
ISO 15118-20 and Plug and Charge: the AFIR mandate for 2026 and 2027

From 8 January 2026 the European AFIR requires the communication standard ISO 15118 for new public charging points, and from 1 January 2027 the extended version ISO 15118-20. This turns Plug and Charge, automatic charging without an app or a card, from a comfort feature into an obligation. The real work rarely sits in the charger; it sits in the backend, the PKI and the processes behind them.

This article covers the AFIR mandate in seven steps: what changes, what Plug and Charge means in technical terms, why it is not the same as ad hoc payment, what the German starting point looks like, what needs to change in the backend, where the risks lie and what operators should do now.

Summary

ISO 15118 is the communication standard between the electric vehicle and the charge point and the technical basis for Plug and Charge. Plug and Charge means: you plug in the vehicle, it authenticates via a stored contract certificate, and the charging session starts without an app and without a charging card. The European Alternative Fuels Infrastructure Regulation, or AFIR, makes this standard mandatory in steps. From 8 January 2026 newly installed or substantially renovated publicly accessible AC charging points must support the ISO 15118-2 version. From 1 January 2027 the extended ISO 15118-20 version applies, also to new or renovated private charging points, with bidirectional charging, multi-contract handling and cross-signing of certificates. The distinction matters: according to the European Commission Plug and Charge is something different from ad hoc payment under Article 5 AFIR, which must still be possible with a widely used payment instrument, and at charging points of 50 kW and above via a card terminal. Germany counted around 200,000 public charging points on 1 April 2026, a 17 percent rise within a year. The real work sits in the backend: OCPP 2.0.1 or 2.1, secure certificate storage, mutually authenticated TLS connections and the connection to a public key infrastructure. The concentration of that PKI on a few providers such as Hubject and Gireve is at the same time the largest operational risk. For operators this means: procure only standard-ready hardware, upgrade the backend and set up the PKI connection as a permanent operation.

- 08 Jan 2026: ISO 15118-2 required for new public AC charging points (AFIR)
- 01 Jan 2027: ISO 15118-20 required for new public and private points (AFIR)
- around 200,000: public charging points in Germany (Bundesnetzagentur, April 2026)
- +17 %: growth in charging points within a year (Bundesnetzagentur)
- 14 Apr 2026: data provision required in the DATEX II format (all charge point operators)
- from 50 kW: card terminal required for ad hoc charging (AFIR Article 5)

What changes: ISO 15118 becomes mandatory

From 2026 digital charging is no longer a comfort feature but an obligation. The European Alternative Fuels Infrastructure Regulation, or AFIR, has applied directly in all member states since 13 April 2024 and makes the communication standard ISO 15118 mandatory in steps.

Two deadlines matter. From 8 January 2026 newly installed or substantially renovated publicly accessible AC charging points must support the ISO 15118-2 version. From 1 January 2027 the extended ISO 15118-20 version applies, then also to new or renovated private charging points. The obligation covers new build; existing installations do not have to be retrofitted.

| Date | Requirement | Scope |
| --- | --- | --- |
| 13 Apr 2024 | AFIR in force, ad hoc charging and smart charging | new public charging points |
| 08 Jan 2026 | ISO 15118-2 | new or renovated public AC points |
| 14 Apr 2026 | data in DATEX II format via an interface | all charge point operators |
| 01 Jan 2027 | ISO 15118-20 | new or renovated public and private points |

That sounds technical, but the consequence is clear: anyone building charging points from these dates must support the matching ISO 15118 version, otherwise the installation is not compliant. The deadline affects not only the charger, but the whole chain behind it.

What Plug and Charge means in technical terms

Plug and Charge means: you plug in the vehicle, it authenticates itself, the charging session starts without an app and without a charging card. This is made possible by a contract certificate stored in the vehicle and verified automatically when it is plugged in.

Plug and Charge is the automatic authentication and authorisation of a charging session based on a contract certificate stored in the vehicle. The communication standard ISO 15118 governs the exchange between vehicle and charge point, and the certificate is verified through a public key infrastructure and encrypted TLS connections.

Figure: The Plug and Charge flow. The vehicle sends its contract certificate through the charge point to the CPO backend, the V2G PKI verifies the certificate chain, the mobility provider authorises, and charging starts without app or card.

The extended ISO 15118-20 version can do more than its predecessor. It adds bidirectional charging, where the vehicle can not only draw power but also feed it back; it allows several contracts to be handled in the same vehicle; and it enables cross-signing of certificates. With cross-signing a contract certificate can be signed by several root authorities at once, for example the manufacturer root and the mobility provider root, so the system does not fail if a single root is compromised or drops out.
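The cross-signing behaviour described above, as an added example that is not part of the original article or of any PKI provider's code: cross-signing is modelled as two CA certificates for the same sub-CA key, one per root, and the path search shows that a contract certificate still validates when one root is taken out of the trust store. All names, serials and key ids are constructed, the chain-length limit is an assumption, and key-id matching stands in for real signature verification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    serial: str
    subject: str
    issuer: str
    key_id: str          # subject key (stand-in for subjectKeyIdentifier)
    signer_key_id: str   # issuer key (stand-in for authorityKeyIdentifier)
    not_after: datetime
    is_ca: bool = False

def find_path(leaf, pool, trusted_keys, revoked, now, max_len=3):
    """Return a chain from leaf up to a cert signed by a trusted root key, or None.

    Key-id matching replaces signature checks in this model; a real verifier
    must also verify every signature cryptographically.
    """
    def walk(cert, chain):
        if cert.serial in revoked or now > cert.not_after or len(chain) >= max_len:
            return None
        chain = chain + [cert]
        if cert.signer_key_id in trusted_keys:
            return chain
        for cand in pool:  # try every CA certificate issued for the signing key
            if cand.is_ca and cand.key_id == cert.signer_key_id and cand not in chain:
                found = walk(cand, chain)
                if found:
                    return found
        return None
    return walk(leaf, [])

# Constructed sample data (names, serials and key ids are hypothetical).
NOW = datetime(2027, 3, 1, tzinfo=timezone.utc)
LATER = datetime(2029, 1, 1, tzinfo=timezone.utc)
POOL = [
    Cert("02", "MO-SubCA", "MO-Root", "k-sub", "k-mo-root", LATER, True),
    Cert("03", "MO-SubCA", "OEM-Root", "k-sub", "k-oem-root", LATER, True),  # cross-cert
]
CONTRACT = Cert("01", "CONTRACT-0001", "MO-SubCA", "k-contract", "k-sub", LATER)

def issuers(chain):
    return [c.issuer for c in chain] if chain else None

if __name__ == "__main__":
    print(issuers(find_path(CONTRACT, POOL, {"k-mo-root", "k-oem-root"}, set(), NOW)))
    print(issuers(find_path(CONTRACT, POOL, {"k-oem-root"}, set(), NOW)))  # MO root distrusted
    print(issuers(find_path(CONTRACT, POOL, set(), set(), NOW)))           # no anchor left
```

Distrusting one root only helps if the verifier's certificate pool actually contains the cross-certificate, so distributing it is part of the same operational task as managing the trust store.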

For grid integration the bidirectional capability is the real leap. It is the basis for vehicles working as mobile storage on the grid. How that turns into viable models is shown in the article on bidirectional charging under the MISPEL model.

Plug and Charge is not ad hoc payment

A common misunderstanding: Plug and Charge does not replace the obligation to allow spontaneous payment. The European Commission makes clear in its questions and answers that the two paths are to be treated separately. Operators must therefore offer both, the contract-based automatic path and the contract-free card payment.

Payments via Plug and Charge, that is communication through ISO 15118-2 or -20, are not relevant in the context of Article 5(1), as this article relates to recharging on an ad hoc basis.

European Commission, AFIR questions and answers

The difference lies in the contract. Ad hoc charging under Article 5 AFIR means that a user can charge without a prior contract and pay with a widely used payment instrument. At charging points of 50 kW and above a card terminal is mandatory; below that, a PSD2-compliant QR code that leads to a secure payment page is enough. Plug and Charge, by contrast, requires an existing contract between the end user and a mobility service provider, which puts it outside the ad hoc case in the view of the Commission. Both paths stand side by side; neither replaces the other.

German and EU perspective

Germany has the base that the obligation applies to: around 200,000 public charging points on 1 April 2026. New build is the real challenge, because every new or renovated point falls under the standard requirement.

Figure: Every new or renovated public charging point falls under the ISO 15118 requirement. At around 200,000 points and continued double-digit growth, that adds up quickly.

On 1 April 2026 the Bundesnetzagentur counted around 149,002 normal charging points and 51,253 fast charging points, together more than 200,000. The stock grew by 17 percent within a year, fast charging points even by 34 percent, and the installed capacity rose from 6.38 to 8.28 gigawatts. At this pace the standard requirement is not a niche topic but affects most of the ongoing build-out.

In parallel, from 14 April 2026 all charging data must be provided in the DATEX II format through a standardised interface. In Germany, calibration-law-compliant billing is an additional requirement, so that charging electricity is measured and billed in a legally sound way. Anyone tackling these obligations separately risks three consecutive projects instead of one.

What this means in the backend

The deadline affects the whole chain behind the charger. ISO 15118 can only be implemented if hardware, backend and PKI work together. The core of the work rarely sits in the charger; it sits in the software and in the certificate handling.

Figure: The real change sits behind the charger: secure certificate storage, an OCPP backend and the connection to a public key infrastructure.

Three building blocks are central. First, the backend must speak OCPP 2.0.1 or 2.1, because only these versions support the certificate handling for Plug and Charge. Second, the charge points need secure cryptographic storage, for example a Trusted Platform Module, and mutually authenticated TLS connections to the backend. Third, operators must connect to a V2G PKI and manage the full certificate lifecycle: issuance, storage, renewal and revocation.

This digital base is not a special case of charging infrastructure but follows the same logic as other building blocks of the energy transition. Secure device communication is familiar from EEBUS and home energy management, the grid-friendly control of flexible loads from section 14a EnWG. In the sense of that rule, a charge point is a controllable consumption device.

Challenges and risks

The PKI is a strength and a weakness at once. It makes automatic charging secure, but shifts the risk onto a few central instances and raises the complexity for everyone involved.

Building and running a unified certificate world is seen as demanding and costly, and different PKI systems such as Hubject and Gireve require interoperability testing. An outage of the V2G PKI, for example through compromised or expired certificates, can disrupt charging operations on a large scale, and the dependency on a few providers concentrates that risk. The move from simple signalling to application-layer communication also widens the attack surface. Certificate theft and relay attacks, where a different vehicle charges at the victim's expense, are conceivable. For manufacturers, the embedded implementation of TLS, EXI encoding and certificate verification is a high technical hurdle.

The biggest risk is not the single charger, but the dependency on the PKI. Anyone who plans the connection, the certificate renewal and a fallback mode for a PKI outage from the start makes Plug and Charge resilient. Anyone who treats the PKI as a side issue risks a central outage bringing down the whole charging park.
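One way to implement the fallback mode and renewal planning described above (an added example, not from the original article): Plug and Charge is authorised only on a live or still-valid cached revocation answer, and anything unverifiable is routed to the contract-free ad hoc payment path that operators must offer anyway. The cache validity window, the 30-day renewal window and all function names and serials are assumptions.

```python
from datetime import datetime, timedelta, timezone

def revocation_status(serial, cache, fetch, now):
    """Return 'good', 'revoked' or 'unknown' for a contract certificate.

    A live PKI answer refreshes the cache. During an outage a cached answer
    is used only inside its validity window; stale data counts as 'unknown'.
    """
    try:
        status, next_update = fetch(serial)
        cache[serial] = (status, next_update)
        return status
    except ConnectionError:
        status, next_update = cache.get(serial, ("unknown", now))
        return status if now < next_update else "unknown"

def authorise(serial, not_after, cache, fetch, now):
    """Fail closed for Plug and Charge, but keep the charger usable."""
    if now > not_after:
        return "ad_hoc"           # expired contract certificate
    if revocation_status(serial, cache, fetch, now) == "good":
        return "plug_and_charge"
    return "ad_hoc"               # revoked or unverifiable: contract-free payment

def renewal_due(inventory, now, window=timedelta(days=30)):
    """Serials of operator-side certificates to renew before they expire."""
    return sorted(s for s, not_after in inventory.items() if not_after - now <= window)

# Constructed sample data; serials and dates are hypothetical.
NOW = datetime(2027, 3, 1, 12, 0, tzinfo=timezone.utc)
VALID_UNTIL = NOW + timedelta(days=400)

def pki_up(serial):    # stand-in for a reachable revocation service
    return ("revoked" if serial == "C-STOLEN" else "good", NOW + timedelta(hours=24))

def pki_down(serial):  # stand-in for a V2G PKI outage
    raise ConnectionError("V2G PKI unreachable")

if __name__ == "__main__":
    cache = {}
    print(authorise("C-1", VALID_UNTIL, cache, pki_up, NOW))
    print(authorise("C-1", VALID_UNTIL, cache, pki_down, NOW + timedelta(days=2)))
```

The length of the cache window is the trade-off to decide deliberately: a longer window rides out longer outages, but also keeps a stolen certificate usable for longer after it has been revoked.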

What companies should do now

Anyone who operates or plans charging infrastructure should treat the deadlines as a programme, not as a single firmware update. Four steps are the most pressing.

Four priority steps

  1. Move procurement to the standard

    Only tender hardware that demonstrably supports ISO 15118-2 today and ISO 15118-20 from 2027. That way no newly installed charging point fails the next deadline.

  2. Upgrade the backend to OCPP 2.0.1 or 2.1

    Only these versions support the certificate handling for Plug and Charge. Set up the certificate management as a permanent operation, not as a one-off project, because certificates expire and have to be renewed.

  3. Decide the PKI connection deliberately

    Clarify make or buy for the PKI: in-house operation demands mature governance, outsourcing increases the dependency on the provider. In both cases plan a fallback mode for the event of a PKI outage.

  4. Plan the data obligations together

    Tackle DATEX II data provision and calibration-law-compliant billing in parallel, so that three projects do not run one after another. That turns several separate obligations into one coordinated effort.

Charging communication does not stand alone. It ties into the same digitalisation as bidirectional charging, the control under section 14a EnWG and device communication via EEBUS and HEMS.

Frequently asked questions

What is Plug and Charge?

Plug and Charge means that an electric vehicle authenticates automatically at the charge point when it is plugged in and the charging session starts without an app or a charging card. The basis is a contract certificate stored in the vehicle and verified through a public key infrastructure. The communication standard behind it is ISO 15118.

When does ISO 15118 become mandatory under AFIR?

From 8 January 2026 newly installed or substantially renovated publicly accessible AC charging points must support the ISO 15118-2 version. From 1 January 2027 the extended ISO 15118-20 version applies to new or renovated public and private charging points. AFIR has applied directly in all member states since 13 April 2024.

What is the difference between Plug and Charge and ad hoc payment?

Plug and Charge requires an existing contract between the end user and a mobility service provider and authenticates automatically via a contract certificate. Ad hoc charging under Article 5 AFIR is payment without a contract using a widely used payment instrument. According to the European Commission the two paths are separate, and operators must additionally offer contract-free card payment. Charging points of 50 kW and above need a card terminal; below that, a PSD2-compliant QR code is enough.

What role does the PKI play in Plug and Charge?

The public key infrastructure (PKI) verifies whether the contract certificate in the vehicle is genuine and valid. ISO 15118-20 allows cross-signing for the first time, so a certificate can be signed by several roots and the system does not depend on a single instance. In Europe a few PKI providers such as Hubject and Gireve dominate. An outage of the V2G PKI is seen as one of the central operational risks.

What do charge point operators need to change in the backend?

The backend must speak OCPP 2.0.1 or 2.1, because only these versions support the certificate handling for Plug and Charge. Charge points need secure cryptographic storage and mutually authenticated TLS connections to the backend. Operators must connect to a V2G PKI and manage the full certificate lifecycle. In parallel, from 14 April 2026 charging data must be provided in the DATEX II format.