CRA and EVSE: technical implications for charging products
1. Why CRA directly impacts EVSE
The Cyber Resilience Act (CRA) requires products with digital elements to meet cybersecurity requirements across design, manufacturing, and maintenance.
A modern EVSE is clearly in scope: embedded firmware, connectivity, OTA updates, OCPP integrations, and remote service dependencies.
This means cybersecurity becomes part of product conformity evidence, not an optional feature.
2. Key EU dates
- 10 Dec 2024: Regulation (EU) 2024/2847 entered into force.
- 11 Sep 2026: Vulnerability and incident reporting obligations apply.
- 11 Dec 2027: General CRA application starts for products on the EU market.
- Mar 2026: The Commission published draft implementation guidance.
For EVSE manufacturers, 2026 is the practical window for architecture and process changes that avoid late 2027 redesigns.
3. Core technical implications
3.1 Secure-by-design and secure-by-default
- Remove unnecessary network services from factory images.
- Use unique credentials and avoid shared default passwords.
- Apply hardening and least-privilege policies on embedded systems.
3.2 Firmware chain and OTA
- Secure boot, signed images, and integrity checks at each boot.
- Signed OTA updates with anti-rollback and controlled recovery.
- A documented patching strategy during the declared support period.
3.3 Vulnerability operations
From 11 September 2026, fast response and reporting become mandatory operational capabilities.
- Classify CVEs and map impact by deployed firmware version.
- Collect telemetry and forensic logs to detect real field compromise.
- Run reporting workflows aligned with 24h / 72h / final report milestones.
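The first and third items above can be sketched as follows. This is an added example, not code from the original page or from any vendor; the advisory, fleet inventory, field names and timestamp are constructed, and the final report milestone is left out because the page gives no interval for it.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: advisory id, versions and serials are illustrative only.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-001",   # placeholder, not a real CVE
    "component": "ocpp-client",
    "introduced": "2.3.0",          # first affected firmware version
    "fixed": "2.5.1",               # first firmware version containing the fix
}
FLEET = [
    {"serial": "EVSE-0001", "model": "AC22", "firmware": "2.2.9"},
    {"serial": "EVSE-0002", "model": "AC22", "firmware": "2.3.0"},
    {"serial": "EVSE-0003", "model": "DC150", "firmware": "2.5.0"},
    {"serial": "EVSE-0004", "model": "DC150", "firmware": "2.5.1"},
    {"serial": "EVSE-0005", "model": "DC150", "firmware": "2.10.0"},
]

def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def is_affected(firmware, advisory):
    """A unit is affected when introduced <= firmware < fixed."""
    version = parse_version(firmware)
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])

def map_impact(fleet, advisory):
    """Group affected charger serials by deployed firmware version."""
    impact = {}
    for unit in fleet:
        if is_affected(unit["firmware"], advisory):
            impact.setdefault(unit["firmware"], []).append(unit["serial"])
    return impact

def reporting_deadlines(aware_at):
    """24h and 72h milestones counted from the moment of awareness (UTC)."""
    return {
        "due_24h": aware_at + timedelta(hours=24),
        "due_72h": aware_at + timedelta(hours=72),
    }

if __name__ == "__main__":
    aware = datetime(2026, 9, 14, 8, 30, tzinfo=timezone.utc)  # constructed timestamp
    for version, serials in sorted(map_impact(FLEET, ADVISORY).items()):
        print(version, serials)
    for name, due in reporting_deadlines(aware).items():
        print(name, due.isoformat())
```

Firmware 2.10.0 is correctly treated as newer than the fix; a plain string comparison would have flagged it as affected.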
3.4 PKI and end-to-end trust
- Manage TLS certificate lifecycle for OCPP and backend APIs.
- Support certificate governance for Plug and Charge where relevant.
- Handle renewal and revocation remotely without disrupting charger uptime.
4. Business and operations impact
CRA changes cost structure and operating models, not only compliance documents.
- Higher early platform-security investment with lower late redesign risk.
- Stricter supplier contracts for embedded software and communication modules.
- Explicit support and patch commitments for CPO and B2B customers.
5. Recommended EVSE roadmap
- Q2 2026: CRA gap assessment by hardware platform and product line.
- Q2-Q3 2026: close secure boot, signed OTA, and logging architecture.
- Q3 2026: run incident drills and reporting workflows.
- Q4 2026: complete technical file, risk matrix, and security evidence.
- 2027: industrialize audit and release governance before go-to-market.
6. Conclusion
CRA makes cybersecurity a structural EVSE product requirement.
Teams that treat 2026 as a transition year will reach 2027 with lower regulatory risk and smoother commercialization.
Official references
- European Commission - Cyber Resilience Act
- Official CRA Q&A
- Draft implementation guidance (March 2026)
- Implementing Regulation (EU) 2025/2392
Note: this content is technical and informational, not legal advice.