ISO 15118 Plug & Charge: What OEM Partners Need to Implement Before 2027

OEM partners shipping DC chargers into the EU, UK, or North America after 2027 will need ISO 15118-20 Plug & Charge support at the hardware, firmware, and PKI level — not as a future firmware promise, but baked into the unit on day one. That means a PLC-capable CCS communication controller, a secure element for X.509 certificate storage, TLS 1.3 stack, OCPP 2.0.1 integration on the backend, and a signed contract with at least one root certificate authority such as Hubject or Eonti. Skip any of those layers and your charger becomes a brick on every major network that adopts Plug & Charge as a baseline requirement.

Why 2027 Is the Real Deadline, Not 2025

The original ISO 15118-2 standard has been around since 2014, but adoption stayed slow because the business case was thin. That changed when the EU’s AFIR regulation made Plug & Charge a hard requirement for publicly funded fast-charging sites by 2027, and when major OEMs — Ford, Mercedes, Porsche, Lucid — started shipping vehicles that expect it natively.

What’s happening in 2026 is the transition window. Networks like Ionity, Electrify America, and Fastned are already accepting ISO 15118-2 sessions, but their procurement teams are quietly refusing new charger orders that don’t include a clear ISO 15118-20 roadmap. If your product line still relies on EIM (External Identification Means, i.e. RFID or app) as the only authentication path, you’re already behind.

For context, a European CPO we work with told us they downgraded an order of 400 units in late 2025 specifically because the supplier couldn’t commit to a -20 firmware path. That’s the kind of conversation happening across the industry right now.

The Hardware Layer: What Has to Be Inside the Charger

Plug & Charge isn’t a software-only upgrade. It depends on physical components that have to be specified before the PCB goes to production.

Powerline Communication (PLC) modem

You need a HomePlug Green PHY chipset integrated into the CCS communication controller. Qualcomm’s QCA7000-series is the de facto standard, but newer designs are moving to the QCA7006AQ for higher SNR and better noise immunity on long DC cables. Skimping here causes intermittent SLAC (Signal Level Attenuation Characterization) failures — one of the most common field complaints we see.

Secure element for certificate storage

Contract certificates and the charger’s own OEM provisioning certificate must be stored in a tamper-resistant secure element — typically an Infineon OPTIGA Trust M, NXP A71CH, or Microchip ATECC608B. Storing private keys in flash is not compliant and will fail security audits at certification.

Sufficient MCU headroom

TLS 1.3 handshakes with ECDSA secp521r1 are computationally heavier than most legacy chargers anticipated. A Cortex-M4 at 168 MHz works, but you’ll feel it on session-start latency. Cortex-M7 or a dedicated Linux-based comm board is the safer path for next-gen designs.

This hardware foundation is what separates a charger that can be updated to -20 from one that physically cannot. For a deeper look at how power module architecture interacts with these communication boards, see our guide on modern DC charger efficiency.

The PKI Layer: Who Signs Your Certificates Matters

Plug & Charge is fundamentally a public key infrastructure problem. There are five certificate types involved in a single session: OEM provisioning, contract, charge point, Mobility Operator (MO), and V2G root. If any one of them is misconfigured, the session fails silently — and the driver just sees a generic error.

Choosing a root authority

In Europe, Hubject’s V2G Root CA dominates because it’s bundled with the Intercharge roaming network. In North America, Eonti and CharIN’s North American Root CA are emerging as alternatives. For OEMs shipping globally, you typically need contracts with at least two roots, plus a fallback for markets like Japan and Korea.

Provisioning workflow

Each charger needs a unique OEM provisioning certificate burned in at the factory, signed by your sub-CA, which is in turn signed by the V2G root. This means your factory needs an HSM (Hardware Security Module) integrated into the end-of-line test station. It’s not optional — a single leaked private key can invalidate an entire production batch.

For instance, a Tier 2 OEM in Shenzhen had to recall and re-provision 1,200 chargers in 2024 after a contractor stored signing keys on a USB drive. That recall cost more than the entire PKI infrastructure investment would have.

ISO 15118-2 vs. ISO 15118-20: Which Should You Ship in 2026?

Honest answer: both, if you can swing it. -2 is what’s actually deployed in vehicles today, while -20 is what the network operators are demanding for new procurement. The good news is that a well-architected charger can support both with the same hardware — it’s a firmware configuration.

The key differences come down to cryptographic strength, native bidirectional charging support, and dynamic scheduling. -20 also adds wireless power transfer (WPT) and ACDP (Automatic Connection Device, Pantograph) profiles, which matter if you sell into electric bus charging or pantograph-equipped fleets.

Our recommendation: ship -2 active by default, with -20 ready as a remote firmware activation once vehicle population catches up in your target market. This avoids breaking sessions with older vehicles while keeping your fleet future-ready.

OCPP 2.0.1 Is the Backend Half of the Equation

Plug & Charge doesn’t end at the charger. The charge point operator’s backend has to relay contract certificate requests up to the Certificate Provisioning Service (CPS) and the eMobility Service Provider (eMSP). That handoff is defined in OCPP 2.0.1’s ISO 15118 extensions — and OCPP 1.6 simply cannot do it.

If your firmware still speaks 1.6J, you can authenticate but you can’t complete a Plug & Charge transaction end-to-end. This is the single biggest gap we see in OEM products that claim “ISO 15118 ready” on their datasheet. Authenticating locally is not the same as completing a billable, network-recognized session.

The relevant OCPP 2.0.1 messages to verify in your stack:

• Authorize.req with idToken.type = eMAID
• Get15118EVCertificate.req for contract certificate retrieval
• GetCertificateStatus.req for OCSP stapling
• SignCertificate.req for charge point certificate renewal

If your firmware team can’t tick all four boxes, you’re not Plug & Charge ready — regardless of what the marketing sheet says.

Certification Bottlenecks You Need to Plan For

There are currently fewer than ten labs worldwide accredited for full ISO 15118-20 conformance testing — and lead times are already stretching to 6–9 months. CharIN’s Testival events help, but they’re interop checks, not formal certification.

If you start the certification process in Q3 2026 expecting a Q1 2027 certificate, you’re going to miss your window. Realistic timelines look more like this:

• Internal interop testing: 2–3 months
• Pre-compliance with simulator (e.g. Vector vTESTstudio, Keysight SL1500A): 1–2 months
• Lab booking lead time: 4–6 months
• Formal conformance + interop testing: 1–2 months
• Issue resolution and re-test: 1–3 months

That’s roughly a 12-month roadmap. If your product is currently at the “we’ll add it in a future firmware” stage, you should be writing your test plan this quarter.

A Real-World OEM Implementation Path

Here’s a concrete example of how this plays out. A European fleet integrator approached us in early 2025 needing 180 DC fast chargers for last-mile depots, with the explicit requirement that all units support Plug & Charge by mid-2026 to align with their van OEM’s contract authentication flow.

The integration path looked like this:

• Month 1–2: Hardware revision to add OPTIGA Trust M secure element and upgrade the comm board MCU.
• Month 3–4: Firmware port to TLS 1.3 stack with ISO 15118-2 active, -20 stubbed.
• Month 5: Hubject root contract signed, factory HSM commissioned.
• Month 6–7: Backend integration with the customer’s CPO platform via OCPP 2.0.1.
• Month 8: Hubject Testival passed, first units deployed.

The whole project took eight months from kickoff to live deployment. The lesson: it’s not a six-week firmware patch, and treating it as one is the fastest way to burn a customer relationship. For fleet-specific charging context, our heavy-duty truck charging site design notes cover related logistics challenges.

What to Ask Your Charger Manufacturer Right Now

If you’re a distributor, EPC, or fleet operator evaluating chargers in 2026, here are the questions that separate serious Plug & Charge-ready products from datasheet theater:

• Which secure element are you using, and where in the BOM is it specified?
• What OCPP version does your firmware speak today, and which 15118 extensions are implemented?
• Have you completed a Hubject Testival or CharIN interop event? Which one, and on what date?
• Which root CA contracts are in place, and what is the factory provisioning workflow?
• Can you provide a firmware roadmap document showing -2 to -20 transition milestones?
• What is your remote certificate renewal mechanism for chargers in the field?

An answer like “we support ISO 15118” without specifics is a red flag. The standard is too broad and the implementation details too critical for vague answers to be acceptable in 2026.

Planning the Next 18 Months

ISO 15118-20 Plug & Charge isn’t a marketing feature — it’s becoming table stakes for any DC charger sold into developed markets after 2027. Hardware decisions made today determine whether your product line is upgradeable or obsolete by the time AFIR enforcement kicks in. PKI contracts, OCPP 2.0.1 backend readiness, and certification lab bookings all need to be in motion now, not next year.

At evaisun, we engineer our OEM and ODM commercial EV charging platforms with the secure element, communication board, and firmware architecture needed for full ISO 15118-20 support — so partners can ship today and activate Plug & Charge as their markets demand it. If you’re building a procurement spec or weighing supplier roadmaps, talk to us early. We’d rather help you choose the right hardware now than retrofit chargers later.