Grace period for EV charge point manufacturers is over

With the Electric Vehicles (Smart Charge Points) Regulations 2021 coming into effect from today, this seems a good moment to assess the likely impact of the delayed (security) requirements in Schedule 1 of the Regulations, which will apply from the end of this year.

Let’s first take a deeper look at the legislation, and how it might influence the development practices of charge point manufacturers. The legislation primarily offers protection for both the national grid and consumers: “Cyber and data security – CPs must include robust cyber security measures to mitigate the risk that EV smart charging presents to the stability of the grid, in addition to protecting individual consumers.”

An earlier impact assessment (from July 2021) highlights the critical role that charge points play within a growing ecosystem of smart energy devices. It also recognises that charge points must have appropriate cyber security measures, and that partial industry adoption of ‘basic’ cyber security measures is simply not going to cut the mustard. At the same time, there appears to be little faith in the sector’s willingness to adopt ‘robust’ security measures; indeed, the assessment flags that ‘some CPs include basic cybersecurity vulnerabilities’, which we can very much corroborate from some of the work we are doing here at CyTAL.


So, by the beginning of 2023, charge point manufacturers (in the UK) are mandated to implement a range of cyber security protections, and they will need tools and support in order to comply with Schedule 1 of the legislation.

One of the cheapest and most effective ways to keep your implementations robust and free from vulnerabilities is to embrace automated fuzz testing early. Indeed, fuzz testing is referenced as a best practice in the ETSI EN 303 645 standard, under section 5.13 (the ‘Validate input data’ provision): ‘Automated tools such as fuzzers can be used by attackers or testers to exploit potential gaps & weaknesses that emerge as a result of not validating data.’

You can read more about CyTAL’s fuzzing solution here.

Lawmakers recognise that some charge point manufacturers are not yet committed to cyber security best practices (and the problems that might present down the line), and these new regulations are a step in the right direction. However, looking more widely, systems often need to be ‘interoperable’, and manufacturers must carefully consider their dependencies on third-party suppliers of hardware and software, and how their respective systems might interact in future.

The grace period has come to an end. Progressive charge point manufacturers must now step up to the challenge of delivering cyber secure systems.