UK Smart Charging cyber security (Schedule 1)

UK legislation requirements

The Electric Vehicles (Smart Charge Points) Regulations 2021 came into force on 30th June 2022. The legislation applies to any non-public electric vehicle charge point rated at <50kW that is sold in England, Wales and Scotland.

Regulation 12 of the legislation is applicable from 30th December 2022 and specifies how charge points must provide ensure the security of the smart charging functionality ("Schedule 1").


Zaptec statement of compliance

The compliance statement (and any relevant Enforcement Undertaking) for each model of Zaptec charger can be downloaded from the links at the end of the article UK Smart Charging

The statements below apply to all models of Zaptec charger. The relevant Technical File for each model of Zaptec charger is also available on request by visiting


General principles

The charge point is designed and configured to prevent harm to or disruption of the electricity system and charge point, and to provide appropriate protection of the personal data of the owner and any other end-user of the charge point. This is achieved though the adoption of the security measures described in this section.



Access to the charge point configuration requires the use of a PIN. All charge points are shipped from the factory with a random PIN. This PIN is not derived from or based on any publicly available information. There is no default PIN and it is not possible to reset the PIN to a default that is shared with other charge points.



The charge point incorporates software that can be securely updated. Software updates are provided via a secure over-the-air mechanism that uses cryptographic measures to verify the origin and integrity of the update.

The charge point verifies the authenticity and integrity of each prospective software update by checking:

  • The origin of the update using TLS certificate
  • The integrity of the update using a checksum

The update is only downloaded if the origin check is successful and only applied if the checksum test is successful.

Additional measures to prevent the installation of non-verified software may be present, depending on the model of charger.


Sensitive security parameters

The software does not use hard-coded security credentials. 

The degree of encryption and protection of sensitive security parameters is dependent on the model of charger.


Secure communication

All communication via MQTT and HTTPS is encrypted using SSL.


Data inputs

All data inputs are subject to validation. The inputs are discarded if they do not meet the validation criteria.


Ease of use

The charge point is designed for simple configuration using the minimum number of inputs from the owner for set-up and operation. To request the removal of any personal data from Zaptec systems, visit and request for your account to be deleted


Protection against attack

The charge point outer cover is secured using either a Zaptec SmartKey or Torx screws, depending on the model of charger. The internal electronics are further protected by a non-removable internal cover.

Depending on the model of charger, active tamper detection may also be present to notify the owner of any attempt to access the tamper protection boundary.


Security log

The charger records and transmits an electronic, timestamped record of the following security-related events to the Zaptec portal:

  • Charge authorisation (success/fail)
  • OTA firmware update (success/fail)
  • Certificate update (success/fail)

Depending on the model of charger, additional security events may also be recorded.


Provision of information

Every Zaptec charger is designed to provide the highest possible level of security. The user manual supplied with the charger provides details of how it should be configured.

If you have any concerns or problems regarding the security of your charger, please notify us by visiting



Was this article helpful?
1 out of 1 found this helpful