NIS2 and electromobility: what operators need to know now

NIS2 and EV Charging

What It Means for Operators and How It Is Implemented at reev

NIS2 in Practice

With the NIS2 Directive (Directive (EU) 2022/2555), the European Union sets requirements for cybersecurity risk management, incident reporting and management accountability in defined sectors. The directive addresses organisations, not technologies or infrastructures as such.

reev has assessed the applicability of the NIS2 Directive as part of an internal evaluation. Based on this assessment and taking into account the German transposition under the amended BSIG framework, reev treats itself as an entity within scope classified as an “important entity.” The requirements of the directive are integrated into existing governance and management structures.

Scope and Categorisation

NIS2 distinguishes between “essential entities” and “important entities.” Both categories are subject to the same security and reporting requirements. The differences primarily concern the intensity of supervisory oversight (essential entities are supervised proactively, important entities largely after the fact) and the maximum level of administrative fines.

Whether an organisation falls within scope depends on:

  • national transposition
  • sector classification (Annex I or Annex II of the directive)
  • applicable size thresholds (as a rule, medium-sized enterprises and larger) or sector-specific relevance criteria that apply irrespective of size

Applicability must therefore be assessed on an individual basis.

Core Requirements under NIS2

Risk Management and Resilience

Under Article 21, organisations are required to implement appropriate and proportionate technical, operational and organisational measures, documented and covering in particular:

  • prevention of cyber threats
  • detection of security incidents
  • response and recovery
  • business continuity and crisis management

These measures must be risk-based, follow an all-hazards approach and fall under the responsibility of the management body.

Incident Notification Obligations

Article 23 establishes a three-stage reporting process for significant incidents:

  • early warning within 24 hours of becoming aware of the incident, indicating where applicable whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
  • incident notification within 72 hours, updating the early warning and including an initial assessment of severity and impact and, where available, indicators of compromise
  • final report no later than one month after the 72-hour notification, covering the incident's root cause, severity and impact, the mitigation measures applied and, where applicable, its cross-border impact

Organisations must also maintain structured internal processes defining responsibilities, decision-making pathways and documentation standards. Reporting obligations therefore concern both timing and formalised communication with competent authorities.

Management Accountability

Under Article 20, management bodies are required to approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. The directive also requires members of management bodies to undergo training; national transpositions may add further training and information obligations.

Supervisory authorities are granted enforcement powers that include audits, inspections, binding orders and administrative fines. Maximum fines must be set at no less than EUR 10 million or 2% of total worldwide annual turnover for essential entities, and no less than EUR 7 million or 1.4% for important entities.

Supply Chain Security

Organisations must systematically address risks arising from third-party relationships, including the security of the supply chain and the relationships with direct suppliers and service providers (Article 21(2)(d)). This includes:

  • assessing the security posture of critical suppliers
  • implementing appropriate contractual safeguards
  • documenting and monitoring supply chain risks

Documentation and evidentiary requirements form part of the regulatory framework.

ISO 27001 and NIS2

reev operates an Information Security Management System (ISMS) aligned with ISO 27001. This provides the structural basis for risk management, incident management, business continuity and supplier governance.

As part of an internal gap analysis, the requirements of the NIS2 Directive were compared with existing ISO 27001 structures. While ISO 27001 covers key elements of information security management, it does not replace a dedicated NIS2 compliance framework.

NIS2 introduces additional formal requirements, including:

  • registration with competent authorities
  • defined regulatory reporting timelines
  • expanded documentation obligations
  • explicit management accountability
  • formalised communication with supervisory authorities

These additional requirements have been incorporated into existing governance, reporting and supplier management processes and formally embedded within organisational structures.

System Architecture in a Regulatory Context

Regulatory obligations must be supported operationally.

In charging operations, a backend system — commonly referred to as a CPMS (Charge Point Management System) — typically functions as the central management and control layer of the charging infrastructure. Energy management systems (EMS) may also be integrated to manage grid connection, load distribution and energy optimisation.

System architecture constitutes a technical component of regulatory implementation capability, particularly in relation to:

  • access control
  • logging
  • traceability of security-relevant events
  • support for documented processes

NIS2 compliance remains an organisational responsibility of the respective entity and encompasses governance, contractual and procedural measures beyond the technical layer.

The Role of the reev Energy and Charging Platform

The reev energy and charging platform is designed to technically support structured security and documentation processes within charging operations.

It enables, among other things:

  • implementation of granular access controls and multi-factor authentication
  • structured logging of security-relevant events
  • support for audit-related documentation requirements
  • controlled integration of third-party systems

These capabilities support the technical implementation of regulatory requirements.

The platform itself does not constitute NIS2 compliance. Compliance with regulatory obligations remains the responsibility of the respective organisation.

Conclusion

NIS2 specifies requirements relating to risk management, management accountability, reporting processes and supervisory oversight in the area of cybersecurity. reev treats the directive as an applicable regulatory framework and integrates its requirements into existing ISMS and governance structures. Technical system architecture supports this implementation but does not replace organisational responsibility.

Questions about NIS2 and safe operation of charging infrastructure?

Find out how you can implement secure and traceable processes for your charging infrastructure. We will be happy to support you.
