Cyber Resilience: Foundation for Sustaining User Trust

As the technological capabilities of ADAS and AI-driven systems continue to mature, the barriers to mass adoption of autonomous vehicles are no longer primarily technical. Real-world applications, ranging from robotaxis and logistics delivery robots to autonomous truck fleet operations, are already emerging through industry partnerships and evolving regulatory frameworks.

Increasingly, the primary barrier to autonomous vehicle adoption is shaped by user perception rather than technological readiness. Psychological and behavioral factors are beginning to influence demand, with public sentiment playing a critical role in determining adoption trajectories.  

Even a single incident or news of investigations by regulatory bodies can trigger widespread concern, resistance, and skepticism. These reactions reinforce the perception that autonomous systems should not operate on public roads, creating a mental barrier to full autonomy, and in turn, slowing investment and business development initiatives.  

Understanding this behavioral dimension is critical. The key question for mobility innovators now extends to whether users will continue to trust the system when something goes wrong. This shift calls for cyber resilience, the ability to maintain secure and reliable operations even under disruption, to serve as a foundation for sustaining user trust and enabling scalable adoption in a smart mobility ecosystem.

Complexity of Modern Vehicle Systems  

Mobility is no longer a standalone product; it is evolving into an interconnected system of systems. The boundaries between mobility domains are increasingly blurred, with vehicles exhibiting robotic characteristics and distinctions between various modes of transportation gradually converging.  

As vehicle platforms evolve from connected cars to software-defined vehicles, and ultimately AI-driven systems, their internal architecture has expanded significantly. What was once centered on hardware, electrical, electronic, and software components now extends to include on-demand applications, service-based functionalities, and AI-powered capabilities.

Evolution towards AI-Defined Vehicles (ADV)

While this evolution enables greater functionality, it also introduces increased system interdependencies and, consequently, higher levels of unpredictability. This transformation is not occurring in isolation, but is driven by a self-reinforcing cycle.

Standard Convergence Flywheel

  • Standard Convergence: Common frameworks and regulations align across industries, enabling interoperability and shared development baselines.  
  • Technology Convergence: Shared architectures, platforms, software stacks are adopted across domains, accelerating cross-industry innovation.
  • Industry Interdependencies: Automotive, robotics, infrastructure and adjacent sectors become tightly interconnected, increasing system-level reliance.  
  • Economies of Scale: Wider adoption reduces costs and barriers, enabling faster deployment and reinforcing shared ecosystems.

This cycle continuously amplifies system connectivity and complexity, ultimately resulting in tightly coupled environments where disruptions are difficult to isolate and contain. Systems in such environments must be designed to function reliably under uncertain and dynamic conditions. This requires not only protection against threats, but also the ability to maintain predictable behavior, ensure operational continuity under disruption, and support consistent system performance.

In response to this shift, cyber resilience gains strategic importance. Cyber resilience refers to the ability of a system to withstand, recover from, and continue operating despite cyberattacks. It is no longer an enhancement, but a core requirement for ensuring that complex, interconnected systems remain stable, predictable and operable in real-world environments.  

Enhancing User Trust through Cyber Resilience  

While cyber resilience defines how systems operate under failure, its ultimate impact is measured in user trust. Research from the University of New South Wales highlights that trust in autonomous vehicles is highly sensitive to cyber incidents, where even a single attack can undermine public confidence at scale. The study further emphasizes that trust is shaped by how effectively organizations prepare for and respond to such events in ways that align with user expectations.

In this context, cybersecurity maturity becomes a critical determinant of adoption. Organizations that fail to demonstrate adequate preparedness risk eroding public confidence, which can slow adoption, reduce usage, and ultimately hinder the broader development of the autonomous mobility ecosystem.  

Recognizing the relationship between user trust and long-term business viability, systems must incorporate safeguards that reinforce user confidence. This includes enabling predictable behavior, supporting controlled responses and maintaining stable operation throughout the system lifecycle. As complexity increases across interconnected environments, trust evolves into a system-level requirement, extending beyond individual products to vehicles, services and networks.  

Enabling this shift requires more than optimizing individual technologies; it demands an integrated infrastructure approach that operates seamlessly across system boundaries, an approach that AUTOCRYPT is actively advancing. Through CRA-aligned regulatory readiness, in-vehicle cybersecurity solutions, and V2X security services, AUTOCRYPT supports OEMs and Tier 1 suppliers in building cyber-resilient systems, representing a natural evolution beyond traditional cybersecurity.

Additional Resources

Securing Electric Vehicle Charging Infrastructure

EV charging infrastructure sits at the center of the electric mobility transition. Yet according to the HERE-SBD EV Index 2025, limited charging access remains the top barrier to EV adoption, with more than half of respondents (53%) citing a perceived lack of charging access as their primary concern.

Expanding the availability of charging stations is crucial, but so is securing the digital backbone that supports them. Public charging points are no longer simple power outlets, but digital infrastructures that handle sensitive information such as personal identifiers, payment credentials and vehicle contract certificates. Without robust safeguards, these data can become points of vulnerability, slowing adoption.  

This blog explores three cornerstone frameworks shaping EV charging security — ISO 15118-2 (2014), the Open Charge Point Protocol (OCPP) 2.0.1 (2020), and the EU Cyber Resilience Act (CRA) (2023). By examining their roles and how they interconnect, we aim to simplify compliance in the EV charging ecosystem and highlight how integrators like AUTOCRYPT can help turn these standards and regulations into practice.  

I. Interconnected Pillars of EV Charging Security   

Securing EV charging infrastructure depends on three complementary pillars, each addressing a different layer of the ecosystem.  

Interconnected Pillars of Electric Vehicle Charging Security

A) ISO 15118-2 (2014): Securing the EV-Charger Interface

The ISO 15118 multi-part standard (i.e. Part 1 – 2013, Part 2 – 2014, Part 3 – 2015, Part 20 – 2022) defines secure, interoperable communication between the vehicle and the charging station. While each part addresses different aspects of EV-EVSE interaction, Part 2: Network and application protocol requirements is especially significant as it lays out the technical implementation for managing secure communication flows.  

ISO 15118-2 (2014) mandates that EV and EVSE establish a TLS-secured channel for direct current (DC) charging using certificate-based authentication. Within this secure channel, the Plug&Charge contract exchange is executed: the EV presents its contract certificate and the charger verifies it with the backend, enabling seamless authentication and billing. Later updates in ISO 15118-20 (2022) expand these provisions to cover both alternating current (AC) and direct current (DC) charging, as well as Vehicle-to-Grid (V2G) bidirectional energy flows.  

Together, these measures ensure that the EV-charger handshake is both seamless and secure, protecting against spoofing and unauthorized access.  

B) Open Charge Point Protocol (OCPP) 2.0.1 (2020): Securing the Charger-Backend Interface

The Open Charge Point Protocol (OCPP) 2.0.1 provides an open, interoperable standard for communication between charging stations and backend systems such as the Charging Station Management System (CSMS) and mobility operators (MO).

OCPP 2.0.1 requires charging stations and backend systems to establish a TLS 1.2-secured channel with mutual authentication. Over this protected connection, OCPP defines operational protocols ranging from standardized message formats for anomaly reporting to the use of digitally signed meter values that ensure billing accuracy.  

By embedding these measures, OCPP ensures chargers remain trusted, manageable and interoperable throughout their operational life.  
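One way to express and check the mutual-TLS requirement described above, as an added example that is not part of the original article or AUTOCRYPT's code: Python's standard ssl module configures the CSMS and charging-station ends of the link and audits each context against the TLS 1.2 and mutual-authentication baseline. The function names and the optional certificate paths are hypothetical.

```python
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # protocol floor the text states for OCPP 2.0.1


def harden(ctx, cert=None, key=None, ca=None):
    """Apply mutual-authentication settings to either end of the link.

    cert/key/ca are PEM paths (hypothetical, deployment specific); they are
    optional only so the example runs without key material.
    """
    ctx.minimum_version = MIN_TLS
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        ctx.check_hostname = True        # station checks the CSMS hostname
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid peer cert
    if ca:
        ctx.load_verify_locations(cafile=ca)             # trust anchors for the peer
    if cert:
        ctx.load_cert_chain(certfile=cert, keyfile=key)  # this end's own identity
    return ctx


def audit(ctx):
    """Return findings for a context that misses the mutual-TLS baseline."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("server hostname not checked")
    return findings


def weak_csms_context():
    # Constructed "before" case: server-authenticated TLS only.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def weak_station_context():
    # Constructed "before" case: station accepts any backend certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, make in (("CSMS", weak_csms_context), ("station", weak_station_context)):
        print(name, "before:", audit(make()), "after:", audit(harden(make())))
```

With `CERT_REQUIRED` set and no trust anchors loaded, every peer is rejected, so a deployment that omits the `ca` path fails closed rather than open.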

C) Cyber Resilience Act (CRA) (2023): Hardware and Software Lifecycle  

Although the Cyber Resilience Act (CRA) does not specifically target EV charging infrastructure, it strengthens EVSE security by covering hardware, firmware and backend systems under the category of “products with digital elements.”  

Under the baseline obligations of the CRA, all EVSE must be secure at launch and throughout use, with manufacturers required to conduct conformity assessments before placing products on the market. Moreover, the CRA mandates secure update mechanisms such as OTA updates, vulnerability handling processes including coordinated disclosure, and obliges manufacturers to report actively exploited vulnerabilities.  

In doing so, the CRA provides the regulatory umbrella that ensures ISO 15118 and OCPP implementations are maintained securely and transparently across both hardware and software layers.  

Interconnected Security Chain  

End-to-end Security Chain between Electric Vehicle, EV Charger, Backend Cloud

Viewed together, these three pillars create a security chain rather than isolated requirements. ISO 15118-2 secures the EV-charger interface, OCPP 2.0.1 governs charger-backend communications, and the EU Cyber Resilience Act sets mandatory cybersecurity obligations across hardware and software. Combined, they form an interconnected framework that strengthens resilience, ensures compliance, and builds trust throughout the entire EV charging ecosystem.  

II. AUTOCRYPT as the Integrator

AUTOCRYPT combines a deep understanding of standards-based requirements with practical expertise to deliver a wide range of solutions for securing EV charging infrastructure. By aligning with ISO 15118 and OCPP, and offering dedicated guidance on CRA compliance, AUTOCRYPT acts as an integrator that embeds end-to-end trust across the entire EV charging chain.  

AUTOCRYPT's role in ensuring EV Charging Infrastructure Security

A) AutoCrypt® PnC

The AutoCrypt® PnC protocol incorporates mechanisms for both secure communication and PKI-based certificate management. Built on the ISO 15118 PKI authentication framework, it secures the vehicle-to-grid (V2G) communication interface through encryption and certificate-based trust. Moreover, designed for integration with OCPP, AutoCrypt PnC ensures contracts verified in the backend are securely delivered to the vehicle.  

AutoCrypt® PnC incorporating mechanisms for both secure communication and PKI-based certificate management

In doing so, it bridges front-end communication between the EV and charger with back-end contract flows, creating an unbroken chain of trust.  

B) EVIQ™ Platform

Addressing the growing need for a unified and secure EV charging ecosystem, the EVIQ™ Platform combines applications, charger tools and management systems into one solution. Supporting the Plug&Charge protocol outlined in ISO 15118 and fully compliant with OCPP 1.6, EVIQ provides both user-facing and operator-facing functions.

EVIQ™ Platform combining applications, charger tools and management systems into one solution

Together, these components make EVIQ a comprehensive platform which strengthens both user convenience and operator control.

C) CRA Consulting Service 

With the EU Cyber Resilience Act (CRA) set for full enforcement in 2027, AUTOCRYPT’s CRA Consulting Service helps stakeholders systematically prepare for compliance. This includes support for OEMs, CPOs and mobility operators on security-by-design requirements, vulnerability management and update processes, and compliance documentation.

CRA Consulting Service providing support for OEMs, CPOs and mobility operators on security-by-design requirements, vulnerability management and update processes, compliance documentation

By guiding clients through each step, AUTOCRYPT ensures ISO 15118 and OCPP implementations are maintained securely and transparently, offering a clear pathway to regulatory readiness well ahead of the enforcement deadline.  

III. Safeguarding the EV Charging Security Chain 

The path to secure EV charging is not defined by a single standard or regulation, but by the interconnected security chain of ISO 15118, OCPP and the EU Cyber Resilience Act. Together, they safeguard the EV-charger handshake, protect the charger-backend connection, and ensure the long-term resilience of hardware and software systems.

AUTOCRYPT plays a pivotal role in uniting these layers. Through solutions such as AutoCrypt® PnC, EVIQ™ Platform and CRA Consulting Service, the company translates complex standards and regulatory requirements into practical, operational security across the charging ecosystem.

As EV adoption accelerates worldwide, AUTOCRYPT remains committed to building end-to-end trust and driving sustainable growth by continually expanding its suite of solutions for EVSE manufacturers, operators and mobility providers. 

Learn more about our products and solutions at https://autocrypt.io/all-products-and-offerings/.