NIS2 Directive: How EV charging companies comply with the new EU-wide cybersecurity legislation

The pace of digitalisation in virtually every industry is growing, and with it the risks of cybersecurity threats and attacks. And that’s no different for the EV industry. At Virta, we've always prioritised the security and integrity of our systems and data, and as an industry leader, we're prepared for the upcoming EU legislation – the Network and Information Security (NIS2) Directive. 

In this blog we’ll talk about the NIS2 Directive, why it is important for the EV industry players, and how Virta’s solutions help your business stay compliant. 

What is the NIS2 Directive? 

Data is gold, they say. And as we would with actual gold, we need to protect data from malicious intent as best as possible. This is where various legislative frameworks bring direction and guidelines on how to go about it. The NIS2 Directive is the latest cybersecurity legislation introduced by the European Union to get the overall level of cybersecurity across member states to a new standard. 

NIS2 is supposed to come into effect on October 17th, 2024, and it brings new responsibilities and standards to make our digital infrastructure more resilient and secure. The focus is on greater cybersecurity measures, incident reporting obligations, supply chain security requirements, and risk management practices. 

Why is NIS2 important for the EV charging industry? 

This regulation specifically targets critical sectors, including energy and transport, which are vital to our economy and society. As the EV charging industry is at the crossroads of both of these critical industries, the EV charging network is seen as critical infrastructure and was put under the directive’s scope. 

Charging networks rely on digital platforms for charger management and billing, making them highly vulnerable to cyberattacks. EV charging companies also deal with large amounts of data, from personal to payment data, and possible data breaches could cause major disruptions to our electrical grids. 

Due to this, it’s in all EV charging companies’ and solution providers’ best interest to pay attention to this new legislation and adhere to its requirements. 

What are the NIS2 requirements for EV charging companies? 

Several requirements must be met for the affected sectors and industries. Let’s examine those affecting the EV charging industry. 

Enhanced cybersecurity measures 

To comply with NIS2, businesses must introduce stricter measures and policies for incident handling, network security, and vulnerability management. 

Risk management  

Your business must evaluate and identify its cybersecurity risks and implement measures to mitigate and manage them. 

Incident reporting  

Your business is required to have a system in place to report any cybersecurity incidents and threats without delays, in some cases, within 24 hours. You should also include a suggested incident resolution and inform about all possible impacts. 

Supply chain security 

The NIS2 directive states that it’s not enough to ensure your own business’ compliance alone; you must also ensure the compliance of your partners, suppliers, and service providers, such as hardware manufacturers and software providers. Otherwise, your business could be potentially accountable for the security risks of those you’re partnering with. 

Business continuity  

Your business must have a plan in the event of a cyber incident to ensure that your services can be quickly recovered without significant disruptions to your operations. 

Corporate accountability  

As mentioned in the directive, your business's management team is responsible for overseeing all cybersecurity measures and addressing potential risks. That’s why regular cybersecurity training should be introduced for your management (and staff) to equip them with the necessary knowledge and skills to recognise and respond to cybersecurity threats as best as possible.

Does the NIS2 Directive apply to the UK? 

As NIS2 is an EU Directive, the UK will not implement it. However, the country is planning some revisions and updates to its own Network and Information Systems (NIS) regulations to strengthen the protection of essential services against cyber threats. 

However, if your UK business operates in the European Union, you must comply with the NIS2 directive. 

Virta's proactive approach to cybersecurity 

“At Virta, we believe that security should be a part of everyday life. That’s why we focus on providing our customers with not only the necessary compliance, but the most secure and reliable EV charging solutions possible.” - Sanna Moilanen, Chief Information Security Officer 

At Virta, we've always focused on adopting the best cybersecurity practices. The cybersecurity landscape is constantly evolving, and so are we. Our security experts continuously monitor for new threats and update our systems and practices accordingly. 

Virta has held the ISO 27001 certification for information security since 2019. 

A great example of our early adoption approach to cybersecurity is the ISO 27001 certification, which we’ve held since 2019. This internationally recognised standard for information security management systems (ISMS) shows our long-standing commitment to protecting sensitive information. 

Our early adoption of ISO 27001 has positioned us well for NIS2 compliance, as many of the regulation's requirements align with the practices we've already implemented. 

Enhanced cybersecurity measures 

We’ve established multiple layers of security across all components of our charging platform including network security, application security, endpoint security, and data security. For our IT systems and facilities, we have encryption, access controls and physical security protocols in place in line with the ISO 27001 certification. To assess our security controls and their effectiveness, we undergo SOC 2 Type 2 audits tailored to the specifics of EV charging systems on a yearly basis.

Risk management 

We’re continuously monitoring possible risks to identify any potential gaps in our security systems and developing strategies to mitigate any identified risks. Our risk management processes are integrated into our quality assurance process, so we’re able to identify potential quality and compliance risks throughout the EV charging system lifecycle. 

Incident reporting 

In the event of an incident, we at Virta have a comprehensive incident management process. This includes having an established protocol for notifying relevant authorities about the security incident or a data breach, setting up clear communication channels to notify internal and external stakeholders about system status and recovery progress during and after an incident and documenting and reviewing the incident to improve future security measures. 

Supply chain security 

We’ve implemented robust processes to ensure that our entire supply chain complies with strict security standards. This includes careful vetting of suppliers, regular security assessments, and maintaining clear communication channels to address any potential vulnerabilities quickly. We make sure to hold all our suppliers and vendors to the same quality and compliance standards by conducting regular audits and reviews. 

Prepare for NIS2 – with Virta 

At Virta, we're not just meeting all the requirements of NIS2 – we're exceeding them. This aligns perfectly with the NIS2 directive's emphasis on adapting to new challenges and threats in the digital realm. 

Would you like to discuss more about NIS2 and how Virta helps you become compliant? Let’s talk!