Mavenir wins first BSI NESAS 5G Packet Core cert in Germany

Mavenir has received BSI NESAS certification for its Network Repository Function (NRF), making it the first tier-one telecoms software vendor to achieve the accreditation for a 5G Packet Core component under Germany's mandatory scheme. The certificate, awarded by the Federal Office for Information Security (BSI), confirms the NRF meets the security requirements for deployment as a critical component in public 5G mobile networks in Germany.

The certification requirement took effect on 1 January 2026 under the German Telecommunications Act (TKG) and the BSI Act (BSIG). Mavenir says it is now working to extend the accreditation across its full Packet Core and IMS portfolio, with completion targeted for Q3 2026.

The certification

BSI NESAS builds on the internationally recognised GSMA NESAS security assurance framework, but adds mandatory product security testing on top of the development and lifecycle process assessments already required under GSMA's scheme. The combined approach sets a higher bar than GSMA NESAS alone, and Germany is currently the only European country to have made NESAS-derived certification a legal prerequisite for network equipment deployment.

Fabian Hodouschek, Head of Certification at the BSI, said the certificate "confirms that Mavenir's Network Repository Function, including its development and lifecycle processes, meets the standards of the internationally recognized NESAS security framework." The NRF is the service-discovery component of a 5G standalone core, responsible for registering and locating network functions; its security posture directly affects the integrity of signalling across the entire core network.

Omar Shahdad, Senior Vice President of Operations at Mavenir, said the accreditation validates the company's commitment to software that meets "the most rigorous national cybersecurity standards" and that Mavenir is ready as European regulators raise the bar for network security.

Market context and regulatory read-across

Germany's move to legislate BSI NESAS compliance is widely seen as a template that other EU member states could follow, particularly as the European Electronic Communications Code and NIS2 Directive push member states toward tighter critical-infrastructure security obligations. The EU's 5G toolbox already recommends risk-based exclusions for high-risk vendors; mandatory certification of remaining suppliers' components is a logical next step.

For Mavenir, the timing is commercially significant. The company competes in the Open RAN and cloud-native core market alongside Ericsson, Nokia and a set of newer software-led entrants. A first-mover certification position in the German market, where operators are required to replace previously excluded vendors' equipment in core network positions, creates a procurement advantage that rivals will need to match. Named mobile operators in Germany have not yet been disclosed as deployment customers, but the certification is a necessary precondition for any compliant contract award.

Broader European certification momentum is building: ENISA has been developing a candidate European cybersecurity certification scheme for 5G networks under the EU Cybersecurity Act, and convergence with national schemes such as BSI NESAS is expected to form part of that framework. Vendors that have completed national certifications early will be better positioned to demonstrate compliance readiness once a harmonised EU scheme matures.

Mavenir says the BSI certificate for NRF version CC 24.4.2 p4 is publicly available on the BSI website. The company's full portfolio certification, if completed on schedule in Q3 2026, would allow German operators to deploy an end-to-end compliant, cloud-native 5G core from a single software vendor for the first time under the new rules.