Regulation Bullish 7

Mavenir Secures First BSI NESAS 5G Core Certification, Full Portfolio by Q3 2026

· 4 min read · Verified by 2 sources · By Cyber Intelligence Brief Editorial
Share

Key Takeaways

  • Mavenir becomes the first major network software vendor to certify a 5G Packet Core network function under Germany’s mandatory NESAS cybersecurity scheme, bolstering network security for public telecoms and setting a new compliance benchmark.

Mentioned

Mavenir company Federal Office for Information Security (BSI) government agency NESAS security framework 5G Packet Core technology Network Repository Function (NRF) technology Fabian Hodouschek person Omar Shahdad person German Telecommunications Act (TKG) regulation BSI Act (BSIG) regulation

Key Intelligence

Key Facts

  1. 1Mavenir is the first major telecommunications infrastructure software provider to receive BSI NESAS certification for a 5G Packet Core network function.
  2. 2The certification covers the Network Repository Function (NRF), a critical 5G core component, confirming its security for public telecom networks in Germany.
  3. 3Germany’s mandatory NESAS certification requirement for critical telecom components took effect on January 1, 2026, under the Telecommunications Act (TKG) and BSI Act (BSIG).
  4. 4Mavenir plans to complete certification for its full 5G Packet Core and IMS portfolio by Q3 2026.
  5. 5The Federal Office for Information Security (BSI) hailed the certification as an important contribution to securing Germany’s mobile networks.
  6. 6NESAS (Network Equipment Security Assurance Scheme) is an internationally recognized framework developed by 3GPP and GSMA.

By issuing the first BSI NESAS cybersecurity certificate to the manufacturer Mavenir, we make an important contribution to securing Germany's mobile telecom networks. It is the first certificate for a critical 5G core network component used by operators of public 5G mobile networks in Germany.

Fabian Hodouschek Head of Certification, Federal Office for Information Security (BSI)

Upon issuing the first BSI NESAS certificate to Mavenir

Analysis

Germany’s push to harden critical telecom infrastructure reached a milestone as Mavenir’s 5G core function clears the BSI’s rigorous NESAS evaluation. This certification isn’t just a regulatory checkbox—it’s a blueprint for embedding security by design in the 5G core, and it will shape procurement decisions across Europe’s surveillance-conscious market.

The certification of Mavenir’s 5G Packet Core Network Repository Function (NRF) under Germany’s BSI NESAS scheme marks a turning point in telecom security compliance. On June 15, 2026, Mavenir announced it had become the first tier-1 network software infrastructure provider to receive the BSI NESAS cybersecurity certificate for a critical 5G core network component. The achievement not only validates the company’s cloud-native, AI-driven software design but also signals a new era in which national security mandates directly shape procurement in the telecom supply chain.

The certification of Mavenir’s 5G Packet Core Network Repository Function (NRF) under Germany’s BSI NESAS scheme marks a turning point in telecom security compliance.

The NESAS (Network Equipment Security Assurance Scheme) framework, jointly developed by 3GPP and GSMA, was adopted by Germany’s Federal Office for Information Security (BSI) as a cornerstone of its Telecommunications Act (TKG) and BSI Act (BSIG) amendments. Effective January 1, 2026, these laws require that all critical components deployed in public 5G networks hold a BSI NESAS certificate, covering both the product’s security properties and the vendor’s development and lifecycle processes. By securing this first certification, Mavenir positions itself at the forefront of a regulatory wave that is likely to sweep across Europe and beyond.

The NRF is a foundational element of the 5G Service-Based Architecture, responsible for service discovery and registration—making it a high-value target for threat actors. Fabian Hodouschek, Head of Certification at BSI, underscored the national security stakes, stating that the certificate “makes an important contribution to securing Germany’s mobile telecom networks.” The endorsement removes a significant barrier for mobile network operators (MNOs) that must now prove their vendors meet these standards before deployment. For Mavenir, this translates into a clear first-mover advantage in one of the world’s most security-conscious telecom markets.

Mavenir’s ascendancy is rooted in its software-centric, cloud-native approach. Unlike legacy hardware vendors, Mavenir builds network functions as containerized microservices designed to run on generic cloud infrastructure. This architecture inherently aligns with the NESAS process, which scrutinizes secure development, testing, and patching workflows. Omar Shahdad, Mavenir’s SVP of Operations, noted that the certification validates the company’s ability to meet “the most rigorous national cybersecurity standards” while delivering industry-leading 5G software. The achievement also answers lingering questions about whether virtualized, software-only cores could satisfy state-level security regimes—a doubt that has slowed cloud adoption in critical telecom environments.

The certificate currently covers only the NRF, but Mavenir is racing to complete certification for its full Packet Core and IP Multimedia Subsystem (IMS) portfolio by the end of Q3 2026. That timeline is ambitious but critical: competitors such as Ericsson, Nokia, and emerging Open RAN players will view the NRF certification as a template and accelerate their own applications. The gap between Mavenir’s first-mover status and its full-portfolio coverage represents both a window of competitive differentiation and a risk if delays emerge. Should Mavenir meet its Q3 target, it will become the only major software vendor with a completely certified 5G core suite under Germany’s rules, potentially locking in operator relationships for years.

Beyond Germany, the implications ripple outward. The European Commission’s 5G Cybersecurity Toolbox has urged member states to impose stricter requirements on equipment vendors, and the BSI NESAS model is viewed as a benchmark. Countries such as France, Italy, and the Netherlands have been monitoring Germany’s implementation closely. A BSI certificate could therefore serve as a passport for Mavenir to other European tenders, reducing duplicative audits and lowering time-to-market. For operators, choosing pre-certified software becomes not just a compliance exercise but a strategic risk-management decision.

What to Watch

However, the certification process is neither trivial nor cheap. NESAS requires two separate evaluations: an ISO/IEC 17065-accredited security evaluation of the product based on defined security assurance specifications, and an audit of the vendor’s development and lifecycle processes against GSMA’s Network Equipment Security Assurance Group requirements. The timeline from application to approval can extend over a year, and marginal costs for smaller vendors may be prohibitive. This dynamic could concentrate the 5G software supply around a handful of well-resourced players, fundamentally reshaping the competitive landscape.

Looking ahead, Mavenir’s certification likely serves as a bellwether. As national cybersecurity authorities raise the bar, software-only network function providers will be pressured to obtain similar credentials. The NESAS framework, initially developed by industry bodies, is now being weaponized by regulators to enforce security by design. For Mavenir, the immediate task is execution: completing the certification of its remaining portfolio on schedule. For the broader industry, this moment reinforces that in the 5G era, security compliance is no longer a feature—it is a prerequisite to market access.

Timeline

Timeline

  1. Mandatory NESAS Certification Effective

  2. NRF Certification Announcement

  3. Full Portfolio Certification Target

Sources

Sources

Based on 2 source articles

Related Stories

Regulation

60% of Australian agencies keep AI use secret, stoking government cyber risk

Failure to disclose how agencies deploy AI creates opaque digital environments where security vulnerabilities, algorithmic manipulation and data‑poisoning risks go unchecked. The transparency fiasco exposes weak internal governance and signals a larger attack surface for adversarial AI exploits.

Regulation

US Blocks Anthropic's AI After 'Jailbreak' Claim—3-Day-Old Model Offline

A U.S. export control order grounded in an alleged jailbreak forced Anthropic to suspend its most capable AI models, spotlighting the delicate balance between AI safety, national security, and offensive cyber capabilities.

Regulation

US forces Anthropic to disable 2 AI models over jailbreak that exposed software flaws

The U.S. government’s unprecedented export control order on Anthropic’s Fable 5 and Mythos 5 models highlights a new frontier in cybersecurity: direct restriction of AI tools capable of vulnerability discovery. This raises critical questions for researchers about the balance between national security and the open research needed to harden global software.

Regulation

Fable 5 & Mythos 5 Offline: Export Controls Hit AI Cybersecurity Models

Cybersecurity fears that prompted Anthropic to restrict Mythos 5 now collide with export controls, forcing both models offline. The move aims to prevent foreign exploitation of advanced AI capabilities.

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.

Signal on this pageWhat it tells you
Verified by N sourcesIndependent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly.
Impact score (1-10)Regulatory + financial + operational weight. 8+ signals an experienced-operator action item.
SentimentFive-tier classification trained on labeled cybersecurity-specific corpora.
TimelineWhere applicable, the related-events sequence that contextualizes today's development.