Germany’s Federal Office for Information Security (BSI) published a report on EV charging IT security in 2026. One finding: only 12% of charge points globally support TLS, the encryption standard that protects communication between a charge point and its management platform.

Most operators believe their network is covered. They selected a security profile for each charge point when setting it up in their management platform, and that record is in the system. But selecting a security profile and running a secured network are two different things, and the distance between them is where real exposure tends to live.

What the security gap looks like

Every charge point connected to the network maintains a live, persistent connection to the charging management platform. Through that link, the charge point reports status, receives session commands, transmits payment data, and accepts firmware updates. That connection is the operational backbone of the network: its reliability and security determine availability, liability exposure, and regulatory standing.

NIS2, the European cybersecurity directive that has applied to charge point operators since October 2024, classifies CPOs as critical infrastructure and mandates, among other requirements, explicit encryption policies across the network.

The four OCPP security levels explained

A security profile is the combination of encryption and authentication governing how a charge point connects to its management platform. OCPP (Open Charge Point Protocol), the industry-standard communication protocol between charge points and management platforms, defines four of these levels.

The connection itself runs over a protocol called WebSocket. Plain WebSocket (WS) transmits data unencrypted; anyone who can observe the traffic can read it. Secure WebSocket (WSS) encrypts that traffic using TLS (Transport Layer Security). Whether a charge point uses WS or WSS, and what authentication it provides, determines its security level.

The four OCPP-defined levels are:

Level 0: No authentication. The charge point connects without identifying itself: no password, no certificate. Whether or not the connection is encrypted, the device never proves who it is.

Level 1: A password is required, but transmitted over an unencrypted connection. The password travels in plain text and can be intercepted by anyone observing the traffic.

Level 2: An encrypted connection (WSS) combined with password authentication. The charge point also verifies the platform’s identity through a root certificate installed on the device, confirming it is connecting to a legitimate, trusted system. This is the current industry-recommended minimum for secure deployments.

Level 3: Mutual TLS. Both the charge point and the platform present certificates. This is the highest security tier defined by the OCPP standard. Level 3 is already referenced in enterprise tender requirements in several markets and represents the direction enterprise specifications are moving on authentication.

Level 0 and Level 1 leave session data, credentials, and commands exposed; Level 2 does not.

Charge Point Security in AMPECO: manage what matters, not just configure it - Selecting an OCPP security profile and running a secured charge point are two different things. See how AMPECO surfaces the real security state of every charge point.

Three reasons configurations don’t always hold

Knowing the levels is one part of the picture. Knowing which level your charge points are actually running is another. Three conditions routinely create a gap between the level an operator configures and the level in active use. In practice, this gap is consistent and traceable, most common in charging networks with older hardware or commissioning done without a completed security audit:

Hardware limitations. OCPP 1.6, still the certification basis for 91% of OCPP-certified products according to the BSI report, treats TLS as optional. Many charge point models were built with this in mind: the security level an operator selects in the platform may exceed what the hardware can actually deliver. Hardware commissioned before a network’s security policy was established, and older OCPP 1.6-only devices, are the most common source of this gap.

On-site configuration gaps. Enabling TLS on a charge point requires physical steps at the device: setting the encrypted connection URL, defining a password, and installing root certificates on the device’s trust store. Manufacturers rarely support these steps remotely. If the technician at commissioning did not complete them, the intended security profile was never applied, and the charge point is running at a lower level than the platform record suggests.

Incomplete OCPP implementations. Some hardware vendors implement the OCPP standard partially. A charge point may connect over an encrypted channel but fail to complete password authentication, which places it at Level 0 despite appearing online. The platform registers a connected device. The connection is not secured in the way the operator intended.

A configured security level is a record of intent, not confirmation of what is running.

How AMPECO closes the security gap

The capability: see your network’s real security state

AMPECO gives operators visibility into the actual security state of every charge point in their network: not just the intended configuration, but what is running right now, and whether a recent configuration change was applied, is pending, or was rejected by the charge point. Where intended and actual levels diverge, operators can act from the platform.

How it works

For each charge point, AMPECO’s three-signal visibility surfaces three distinct values:

Desired security profile: the level you configured. What you asked for.

Current security profile: the level the charge point is actually running, detected directly from the connection itself when the charge point connects.

Hardware-enabled security profile: the maximum level the device supports, reported during the initial connection handshake; this determines whether a higher configuration can actually take effect.


When all three align, the configuration is live and verified. When they differ (desired is Level 2, current is Level 0), the platform shows the gap, charge point by charge point. These three values are visible in the charge point detail view and across the full charge point list.

Two additional signals complete the picture. A per-charge-point security profile status shows whether a requested configuration change was APPLIED, PENDING, REJECTED, or not yet attempted. The REJECTED status is particularly useful: it confirms that the charge point actively refused the security upgrade, rather than leaving the operator to diagnose why a change did not take effect. A network-level security lens lets operators filter the entire charge point list by security profile and status, turning per-device data into a network-wide view of security posture.
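As an added illustration, and not AMPECO's own code or the logic the platform uses, the Python below maps what a connection actually presents (TLS, password, client certificate) to the four levels described earlier, then compares desired, current and hardware-enabled values for a small constructed fleet. The function names, the status labels other than those quoted above, and the CP-00x identifiers are invented for the example.

```python
from dataclasses import dataclass


def detect_profile(tls: bool, password_ok: bool, client_cert: bool) -> int:
    """Map what the connection actually presents to an OCPP security level.
    Level 3: TLS plus a client certificate (mutual TLS).
    Level 2: TLS plus a verified password.  Level 1: password over plain WS.
    Level 0: no authentication at all, whether or not the link is encrypted."""
    if tls and client_cert:
        return 3
    if password_ok:
        return 2 if tls else 1
    return 0


@dataclass
class ChargePoint:
    cp_id: str          # constructed identifier, not a real device
    desired: int        # level the operator configured
    hardware_max: int   # highest level the device reported it supports
    tls: bool           # connected over WSS rather than WS
    password_ok: bool   # completed password authentication
    client_cert: bool   # presented a client certificate

    @property
    def current(self) -> int:
        return detect_profile(self.tls, self.password_ok, self.client_cert)


def assess(cp: ChargePoint) -> str:
    """Compare the three signals: desired, current and hardware-enabled."""
    if cp.desired > cp.hardware_max:
        return "UNSUPPORTED"      # hardware can never satisfy this level
    if cp.current == cp.desired:
        return "VERIFIED"         # configuration is live and confirmed
    if cp.current < cp.desired:
        return "BELOW_INTENDED"   # the gap the text describes
    return "ABOVE_INTENDED"


def below_intended(fleet: list[ChargePoint]) -> list[str]:
    """Network-level lens: every charge point running under its intended level."""
    return sorted(cp.cp_id for cp in fleet if cp.current < cp.desired)


# Constructed sample fleet illustrating the three gap causes from the text.
FLEET = [
    ChargePoint("CP-001", 2, 3, tls=True,  password_ok=True,  client_cert=False),  # as configured
    ChargePoint("CP-002", 2, 2, tls=False, password_ok=True,  client_cert=False),  # WSS URL never set on site
    ChargePoint("CP-003", 2, 2, tls=True,  password_ok=False, client_cert=False),  # encrypted, auth incomplete
    ChargePoint("CP-004", 3, 2, tls=True,  password_ok=True,  client_cert=False),  # hardware tops out at 2
]
```

Running `assess` over `FLEET` flags CP-002 and CP-003 as below their intended level and CP-004 as a configuration the hardware cannot honour.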

For charge points that have drifted from their intended configuration due to a credential issue, a failed upgrade, or hardware maintenance, a Security Profile Reset action clears stored credentials and allows the charge point to reconnect cleanly, at whatever security level it supports. For credential and configuration drift, the most common source of profile mismatches, this can be initiated from the platform without dispatching a technician.

What operators gain

Mismatches become visible before they create exposure. Operators can see which charge points are running below their intended security level and prioritize remediation.

When a charge point rejects a security upgrade, it can be difficult to know whether the change failed to propagate or the device actively refused it. The REJECTED status removes that ambiguity: the platform records the outcome of every configuration request. The technician knows immediately, and the audit trail is there.

Compliance posture becomes reportable. NIS2’s mandatory requirements include encryption policies, and regulators will expect operators to demonstrate how those policies are applied and maintained across the network. The three-signal view AMPECO provides (desired, current, and hardware-enabled) makes that compliance posture reportable in a way a single configured value cannot: it shows what encryption is actually running, not just what was set at commissioning.

Remote resolution is possible for many issues. The Security Profile Reset action, combined with visibility into mismatches and rejected configurations, means most security configuration issues can be diagnosed and resolved from the operator dashboard.

Operators who actively manage their network’s security posture can also make a more consistent guarantee to drivers: session data, payment credentials, and vehicle information travel over an encrypted connection when the charge point is running at Level 2. That consistency builds driver trust alongside regulatory compliance.

Security is a state, not a setting

A charge point configured for Level 2 today may be running at Level 0 tomorrow: hardware replaced, credentials reset during a firmware update, original on-site setup never completed. None of these scenarios are unusual, and none of them announce themselves.

For any operator managing a charging network, what matters is not what was configured at setup. It is whether security is running across every charge point right now.

See your network’s real security state

To see how AMPECO’s charge point security management works in practice, book a demo with our team.

Author

Aleksandar Petkov

Product Marketing Manager

About the author

Alex is a highly skilled product marketing manager who transforms technical features into actionable insights, empowering CPOs to unlock the full potential of our platform.