
Cyber Resilience Act: What the new European regulation changes for e-mobility

The massive rollout of electric vehicle charging infrastructure (EVSE) comes with major cybersecurity challenges. Connected charging stations, user interfaces, and supervision systems represent potential entry points for attacks that could disrupt charging access, manipulate consumption data, or compromise user trust.

In this context, the Cyber Resilience Act (CRA) adopted by the European Union marks a key milestone. By establishing cybersecurity requirements for all digital products placed on the European market, it mobilizes all stakeholders in the value chain. Mobena partners see this regulation as an opportunity to strengthen ecosystem resilience and collectively prepare the future of connected electric mobility.

Understanding the CRA: key takeaways

The Cyber Resilience Act, set to come into force by the end of 2025, imposes obligations on manufacturers, importers, and distributors:
– Integrate cybersecurity “by design” throughout the entire product lifecycle
– Provide security updates throughout the product’s expected lifetime (at least 5 years)
– Notify ENISA of any actively exploited vulnerability within 24 hours of discovery (Article 11)
– Identify and document components (via a Software Bill of Materials – SBOM)
– Conduct a cybersecurity risk assessment, including for third-party components
– Establish appropriate policies and procedures for vulnerability management

  • Integrate cybersecurity “by design” throughout the entire product lifecycle
  • Provide security updates throughout the product’s expected lifetime (at least 5 years)
  • Notify ENISA of any actively exploited vulnerability within 24 hours of discovery (Article 11)
  • Identify and document components (via a Software Bill of Materials – SBOM)
  • Conduct a cybersecurity risk assessment, including for third-party components
  • Establish appropriate policies and procedures for vulnerability management

Non-compliance may result in fines of up to €15 million or 2.5% of the offender’s global annual turnover.

A product falls within the CRA’s scope if it meets several criteria:
– It is a digital product (not a standalone service)
– It is placed on the European market (including B2B)
– It includes a digital software or hardware element
– It is directly or indirectly connected to a network or another device

  • It is a digital product (not a standalone service)
  • It is placed on the European market (including B2B)
  • It includes a digital software or hardware element
  • It is directly or indirectly connected to a network or another device

Why e-mobility is particularly affected

Charging infrastructures combine multiple technical layers: physical equipment, embedded software, connectivity, remote supervision, and payment systems. This complexity makes them a prime target for cyberattacks:
– Service disruptions (DoS or ransomware)
– Theft of personal or billing data
– Exploitation of vulnerabilities in cloud systems or APIs
– Phishing via manipulated QR codes or displays

  • Service disruptions (DoS or ransomware)
  • Theft of personal or billing data
  • Exploitation of vulnerabilities in cloud systems or APIs
  • Phishing via manipulated QR codes or displays

Products with digital elements — hardware or software — placed individually on the market are explicitly included in the CRA’s scope. Only certain categories are excluded, such as:
– Vehicles already covered by UNR155
– Medical devices (MDR)
– Non-commercial open-source software
– Defense or national security products
– Cloud services already covered by the NIS2 Directive

  • Vehicles already covered by UNR155
  • Medical devices (MDR)
  • Non-commercial open-source software
  • Defense or national security products
  • Cloud services already covered by the NIS2 Directive

New responsibilities across the value chain

The CRA requires coordination across every link of the value chain:
– Charging station and embedded software manufacturers: define product lifetime, provide updates, document risks, and disclose vulnerabilities
– Charging Point Operators (CPOs): ensure compliance of integrated products, implement cybersecurity governance aligned with NIS2
– Cloud service providers or IT platforms: adopt recognized standards, ensure IT system integrity, compliance, and resilience

  • Charging station and embedded software manufacturers: define product lifetime, provide updates, document risks, and disclose vulnerabilities
  • Charging Point Operators (CPOs): ensure compliance of integrated products, implement cybersecurity governance aligned with NIS2
  • Cloud service providers or IT platforms: adopt recognized standards, ensure IT system integrity, compliance, and resilience

The industry also supports a differentiated approach between B2B and B2C products to avoid over-regulating professional solutions.

Beyond individual obligations, the CRA enshrines a principle of shared responsibility: in case of a cyberattack, the consequences no longer stop with the weakest link. The entire chain can be affected — from the manufacturer to the operator and the IT service provider. A compromised charging station could lead to service interruptions, customer data loss, or even reputational damage to the entire network. This domino effect calls for stronger collaboration among stakeholders to anticipate, detect, and contain incidents. This paradigm shift moves us from a “weakest link” mindset to one of “collective resilience.”

Preparing collectively: Mobena’s recommendations

At Mobena, we encourage all ecosystem players to anticipate the CRA by:

  1. Mapping all affected products and interfaces (using the CRA decision tree).
  2. Integrating cybersecurity standards from the design stage (“security by design”).
  3. Adopting coordinated vulnerability disclosure (CVD) processes and incentive-based policies, following standards such as ISO/IEC 29147.
  4. Regularly testing system resilience (penetration testing, audits).
  5. Collaborating with European standardization and certification bodies.

Our ambition is to co-build an electric mobility system that is secure, interoperable, and trustworthy.

The CRA, a trust driver for the future of charging

Cybersecurity is no longer optional — it’s a condition for service continuity, regulatory compliance, and user trust. The Cyber Resilience Act provides a shared framework to meet this challenge. As a collaborative platform, Mobena calls on all partners and stakeholders in the industry to act now and engage in building a safer, stronger European electric mobility ecosystem.