Any sufficiently advanced technology is indistinguishable from magic

declared Arthur C. Clarke, the renowned co-author of “2001: A Space Odyssey.”

That sentiment applies to much of modern technology, but it hasn’t fully reached the world of EV charging – at least not for everyone. There is, however, one group of drivers who’ve been living that “it just works” experience for years: Tesla owners.

Tesla operates a closed ecosystem with complete control over the hardware and software of their EVs and chargers, delivering a seamless and convenient charging experience to their users.

What if there was a way to expand this seamless experience to all EV manufacturers and charger manufacturers, regardless of brand or geographic location? This is where Plug & Charge, or PnC, enters the stage, an innovative and advanced technology that wholeheartedly embraces the notion of “magic”.

A helpful way to think about Plug & Charge is to compare it to Apple Pay. With Apple Pay, your device already holds a secure credential, so payment happens automatically when you tap. Plug & Charge works the same way for EV charging: the vehicle carries a secure contract certificate that represents your charging contract, so when you plug in, authentication and billing happen automatically in the background. No RFID cards, no apps, no payment screens – just plug in and charging starts.

And it enables true machine-to-machine automation that is not only convenient, but also more reliable than RFID readers or card terminals, and it’s highly secure by design. The outcome is a noticeably smoother and more reliable charging experience. And, for operators embracing this technology, better driver loyalty and retention.

In fact, it can be more convenient than filling up a petrol car. There’s no kiosk to walk to, no payment terminal to deal with. The authorisation is already done for you as soon as you plug your EV into the charger. And in many cases, it’s also cheaper than paying with a credit or debit card.

Doesn’t that sound like the charging experience we’ve all been waiting for?

Let me walk you through the tech behind it, where Plug & Charge is being rolled out around the world, and which network operators and car manufacturers already support it (spoiler: it’s probably more than you think).

In this article, we’ll break down how Plug & Charge actually works: the trust model behind it, the roles each player in the ecosystem performs, where it’s being deployed today, and how different markets affect adoption.

The trust model and roles behind Plug & Charge

The user-convenient Plug & Charge technology is based on the EV-to-charger communication standard ISO 15118.

The reason you don’t need RFID cards, apps, or payment terminals to start a charging session (although these are still supported in ISO 15118) is because the EV and charger can identify and trust each other automatically. They do this using digital certificates – essentially cryptographic ID cards that prove a device or service is who it claims to be.

By placing a digital certificate called the contract certificate inside the EV, we eliminate the need for manual authentication methods. The EV can now prove your identity and authorise charging and billing on your behalf, silently in the background, within a few seconds. The contract certificate links the vehicle to your energy billing account, which is provided by the mobility service provider (MSP) of your choice. Authentication (verifying identity) and authorisation (checking that you’re allowed to charge) both happen automatically – no apps, no cards, no friction.

To do Plug & Charge justice, we need more than a single article. There’s the cryptography behind it, the public key infrastructure (PKI) that keeps it secure, and the question of how certificates actually make their way into the EV, the charger, and the wider ecosystem. So we’ll take this step by step.

This would be a great time to tell me what part of Plug & Charge you’re particularly interested in. Leave a comment or send me an email, and I’ll make sure your questions will be answered.

This article focuses on the core idea: how Plug & Charge works in principle, where it stands in terms of market rollout, and who supports it today. In the following articles, we’ll go deeper, layer by layer, so you’ll come away with a full, 360-degree understanding of the ecosystem – and what it really takes to make Plug & Charge work reliably at scale.

CIA – The three pillars for seamless & secure EV charging

No, it’s not the CIA you may be thinking of. I’m referring to the acronym that represents three pillars of secure digital (machine-to-machine) communication. The basic principles that allow the EV and charger to ‘talk’ to each other in a secure way: confidentiality, data integrity and authenticity.

1. Confidentiality: When your EV exchanges information with a charging station (or wall box) it needs to make sure that no unauthorised third party can listen in on the conversation.

2. Data Integrity: The data that the EV and charging station exchange must be secure, and any malicious third-party attempts to manipulate the conversation

   must be detected on both sides.

3. Authenticity: The EV must identify and be able to verify the charger to which it is physically connected as a trustworthy charger, and vice versa.

The big value of Plug & Charge lies in the fact that businesses can offer their customers not only the most seamless, reliable, and convenient but also the most secure charging experience without compromising on data security.

A quick word on Autocharge

You may have heard of Autocharge, which is a mechanism that resembles the seamless experience of just plugging in, using simply the car’s MAC address as an identifier. A MAC address is a unique hardware identifier assigned to a network interface, and Autocharge relies on each EV exposing a stable, vehicle-unique MAC address so the charger can recognise and authorise it – but not all manufacturers enable this, which limits Autocharge compatibility. Autocharge also lacks a sufficient level of data security. I wouldn’t recommend it for public charging and tamper-proof billing, but it does have its place in e.g. fleet depots. It’s often used by charging networks as a stopgap solution until Plug & Charge has been thoroughly implemented, tested, and rolled out. I’ll dive deeper into Autocharge and how it compares to Plug & Charge in a future article.

OK, now you know what confidentiality, data integrity and authenticity means. But the question still remains: How do we facilitate this seamless, secure charging experience?

That’s where we enter the realm of cryptography – symmetric and asymmetric ciphers, digital signatures, and digital certificates. Data encryption ensures confidentiality, digital signatures and certificates are the tools to ensure data integrity and to verify the authenticity of the communicating counterpart. Managing these digital certificates securely requires not just technology, but an entire system of roles, policies, and procedures for issuing, validating, and revoking certificates. This system is known as a public key infrastructure, or PKI.

If that piqued your curiosity, you’ll enjoy next week’s article – we’ll dig into the underlying crypto principles and how a PKI actually works.

PKIs are nothing new. You’ve been relying on them for decades without even noticing – every time you browse the web, message someone on WhatsApp or Signal, or search on Google, the same cryptographic principles are at work. What’s unique in ISO 15118 isn’t the cryptography itself, but the way digital certificates are issued, managed, and trusted across all the players in the EV charging ecosystem.

While the structure of the Plug & Charge-specific PKI is defined in ISO 15118, its governing rules are set in the application rule VDE-AR-E 2801-100-1, which I co-authored and is titled “Handling of certificates for electric vehicles, charging infrastructure and backend systems within the framework of ISO 15118.”

The “Plug & Charge-magic” only works because several parties across the EV charging ecosystem trust each other – and that trust is established and verified using digital certificates. Each participant plays a distinct role in enabling that seamless experience.

The market roles behind the Plug & Charge ecosystem

The electric vehicle (EV) is the one initiating the process. When you plug in, the EV presents its contract certificate – essentially a cryptographic ID linked to your energy contract – to the charger. This certificate tells the charger which billing account to use, referred to as the e-mobility account identifier (EMAID). That EMAID itself contains a three-character sequence, called the provider ID, which identifies the mobility service provider who issued and digitally signed this contract certificate.

The EV manufacturer (OEM) installs two key certificate types during production: one or more V2G Root CA (CA = Certificate Authority) certificates and OEM provisioning certificates. The Root CA certificates allow the EV to recognise and trust authorised charging stations – much like your web browser comes with pre-installed root certificates that allow it to verify secure websites. The OEM provisioning certificate, in turn, is used to securely request and receive (i.e. provision) the contract certificate that links the vehicle to the driver’s (or vehicle owner’s) billing account.

The charging station presents its own digital identifier called SECC certificate during the Transport Layer Security (TLS) handshake, which is what establishes the confidentiality mentioned above. The EV verifies its validity by following the certificate chain: the SECC certificate is signed by a Sub-CA, and that Sub-CA certificate is sent along with it. The Sub-CA is, in turn, signed by the V2G Root CA. Because the EV already stores the V2G Root CA certificate, it can validate each signature in the chain and confirm that the charger belongs to the trusted Plug & Charge ecosystem.

How exactly this whole chain-of-trust mechanism works is something we’ll have to explore in one of my next articles when we dig a bit deeper into the cryptographic principles behind a PKI.

After secure communication is established, the EV sends its contract certificate, which the charging station then needs to validate before granting access to energy. Some parts of the verification can be performed directly on the charger (e.g. verifying the digital signature of the certificate and checking it’s expiry date), while others are passed to the backend – the charge point management system (CPMS).

That backend belongs to the charge point operator (CPO), who runs the charging network. The CPO’s platform contacts the mobility service provider (MSP) who issued the contract certificate to check whether or not the billing account is still active and valid before before energy can start flowing.

Quick sense check: remember how the CPO knows which MSP to contact?

If you’re still with me, you’ll recall the three-letter provider ID embedded in the EMAID, which in turn sits inside the contract certificate. That small identifier is what links the vehicle to your chosen mobility service provider. Several countries have established identifier registries for businesses where you can look up both operator IDs (for CPOs) and provider IDs (for MSPs). In the UK, for example, it’s the EV Roam registry, in Germany it’s the Energy Codes & Services GmbH.

OK, back to our market roles.

The CPO is also responsible for making sure the charger has up-to-date SECC certificates installed to establish the trusted, TLS-encrypted communication with the EV. There are actually a couple more certificates required on the charger, but let’s cover the cryptographic principles and concept behind a chain-of-trust PKI first before we go down this rabbit hole. Next week’s article will cover this in more depth.

The driver is ultimately authenticated by the mobility service provider (MSP)1, the company providing their charging contract. You may have noticed by now that there are no payment details transmitted between EV and charger, only identification details. The payment method (such as your bank account or credit card) is linked to the MSP’s energy contract, which you eventually sign up for once you choose an MSP of your liking.

The MSP issues the contract certificate in the first place and is ultimately the party that pays the CPO for the energy, based on a B2B (business-to-business) tariff negotiated between CPO and MSP. The MSP may bill the driver a different price for the same amount of energy, depending on the B2C (business-to-customer) plan or tariff it offers to the driver. The MSP uses a technical integration (see Open Plug & Charge Network Communication Protocol) with the car OEM to notify them of a newly created contract certificate so that the car OEM can install said certificate via an over-the-air update into the electric vehicle.

To make all of this secure and interoperable, we need a trusted anchor. That role is fulfilled by the V2G Root Certificate Authority (Root CA) – the highest level of trust in the Plug & Charge ecosystem. Many certificates the EV and charger use must ultimately trace back to this root authority to verify their validity in this chain of trust.

Finally, there are the organisations that manage the data pools and public key infrastructure (PKI) to issue, distribute, update, and revoke certificates. These are the behind-the-scenes trust-service operators that make sure each party receives the right certificate at the right time – and that compromised or outdated certificates are removed from circulation. Without them, Plug & Charge would simply not work.

Need a refresher on the various market roles in the EV charging world, and their responsibilities beyond Plug & Charge? Then this article is just what you need:

Behind the plug: Who's who in the EV charging ecosystem

Marc Mültin

·

Oct 19

A warm welcome

Read full story

The state of play of Plug & Charge in 2025

As of November 2025, the technology is gaining traction across multiple markets, though adoption rates vary significantly by region and stakeholder type.

A great source of information is Hubject’s ecosystem overview, which shows an ever growing variety of companies that are either currently onboarding or have already launched products with live (and Hubject-certified) implementations.

You’ll find the providers organised by category: CPOs, backend platforms, MSPs, charger and vehicle manufacturers, and even test system providers.

Here are some examples of well-known EV charging networks (CPOs) supporting Plug & Charge across the globe:

• Europe: Allego, Aral Pulse, Atlante, Electra, IONITY, Mer, Shell Recharge, Smatrics, Vattenfall

• United Kingdom: IONITY, Shell Recharge

• United States: Chargepoint, Electrify America, IONNA

On the vehicle manufacturer side, you’ll find Audi, BMW, Cupra, Ford, Genesis, Hyundai, Kia, Lucid, Mercedes, MAN, Mini, Nissan, Polestar, Porsche, Renault, Vinfast, Volkswagen, Volvo and more.

If you’re looking for charger manufacturer who are up to the game, you might want to talk to ABB, Alpitronic, Autel, Defa, Delta, Ekoenergetyka, Enersys, Huawei, i-Charging, IOCharger, Kempower, Liteon, Mennekes, Power Electronics, StarCharge, Vestel, XCharge, or Zerova, to name just a few.

Some of the MSPs already embracing Plug & Charge are Deftpower, Digital Charging Solutions, Elli, Ford, Mobilize, Octopus Electroverse, Plugsurfing, Porsche, and Shell Recharge.

According to my sources at Hubject, more than 3.5 million EVs and about 30% of DC fast (150 kW+) chargers in Europe already support Plug & Charge.

And the list of CPOs, EV OEMs, charger manufacturers, and MSPs is growing by the day as more companies embrace this technology and understand the benefits it brings to their customers – and to their own business.

PKI operators on the rise

Hubject is currently the most widely adopted Plug & Charge PKI operator in the market, but it’s no longer alone. Irdeto and roaming platform Gireve are also building Plug & Charge PKI operator capabilities. In June 2025, the three companies announced a partnership enabling mutual platform access, so CPOs, MSPs, and even vehicle OEMs can choose any of the three to issue their certificates while still maintaining interoperability across the others.

In parallel, the Sustainable Transport Forum (STF) is working on an EU-wide governance framework to ensure that Plug & Charge remains interoperable across all market players, regardless of which PKI operator they use.

Car OEMs and MSPs: Ensuring a level playing field

A truly open Plug & Charge ecosystem depends on one key capability: every EV must be able to store and manage multiple contract certificates, so drivers can choose their preferred MSP just as easily as they choose an energy supplier or mobile network today. That means EVs must offer simple controls for installing, updating, removing, and prioritising these certificates, ideally directly via the in-car display or companion app. This gives the driver full autonomy and ensures that any EV can charge at any public charging station using any compatible service provider.

Several OEMs already support this approach. BMW and the Volkswagen Group have offered multi-contract Plug & Charge for years, and Porsche has adopted an open model in the Macan. Volvo and Polestar also allow drivers to install the contract certificate of their choice, even if the onboarding flow still varies in polish. Other OEMs are preparing to follow, refining their customer journeys before switching these capabilities on at scale.

The direction is clear: the market is moving toward open Plug & Charge by design. And with the Sustainable Transport Forum (STF) working on EU-level guidance to guarantee non-discriminatory access, we’re likely to see multi-contract support become an expected baseline. That’s reassuring for MSPs who have been concerned that OEM-controlled in-car interfaces could otherwise be used to steer customers toward proprietary charging services. The momentum – both regulatory and intrinsic – now points firmly toward a level playing field where drivers decide who they charge with, not the car.

Bolted-on vs built-in: Plug & Charge in OCPP 1.6 vs 2.0.1

If you browse Hubject’s ecosystem overview you’ll see a mix of OCPP 1.6 and OCPP 2.0.1 in the wild. That matters because only OCPP 2.0.1 natively supports ISO 15118 Plug & Charge. OCPP 1.6 implementations bolt it on via the DataTransfer mechanism, essentially tunneling 2.0.1-style certificate and authorisation messages through 1.6 based on an application note published by the Open Charge Alliance. However, know that using DataTransfer for overlapping features can create interoperability issues across vendors, complicate certification, and make future upgrades bumpier. This approach also excludes ISO 15118 smart-charging use cases unless you move to OCPP 2.0.1. In practice, 1.6-based Plug & Charge can work – but it increases the chance of CPMS/charger mismatches (e.g. differing message wrapping or vendor IDs), whereas 2.0.1 gives you the standardised, end-to-end path.

OCPP 2.0.1 has been around since 2020. It’s time to say goodbye to OCPP 1.6 and embrace the benefits this new version brings to the table.

Why this matters: If you’re planning large-scale Plug & Charge rollout, prioritise OCPP 2.0.1 to reduce edge-case behaviour and ease certification and upgrades. Use 1.6+ DataTransfer only if necessary, and with tightly controlled vendor combos and extensive interoperability testing.

Key challenges

While Plug & Charge works in the field today, the ecosystem is still maturing – especially when it comes to ensuring seamless interoperability across all EV and charger combinations. Hubject currently provides a certification program, which has helped accelerate early adoption, but the industry still lacks a unified, neutral certification framework backed by a central test system. CharIN has been developing such a program for several years, and once it becomes widely available, it will provide the common reference point the market needs to ensure that “Plug & Charge just works,” everywhere.

Until that framework is fully rolled out, interoperability relies on periodic CharIN Testivals and bilateral testing between OEMs and charger manufacturers. These efforts are valuable – they show what works, reveal edge cases, and build shared implementation experience – but they don’t yet guarantee seamless behaviour across the entire ecosystem. Closing this gap is one of the key remaining challenges to date.

Plug & Charge is most commonly found on high-power DC chargers today because DC charging requires Power Line Communication (PLC) to operate at all. Since this specific PLC modem (HomePlug Green PHY) is already part of every DC charger’s hardware stack, adding the extra memory and secure hardware needed for certificate handling has a relatively small impact on the overall bill of materials – especially given the already higher cost of DC fast chargers.

AC chargers are a different story. AC charging uses a simple, analogue PWM duty-cycle signal and does not require PLC to deliver energy, so many AC chargers were originally designed without PLC hardware, without space to store multiple certificates, and without a secure element for fast cryptographic operations. Most of them run on low-cost microcontrollers with limited RAM and no hardware acceleration for asymmetric crypto, which means they cannot perform certificate validation quickly enough to meet ISO 15118’s tight timing requirements, leading to message timeouts.

This isn’t something firmware can fix; the limitation is purely hardware. To support Plug & Charge, legacy AC chargers would need a HomePlug Green PHY PLC modem and a controller upgrade – typically to a Linux-class processor paired with a dedicated hardware security module (HSM) capable of performing cryptographic operations at the required speed. The next generation of professional AC chargers should be planned with those hardware components in mind.

Regulatory adoption in Europe, the UK, and the US

Europe has emerged as the primary regulatory driver of Plug & Charge deployment through the Alternative Fuels Infrastructure Regulation (AFIR), which became effective in April 2024. This sweeping mandate requires all newly installed or renovated public DC chargers to support ISO 15118-2 from summer 2025, with an accelerated timeline for full ecosystem adoption. The regulation escalates further on January 1, 2027, when both public and private chargers across Europe must support the advanced ISO 15118-20 standard, effectively forcing a continent-wide infrastructure transformation. This regulatory approach has already spurred network operators to front load deployments and push manufacturers to achieve compliance ahead of deadlines.

AFIR requires the ISO 15118 standard, not Plug & Charge per se, which is one application of that standard. A charger could theoretically be ISO 15118-20 compliant but not specifically implement the Plug & Charge authentication feature. However, this distinction may be rather academic as it just makes little sense to support the newest ISO 15118-20 without any Plug & Charge support.

However, the AFIR regulation does state:

Where such recharging points offer automatic authentication and authorisation services, such as plug-and-charge, they shall comply, for interoperability and security purposes, with both standard EN ISO 15118-2:2016 and standard EN ISO 15118-20:2022

Interoperability between ISO 15118-2 and -20 isn’t always straightforward. One common stumbling block is that the newer ISO 15118-20 expects a more modern security setup than the older standard (i.e. TLS 1.3 vs TLS 1.2). If the car and charger don’t handle this gracefully, their attempt to “speak securely” can fail. When that happens, both sides may simply give up on Plug & Charge altogether and fall back to regular methods like an RFID card, an app, or a payment terminal.

Note that all newly installed or renovated publicly accessible AC and DC charge points must comply with EN ISO 15118-2 from 8 January 2026. In practical terms, this means every new AC and DC charger in Europe will need to be equipped with (HomePlug Green PHY) PLC modem and fully functional ISO 15118 capability from early 2026, effectively accelerating the transition and closing the gap between the 2025 and 2027 milestones.

It’s easy to get confused about the various timelines and what is required when, so here’s a quick summary of the AFIR mandate regarding ISO 15118:

• Summer 2025: Public DC only, ISO 15118-2:

  All new or renovated public DC fast chargers must support ISO 15118-2. AC chargers are not yet included, and ISO 15118-20 is not required.

• 8 January 2026: Public AC & DC, ISO 15118 base stack:

  All new or renovated publicly accessible AC and DC chargers must comply with ISO 15118-2 (including HPGP). This is the first time AC chargers are pulled fully into the ISO 15118 mandate.

• 1 January 2027: All chargers, public & private, ISO 15118-20:

  Every newly installed charger – AC or DC, public or private – must support ISO 15118-20, bringing the entire market (including home and workplace charging) into next-generation Plug & Charge–ready infrastructure.

That doesn’t leave too much time, so make sure you’re ready when the deadline hits!

The United States has adopted a similar but slightly less prescriptive approach through the National Electric Vehicle Infrastructure (NEVI) program, which conditions federal funding eligibility on Plug & Charge capability. NEVI requirements mandate that all chargers conform to ISO 15118-3 standards and possess hardware capable of implementing both ISO 15118-2 and ISO 15118-20 protocols. However, the US timeline is more flexible: charger software must initially conform to ISO 15118-2 with Plug & Charge capabilities operational within one year of the final regulatory rules, allowing manufacturers a grace period for full compliance compared to Europe’s immediate mandates.

Both regulatory regimes underscore that Plug & Charge has transitioned from an optional premium feature to a mandatory infrastructure requirement. This regulatory pressure is the primary factor driving CPO investment and manufacturer development priorities, particularly for charger hardware redesigns and backend system migrations. Without these regulatory mandates, market-driven adoption would likely remain concentrated among premium vehicle manufacturers and flagship networks, leaving much of the charging network without Plug & Charge support.

The United Kingdom has, so far, adopted a distinctly non-prescriptive approach to Plug & Charge, with no explicit ISO 15118 mandates in its regulatory framework. The Public Charge Point Regulations 2023 and oversight by the Office for Zero Emission Vehicles (OZEV) focus on contactless payment access, reliability, pricing transparency, and open data – but contain no requirements for ISO 15118 or Plug & Charge support. Unlike AFIR’s January 1, 2027 deadline for ISO 15118-20 across the EU, the UK has no equivalent legal requirement – yet.

That’s it for today. We’ve covered the core idea: Plug & Charge relies on digital certificates and a public key infrastructure to create a secure chain of trust between the EV, the charger, and the services behind them. But there’s much more to explore. We haven’t yet looked at how these certificates find their way into the vehicle and charger, how the authentication handshake unfolds step-by-step, or how the trust chain is managed and maintained across the ecosystem.

We’ll also look at the practical side: what technical requirements you should consider when bringing a Plug & Charge–ready product to market. For example, how many certificates your EV or charger needs to store to remain future-proof, which secure hardware modules are available, and what their lead times look like.

We’ll dive into those topics in the next articles, building up your understanding layer by layer. And because I’m writing this for you, I’d love to know what you want to go deeper on. Reply, comment, or message me with what you’re most curious about, and I’ll shape the next part of the series around the questions that matter most to you.