NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s cybersecurity law that strengthens requirements for managing cyber risk and reporting incidents across a wide range of sectors and digital service providers. It replaces and expands the original NIS Directive, introducing clearer security obligations, stronger supervision, and broader coverage across the EU.

Who NIS2 applies to

NIS2 applies to organizations considered essential entities or important entities, based on their sector and size, and includes many providers that support critical services through digital infrastructure or managed services. Coverage can include:
– Operators of critical services (sector-dependent)
– Digital infrastructure and ICT service providers
– Managed service providers and cloud/hosting-related services
– Organizations whose operations depend on network and information systems in ways that impact service continuity

Key requirements under NIS2

NIS2 requires organizations in scope to implement cybersecurity risk management measures and to report significant incidents. Core expectation areas typically include:
– Security policies and risk analysis
– Incident handling and incident response processes
– Business continuity and crisis management (backup, disaster recovery)
– Supply chain and third-party security controls
– Secure development and vulnerability management
– Access control, MFA, and identity governance
– Logging, monitoring, and detection capabilities
– Encryption and secure communications where appropriate

Incident reporting obligations

NIS2 introduces structured incident reporting expectations to national authorities (e.g., CSIRT/competent authority), typically requiring:
– Rapid notification when a significant incident is detected
– Follow-up reporting with impact, root cause, and mitigation actions
– Final reporting after resolution, including lessons learned and prevention measures

Governance and accountability

NIS2 strengthens management-level accountability for cybersecurity:
– Senior management involvement in approving security measures
– Training and awareness expectations for leadership and relevant personnel
– Documented governance, roles, and oversight for security controls and risk ownership

Why NIS2 matters for EV charging and e-mobility

EV charging ecosystems rely on connected systems that can be operationally critical:
– Chargers, gateways, and back-office platforms (CPMS) connected over public networks
– Protocol-driven communications (e.g., OCPP) and remote control functions
– Payment and billing systems, user data, and roaming integrations
– High availability expectations (uptime, MTTR) that can be disrupted by cyber incidents

NIS2 pushes operators and suppliers to formalize security controls, monitoring, and incident response across both IT and operational technology (OT) environments.

Practical implications for charging operators and OEMs

Common NIS2-aligned actions in EV charging contexts include:
– Network segmentation and hardened site connectivity
– Strong authentication for admin portals (MFA, RBAC)
– Secure update and firmware management processes
– Continuous monitoring and alerting, with clear escalation paths
– Third-party risk management for installers, hosting, and managed services
– Incident reporting playbooks and evidence-ready logs