X-DLM™ integration: Siemens Polarion and Black Duck for telecom software

NIS2 doesn't fail telecom audits for bad code. It fails them for missing supply chain evidence.

Telecom engineering teams are building compliant network software. They are not building compliant supply chain evidence.

NIS2 Article 21 requires documented supply chain security measures. EU CRA mandates machine-readable SBOM and vulnerability evidence for telecom software placed on the EU market. GSMA NESAS audit evaluates the product development lifecycle against 20 defined security requirements. Operator qualification RFPs now require SBOM as a condition of vendor evaluation. The evidence chain that satisfies all of these is the same chain — and it has to be built continuously, not assembled under deadline pressure.

X-DLM™ connects Black Duck's component intelligence to Siemens Polarion so that NIS2 supply chain evidence, EU CRA SBOM, and GSMA NESAS lifecycle documentation exist from the first sprint — operator-ready as you build, not assembled the week before a qualification deadline.

Lead in cybersecurity withSiemens Polarion ALM logo — lifecycle governance for telecom cybersecurity evidenceandBlack Duck logo — software composition analysis and SBOM intelligence for telecom

What NIS2 auditors and EU CRA assessors are finding in telecom software

87% of telecom codebases contain high or critical open-source vulnerabilities. NIS2 and EU CRA both require documented evidence of how you govern them.

87%

Of telecom codebases contain at least one high or critical open-source vulnerability. Every one is a potential NIS2 Article 21 supply chain risk finding or an EU CRA disclosure obligation. Source: OSSRA 2026.

20

GSMA NESAS security requirements evaluated in a Product Development & Lifecycle Management Process Audit. Requirements include software composition management, vulnerability handling, and secure development lifecycle documentation — all producible from Siemens Polarion.

317K+

Known vulnerabilities in Black Duck's knowledge base — with 63,000+ exclusive BDSA advisories covering 5G RAN software, OSS/BSS middleware, and network management CVEs not in NVD or public databases.

48h

Time to first SBOM from Black Duck integration — no pipeline rebuild required. SPDX and CycloneDX output ready for EU CRA submission, operator qualification, and GSMA NESAS evidence package immediately.

Sources: OSSRA 2026. GSMA NESAS 2.0. EU CRA Regulation (EU) 2024/2847. Black Duck BDSA product documentation.

The gap is not development quality. It is the governed evidence chain NIS2 auditors and GSMA NESAS assessors require.

01

Component intelligence across every telecom source

Black Duck scans source code, binaries, containers, firmware, 5G RAN C/C++ libraries, and AI-generated snippets — identifying every third-party component, version, license, vulnerability, and malware signal. Your NIS2 Article 21 supply chain component inventory is generated, not manually assembled.

02

NIS2 supply chain documentation — maintained, not reconstructed

Polarion links system requirements → software requirements → architecture → unit tests → integration tests → release documentation. The NIS2 supply chain evidence package is a byproduct of normal engineering activity. Not a pre-audit construction project.

03

EU CRA SBOM generation for operator and regulatory submission

Black Duck generates machine-readable SPDX and CycloneDX SBOMs aligned to EU CRA Annex I minimum elements. X-DLM™ version-controls and links each SBOM to the corresponding Polarion release record — operator-ready for every build.

04

Vulnerability response through governed Polarion workflows

Every component vulnerability, license conflict, or malware detection is routed into a Polarion work item with assigned owner, NIS2 and CRA risk classification, remediation timeline, approval chain — producing the supply chain risk management record the NIS2 auditor expects.

What the GSMA NESAS audit requires

GSMA NESAS Product Development & Lifecycle Management Process Audit evaluates 20 security requirements including: software composition management, vulnerability handling process, secure coding standards enforcement, change control documentation, and security testing evidence. Siemens Polarion provides the system of record that NESAS auditors are trained to evaluate. X-DLM™ connects Black Duck SCA intelligence into the same governance trail.

If it is not in Polarion, it did not happen.

See how Siemens Polarion and Black Duck become one governed software risk workflow

X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, and continuously maintained NIS2 evidence.

The most common engineering objections — answered

"We already have a component list in Confluence."

A list is not an SBOM. EU CRA requires machine-readable SPDX or CycloneDX format. NIS2 requires documented supply chain risk management evidence linked to vulnerability response records. Neither is satisfied by a Confluence page. Black Duck generates the SBOM. X-DLM™ maintains it through every build.

"Our vulnerability tracking is in Jira."

NIS2 Article 21 requires documented supply chain security measures with evidence of implementation. GSMA NESAS audit evaluates your vulnerability handling process with documentation. Jira issues without Polarion governance traceability are not defensible supply chain risk management evidence for either.

From component inventory to operator-ready SBOM. Without a pre-deadline sprint.

See how X-DLM™ integrates Black Duck and Siemens Polarion to automate NIS2 supply chain documentation, EU CRA SBOM generation, GSMA NESAS lifecycle evidence, and vulnerability governance — in a technical walkthrough built for telecom engineering teams.