ISO 15118 & OCPP Deployment Reality in 2026

---

Authoring Organization: EVB Charging Solutions

Perspective: Charger Manufacturer & System Integrator

Scope: ISO 15118, Plug & Charge, PKI governance, OCPP 1.6 / 2.0.1, edge intelligence, V2G monetization, cybersecurity & regulatory compliance

---

Executive Summary (For Decision Makers)

By 2026, ISO 15118 and OCPP are no longer optional standards or future-facing capabilities — they have become mission-critical prerequisites for compliant, scalable, and commercially viable EV charging infrastructure.

However, EVB’s deployment experience shows that many projects still fail not because standards are unavailable, but because trust governance, certificate lifecycle management, system integration boundaries, response-latency constraints, and regulatory obligations are underestimated.

Key takeaways for executives and investors:

• ISO 15118 has evolved from a communication protocol into a trust and identity governance framework, centered on PKI, certificate lifecycle management, and revocation handling.
• Plug & Charge reliability depends more on certificate governance, offline continuity, and backend coordination than on charger hardware alone.
• While OCPP 1.6 can technically support Plug & Charge, in 2026 it increasingly represents accumulated technical debt, driven primarily by cybersecurity maintenance and integration overhead.
• V2G readiness is no longer just about bidirectional power flow — grid revenue participation depends on response latency, local control logic, and Smart Charging orchestration.
• Cybersecurity and regulatory compliance (e.g., EU CRA) have become economic risk factors, not merely technical considerations.

This paper outlines EVB’s technical position on how ISO 15118 and OCPP should be deployed together in 2026 to minimize risk, preserve trust, and enable long-term operational flexibility.

---

1. Why ISO 15118 and OCPP Are Still Misunderstood

In tenders, policy documents, and technical specifications, ISO 15118 and OCPP are often grouped together as generic interoperability requirements. In practice, they govern fundamentally different responsibilities at distinct system layers.

EVB’s deployment experience shows that many failures are not caused by missing standards, but by:

• Supporting standards at the wrong architectural layer
• Treating protocol compliance as a one-time integration task
• Underestimating ongoing responsibilities such as certificate renewal, revocation, and trust-anchor governance

By 2026, successful deployments are defined less by connectivity and more by how trust is established, maintained, and enforced across the charging ecosystem.

---

2. System Architecture Reality: EV ↔ Charger ↔ Backend

Inside the EVSE, the “Integration Gap” is explicitly implemented as a Message Translation Engine.)

Core message to convey:

ISO 15118, OCPP, and IEC 61851 govern distinct, non-overlapping layers.

Deployment instability most often arises at the EVSE integration layer, where ISO 15118 trust and session logic must be translated into OCPP business workflows.

The Message Translation Engine inside the EVSE is responsible for:

• Mapping ISO 15118 authentication and certificate logic into backend authorization flows
• Aligning charging intent with OCPP session control, billing, and Smart Charging logic
• Enforcing trust decisions locally when backend connectivity is degraded

Misalignment at this layer remains one of the most common root causes of real-world failures.

---

3. What ISO 15118 Support Means in Practice (2026 Baseline)

Core message to convey:

Plug & Charge is not a one-time feature, but an ongoing operational system.

In practice, most failures occur during certificate renewal, revocation checks, and trust-chain updates, which are frequently underestimated during planning.

In production deployments, ISO 15118 support does not imply full specification coverage.

The effective baseline observed in successful projects includes:

• Reliable Plug & Charge (ISO 15118-2 or ISO 15118-20)
• Stable certificate exchange, validation, and revocation handling
• Backend authorization compatibility across multiple eMSPs
• Interoperability with multiple OEM implementations

Advanced Scenarios: ISO 15118-20, DASH, DLM, and High-Density Charging Hubs

In large multi-bay charging hubs, ISO 15118-20 introduces additional complexity through DASH (Dynamic Association and Selection Hierarchy).

Dynamic vehicle-to-charger association becomes a non-trivial challenge, requiring tight coordination between EVSE logic and backend orchestration, especially critical for automated valet charging and multi-vehicle depot scenarios, including heavy-duty truck fleets and logistics hubs.

In 2026 deployments, DASH increasingly operates in conjunction with Dynamic Load Management (DLM).

Under grid power constraints, the purpose of DASH is not merely to establish connectivity, but to enable local decision logic that determines which vehicle is prioritized for ISO 15118 session allocation when available capacity is limited.

In such environments, EVSE-level local engines play a critical role by:

• Evaluating real-time grid and site power constraints
• Prioritizing vehicles based on departure time, fleet policy, or operational urgency
• Coordinating ISO 15118 handshake allocation accordingly

This tight coupling between ISO 15118-20, DASH, and DLM is essential for scalable, high-density charging operations.

V2G Beyond Technology: Grid Revenue Enablement and Response Latency

In 2026 VPP and grid-service scenarios, the value of ISO 15118-20 lies not only in enabling bidirectional energy flow, but in supporting millisecond-level response latency through local control logic.

Frequency regulation and similar grid services impose strict response-time requirements that cannot be met through cloud round-trip communication alone.

Successful monetization therefore depends on local decision-making, coordinated via ISO 15118-20 and OCPP 2.0.1 Smart Charging profiles.

---

4. OCPP Versioning and the Reality of Technical Debt

4.1 OCPP 1.6 in ISO 15118 Projects

Many deployed networks still operate on OCPP 1.6. While Plug & Charge can be supported via application notes and DataTransfer mechanisms, this approach increasingly represents technical debt in 2026.

Beyond basic operational cost, the primary burden lies in cybersecurity maintenance and integration overhead, including:

• Custom security patches to meet evolving regulatory requirements
• Manual or semi-manual certificate provisioning and renewal workflows
• Vendor-specific adaptations to compensate for missing native security constructs

As a result, the cost of keeping OCPP 1.6 compliant is no longer driven by day-to-day operation, but by continuous security retrofitting and integration effort.

In many 2026 deployments, the cumulative cost of cybersecurity maintenance and integration overhead on OCPP 1.6 exceeds the cost of migrating to OCPP 2.0.1, even before accounting for long-term scalability and compliance risk.

4.2 OCPP 2.0.1 as the Structural Baseline

OCPP 2.0.1 provides native ISO 15118 support, clearer security models, and built-in Smart Charging profiles.

EVB views OCPP 2.0.1 as the structurally correct architecture for long-term deployments, even when phased migration is required.

---

5. Common Deployment Pitfalls Observed by EVB

Pitfall 1: Multi-Root Trust Anchor Complexity

• Root Cause: Multiple OEMs introduce parallel trust anchors, creating complex validation paths.
• Observed Impact: Inconsistent Plug & Charge behavior across brands.
• Mitigation Strategy: Explicit multi-root trust-anchor management and unified validation logic.

Pitfall 2: Treating ISO 15118 as a One-Time Integration

• Root Cause: Viewing ISO 15118 as firmware functionality instead of an operational system.
• Observed Impact: Scaling failures across PKI ecosystems.
• Mitigation Strategy: Lifecycle-oriented certificate management and continuous interoperability testing.

Pitfall 3: Delayed ISO 15118-20 Consideration

• Root Cause: Postponing V2G readiness until after hardware rollout.
• Observed Impact: Costly retrofits and lost grid-participation opportunities.
• Mitigation Strategy: Hardware and firmware readiness at procurement stage.

Pitfall 4: OCPP Version Lock-In

• Root Cause: Over-customized OCPP 1.6 implementations.
• Observed Impact: Backend dependency and upgrade barriers.
• Mitigation Strategy: Defined migration path to OCPP 2.0.1.

Pitfall 5: Network Latency and TLS Timeouts

• Root Cause: ISO 15118 TLS handshakes and certificate checks are sensitive to network latency.
• Observed Impact: Plug & Charge failures in underground garages or weak 4G/5G environments.
• Mitigation Strategy: Local certificate pre-caching and edge pre-validation to reduce real-time connectivity dependency.

---

6. EVB Technical Position

EVB’s technical position is rooted in a design philosophy that prioritizes operational stability, cybersecurity resilience, and long-term adaptability over mere specification compliance.

Our charger platforms embody this philosophy through:

• Native support for ISO 15118 Plug & Charge architectures
• Hardware and firmware readiness for ISO 15118-20 bidirectional charging
• Secure main control boards with Hardware Security Modules (HSMs) for cryptographic key protection, supporting secure boot and secure firmware update mechanisms to establish a complete end-to-end chain of trust
• Alignment with emerging regulatory expectations such as the EU Cyber Resilience Act (CRA) and U.S. cybersecurity requirements
• Compatibility with both OCPP 1.6 (defined application profiles) and OCPP 2.0.1
• Interoperability-first development validated through multi-vendor testing
• Support for local controller and edge-proxy architectures to maintain Plug & Charge continuity during intermittent connectivity

Crypto Agility and Regulatory Premium

EVB’s technical position further incorporates cryptographic agility as a core design principle.

As global TLS certificate lifetimes continue to shorten — reaching 200 days from March 2026 and trending toward even shorter validity periods — long-term ISO 15118 deployments require automated and adaptable certificate management.

EVB platforms support automated certificate lifecycle management mechanisms, including ACME-based workflows, and are designed with crypto-agility to accommodate evolving cryptographic requirements. This includes readiness for future post-quantum cryptography (PQC) transitions without requiring hardware replacement.

In parallel, EVB recognizes the growing regulatory premium associated with cybersecurity compliance.

With the EU Cyber Resilience Act (CRA) enforcing mandatory vulnerability reporting and remediation obligations from September 2026, EVB aligns its development and operational processes with structured Vulnerability Management Processes (VMP).

This approach reduces downstream compliance risk for Charge Point Operators (CPOs), helping them avoid regulatory penalties while maintaining long-term system resilience.

---

7. Strategic Outlook Beyond 2026

As EVs become integral components of intelligent energy systems, competitive advantage will increasingly depend on:

• Trust governance rather than raw connectivity
• Edge intelligence rather than centralized control
• Economic integration with energy markets rather than isolated charging sessions

---

8. EVB Deployment Readiness Checklist (2026 Edition)

A practical self-assessment for CPOs and OEMs

• PKI Agnostic? Support multiple OEM root certificates simultaneously
• Offline Continuity? Local certificate caching and validation during network outages
• Cyber-Resilient? Private keys stored in HSMs with secure boot and secure firmware update
• V2G Monetizable? OCPP 2.0.1 Smart Charging profiles enabled for grid services
• Migration-Ready? OTA-supported migration from OCPP 1.6 to 2.0.1

For executive presentations and procurement evaluations, this checklist can be visualized as a radar chart comparing traditional deployments with EVB’s 2026-ready architecture.

---

Conclusion

In 2026, ISO 15118 and OCPP define the trust, control, and economic foundation of modern EV charging infrastructure.

EVB’s position is clear: sustainable success is achieved not through maximal protocol coverage, but through correct trust architecture, cryptographic agility, edge intelligence, regulatory readiness, and resilient system integration.