

Large-scale public charging network operators may be Essential or Important Entities under NIS2. NIS2 and CRA obligations must be coordinated.

Compile SBOM covering charger firmware, OCPP client, payment module, and cloud backend

Priority: high. Reference: Article 10(6)

EV charger stacks include OCPP client libraries, payment processing modules, cellular modem firmware, and power electronics firmware. All must be tracked.

2. OCPP & Communication Security

Implement OCPP 2.0.1 with TLS 1.2+ for all charge-point-to-CSMS (Charging Station Management System) communication

Priority: high. Reference: Annex I, Part I(4)

OCPP 1.6 WebSocket without TLS is insecure and should not be used in new products. OCPP 2.0.1 with mutual TLS provides encrypted, authenticated communication.

Implement certificate-based authentication between charge point and CSMS

Priority: high. Reference: Annex I, Part I(3)

Each charge point must have a unique device certificate. Shared group credentials are not acceptable.

Implement OCPP security events — log and report authentication failures, firmware tampering, and configuration changes

Priority: high. Reference: Annex I, Part I(8)

OCPP 2.0.1 defines security event notifications. Implement and forward these to the CSMS for monitoring.

Restrict CSMS connectivity to authorised backend only — prevent rogue CSMS connections

Priority: high. Reference: Annex I, Part I(3)

Chargers that accept connections from any WebSocket endpoint are vulnerable to hijacking. Pin to known CSMS certificates.
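Added example (not from the page, nor from any OCPP project or vendor) of how the four items in this section look in code on a Go-based charge point: a wss-only, host-pinned CSMS URL check, a security profile 3 TLS configuration that presents the unique device certificate and trusts only the CSMS CA rather than the system root store, and a SecurityEventNotification encoded as an OCPP-J CALL frame. The host names and message id are constructed; the event type name is taken from the OCPP 2.0.1 security event list.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// checkCSMSURL accepts only wss:// URLs that point at the configured backend host, so the
// charge point never opens a plaintext ws:// session or follows a redirect to a rogue endpoint.
func checkCSMSURL(raw, pinnedHost string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "wss" {
		return fmt.Errorf("scheme %q rejected: security profile 3 requires wss://", u.Scheme)
	}
	if u.Hostname() != pinnedHost {
		return fmt.Errorf("host %q is not the configured CSMS %q", u.Hostname(), pinnedHost)
	}
	return nil
}

// profile3TLSConfig: TLS 1.2 minimum, the unique device certificate for mutual authentication,
// and a trust store holding only the CSMS CA, so no other CA can vouch for a backend.
func profile3TLSConfig(deviceCert tls.Certificate, csmsCAPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(csmsCAPEM) {
		return nil, errors.New("no CSMS CA certificate could be parsed from PEM")
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{deviceCert},
		RootCAs: pool, ServerName: serverName}, nil
}

// securityEventCall encodes a SecurityEventNotification as an OCPP-J CALL frame [2, id, action, payload].
func securityEventCall(msgID, eventType string, at time.Time) ([]byte, error) {
	payload := map[string]string{"type": eventType, "timestamp": at.UTC().Format(time.RFC3339)}
	return json.Marshal([]interface{}{2, msgID, "SecurityEventNotification", payload})
}

func main() {
	// Constructed inputs: a plaintext URL the charger must refuse, and the event raised when the CSMS certificate fails validation.
	fmt.Println(checkCSMSURL("ws://csms.example.org/ocpp/CP001", "csms.example.org"))
	frame, _ := securityEventCall("msg-1", "InvalidCsmsCertificate", time.Now())
	fmt.Println(string(frame))
}
```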

3. Payment & User Authentication Security

Implement PCI DSS compliance for any charger that processes payment card data directly

Priority: high. Reference: Annex I, Part I(4)

CRA and PCI DSS requirements overlap significantly for payment-capable chargers. Achieving PCI DSS compliance contributes to CRA Annex I conformity.

Implement tamper detection for payment terminal hardware (if integrated)

Priority: high. Reference: Annex I, Part I(1)

Physical tamper detection prevents card skimmer installation. Hardware tamper detection with alert is required for payment-capable chargers.

Encrypt RFID card data and prevent card cloning via replay attack protections

Priority: medium. Reference: Annex I, Part I(4)

Many chargers use RFID for user authentication. RFID communication must be encrypted and replay-resistant.

4. Firmware & Update Security

Implement signed firmware updates — reject unsigned or tampered updates before installation

Priority: high. Reference: Annex I, Part I(9)

Charger firmware controls power delivery. Unsigned firmware would allow an attacker to modify charging behaviour or disable safety protections.

Support OCPP 2.0.1 signed firmware update mechanism (FirmwareStatusNotification)

Priority: high. Reference: Annex I, Part I(9)

OCPP 2.0.1 defines a signed firmware update flow. Implement this rather than a proprietary update mechanism.

Implement secure boot to verify firmware integrity at startup

Priority: medium. Reference: Annex I, Part I(9)

Secure boot prevents modified firmware from running even after physical access to the charger.
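Added example, not from the page or any vendor firmware, of the signature check behind the first two items in this section: ECDSA P-256 over SHA-256 of the whole image, with the outcome mapped to the FirmwareStatus values a charge point reports in FirmwareStatusNotification and a go/no-go flag for installation. It assumes the signing public key is already provisioned on the charger (handling of the signing certificate carried in UpdateFirmwareRequest is not shown); the key and image are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Status values mirror the OCPP 2.0.1 FirmwareStatusEnumType reported in FirmwareStatusNotification.
const (
	StatusSignatureVerified = "SignatureVerified"
	StatusInvalidSignature  = "InvalidSignature"
)

// newSigningKey stands in for the manufacturer's signing key (in production it lives in the build
// pipeline's HSM; only the public half is provisioned into the charger).
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signFirmware is the build-side step: ECDSA P-256 over SHA-256 of the complete image.
func signFirmware(image []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyFirmware is the charger-side step: recompute the digest, check the signature with the
// provisioned public key, and return the status to report plus whether installation may proceed.
func verifyFirmware(image, signature []byte, signingKey *ecdsa.PublicKey) (status string, install bool) {
	digest := sha256.Sum256(image)
	if ecdsa.VerifyASN1(signingKey, digest[:], signature) {
		return StatusSignatureVerified, true
	}
	return StatusInvalidSignature, false
}

func main() {
	key, _ := newSigningKey()
	image := []byte("constructed firmware image v1.2.3") // constructed sample, not a real image
	sig, _ := signFirmware(image, key)
	fmt.Println(verifyFirmware(image, sig, &key.PublicKey)) // SignatureVerified true
	image[0] ^= 0xff                                        // one flipped byte: tampered image
	fmt.Println(verifyFirmware(image, sig, &key.PublicKey)) // InvalidSignature false
}
```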

5. CVD & Incident Reporting

Publish a CVD policy covering charge point hardware, firmware, and CSMS software

Priority: high. Reference: Article 13(1)

EV charging security research is growing rapidly. A CVD policy creates a structured channel for responsible disclosure.

Establish Article 14 monitoring for exploitation of EV charger vulnerabilities in the wild

Priority: high. Reference: Article 14(1)

EV charger vulnerabilities affecting public charging networks may constitute critical infrastructure incidents. Monitor threat intelligence specifically for your OCPP implementation.

Pre-establish Article 14 notification relationships with national CSIRTs and energy sector CERTs

Priority: high. Reference: Article 14(2)

EV charger incidents affecting public infrastructure should be reported to both general CSIRTs and sector-specific energy CERTs.

Frequently asked questions

We make home chargers with no smart grid features — do we still need to comply with the CRA?

Yes. Any EV charger with network connectivity (Wi-Fi, cellular, Ethernet) is a product with digital elements in scope for the CRA. Even a basic home charger with smartphone app connectivity must comply with Annex I security requirements, maintain an SBOM, and have a CVD policy. The conformity assessment is self-assessment (Default class).

Our chargers use OCPP 1.6 — do we need to upgrade to OCPP 2.0.1 for CRA compliance?

OCPP 1.6 without TLS does not meet CRA Annex I requirements for encrypted communication. You can maintain OCPP 1.6 if you implement it over WebSocket Secure (WSS/TLS), but OCPP 1.6 lacks the security profile features of OCPP 2.0.1. The most straightforward path to CRA compliance for new products is OCPP 2.0.1 with security profile 3 (TLS + mutual certificate authentication).

How does the CRA interact with EN 17483-1 (the EV charging cybersecurity standard)?

EN 17483-1 is the harmonised European standard for EV charging cybersecurity and covers OCPP security, charge point authentication, and firmware update security. Compliance with EN 17483-1 is likely to be recognised as evidence of CRA Annex I compliance once the standard is formally harmonised with the CRA. Manufacturers should implement EN 17483-1 as their primary technical standard.
