ISO 27001 Is Now Mandatory for Türkiye's EV Charging Operators — A Practical Readiness Guide
Türkiye now requires CPO software and remote-access infrastructure to comply with TS ISO/IEC 27001. A calm, practical readiness path before the ~March 2027 deadline.
If you operate electric-vehicle charging stations in Türkiye, the rules around your software just changed in a meaningful way. On 23 March 2026, an amendment to the Charging Service Regulation (Şarj Hizmeti Yönetmeliği, Official Gazette No. 33202) introduced a new requirement under Article 18/2: the software, charging devices and remote-access infrastructure operated by charging-point operators (CPOs) must comply with TS ISO/IEC 27001, the national adoption of the international information-security standard.
This isn't a paperwork footnote. It signals that EV charging is now treated as part of Türkiye's critical infrastructure — and that the systems behind every charge session are expected to meet a recognised security baseline. The good news: the change is manageable, the timeline is reasonable, and you do not need to panic. This guide explains what the rule says, what ISO 27001 actually means in plain terms, and how to approach readiness in sensible stages.
What Article 18/2 actually says
Stripped of legal language, the requirement is straightforward: the digital backbone of your charging operation — the management software, the chargers themselves, and the channels you use to reach them remotely — must conform to TS ISO/IEC 27001. In practice that means demonstrating you have a structured, documented way of protecting information and the systems that handle it.
It's worth being precise about wording. The regulation requires compliance with the standard. Certification through an accredited body is the most credible and practical way to evidence that compliance, but operators should confirm the exact certification expectation against the regulation's transitional provisions and any guidance from EPDK (the Energy Market Regulatory Authority). Our consistent advice: treat full ISO 27001 compliance as the goal, and certification as the route most likely to satisfy auditors and partners.
On timing, existing operators are not expected to flip a switch overnight. The transitional provision (Geçici Madde 4) gives current operators roughly one year to come into line — landing around March 2027. That is enough time to do this properly without cutting corners, provided you start now rather than in the final quarter.
This requirement also sits alongside a broader shift. Türkiye's Cybersecurity Law No. 7545 brings energy and other critical-infrastructure sectors under tighter security expectations. EV charging touches the energy grid, so it increasingly falls within that wider conversation. ISO 27001 readiness is a strong foundation for whatever further obligations follow.
ISO 27001 in plain terms: securing the house, not just the front door
It helps to think of ISO 27001 the way you'd think about protecting a home. Most people imagine security as a single strong lock on the front door. But a genuinely secure house is more than one lock. It's knowing which doors and windows exist, deciding which valuables need the most protection, agreeing house rules so everyone locks up consistently, and checking now and then that the alarm still works.
ISO 27001:2022 — the current version of the standard — is essentially that mindset written down for an organisation. It asks you to build an Information Security Management System (ISMS): a living set of policies, responsibilities and routines that together keep your information safe. It's less about buying one clever gadget and more about running the household with discipline. The certificate isn't a trophy on the wall; it's evidence that you actually live by the house rules, day after day.
That framing matters for CPOs because your "house" is unusually exposed. You don't just have an office network — you have hundreds or thousands of devices sitting on streets, in car parks and at service stations, all reachable over the internet.
Why charging operators have a tougher security problem
A typical office only has to worry about laptops and a few servers. A charging network is a different shape of problem entirely, and ISO 27001 readiness has to reflect that.
- Remote access everywhere. Chargers are managed remotely — for firmware updates, diagnostics, pricing and session control. Every remote-access path is a door, and every door needs a strong lock, a record of who holds the key, and a way to spot if someone tries the handle.
- Operational technology (OT), not just IT. A charger is an industrial control system (ICS): physical hardware delivering real power. Securing OT is different from securing email. A failure here can affect availability, safety and the grid connection — not just data.
- Protocols built for function, not hardening. Communication standards like OCPP keep stations talking to back-ends, but they have to be deployed carefully — encrypted channels, authenticated devices, segmented networks — or they become an easy way in.
- A long supply chain. Hardware vendors, software platforms and roaming partners all touch your systems. ISO 27001 expects you to manage that third-party risk rather than assume someone else has.
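The four points above map onto concrete, checkable properties of each charger's back-end link: is the channel encrypted, is the device authenticated, is its credential unique, and does someone own the remote-access path. The script below is an added example (not code from the original article or from any CPO's real tooling) that audits a constructed fleet inventory for exactly those gaps. It goes slightly beyond the text by grading each link against the OCPP security profiles (1: Basic Auth over plain WebSocket, 2: TLS with Basic Auth, 3: TLS with client certificates), which the article does not mention; the inventory format, field names and the `csms.example.invalid` endpoint are assumptions for the example.

```python
"""Fleet-level hygiene check for charger remote-access paths.

Added example, not the article's or any operator's own code. It audits a
constructed inventory of charger-to-back-end (CSMS) connections and flags the
gaps the article lists: unencrypted channels, unauthenticated devices, shared
credentials, remote-access paths with no named owner, and chargers placed on
a non-OT network segment. The OCPP security profile numbers follow the OCPP
1.6 Security Whitepaper / OCPP 2.0.1; the inventory schema is an assumption.
"""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlparse


@dataclass
class ChargerLink:
    charge_point_id: str
    csms_url: str                        # back-end WebSocket endpoint
    auth: str                            # "none", "basic" or "client_cert"
    credential_id: Optional[str]         # basic-auth username or cert fingerprint
    remote_access_owner: Optional[str]   # person/team accountable for the path
    network_segment: str                 # e.g. "ot-chargers", "corp-lan"


# Constructed sample inventory (not real stations, not a real endpoint).
SAMPLE_INVENTORY: List[ChargerLink] = [
    ChargerLink("CP-0001", "wss://csms.example.invalid/ocpp", "client_cert", "sha256:AB12", "ops-team", "ot-chargers"),
    ChargerLink("CP-0002", "wss://csms.example.invalid/ocpp", "basic", "cp-0002", "ops-team", "ot-chargers"),
    ChargerLink("CP-0003", "ws://csms.example.invalid/ocpp", "basic", "fleet-shared", None, "corp-lan"),
    ChargerLink("CP-0004", "ws://csms.example.invalid/ocpp", "none", None, "vendor-x", "corp-lan"),
    ChargerLink("CP-0005", "wss://csms.example.invalid/ocpp", "basic", "fleet-shared", "ops-team", "ot-chargers"),
]


def uses_tls(link: ChargerLink) -> bool:
    """True when the back-end URL is a TLS-protected WebSocket (wss://)."""
    return urlparse(link.csms_url).scheme == "wss"


def security_profile(link: ChargerLink) -> int:
    """Map transport + authentication to an OCPP security profile (0 = none)."""
    tls = uses_tls(link)
    if tls and link.auth == "client_cert":
        return 3
    if tls and link.auth == "basic":
        return 2
    if not tls and link.auth == "basic":
        return 1
    return 0


def audit(
    inventory: List[ChargerLink],
    min_profile: int = 2,
    ot_segments: FrozenSet[str] = frozenset({"ot-chargers"}),
) -> Dict[str, List[str]]:
    """Return {charge_point_id: [findings]} for every charger with at least one gap.

    min_profile=2 encodes the policy 'no plaintext OCPP in production';
    ot_segments lists the network segments where field equipment is allowed.
    """
    # Count how many chargers present each credential; >1 means it is shared.
    cred_use = Counter(l.credential_id for l in inventory if l.credential_id)
    findings: Dict[str, List[str]] = {}
    for link in inventory:
        issues: List[str] = []
        profile = security_profile(link)
        if not uses_tls(link):
            issues.append("plaintext transport (ws://): channel is not encrypted")
        if link.auth == "none":
            issues.append("device is not authenticated to the back-end")
        if profile < min_profile:
            issues.append(f"security profile {profile} below required minimum {min_profile}")
        if link.credential_id and cred_use[link.credential_id] > 1:
            issues.append(f"credential '{link.credential_id}' shared by {cred_use[link.credential_id]} chargers")
        if not link.remote_access_owner:
            issues.append("remote-access path has no named owner")
        if link.network_segment not in ot_segments:
            issues.append(f"charger sits on non-OT segment '{link.network_segment}'")
        if issues:
            findings[link.charge_point_id] = issues
    return findings


def profile_distribution(inventory: List[ChargerLink]) -> Dict[int, int]:
    """Fleet-wide count of chargers per security profile, for the gap-assessment report."""
    return dict(Counter(security_profile(l) for l in inventory))


if __name__ == "__main__":
    print("profile distribution:", profile_distribution(SAMPLE_INVENTORY))
    for cp_id, issues in audit(SAMPLE_INVENTORY).items():
        print(cp_id)
        for issue in issues:
            print("  -", issue)
```

Run against a real export of your CSMS connection table, the output is a first cut of the "remote-access layer" section of a gap assessment: every flagged line corresponds to evidence an auditor will ask for (an encryption policy, a per-device credential, an access-owner register, a network diagram). The shared-credential check is the one most often missed, because each charger looks fine in isolation and the problem only appears when the fleet is viewed as a whole.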
None of this is a reason for alarm. It simply means a credible readiness programme has to cover the field equipment and remote-access layer, not only the head office — and that's exactly where many generic security efforts fall short.
A staged, honest path to readiness
You do not need to solve everything at once. The most reliable route is incremental, and each stage delivers value even before certification.
- Gap assessment first. Before changing anything, get an honest map of where you stand against ISO 27001:2022. This identifies the real risks — usually a handful of meaningful gaps rather than hundreds — and gives you a prioritised plan instead of guesswork.
- Build the ISMS. With the gaps known, you put the management system in place: clear policies, defined ownership, access controls, incident-response routines, supplier checks, and the OT-specific controls your charging estate needs. This is the substance of compliance.
- Sustain it with ongoing oversight. An ISMS isn't a one-off project; it has to keep running. Many operators bridge the gap with a virtual CISO (vCISO) arrangement — senior security leadership on a fractional basis — so the system stays alive between audits without the cost of a full-time hire.
A word of honesty here. We are an independent readiness adviser, not a certification body. We cannot — and would never — promise you a certificate, because the certification decision rests with an accredited registrar after their own audit. What we do is get you genuinely ready: so that when the registrar arrives, the evidence is real, the controls work, and there are no surprises. Anyone guaranteeing you a pass is misunderstanding how the process works.
Where to start
With the practical deadline around March 2027, the operators who will find this easiest are the ones who begin with a clear-eyed gap assessment in 2026 — well before the rush. The work is very doable; it simply rewards starting early.
If you'd like a calm, no-pressure conversation about where your charging operation stands against Article 18/2 and ISO 27001:2022, we're happy to walk through it with you and sketch a realistic, staged plan. No jargon, no fear — just a clear picture of the road ahead.
Need help with this?
Our team can help you assess where you stand and build a practical remediation plan. Free 30-minute consultation — no obligation.