Plug & Charge is being promoted precisely to address this challenge. Enabled by the ISO 15118 standard, this mechanism allows the charging station to automatically authenticate the user and initiate charging without the need for a badge or mobile application. Originally designed to standardize communication between the vehicle, the charging station and the grid, ISO 15118 paves the way for a more seamless charging experience—often summed up by the promise: “plug in and it charges.” 

However, this apparent simplification on the user side actually relies on a significant increase in complexity across the underlying trust chain and technical mechanisms: digital certificates, Public Key Infrastructure (PKI), ISO 15118 communications, new authentication flows, and dependencies on trusted third parties. In other words, behind a frictionless charging experience, Plug & Charge introduces new points of failure and expands the attack surface that operators must now address as critical cybersecurity concerns. 

In this article, we take a closer look at three risks directly associated with the deployment of Plug & Charge and ISO 15118: 

• availability loss resulting from a compromise of the V2G (Vehicle-to-Grid) PKI; 
• availability loss caused by the exploitation of vulnerabilities on the ISO 15118 interface; 
• the theft of charging station certificates and its implications in terms of fraud. 

Risk 1: availability loss resulting from a compromise of the V2G PKI 

To understand this risk, it is first important to recall that Plug & Charge relies on a digital trust chain that enables the vehicle and the charging station to automatically authenticate each other using certificates and then initiate charging without any manual action from the user. 

As illustrated in Figure 1, a Plug & Charge session follows a multi-step sequence: 

1. Establishment of the ISO 15118 communication channel between the vehicle and the charging station, along with mutual authentication,  
2. Verification of the mobility contract followed by authorization, 
3. Start of charging session. 

If any of these steps fails due to a breakdown in digital trust, the charging session cannot be initiated. 

Figure 1: Steps of a Plug & Charge session 

This mechanism relies on a shared PKI across the ecosystem, known as the V2G PKI, whose role is to ensure interoperability between vehicles, charging stations, and operators. This architecture is built on root and intermediate certificate authorities that issue and validate the certificates used throughout the charging session (Figure 2). 

Figure 2: V2G PKI architecture 

In Europe, this ecosystem currently relies on a limited number of key trusted players—such as Hubject, Gireve, and Irdeto—which combine the role of root certification authority (V2G Root CA) with Plug & Charge certificate management and interoperability services. 

Within this architecture, the CPO holds a pivotal position: charging stations must be integrated into this trust chain and, depending on the chosen model, the operator may run certain PKI components in-house (make) or rely on a specialized provider (buy). In both cases, the CPO becomes dependent on a trust infrastructure whose compromise, misconfiguration, or unavailability can have a direct impact on service availability. 

The risk, therefore, lies in a loss of service availability caused by an incident affecting the V2G PKI. Several scenarios are plausible: compromise of a root or intermediate authority, expired certificates that were not renewed, corruption of a trust store, or unavailability of a component involved in the certificate lifecycle. In all these situations, the operational outcome is the same: the charging station or the vehicle can no longer establish a valid trust relationship, and the Plug & Charge session fails before charging even starts. 

Key takeaways 

With Plug & Charge, PKI no longer only secures communications, it becomes a critical production component. An incident affecting the trust infrastructure is therefore not just a security or compliance issue, but a potential source of partial or large-scale service disruption. 

The choice between make and buy does not eliminate this risk; it shifts where control lies. A make strategy provides greater control to the CPO, but requires mature PKI governance, robust operational capabilities, and strict discipline over certificate lifecycle management. A buy strategy accelerates deployment but increases dependence on a third party for what has become a critical function, implying stronger requirements in terms of contractual oversight, auditability, and monitoring. 

From a cybersecurity standpoint, the implication is clear: the V2G PKI must be treated as a critical operational asset within the charging stations information system. This entails explicit governance of trust roles, continuous monitoring of certificate lifecycles, regular resilience and continuity testing, and the definition of degraded operating modes to prevent a PKI incident from escalating into large-scale service disruption. 

Risk 2: loss of charging infrastructure availability through the exploitation of vulnerabilities in ISO 15118 communication 

This risk stems directly from the increasing complexity of the communication channel. Where charging historically relied on relatively simple interactions—primarily based on electrical signaling and a limited set of basic messages—ISO 15118 introduces a high-level dialogue built on a much richer protocol stack (Figure 3). 

Figure 3: OSI model applied to ISO 15118 

This shift from a minimalist protocol to a full-fledged application layer—including device discovery, IPv6 address allocation, authentication, certificate management, and cryptographic operations—mechanically expands the attack surface. This is particularly true because the communication interface via the charging connector is inherently accessible, with no physical barriers. Any vulnerability in these exchanges (e.g., manipulation of application messages, injection into PLC traffic, improper certificate validation) could disrupt the charging session—or, in a worst-case scenario, lead to a full compromise of the charging station. 

Exploiting such vulnerabilities, however, requires physical access to the charging point: the attacker must be able to interact with the communication channel between the vehicle and the station. In practice, this involves specialized equipment to connect to the PLC network, such as a HomePlug Green PHY compatible interface and a physical adapter for the charging connector. While this constraint makes the exploit harder, it does not eliminate the risk. Several research efforts have demonstrated the feasibility of lab setups capable of observing, relaying, or disrupting ISO 15118 communications directly at the cable or connector level. 

 Figure 4: Equipment required to exploit a vulnerability on the ISO 15118 interface 

Key takeaways 

To mitigate these risks, CPOs must ensure the security level of their vendors’ products, for example through audits, and assess their cybersecurity maturity, particularly regarding processes for maintaining security over time. 

They must also implement vulnerability management processes across their asset base, including maintaining inventories such as SBOMs and HBOMs (Software and Hardware Bills of Materials), as well as robust patch management practices. This enables operators to identify vulnerable assets and respond effectively when attackers attempt to exploit vulnerabilities on this new communication channel. 

Risk 3: theft of charging station certificates 

The theft of a charging station certificate is not only a cryptographic incident: in an ecosystem built on digital trust, it amounts to a compromise of machine identity. For a CPO, such an incident directly impacts the integrity of exchanges and may open the door to charging fraud. 

Two attack scenarios must be distinguished here: 

• Extraction of the private key associated with the certificate, following a software compromise or a physical attack on an insufficiently protected component, 
• Impersonation of a charging station when obtaining a certificate, for example through an insufficiently authenticated enrolment process between the station and the CPMS (Charge Point Management System).  

Figure 5: attack paths to obtain a charging station V2G certificate 

Once in possession of a valid certificate, an attacker can impersonate a legitimate charging station and abuse the ecosystem’s trust for malicious purposes. In a Plug & Charge context, this could allow an attacker to make a vehicle believe it is establishing a normal session, and then relay the proof of possession of the victim’s contract certificate into another session—effectively charging a different vehicle at the victim’s expense. This relay attack scenario has been demonstrated in academic literature and illustrates how a single compromised charging station certificate can enable tangible, operational fraud. 

Figure 6: exploitation of fraud through relay of the EV’s proof of possession 

This type of attack is facilitated in implementations based on ISO 15118-2, where Plug & Charge security relies on a more limited model, particularly in terms of end-to-end authentication and certificate handling. By contrast, ISO 15118-20 strengthens communication security—especially through the widespread use of TLS and a move toward mutual authentication—making such fraud more difficult to exploit, although not eliminating it if machine identities are not properly protected. 

This risk is all the more realistic because it does not require large compromise: a single valid certificate can be sufficient. An attacker may therefore target the least protected charging station or attempt to fraudulently obtain a certificate through a weak enrolment process or inadequately secured backend. For the CPO, the challenge is not only to protect already deployed certificates, but to secure the entire lifecycle of charging station identities from issuance to storage and renewal. 

Key takeaways 

To mitigate the risk of private key compromise, CPOs must ensure that charging stations provide secure storage capabilities for cryptographic material, for example by integrating a TPM (Trusted Platform Module). 

Preventing impersonation during certificate issuance requires a different approach. CPOs must guarantee the authenticity of certificate requests processed by the V2G PKI. 

This relies on authenticating the charging station when establishing the communication channel with the CPMS. In practice, the protocol used on this channel, OCPP, supports mutual certificate-based authentication (mTLS) from version 2.0.1 onwards. The charging station therefore presents a certificate to authenticate itself to the CPMS. Once the session is established, certificate enrolment requests (including ISO 15118 certificates) are authenticated, significantly reducing the risk of impersonation. 

However, this architecture introduces a prerequisite: deploying a dedicated certificate used to authenticate the charging station on the CPO network. This certificate is distinct from the ISO 15118 certificate used for Plug & Charge, as it serves a different scope and purpose. 

It is therefore necessary to implement a dedicated PKI, operated by the CPO, which can be referred to as a “Product PKI.” This PKI issues the certificates used to secure OCPP communications. The certificate management challenges described earlier also apply to this PKI. CPOs must therefore establish the organizational and technical capabilities required to operate such an infrastructure, including certificate lifecycle management, incident handling, and upskilling of teams. 

We thus arrive at a target architecture in which each charging station embeds multiple certificates issued by distinct PKIs, each serving a specific role in authentication across critical communication channels involved in the charging session (Figure 7). 

 Figure 7: target architecture for Plug & Charge deployment 

Risk summary 

The introduction of Plug & Charge and the ISO 15118 standard is progressively transforming charging infrastructures into a true digital trust chain, where service availability now depends as much on cybersecurity as on the electrical operation of the stations. 

The scenarios analyzed show that the main risks no longer relate solely to technical compromise of isolated components, but have broader impacts on: 

• Service continuity, 
• Charging fraud, 
• User trust, 
• And, ultimately, the operator’s reputation. 

The table below summarizes the identified risks using an approach inspired by EBIOS Risk Manager, based on an assessment of: 

• The likelihood of each scenario (scale from 1 to 4), 
• Its severity for the operator (scale from 1 to 4), with the highest impact being a nationwide loss of trust in the charging infrastructure, for instance, in a scenario where a significant portion of charging stations would no longer allow charging, 
• And the resulting overall risk level. 

Table 1: Summary of risks related to Plug & Charge on charging infrastructure 

This analysis, however, should be nuanced: the scenarios presented deliberately take a cautious, even pessimistic, view of likelihood. In practice, such attacks remain difficult to carry out. They often require advanced technical skills, specific physical or logical access, a deep understanding of ISO 15118, and the capability to exploit or manipulate complex trust mechanisms. 

As such, these risks should be seen as plausible scenarios to anticipate, rather than threats that are currently trivial or widely observed in real-world operations. Their “medium” to “low” risk level reflects this balance: a still-limited probability, but potentially significant impacts if such attacks were to scale. 

Conclusion 

Plug & Charge simplifies the charging experience but introduces a strong dependency on a digital trust chain built on ISO 15118, the V2G PKI, and charging station certificates. This dependency creates new risks for charging infrastructures, potentially leading to service disruptions and, ultimately, a loss of trust from users toward the CPO. 

While these attack scenarios remain difficult to execute, their potential impact justifies addressing them early starting from the design phase. For CPOs, the challenge is therefore no longer limited to securing charging stations but extends to securing the entire identity and trust chain that underpins the charging process. 

Cet article Plug & Charge and ISO 15118: what are the new cyber risks for charging stations?  est apparu en premier sur RiskInsight.

This trajectory, however, relies on the availability of a dense, reliable, and properly dimensioned charging network across the entire territory. Whether for public charging (motorways, public roads, shopping centers) or private charging (homes, businesses), this infrastructure forms the backbone of the electric mobility ecosystem. At the heart of this ecosystem, Charging Point Operators (CPOs) play a structuring role, being responsible for the installation, operation, and maintenance of charging stations. 

Cyber risk is now emerging as a major threat to charging infrastructures, in a context where electrical networks are increasingly targeted by cybercriminal groups and state-sponsored actors12.  For CPOs, this reality is a game changer: mastering cyber risk becomes a prerequisite for service reliability and ecosystem protection. As charging networks expand and grow more complex, cybersecurity challenges become central: data protection, service continuity, securing financial flows, and managing third‑party risks. 

This article is part of a series of three papers exploring three structuring challenges faced by electric mobility stakeholders, with the aim of analyzing their implications from a cybersecurity perspective. 

Rethinking charging infrastructure: balancing operational requirements and emerging cyber constraints 

In the context of strong growth combined with the gradual structuring of the market, CPOs are facing a demanding economic equation. The deployment of charging infrastructures requires significant upfront investments – land acquisition, grid connection, purchase and installation of charging points, supervision, and maintenance – while utilization rates remain heterogeneous across regions and site typologies. Added to this are the volatility of electricity prices, increasing competitive pressure, and the rapid evolution of technological standards, which require regular upgrades. 

As public subsidies tend to be streamlined and investors increasingly expect clearer profitability trajectories, optimizing the economic performance of assets becomes imperative. Maximizing availability rates, fine‑tuning operating costs, improving utilization levels, and diversifying revenue streams are no longer secondary levers, but essential conditions for the long‑term sustainability of CPOs’ business models. 

Charging infrastructures, as designed today, illustrated in Figure 1, generally rely on static power control managed by a central supervision system, the Charging Point Management System (CPMS). This operating model does not allow, or significantly limits, the CPO’s ability to adapt power distribution in real time to usage patterns and site-specific constraints. 

Figure 1: Architecture of a conventional charging infrastructure 

Therefore, several optimization levers can be implemented. 

First, it is possible to enhance the site’s energy flexibility, particularly to support fast charging without having to oversize the grid connection. To achieve this, the deployment of a Battery Energy Storage System (BESS) proves to be an effective solution: this stationary battery storage acts as a buffer, capable of storing energy when it is available and releasing it during peak demand, thereby improving the site’s stability and resilience. 

The next step consists in integrating local, low‑carbon energy production directly at charging sites, making it available for immediate use or storage through the addition of photovoltaic systems. Solar panels, installed on rooftops or canopies, provide this renewable generation layer. Their effectiveness, however, relies on their integration with appropriate control and storage systems, ensuring the environmental coherence of electric mobility. 

Finally, to enable the proper integration of these energy production and storage assets at charging sites, a global control system has emerged: the Energy Management System (EMS). This system supervises and adjusts energy flows on site in real time, aligning them with demand, local constraints, and grid connection agreements. It controls power distribution, anticipates variable charging demand, and maximizes the use of local energy production, thereby transforming a conventional electrical installation into a dynamic and intelligent system. 

Thanks to intelligent energy management via an EMS, battery storage, and the integration of solar generation, this architecture (illustrated in Figure 2) enables performance optimization while keeping costs under control and thus represents a key step towards the next phase of the energy transition. 

Figure 2: Architecture of a next-generation charging infrastructure 

In the remainder of this article, we will focus on three new sources of cybersecurity risk introduced by the integration of Energy Management Systems (EMS) into CPOs’ charging infrastructures. 

The EMS: an optimization lever that has become a critical risk point 

EMS have become a key component of charging infrastructures, enabling CPOs to finely optimize power management and charging strategies. This central role makes EMS a critical point in terms of cybersecurity – their compromise can result in major operational impacts for a CPO: 

• Unavailability of a part of the charging stations. 
• Degradation of energy optimization, resulting in direct financial impacts. 
• Load imbalances that may lead to service limitations or outages at site level. 

Beyond these incident scenarios, the introduction of EMS also fundamentally reshapes the risk landscape to which charging infrastructures are exposed. 

Increased reliance on third‑party infrastructures 

The deployment of EMS solutions is most often based on turnkey offerings, combined with vendor‑operated management platforms hosted in cloud environments. These platforms enable CPOs to centrally manage their entire EMS fleet and support a range of use cases, including optimization of available power, performance monitoring, and remote control of charging strategies. 

This architecture, however, introduces a direct dependency on third‑party infrastructures that lie outside the CPO’s perimeter of control. As a result, it expands the attack surface and increases CPOs’ exposure to supply‑chain‑related risks. 

This issue is further compounded by the fact that these vendors are often small, highly specialized players whose level of cybersecurity maturity can be heterogeneous. A compromise of these platforms may therefore lead to widespread impacts, potentially resulting in the unavailability of a significant share of the EMS fleet operated by a CPO and, by extension, a risk of charging station outages. 

In addition, the compromise of EMS cloud platforms may also lead to breaches of data confidentiality, as it could enable an attacker to collect sensitive operational information, which could notably be exploited for espionage purposes, including: 

• Detailed mapping of charging sites and deployed energy assets. 
• Energy management strategies, revealing the optimization logics implemented by the CPO. 
• Consumption and power data across the CPO’s entire portfolio of sites. 

Local communications relying on weakly secured protocols 

These new architectures also extend the attack surface at the local network level, particularly through communications with energy-related equipment, which still largely rely on weakly secured industrial protocols.  

Unlike exchanges between supervision systems (CPMS) and charging stations, which benefit from the standardization provided by OCPP, communications between the EMS and other components (BESS, charging points, etc.) still predominantly rely on Modbus. 

Originally designed for closed industrial environments, this protocol does not natively implement security mechanisms such as authentication or encryption. In practice, each EMS vendor deploys its own protective measures, resulting in heterogeneous security levels. For CPOs, this diversity complicates the securing of the fleet and may introduce new exploitable weak points within the local network. 

Levers to secure next‑generation charging infrastructure 

Securing next‑generation charging infrastructures relies on a structured approach that makes it possible to reconcile operational performance with effective cybersecurity risk management. 

Ensuring the resilience of charging architecture 

The evolution of charging infrastructures introduces a single point of failure for CPOs: the EMS. To address this risk, it is necessary to design resilient architectures capable of maintaining continuity even in the event of an EMS failure. This can notably be achieved through: 

• The implementation of monitoring and alerting mechanisms, enabling rapid detection of EMS failures and activation of fallback mechanisms. 
• The deployment of degraded operating modes, allowing charging stations to continue operating even in the event of EMS unavailability. 
• The definition of business continuity and disaster recovery strategies that explicitly include EMS failure scenarios. 

Securing dependencies on unmanaged third–party infrastructures 

The evolution of charging infrastructure architectures requires CPOs to address both supply‑chain‑related risks and risks inherent to the interconnection between the CPMS and EMS vendors’ cloud infrastructures. 

To reduce supply‑chain risks, CPOs must implement robust vendor qualification processes, including in particular: 

• Assessment of the vendor’s cybersecurity maturity level. 
• Evaluation of product security, notably through penetration testing. 
• Contractual governance of supplier relationships, including, where appropriate, the implementation of Security Assurance Plans (SAPs). 

Beyond supply‑chain risk management, CPOs must also account for the risks introduced by the interconnection of their infrastructure with EMS vendors’ environments (EMS cloud). Securing these interconnections requires a strong control of data flows between the CPO infrastructure and these external environments. This can be achieved through three main levers: 

• Implementing traffic filtering and control mechanisms between the local charging infrastructure network and external networks, to restrict communications strictly to legitimate third‑party infrastructures. 
• Formalizing secure architectural standards and ensuring their effective implementation during EMS deployment in the field, guaranteeing a consistent application of cybersecurity best practices. 
• Implementing isolation mechanisms to contain potential EMS cloud failures and prevent their propagation across the entire charging infrastructure fleet. 

Securing communications relying on industrial protocols 

Communications between EMS and energy‑related equipment, particularly BESS, still largely rely on industrial protocols such as Modbus, which do not provide native security mechanisms. In this context, securing these exchanges cannot rely on the protocols themselves, but must instead be addressed at the infrastructure architecture level. 

This notably involves: 

• Implementing strict network segmentation within the local network, isolating EMS, BESS, and other components to limit exposure surfaces. 
• Applying fine‑grained control over communications by locally restricting data flows to strictly necessary exchanges (filtering, whitelisting, limitation of authorized commands). 
• Deploying communication monitoring mechanisms to detect abnormal or unauthorized behavior. 

Establishing a structured cybersecurity governance 

To address the diversity of components and infrastructures operated across their charging networks, it is essential for CPOs to structure their environment around clear governance, including in particular: 

• Clarification of cyber roles and responsibilities across the entire value chain (CPOs, suppliers, service providers, etc.). 
• Definition of security standards applicable to all projects and suppliers, ensuring overall architectural consistency. 

By combining rigorous supplier risk management, a solid governance framework, and strict control of data flows, CPOs can fully leverage the operational gains offered by EMS while securing their infrastructure in a sustainable manner. 

Optimizing without compromising: the challenge of charging infrastructure 

To conclude, the rise of Energy Management Systems (EMS) is profoundly transforming charging infrastructures, providing essential optimization levers while also introducing new cybersecurity risks. For CPOs, the challenge is no longer limited to deploying these solutions but extends to securing them within a comprehensive approach that encompasses supplier risk management, the definition of secure architectures, and the establishment of structured cybersecurity governance. In this context, cybersecurity is now emerging as a prerequisite for the sustainable performance of charging infrastructures. 

Cet article Electric vehicle charging infrastructure: energy performance and new cybersecurity challenges est apparu en premier sur RiskInsight.

The Radio Equipment Directive (RED) establishes a European framework for regulating all equipment that communicates via radio waves. This includes any device using technologies such as Wi-Fi, Bluetooth, LoRaWAN, or cellular networks like 4G and 5G. 

In this context, August 1st 2025, marks a key milestone: from that date onward, the RED’s cybersecurity requirements will become mandatory! Economic operators (including manufacturers, importers and distributors) who fail to comply with these obligations may face sanctions ranging from the withdrawal of their products from the EU market to significant administrative fines, depending on the applicable legislation in each member state. 

This article aims to break down the directive and highlight the key takeaways. If you are behind in your compliance efforts, you will also find guidance here on how to get started! 

RED explained: What you need to know 

Adopted in June 2014, the RED (2014/53/EU) aims to standardize the marketing of radio equipment within the EU. Its primary objective is to ensure that devices that transmit or receive radio waves (such as smartphones and Wi-Fi routers) comply with health, safety, electromagnetic compatibility, and efficient use of the radio spectrum requirements. 

However, it was not until 2022 that cybersecurity was integrated into the RED, nearly eight years after its creation. The introduction of delegated act 2022/30 marked a new phase by adding specific requirements aimed at enhancing the resilience of radio equipment against digital threats. 

Scope of application of RED 

Definition of radio equipment 

According to Article 2.11 of the RED, radio equipment is defined as: 

“An electrical or electronic product that intentionally emits and/or receives radio waves for the purpose of radio communication and/or radio navigation” 

Specifically, this includes any device that uses wireless communication protocols such as Wi-Fi, Bluetooth, Zigbee, LTE, 5G, NFC, or LoRa to transmit or receive data via the radio spectrum. 

These technologies form the basis of many everyday devices, particularly in the fields of home automation and the Internet of Things (IoT). The RED directive therefore covers a very wide range of products. 

Sectors excluded from the scope 

The RED directive does not apply to all radio equipment. Some categories are explicitly excluded from its scope, particularly for reasons of sovereignty, specific regulatory frameworks, or usage contexts. 

Sectors subject to their own regulations: 

• Marine equipment: excluded are devices already covered by the Marine Equipment Directive (MED) 
• Aeronautical equipment: excluded are devices already regulated under the Common Rules in the Field of Civil Aviation (CRFCA) 
• Automotive equipment: excluded are devices already subject to the New General Safety Regulation (GSR II) 
• Defense and public security: devices used by national authorities within the scope of national defense or any public security activity 

Equipment for non-commercial purposes: 

• Customized research equipment (R&D): tailored for experimental purposes, not intended for commercial use 
• Amateur radio equipment: when not commercially available but built and used by amateurs in a non-commercial setting 

Economic operators subject to the directive and their responsibilities 

The RED directive does not concern only manufacturers of radio equipment. It applies to the entire supply chain, from design to market placement. Each economic operator plays a key role in ensuring product compliance, safety and reliability. To this end, RED defines separate requirements for three main categories of actors: manufacturers, importers and distributors. 

It is important to emphasize that the same company may fulfil several of these roles at once, and that this may vary for the same company from one product range to another. 

Manufacturers 

The manufacturer is on the front line. They are the ones who design, produce or brand an eligible product. They are therefore responsible for most of the actions required to bring products into compliance with RED. They must: 

• Ensure that the product complies with the essential requirements of the RED 
• Ensure that the product remains compliant in the event of modifications 
• When appropriate given the risks, carry out sample testing, keep a test record and keep distributors informed of the test history 
• Carry out or have carried out a conformity assessment 
• Provide an EU declaration of conformity 
• Affix the CE marking 
• Prepare the technical documentation and user instructions and retain them for 10 years 
• Withdraw or even recall a product from the market in case of non-compliance 
• Communicate with the authorities in the event of non-compliance or upon request 

Importers 

When a product is manufactured outside the EU, the importer is responsible for transporting it from its country of origin to the EU. The importer becomes responsible for its compliance when it enters the European market. The importer must: 

• When appropriate given the risks, perform sample testing, maintain a record of the tests and inform distributors of the test history 
• Ensure that product storage and transport conditions do not compromise compliance 
• Verify that the manufacturer has used an approved certification method 
• Check for the presence of the CE marking 
• Ensure that the technical documentation, declaration of conformity and user instructions are compliant, and retain a copy for 10 years 
• Withdraw or recall a product from the market in case of non-compliance 
• Communicate with the manufacturer and relevant authorities in case of identified non-compliance or upon request 

Distributors 

The distributors is the operator who makes the product available on the market to the customer or end user. They have a duty of care regarding the work carried out upstream by the manufacturer and importer. They must: 

• Ensure that storage and transport conditions do not compromise product compliance 
• Verify the presence of the CE marking and the availability of an EU declaration of conformity 
• Ensure that the technical documentation and user instructions are compliant 
• Withdraw or recall a product from the market in case of non-compliance 
• Communicate with the manufacturer, importer and competent authorities in case of identified non-compliance or upon request 

Key cybersecurity requirements under RED 

In 2022, RED introduced 4 essential cybersecurity requirements. These requirements are subject to eligibility criteria based on the characteristics of the product and are therefore not applicable to all devices. Rather than prescribing a fixed list of security measures to implement, the requirements represent broader security concepts to be integrated into product design. 

Network security 

Eligibility criteria: Applies to all devices connected to the Internet, either directly or indirectly. These measures are designed to prevent such devices from compromising network stability or performance. 

Cyber requirements: On the one hand, equipment must be designed to use the radio spectrum efficiently, without causing harmful interference. This ensures seamless coexistence between different devices without interference or disruption. On the other hand, they must not be capable of degrading, disrupting or hijacking network operations. 

Protection of personal data 

Eligibility criteria: Applies only to equipment that processes personal data. It aims to ensure user privacy. 

Cyber requirements: Devices must incorporate data protection mechanisms such as encryption to prevent unauthorized access. This involves securing information not only in transit but also during storage. 

Protection against fraudulent use 

Eligibility criteria: Specifically applies to equipment involved in money transfers, such as payment terminals or certain smartphones. This aims to limit the risk of fraud via this equipment. 

Cyber requirements: The regulation requires the integration of anti-fraud features, without prescribing a single solution. Among the possible approaches, multi-factor authentication (MFA) can be an effective measure, adding an extra layer of security during transactions. However, other mechanisms may also be considered depending on the context of use and the level of risk identified. 

Software authenticity 

Eligibility criteria: Applies to all equipment. The goal is to prevent the installation or execution of unauthorized software on a given device. 

Cyber requirements: Implement features that verify the software and hardware combination prior to any installation. This may include secure boot, signature/certificate verification, hash checking or any other method ensuring authenticity. 

Steps to ensure compliance with RED 

Methods for ensuring compliance 

Compliance with RED directive can quickly become a complex exercise, particularly when it comes to identifying the applicable cybersecurity requirements. To this end, CENELEC published RED related harmonized standard EN 18031 in early 2025. This standard clarifies the requirements and provides an official framework for RED compliance. 

However, it is important to emphasize that the use of EN 18031 is not mandatory. Certifying a product as compliant with EN 18031 is only one of the ways to achieve conformity with RED. A decision tree provided by RED allows for determining (depending on the product), which conformity assessment method is permitted. One of these methods is self-assessment, meaning a self-evaluation of compliance with the essential requirements, provided that the technical measures implemented and the associated justifications are thoroughly documented. 

However, these tools (EN 18031 and decision trees), although very useful remain complex to implement due to a margin for interpretation left on some aspects.

Standard procedure for manufacturers 

Based on Wavestone’s experience in cybersecurity compliance projects related to regulations and more specifically regulations targeting products, we offer a framework structured around 10 key steps: 

1. Inventory: Conduct an inventory of radio equipment marketed in the EU that does not fall under excluded sectors 
2. Requirements: Apply product specific eligibility criteria to identify the applicable essential requirements  
3. Strategy: Use the decision tree to identify possible certification methods and validate the chosen strategy for each product based on risk 
4. Framework: Specify (EN 18031) or interpret (legal text) the applicable framework by translating it into concrete, auditable security control points 
5. Gaps: Compare the current state of products and processes against the control points of the chosen framework to develop a remediation plan 
6. Remediation: Implement the remediation plan at both the product and cross-functional levels to ensure long-term compliance 
7. Documentation: Document and justify the decisions made and actions taken with respect to RED and/or EN 18031 requirements 
8. Instructions: Document best usage practices and safety instructions to ensure operation in compliance with the requirements 
9. Self-assessment / Third-party certification: Conduct a self-assessment or an audit via a certification body depending on the chosen strategy 
10. Communication: Affix the CE marking and liaise with authorities and other involved economic operators 

Positioning of RED within the cybersecurity regulatory framework for connected products 

The RED directive and the Cyber Resilience Act (CRA) clearly operate within a shared regulatory domain. For readers not yet familiar with the CRA a detailed analysis is available here. The scope of application of the RED is included in the CRA and the essential requirements of the CRA go beyond what is established by the RED. In this sense, compliance with the CRA implies compliance with the RED. As the CRA is set to become fully applicable in December 2027, there are ongoing discussions at the European level regarding the possibility that RED’s cybersecurity requirements may only remain in force until that date, with the CRA subsequently taking over. While such a transition would indeed be coherent, no official communication has been issued to that effect as of today. 

Nevertheless, achieving compliance with the RED as of now enables companies to effectively prepare for the implementation of the CRA. Both regulatory frameworks are based on similar compliance approaches and the harmonised standards for the CRA are currently being drafted by CENELEC, the same body that developed EN 18031, the harmonised standard under the RED.  

While RED compliance will become mandatory as of August 2025, it should also be viewed as a strategic opportunity to prepare for the CRA and future European regulatory requirements concerning product cybersecurity. 

Cet article ​​Radio Equipment Directive: A first step toward securing European connected products​ est apparu en premier sur RiskInsight.

OT Probes: A tool for monitoring industrial networks 

Figure 1: Listening to the network to assess and detect 

A detection probe is a piece of equipment, virtual or physical, connected to the information system (IS) in order to map and monitor it. It consists of sensors distributed across the network to collect data. And typically, a central console to aggregate, correlate and analyse this data. Probes for industrial environments – which we will refer to simply as OT probes here – are characterized by their passive, non-invasive listening on the network, and their understanding of industrial protocols and behaviour. Many players are present on the market, you can find our market overview here: https://www.riskinsight-wavestone.com/2021/03/les-sondes-de-detection-en-milieu-industriel-notre-vision-du-marche/  

All their probe solutions work on the same principle: network traffic is collected using flow duplication (SPAN, ERSPAN …) or physical duplicator like taps, etc. Packets are inspected in real time to provide several types of data: flow inventory and mapping, asset and vulnerability management, and finally anomaly and incident detection. 

This variety of possible use cases of these data and the types of users involved (operational and business team, cybersecurity team, etc.) is what makes OT probes so popular.  

However, procuring and deploying these solutions are costly. The organisation must have a clear understanding of their needs, a view of potential users and the exact added value required before embarking on such a project. 

Let’s take two very different examples 

Imagine two companies are considering deploying OT probes on their industrial sites.  

1st Company: WavePetro 

WavePetro is a company with a large sensitive site, which has a good level of cybersecurity maturity, as well as a segmented architecture. The company wants to deploy OT probes to be compliant with regulations and to improve its detection capabilities. 

Considering its architecture and detection requirements, numerous listening points will be needed on the site. WavePetro can rely on its local teams for expertise and site knowledge to support this complexity. 

2nd Company: RenewStone 

RenewStone has numerous scattered and unmanned small sites with different cybersecurity maturity levels. The sites are connected to central Group infrastructure. 
The company wants to deploy OT probes to gain visibility on its sites using inventory and vulnerability management features.  

With this configuration, RenewStone needs to standardize a turnkey OT probe roll-out and run service with as little local complexity as possible.  

Figure 2: 2 companies, 2 reasons to deploy OT probes, 2 implementation plans 

What is required for a successful roll-out? 

Although these two companies have different drivers and maturities, they will go through the same 5 key stages, albeit with different approaches.  

1.Perform a Proof of Concept 

Let’s start with the first step: the proof of concept. The objective for both companies is to test the feasibility and challenge the value this tool brings to the organisation. 

While WavePetro have to validate feasibility on a reduced perimeter in the factory, RenewStone has to validate OT probe added value validation on few different sites. 

The PoC is key in identifying what can be valuable for both companies. To get the most of it, it is important to: 

• Adapt vendors selection to your needs: The market is quite diversified between pure players, those specializing in industry or extending their IT solutions …  
  Do I want strong detection capabilities? Do I want a managed service? Do I want a unified solution for IT and OT?  
• Select the PoC scope: Identify a representative scope with resources to test on so that results can be reproduced at scale.  
• Draft a target architecture before the PoC: This allows to test an architecture that will be representative of what would be deployed at scale, in order to validate the tests carried out. 

PoC is an essential step to ensure that the tool provides value to your company, but also to be able to convince businesses to deploy especially when not constrained by regulations. 

2.Build the associated operating model  

Even from the early stages, before rollouts, it is important to remember that the end goal of the probes deployment will be to get value from its operation. To be able to do so, it is essential to: 

• Define an operating model for handling alerts, managing the inventory and managing the probes themselves. While WavePetro can have an operating model heavily relying on local knowledge and expertise, RenewStone must build a central operation model to include group teams such as SOC, OT security, network, infrastructure and so on. 
• Decide whether to call on a third party or manage your probes in-house: Few vendors also propose managed service, so you would need to create your own model, which could also rely – wholly or partly – on externalization. 
• Create a RACI: Considering the different use cases and the number of players involved in using or maintaining probes, a RACI is key to ensuring that all stakeholders are involved. 

This stage must be addressed upstream to facilitate the next steps. 

3.Prepare the roll-out  

Once the first step has demonstrated the added value of a probe and their operating model has been defined, let’s prepare for the roll-out. You need to define the final target: 

• Where you will deploy: Especially if you have many diverse sites, like RenewStone, you need to be precise on, and prioritize, the scope: It will not be possible to deploy all sites at the same time. 
• When you will deploy: Work on budget estimates, even if not accurate, as soon as possible so that sites are able to plan a roll-out on the following year. Probes are an expensive solution, not only in terms of hardware and licensing, but also in terms of the resources required to deploy and operate them. 
• How you will deploy: In any case, you need to work on a standard architecture blueprint. But especially if you have many sites to deploy or very limited local resources, you should work on building a packaged service offer to deploy.  

This preparation part is key to avoid wasting time with deployments and guarantee their success. 

4.Deploy ! 

Let’s start deploying… The motto is the same for both companies: Start small and grow.  
The difference lies in the scale:  

• Gradually roll out across the site for WavePetro: It will take some time to be able to listen everywhere effectively. Focus on the expected data to prioritize where to place the probe at first and where to listen to the network. 
• Learn and improve from one roll-out to the next for RenewStone: Rollouts are centralized and more standardized, so teams will learn and improve from one roll-out to the next. There should be a first ring of roll-out that is comprised of representative sites to test and improve the deployment model on.  
• Include change management: in all cases, the deployment of a new tool must absolutely include awareness-raising and training if probes are to find their users. 

Deploying OT probes can be a long and tedious process, but do not get discouraged, because there is still one big step left! 

5.Fine-tune OT probe console 

A probe roll-out is not a “1-and-done” kind of project. This is a tool for continuous improvement and needs to learn to deliver value. You should therefore dedicate time to: 

• Fine-tune OT Probes dashboard: Take time to improve the detection model (whitelist some behaviors, prioritize sensitive assets …), the automatic asset inventory and mapping (enrich inventory, import data, tag VLANs …), and so on. This fine-tuning needs to be done by someone with site-specific knowledge.  
• Integrate with other technologies: You can integrate OT probes consoles with your other solutions and tools such as the SIEM, firewalls or CMDBs to make the most of the data collected by the probes. 
• Try adding features: once you have gained some maturity over the solution, you can go even further with the features available like performing active queries to enrich the inventory and go even further with the features available. 

Fine-tuning enables the solution to reduce the amount of data it retrieves, so that it can focus on security data and alerts that will bring value to your company and its security level. 

Figure 3: Takeaways from 5 key steps towards an OT probes service 

Conclusion 

These 2 examples have taught us a lot about OT probes, and the many challenges involved in deploying and using them. If tomorrow, I were facing a customer wondering what to do with this OT Probe project on his roadmap, I would pick out 3 main elements: 

Figure 4: The 3 keys to a successful probe project 

Before deploying: Is it worth it ? 

Without clearly identified use cases and defined objectives, you may end up with probes providing unused or no real added value information. OT probes are expensive, both financially and in terms of time. You need to make sure they are worth it, and then gives you the means to fully exploit them. 

To do this, take the time to evaluate the quality and value of the information provided by the OT probes with your different teams (cybersecurity, operations, business…). 

Start small and grow 

Don’t be afraid to start small and grow progressively, whether that is in the number of monitored sites, assets or use cases. 

The long-term operation of OT probes is complex and builds over deployments. Take the time to take care of the solution adoption: if you want teams to use the solution, train them and demonstrate OT probes value! 

Rely on continuous improvement 

As for any robust cybersecurity process, continuous improvement should be at its core. Cyber threats are constantly evolving, from attacker techniques to OT exposure due to process digitalization. 

In parallel OT Probes can provide a wide of capabilities from incident detection to cartography, vulnerability management and even more yet to be released by editors. 

Focus first on capabilities that reduce your OT risks, progressively improving the services as it gains maturity! 

Cet article Detection probes for OT : The keys to a successful deployment est apparu en premier sur RiskInsight.

In a few words, if you either manufacture, import or resell a product with digital elements, you will surely be affected by the CRA, and need to ensure compliance. This article is intended to shed light on: What does this regulation entail? Who is affected? How can compliance be achieved? 

What is the cyber resilience act and what does it entail?   

To understand the necessity of the Cyber Resilience Act, it’s crucial to consider the broader context of cybersecurity in Europe. The CRA is an ambitious regulation designed to ensure the security of EU citizens by addressing the currently observed low levels of cybersecurity in products with digital elements through a European Union policy intervention. In response, comprehensive studies focusing on the cybersecurity of digital products were conducted, leading to the proposal of legislation defining the obligations for the whole products supply chain actors, from manufacturers to distributors.  

Wavestone’s involvement in this process underscores its commitment to enhancing cybersecurity standards. We participated in an in-depth exploratory study commissioned by the EU, engaging with a broad spectrum of stakeholders involved to varying degrees in the products ecosystem, including national authorities, EU bodies, hardware and software manufacturers, trade associations, consumer organizations, researchers, academia, and cybersecurity professionals.  

Through Wavestone’s position as a global, and particularly European leader in the field of cybersecurity, several interviews, focus groups and workshops were conducted.  Valuable insights were gathered from a wide range of different interlocutors, providing a comprehensive view that takes into account the perspectives of all stakeholders and allowed the foundation for the development of the CRA. 

Definition and Scope 

The Cyber Resilience Act is a legislative proposal defining the obligations of manufacturers, importers, and distributors of products containing digital elements marketed in the EU, all of which must bear the CE mark across all sectors. As defined in the regulation, this includes “any software or hardware product and its remote data processing solutions, encompassing components that can be marketed separately”. The regulation’s aim is not only to secure standalone products but also to ensure the security of data transmission chains and central infrastructures through the application of this standard. 

To this notion of product is added a notion of criticality, therefore the CRA differentiates two types of products: products with digital elements and critical products with digital elements. As detailed below in “Checklist for CRA compliance”, it will affect how compliance can be achieved. 

A few examples of products with digital elements include consumer products, smarts cities and non-essential software. Critical products with digital elements include for example industrial control systems and firewalls. The detailed list of concerned products can be found in the regulation’s annexes. 

However, as is detailed below in “A complex ecosystem”, the CRA does not apply universally; products in some specific sectors do not have to comply to the requirements 

Stakeholders and Responsibilities 

The CRA impacts the entire lifecycle of digital products, from development by manufacturers, importers, distributers to the final consumer, but also the vulnerability management from conception to the product end-life, through a share responsibility. 

Essential Requirements 

As said earlier, the CRA’s objective is to allow a sufficient level of cybersecurity in products with digital elements. To do so, it introduces essential requirements built on three pillars: 

• Product Security: Ensuring products are designed, developed, and manufactured to meet appropriate cybersecurity levels and are free from known exploitable vulnerabilities. 
• User Documentation: Providing documentation to ensure safe use from commissioning to end of life. 
• Vulnerability Management: Identifying and documenting vulnerabilities, conducting regular security tests, and implementing a vulnerability disclosure policy. 

In the event of non-compliance with the essential requirements, sanctions may be applied on any of the three stakeholders. Like GDPR, each Member State shall determine the penalties applicable to infringements of this Regulation. Penalties are based on the company’s annual turnover and the severity of the infraction, with fines reaching up to 15 million euros or 2.5% of the total worldwide annual turnover for significant breaches.  

How to achieve compliance with the CRA? 

Timeline of the CRA 

The CRA has been a long-term project, with almost 10 years from identification of the need to application, reflecting the complexity of establishing comprehensive cybersecurity regulations: 

Businesses have until the 2026 to achieve compliance, with interim obligations. Similar requirements can be found in other regulations, such as NIS2, but contrary to other regulations, the CRA does not need a national transposition. The CRA was passed by the European Parliament in March 2024, and it is awaiting a vote by the European Council to become a law. 

A complex ecosystem 

One of the major concerns raised during the preparation of the Cyber Resilience Act was how to navigate the multitude of existing regulations and achieve regulatory harmony, particularly in sectors where safety, privacy, and cybersecurity standards intersect.  

The CRA aims to foster interoperability by aligning with the general product safety framework, the Cyber Security Act’s requirements for ICT products, processes, and services, and the CE marking standards for European compliance. 

To streamline compliance, the CRA includes presumptions of conformity with existing regulations such as the RED Directive, the AI Act, and certain sector-specific rules.  

However, the CRA does not apply universally; some sectors, such as medical, aviation, and automotive, are already governed by established regulations and are thus exempt from the CRA’s provisions. 

Checklist for CRA compliance 

Compliance with the CRA involves a thorough understanding of the regulation’s core text and two annexes, which detail: the list of concerned products, essential requirements, the obligations for manufacturers, importers, and distributors and national competent authorities and sanctions.  

The certification process varies based on product criticality: 

• For non-critical products : a self-assessment is necessary 
• For critical products  : third-party assessment is necessary, meaning the product compliance to the CRA will be assessed by a certified entity. At the time of writing this article, the exact certification schemes have yet to be specified but in France, the CESTI certification is in discussion.  

Five main checkpoints are to be considered to achieve compliance:  

1. Legislative Gap Analysis: Identify discrepancies between current practices and the requirements of the CRA by reviewing existing cybersecurity policies, processes, and controls to pinpoint areas needing improvement. 
2. Product Security Assessment: Conduct thorough assessments to ensure product identification and security.  
3. User Instructions Update: Provide clear and comprehensive user documentation by ensuring that all products are accompanied by documentation in adequation with the regulation standards. 
4. Vulnerability Management: Set up a process for identifying and sharing vulnerabilities. 
5. Internal Organization Review: Implement a permanent procedure to ensure compliance, covering the above-mentioned key points and enforce a watch on product or legislation changes that may imply new gaps to remediate.

In conclusion, the Cyber Resilience Act represents a comprehensive framework to enhance the cybersecurity of digital products within the EU. Compliance with this legislation requires thorough preparation. For businesses, adhering to the CRA is not just a legal obligation but also an opportunity to enhance their standing in a market increasingly aware of cybersecurity issues.  

Cet article Cyber Resilience Act: A revolution redefining product security and transforming the ecosystem est apparu en premier sur RiskInsight.