September 01, 2025

RED and AFIR are forcing a total reset on EV charging infrastructure

The Electric Vehicle (EV) sector is on a tighter timeline than most are prepared for. Europe has introduced two major frameworks that are changing the way EV charging infrastructure is designed, deployed and maintained: the Radio Equipment Directive (RED) and the Alternative Fuels Infrastructure Regulation (AFIR).

RED enforces cybersecurity for all wireless-enabled devices, including EV chargers, while AFIR lays the groundwork for interoperable, accessible and reliable charging across the EU.

The compliance window is shrinking quickly and staying ahead means adapting now.

RED mandates cybersecurity at the core

Initially passed in 2014, the Radio Equipment Directive (2014/53/EU) gained real weight with Delegated Regulation (EU) 2022/30. As of August 1, 2025, manufacturers and vendors of any radio-enabled equipment sold in the EU, including EV chargers, backend gateways and mobile charging apps, must comply with stricter cybersecurity rules. The regulation specifically targets devices that connect over Wi-Fi, Bluetooth, cellular or any form of wireless communication.

Three new legal obligations matter most for the EV ecosystem:

  • Protect network infrastructure (Article 3.3(d))
    EV chargers and backend systems must be designed so they can’t damage or misuse the communication networks they connect to. That includes protecting against unintended signaling floods, malware propagation or bandwidth abuse.
  • Safeguard personal data (Article 3.3(e))
    Any radio device that processes personal information – user identity, payment details, charging behavior – must incorporate strong protections. This applies not only to the device interface but also to the mobile apps and cloud Application Programming Interfaces (APIs) tied to them.
  • Prevent fraud and abuse (Article 3.3(f))
    Devices must defend against impersonation, tampering, man-in-the-middle attacks and other vulnerabilities that can compromise the integrity of billing, authorization and session control.

This came after a wave of public vulnerabilities:

  • German researchers exposed smart chargers via unsecured APIs
  • A ransomware attack in the Netherlands shut down large parts of a public network
  • UK-based backend flaws leaked payment credentials of EV users

The EV charging stack is a complex web of software, connectivity, identity and data services. RED recognizes that, and places legal accountability on everyone in the supply chain. That includes:

  • OEMs making embedded control units with wireless radios
  • CPOs deploying and operating charge points
  • Backend vendors offering cloud platforms, authentication or monitoring tools
  • App developers connecting drivers to charging networks

That said, complying with RED requires a security-by-design approach that spans firmware, APIs, cloud services and mobile interfaces. ETSI EN 303 645 sets the baseline for connected device cybersecurity, while EN 18031 supports secure software lifecycle practices. But even full alignment with these won’t cover every nuance of RED.

The key is compliance and durability. Vulnerability assessments must be continuous, cryptographic protocols must be current and, most importantly, testing must be ongoing, not one-and-done.

For EV ecosystem players, the RED regulation is clear: If your devices talk to a network, you’re responsible for keeping that conversation secure.

AFIR sets the new standard for usability

While RED tackles digital defenses, AFIR focuses on usability and infrastructure standards.

In effect since April 13, 2024, AFIR is a key part of the European Commission’s Fit for 55 package and aims to make EV charging more consistent, convenient and transparent, regardless of who operates the infrastructure.

The headline change: Starting in 2027, all new public chargers must support Plug and Charge (PnC). This means drivers will no longer need mobile apps, RFID cards or QR codes to start a session. Authentication and billing happen automatically when the vehicle connects.

It’s seamless on the surface, but behind the scenes, this requires a tightly coordinated ecosystem.

At the center of this is ISO 15118, a communication protocol that enables encrypted data exchange between the EV and the charger. To comply, OEMs must equip vehicles with the right hardware and certificate management, while CPOs and backend providers must deploy secure, standards-based authentication infrastructure that can work across brands, vendors and countries.

But PnC is just one part of a much broader mandate. AFIR also establishes:

  • Minimum coverage: Chargers must be deployed at regular intervals along the Trans-European Transport Network corridors to assure availability on key transport routes
  • Real-time data transparency: Operators must provide accurate, live data on charger availability, operational status and pricing to public databases and navigation platforms
  • Universal payment access: All public chargers must support ad hoc payments, including contactless debit or credit cards, so users can pay without prior contracts
  • Performance standards: Infrastructure must meet strict uptime targets, with reliability thresholds nearing 99% in some use cases

These aren’t just suggestions; they’re minimum requirements for participating in the EU charging ecosystem.

"The European Commission has adopted a new Implementing Regulation to support the uniform and effective provision of compatible, interoperable and real-time alternative fuels infrastructure data, further advancing the goals set out in the Alternative Fuels Infrastructure Regulation (AFIR)."

- European Commission statement on AFIR

Start before the deadline closes in

If you’re one of the stakeholders that needs to prepare for the upcoming changes, here are all the answers.

2027 isn’t far away and regulatory compliance isn’t something to scramble for last-minute.

Talk to our experts now and get ahead of RED and AFIR without slowing down your roadmap.