The Electric Vehicles (Smart Charge Points) Regulations 2021

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Regulation 12

SCHEDULE 1 Security

This schedule has no associated Explanatory Memorandum

General principles

1.  A relevant charge point must be designed, manufactured and configured to provide appropriate protection—

(a) against the risk of harm to, or disruption of, the electricity system;

(b) against the risk of harm to, or disruption of, the relevant charge point;

(c) for the personal data of the owner and any other end-user of the relevant charge point.

Passwords

2.  A relevant charge point must be configured so that where passwords are used on it—

(a) the password is unique to that relevant charge point and not derived from, or based on, publicly-available information, or is set by the owner; and

(b) the password cannot be reset to a default password applying to both that relevant charge point and other charge points.

Software

3.—(1) A relevant charge point must incorporate software which is able to be securely updated.

(2) In sub-paragraph (1), securely updated means updated using adequate cryptographic measures to protect against a cyber-attack.

(3) A relevant charge point must be configured so that—

(a) it checks, when it is first set up by the owner, and periodically thereafter, whether there are security updates available for it;

(b) it verifies the authenticity and integrity of each prospective software update by reference to both the data’s origin and its contents and only applies the update if the authenticity and integrity of the software have been validated;

(c) by default, it provides notifications to the owner about prospective software updates;

(d) the owner can implement software updates without undue difficulty.

(4) A relevant charge point must be configured so that—

(a) it verifies, via secure boot mechanisms, that its software has not been altered other than in accordance with a software update which has been validated in accordance with sub-paragraph (3)(b) above;

(b) if an unauthorised change to the software is detected, it notifies the owner and does not connect to a communications network other than for the purposes of this notification.
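Paragraph 3(3)(b) requires two separate checks before an update is applied: that the update comes from the expected origin, and that its contents are what that origin says they are. The following is an added example, not text from the Regulations or code from any charge point vendor, of how a device could carry out both checks and refuse anything that fails either. It assumes (these details are not in the Schedule) that an update arrives as an image plus a small JSON manifest carrying the image's SHA-256 and a version number, and that origin is demonstrated with HMAC-SHA256 under a key provisioned to the device at manufacture so the example runs with the Python standard library alone; a production design would normally use a public-key signature (for example Ed25519) so the device holds no secret capable of forging an update. The anti-rollback check in step 4 goes beyond the Schedule's wording and is marked as such.

```python
"""Verifying a prospective software update by origin and by contents.

Added example; not the Regulations' text and not any vendor's code.
Assumptions (not in the Schedule): JSON manifest + image, HMAC-SHA256
under a per-device provisioned key standing in for a real signature.
"""
import hashlib
import hmac
import json

# Constructed example material: the per-device verification key and the
# version currently installed on this charge point.
DEVICE_UPDATE_KEY = bytes.fromhex("3e9f" * 16)   # 32-byte key, constructed
INSTALLED_VERSION = 7


def sign_manifest(manifest, key):
    """Vendor side (hypothetical): MAC over canonical JSON of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(version, image, key=DEVICE_UPDATE_KEY):
    """Vendor side (hypothetical): produce the manifest and its authentication tag."""
    manifest = {"version": version, "image_sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def verify_update(manifest, tag_hex, image,
                  key=DEVICE_UPDATE_KEY, installed_version=INSTALLED_VERSION):
    """Device side. Return (ok, reason); ok is True only if origin AND contents pass."""
    # 1. Origin: the manifest must authenticate under the provisioned key.
    #    Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag_hex):
        return False, "manifest authentication failed"
    # 2. Only after step 1 may the manifest's fields be trusted at all.
    try:
        version = int(manifest["version"])
        image_sha256 = str(manifest["image_sha256"])
    except (KeyError, TypeError, ValueError):
        return False, "manifest malformed"
    # 3. Contents: the image bytes must hash to what the authenticated manifest names.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), image_sha256):
        return False, "image hash mismatch"
    # 4. Anti-rollback (an addition beyond the Schedule's wording): refuse an
    #    authentic but older image, which would reintroduce fixed vulnerabilities.
    if version <= installed_version:
        return False, f"version {version} is not newer than installed {installed_version}"
    return True, "update validated"


if __name__ == "__main__":
    image = b"charge point firmware image, constructed sample"
    manifest, tag = build_update(8, image)
    print(verify_update(manifest, tag, image))            # (True, 'update validated')
    print(verify_update(manifest, tag, image + b"\x00"))  # (False, 'image hash mismatch')
```

The order of the checks matters: nothing in the manifest, including the hash used in step 3, is read until the manifest itself has authenticated in step 1, so a tampered manifest cannot steer the device into accepting a tampered image.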

Sensitive security parameters

4.—(1) A relevant charge point must be configured so that—

(a) where security credentials are stored on the relevant charge point, these are protected using robust security measures;

(b) its software does not use hard-coded security credentials.

(2) In this paragraph—

(a) “hard-coded” means data forming part of the relevant charge point’s source code and which is unalterable except by means of modification of the source code;

(b) “security credentials” means ways of verifying that the relevant charge point is being used or accessed by a person properly authorised to do so.

Secure communication

5.  A relevant charge point must be configured so that communications sent from it are encrypted.

Data inputs

6.—(1) A relevant charge point must be configured so that—

(a) data inputs are verified so that the type and format of the data is consistent with that expected for the function to which the data relates;

(b) if such data cannot be verified, it is discarded or ignored by the relevant charge point in a safe manner.

(2) The data inputs referred to in sub-paragraph (1) include data that is inputted via a user interface, an application programming interface or a communications network.
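Paragraph 6 ties validation to the function the data is for: each function has an expected type and format for every input, and data that does not match is dropped without side effects. The following is an added example, not part of the Regulations and not code from any product, of a per-function schema check. The function names, field names and limits (a charging-schedule command with a start time and a current limit, an owner-name setting) are hypothetical. Two details a practitioner would want are covered: in Python `bool` is a subclass of `int`, so a type check for a number must exclude it explicitly, and a rejected input never raises, so a malformed message from the network or API cannot crash the handler.

```python
"""Per-function verification of the type and format of data inputs.

Added example; not the Regulations' text and not any vendor's code.
The schemas, field names and limits below are hypothetical.
"""
from datetime import datetime, timezone

# Hypothetical schemas: one per function, each field as (kind, constraint).
SCHEMAS = {
    "set_charging_schedule": {
        "start": ("datetime", None),          # ISO 8601 with an explicit offset
        "max_current_a": ("number", (0, 32)),  # amps, hypothetical hardware limit
        "connector_id": ("int", (1, 4)),
    },
    "set_owner_name": {
        "name": ("text", 64),                  # maximum length in characters
    },
}


def _parse_datetime(value):
    """Accept only an ISO 8601 string carrying a UTC offset; return it in UTC."""
    if not isinstance(value, str) or len(value) > 40:
        return None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:          # a naive time is ambiguous; refuse it
        return None
    return dt.astimezone(timezone.utc)


def validate_input(function, payload):
    """Return (clean, None) on success or (None, reason) on rejection.

    Rejection never raises and never partially applies anything: the caller
    simply drops the input and records the reason.
    """
    schema = SCHEMAS.get(function)
    if schema is None:
        return None, f"unknown function {function!r}"
    if not isinstance(payload, dict):
        return None, "payload is not an object"
    unknown = set(payload) - set(schema)
    if unknown:                    # fields the function never asked for
        return None, f"unexpected fields: {sorted(unknown)}"
    clean = {}
    for field, (kind, constraint) in schema.items():
        if field not in payload:
            return None, f"missing field {field!r}"
        value = payload[field]
        if kind == "datetime":
            parsed = _parse_datetime(value)
            if parsed is None:
                return None, f"{field}: not an ISO 8601 timestamp with offset"
            clean[field] = parsed
        elif kind in ("number", "int"):
            allowed = (int,) if kind == "int" else (int, float)
            # bool is a subclass of int in Python: reject True/False explicitly.
            if isinstance(value, bool) or not isinstance(value, allowed):
                return None, f"{field}: expected {kind}"
            lo, hi = constraint
            if not (lo <= value <= hi):   # also rejects NaN and infinities
                return None, f"{field}: {value} outside [{lo}, {hi}]"
            clean[field] = value
        elif kind == "text":
            if not isinstance(value, str) or len(value) > constraint or not value.isprintable():
                return None, f"{field}: expected printable text up to {constraint} characters"
            clean[field] = value
    return clean, None


if __name__ == "__main__":
    # Constructed messages, as they might arrive over an API or network interface.
    print(validate_input("set_charging_schedule",
                         {"start": "2021-12-15T23:30:00Z", "max_current_a": 16, "connector_id": 1}))
    print(validate_input("set_charging_schedule",
                         {"start": "2021-12-15T23:30:00Z", "max_current_a": "16", "connector_id": 1}))
```

Validation is keyed on the function rather than on the field name alone because the same field name can legitimately have different expected formats in different commands; the schema for a function is the single place that states what that function will accept.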

Ease of use

7.—(1) A relevant charge point must be configured so as to minimise the inputs required from the owner in connection with the set-up and operation of the charge point.

(2) A relevant charge point must be configured so that any personal data can be deleted from it by the owner without undue difficulty.

Protection against attack

8.—(1) A relevant charge point must be designed and manufactured to provide an adequate level of protection against physical damage to the charge point.

(2) In particular, a relevant charge point must incorporate a tamper-protection boundary to protect the internal components of the charge point.

(3) A relevant charge point must be designed and manufactured to provide an adequate level of protection—

(a) for its user interfaces; and

(b) against use or attempted use of the relevant charge point other than through the user interfaces.

9.  A relevant charge point must be configured so that—

(a) if there is an attempt (whether or not successful) to breach the tamper-protection boundary, it notifies the owner;

(b) its software runs with only the minimum level of access privileges required for it to deliver its functionality;

(c) any logical or network interfaces that are not required for the normal operation of the relevant charge point, or otherwise to comply with the requirements in these Regulations, are disabled;

(d) software services are not available to the owner unless necessary for the relevant charge point to operate;

(e) any hardware interfaces that are used for the purposes of testing or development, but not otherwise during the operation of the relevant charge point, are not exposed.

Security log

10.—(1) A relevant charge point must incorporate a security log.

(2) In this paragraph, “security log” means an electronic record on the relevant charge point of events relevant to the security of the relevant charge point including attempts (whether or not successful) to—

(a) breach the tamper-protection boundary;

(b) tamper with the relevant charge point; or

(c) gain unauthorised access to the relevant charge point.

(3) Entries in the security log must record, by reference to Coordinated Universal Time, the time and date on which the event occurred.
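Paragraph 10 asks for an on-device record of the three event classes in sub-paragraph (2), with each entry timed in UTC. The following is an added example, not text from the Regulations and not code from any product, of such a log. The event kind names are hypothetical labels for 10(2)(a) to (c). The timestamp handling addresses the usual mistake: `datetime.now()` yields a naive local time, so the log accepts only timezone-aware times (or ISO 8601 strings with an offset) and converts them to UTC on entry. The hash chain that links each entry to the previous one goes beyond the Schedule's wording; it is included because it lets an exported log be checked for deleted, altered or reordered entries, which is what makes the record useful after the tamper attempt it is meant to evidence.

```python
"""An on-device security log with UTC timestamps and a tamper-evident chain.

Added example; not the Regulations' text and not any vendor's code.
Event kind names are hypothetical; the hash chain is an addition beyond
paragraph 10's wording.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical labels for the event classes in paragraph 10(2)(a)-(c).
EVENT_KINDS = {
    "tamper_boundary_breach_attempt",   # 10(2)(a)
    "tamper_attempt",                   # 10(2)(b)
    "unauthorised_access_attempt",      # 10(2)(c)
}
GENESIS = "0" * 64   # previous-hash value of the first entry


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class SecurityLog:
    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def record(self, kind, detail, succeeded, when=None):
        """Append one event. `when` is an aware datetime, an ISO 8601 string
        with offset, or None for the current time; it is stored in UTC."""
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind {kind!r}")
        if when is None:
            when = datetime.now(timezone.utc)          # aware, never datetime.now()
        elif isinstance(when, str):
            when = datetime.fromisoformat(when.replace("Z", "+00:00"))
        if when.tzinfo is None:
            raise ValueError("timestamp must carry a UTC offset")
        entry = {
            "time_utc": when.astimezone(timezone.utc)
                            .isoformat(timespec="seconds")
                            .replace("+00:00", "Z"),
            "kind": kind,
            "detail": detail,
            "succeeded": bool(succeeded),
            "prev": self._prev_hash,
        }
        entry["hash"] = _entry_hash(entry)
        self._prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    @staticmethod
    def verify(entries):
        """Return (True, count) if the chain is intact, else (False, index of the
        first entry that does not fit)."""
        prev = GENESIS
        for i, entry in enumerate(entries):
            if entry.get("prev") != prev or _entry_hash(entry) != entry.get("hash"):
                return False, i
            prev = entry["hash"]
        return True, len(entries)


if __name__ == "__main__":
    log = SecurityLog()
    # Constructed events; the first arrives timed in a +01:00 local zone.
    log.record("unauthorised_access_attempt", "maintenance login as admin from 10.0.0.5",
               False, "2021-12-15T09:30:00+01:00")
    log.record("tamper_boundary_breach_attempt", "enclosure switch opened", True)
    for e in log.entries:
        print(e["time_utc"], e["kind"], e["succeeded"])
    print(SecurityLog.verify(log.entries))
```

Entries are appended, never rewritten; a verifier that is handed the exported list needs only the genesis value to confirm nothing was dropped from the front, altered in the middle, or removed from the end short of truncating every later entry as well.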

Provision of information

11.—(1) When a relevant charge point is sold, information complying with the requirements in sub-paragraphs (2) to (4) must be supplied with it.

(2) The information must specify how the owner can report concerns or problems identified regarding the security of the relevant charge point, including regarding its vulnerability to a cyber-attack. In particular, the information must provide contact details to which such concerns or problems can be reported.

(3) The information must specify the period, if any, for which software updates will be provided by or on behalf of the relevant charge point manufacturer.

(4) The information must—

(a) provide guidance on how to set up the relevant charge point with adequate security protection;

(b) include instructions on how to delete personal data from the relevant charge point.
