
Why Resilient Software Is the New Foundation of Trust
The electric vehicle charging network in Europe has quietly graduated from a convenience for early adopters into a piece of critical infrastructure. Hotels rely on it to attract guests, fleet operators rely on it to keep vans on the road, and cities rely on it to meet climate commitments. When a charger fails, a payment is intercepted, or a roaming session is hijacked, the damage is not just commercial. It erodes public trust in the entire transition to electric mobility.
That is why cybersecurity in EV charging is no longer a topic for a small group of specialists. It belongs in every conversation about how we design, operate, and scale this network.
The Threat Surface Is Wider Than People Think
An EV charger is not a single device. It is a system of systems: firmware on the unit itself, the OCPP link to the back office, the OCPI roaming interface to other operators, payment processors, mobile apps, fleet portals, and a long chain of third-party software libraries that hold it all together. Each of those layers is a potential entry point.
The risks are concrete and well documented:
- Tampered firmware can underreport energy delivery or open a path into the operator’s back office.
- Insecure OCPP sessions can be hijacked to start unauthorised charging sessions or read driver data.
- Vulnerabilities in the OCPI 2.2.1 interoperability layer can ripple across the entire European roaming network in hours, not days.
- Leaked secrets in source code repositories can hand attackers production credentials before anyone notices.
- Unpatched dependencies can carry well-known CVEs straight into a regulated charging service.
Regulators have already drawn the line. The NIS2 Directive classifies essential service providers in the energy sector under stricter security and reporting obligations. The Cyber Resilience Act (CRA) extends product security obligations across the software supply chain. EV charging operators of meaningful size now sit squarely inside both frameworks.
In short, secure software is no longer a competitive nicety. It is a licence to operate.
What We Validated in the CONSOLE Project
Parity Platform P.C. (operating brand: EV Loader) has successfully completed the External Validation Activity (EVA) of the CONSOLE project under our EVC Guardian sub-grant, funded under Horizon Europe.
Over the past five months we worked alongside the CONSOLE consortium to validate the platform’s capabilities on a regulated, production-grade EV charging code base. The validation focused on three pillars:
- Static code analysis across the EV Loader services, looking for known vulnerability patterns, insecure cryptography, and risky API usage before code ever reaches production.
- Secret scanning across our repositories and CI pipelines, to catch leaked tokens, keys, and credentials at commit time rather than after an incident.
- Unified reporting that ties findings from multiple tools into a single, auditable view that maps cleanly to NIS2 and CRA evidence requirements.
We deliberately put the OCPI 2.2.1 interoperability surface at the centre of the exercise. OCPI is the layer that connects our platform to roaming partners across Europe. It is where a vulnerability stops being an internal problem and becomes a shared one. Validating CONSOLE against this surface gave us hard signal on whether the tooling can support not just our own service, but the wider ecosystem we are part of.
Results: Every Objective Met, Above Target
Every technical and business objective declared in our approved proposal was achieved above target.
What that meant in practice:
- Findings were triaged faster, with fewer false positives reaching engineers.
- The unified reporting layer accelerated our NIS2 documentation cycle, turning what used to be a quarterly scramble into a continuous, evidence-driven process.
- The work directly informed the EVC Guardian Cybersecurity-as-a-Service blueprint that we will offer to Charge Point Operators across the EU.
In other words, the validation was not just a tick-box exercise on a research project. It changed how we build and how we will help others build.
EVC Guardian: Cybersecurity-as-a-Service for Charge Point Operators
The EV charging market is full of operators who know they need to harden their software stack but do not want to build a dedicated security function from scratch. EVC Guardian is being designed for exactly that audience.
The service combines:
- Unified, audit-ready reporting aligned to NIS2 and CRA evidence requirements.
- Advisory support for vulnerability response, secure development practices, and roaming partner due diligence.
The goal is simple: let operators focus on building a great charging experience while we take on the heavy lifting of keeping the software stack defensible.
Let’s Talk
We are actively looking for partners on the next phase of this work.
- Charge Point Operators who want to onboard early to EVC Guardian Cybersecurity-as-a-Service.
- Research consortia and SMEs building proposals under Horizon Europe, Digital Europe, or related funding lines, where secure EV charging software is in scope.
- Roaming partners and platform vendors who want to align on a higher security baseline across the OCPI ecosystem.
Contact us to discuss a new research project, a joint proposal, or an EVC Guardian engagement for your operation. We are happy to share what we learned during CONSOLE and to scope concrete next steps for your environment.
