Electric charging: 87 vulnerabilities in Germany, Luxembourg unaffected

delano.lu

Cybersecurity for electric vehicle charging points is becoming an increasingly pressing concern for European authorities. In Luxembourg, the issue was the subject of a parliamentary question raised by an MP (Piraten), who questioned the government about the risks identified in a recent report by the Bundesamt für Sicherheit in der Informationstechnik (BSI), the German cybersecurity authority.

In his reply, the Minister for the Economy, Energy and Tourism, (DP) states that the government has analysed the findings of the German report. The report confirms that the public charging infrastructure constitutes “a complex and interconnected system” in which various potential vulnerabilities exist, particularly in terms of communication protocols, software implementations and the management of digital certificates.

The tone of the BSI report, however, appears more alarmist than the ministerial response suggests. The German authority now regards charging infrastructure as a strategic component of the energy and digital ecosystem. According to the authority, public charging points are no longer simply equipment for distributing electricity, but systems connected to vehicles, charging operators, payment platforms, mobility providers and, increasingly, smart grids.

Even the network could be at risk

The report highlights that a successful attack could prevent or manipulate charging, disrupt mobility, cause significant economic damage and, in certain scenarios, affect the stability of the electricity grid. The BSI even believes that a compromise of certain control systems related to charging could theoretically lead to overloads or targeted power cuts.

German researchers have identified 87 publicly known vulnerabilities relating to charging infrastructure and point out that international cybersecurity competitions continue to uncover significant flaws. The Pwn2Own Automotive competitions have thus uncovered 54 new vulnerabilities across ten models of charging stations over the past two years. Around half of these allowed code execution on the targeted equipment, sometimes with full administrator privileges.

The report also highlights that charging points are currently one of the most vulnerable links in the chain. As they are physically accessible to the public, often managed remotely and connected to multiple IT systems, they present a particularly large attack surface. The BSI cites, in particular, cases of IT services left accessible, insufficient authentication mechanisms, and update procedures that can be exploited.

Penetration test before the end of the year

In light of these risks, the Luxembourg government is highlighting the regulatory requirements that are already in force. In particular, public charging points must comply with the European provisions set out in the Regulation on alternative fuels infrastructure. Communication between the vehicle and the charging point must comply with ISO 15118-2, whilst data exchanges between the charging point and central systems must be encrypted and based on a public key infrastructure (PKI), designed to ensure data authentication and integrity.

Lex Delles also points out that new requirements will come into force on 1 January 2027. All new charging points or replaced equipment must comply with the ISO 15118-20 standard, which strengthens several security mechanisms. Operators will also be subject to the requirements of the NIS2 Directive regarding risk management, monitoring and incident reporting.

With regard to the Luxembourg public charging networks Chargy and SuperChargy, the Minister states that several security measures have already been implemented by the concessionaire and, prior to that, by the network operators. These include penetration tests carried out on the central systems, the most recent of which dates back to 2025, the automation of access monitoring and activity logs, continuous monitoring of known vulnerabilities, and secure communication with charging points via a dedicated APN.

The system still needs to be strengthened. A new penetration test is planned before the end of 2026. The concessionaire also plans to install a Web Application Firewall to further protect access to central systems, expand monitoring capabilities and complete work to ensure compliance with the NIS2 Directive.

Two rooms, two atmospheres

When asked about the risk that charging points could be used as a means of attacking other critical infrastructure, particularly the electricity grid, the minister highlighted the separation of systems, the encryption of communications, the authentication of equipment and the monitoring of networks. These mechanisms are designed to prevent the compromise of a charging point from being exploited to target other components of the energy system.

The German report nevertheless considers that the issue now extends beyond electric mobility alone. With the development of smart charging control, energy management systems and, eventually, ‘vehicle-to-grid’ technology, charging infrastructure is gradually becoming an integral part of the electricity system itself. The BSI summarises this development by stating that charging infrastructure now constitutes “a key node within a network of critical infrastructure, the protection of which must be an absolute priority”.

As the number of electric vehicles and charging points increases, the issue is no longer solely about the availability of charging points or the speed of charging, but also about the ability to protect an infrastructure that is set to play an increasingly important role in Europe’s energy balance.