In order to ensure the metering data transferred by households is protected, the connection maintained by a Smart Meter Gateway to an authorised market participant in the wide area network must involve mutual authentication of the communication partners. Accordingly, all communication takes place over an encrypted channel whose integrity is assured. In addition, the data to be sent by the Smart Meter Gateway is also encrypted and signed for the end recipient at the data level.

The PKI chosen for this scenario envisages a central, state-operated root as the anchor of trust within the gateway infrastructure. Subordinate to this root, private enterprises operate as sub CAs (certificate authorities): these enterprises are the PKI point of contact and support for market participants. The root implements legal requirements at the technical level and provides authorisation for the private enterprises to operate as sub CAs. The security requirements for issuing certificates in relation to technical systems, personnel and organisational matters are specified by the root in a Certificate Policy (root CP). Within the root CP, organisational and technical requirements are specified for the recognition, issuing, administration, use, revocation and renewal of certificates for communication between the gateway and market participants.

Since 1 March 2015, the effective operation of the root has been handled by a certification service provider under the supervision of the BSI. Market participants are also provided with various test systems in addition to the root, for the issuing of digital test certificates.