
Six frameworks. All active. All requiring evidence simultaneously.
NIS2. EU CRA. GSMA NESAS. ETSI EN 303 645. 3GPP SA3. IEC 62443. X-DLM™ produces evidence for all of them from one governed Black Duck + Siemens Polarion workflow.
Active regulatory frameworks for telecom software
NIS2 — Directive (EU) 2022/2555
In force — national transposition ongoing, enforcement active 2026Article 21 — Supply chain security measures for Essential Entities
NIS2 classifies telecom operators and their software suppliers as Essential Entities under Annex I (digital infrastructure). Article 21 requires documented supply chain security measures including policies on the use of software, security in supplier relations, and vulnerability handling practices. Article 23 requires 24-hour early warning, 72-hour incident notification, and 30-day final report for significant cybersecurity incidents. Article 32 holds management bodies personally accountable and allows temporary executive bans for persistent non-conformity. Penalties under Article 34: up to €10 million or 2% of global annual turnover, whichever is higher. X-DLM™ produces continuous Article 21 supply chain evidence and Article 23 incident response documentation from one Polarion-governed workflow. Source: NIS2 Directive (EU) 2022/2555.
EU CRA — Regulation (EU) 2024/2847
Vulnerability reporting: September 11, 2026 · Full enforcement: December 11, 2027Machine-readable SBOM and 24-hour exploited vulnerability reporting for telecom software Products with Digital Elements
EU CRA applies to telecom equipment software, OSS/BSS platforms, network management software, and private 5G infrastructure software placed on the EU market as Products with Digital Elements under Annex I and II. From September 11, 2026, actively exploited vulnerabilities must be reported to ENISA within 24 hours, early warning within 72 hours, final report within 14 days. From December 11, 2027, full conformity is required including machine-readable SBOM in SPDX or CycloneDX format, vulnerability handling processes, and technical documentation. Penalties: 2.5% of global annual turnover or €15 million — plus EU market exclusion. X-DLM™ produces CRA-compliant SBOM continuously and manages exploited vulnerability ENISA reporting timelines in Polarion. Source: EU CRA Regulation (EU) 2024/2847, Articles 13–14, 52.
GSMA NESAS 2.0
Ongoing — operator qualification criterion for major network vendorsProduct Development & Lifecycle Management Process Audit — 20 security requirements
GSMA NESAS (Network Equipment Security Assurance Scheme), jointly defined by 3GPP and GSMA, evaluates network equipment vendors against 20 defined security requirements in a Product Development & Lifecycle Management Process Audit. Requirements include: software composition management, vulnerability handling process, secure coding standards, change control documentation, and security testing evidence. NESAS conformity is a vendor qualification criterion for major operators including Ericsson, Nokia, Vodafone, and Deutsche Telekom. Siemens Polarion provides the lifecycle system of record that NESAS auditors are trained to evaluate. X-DLM™ connects Black Duck SCA findings into the same governance trail, producing NESAS-evidenceable supply chain documentation continuously.
ETSI EN 303 645
Active — cybersecurity requirements for consumer and enterprise telecom equipmentCybersecurity provisions for consumer IoT and enterprise network equipment
ETSI EN 303 645 establishes cybersecurity provisions for consumer IoT — directly applicable to private 5G equipment, enterprise network devices, and connected telecom infrastructure sold in EU and UK markets. Requirements include: no universal default passwords, implement a means to manage reports of vulnerabilities, keep software updated, securely store credentials, communicate securely, minimise exposed attack surfaces, ensure software integrity, ensure personal data is secure, make systems resilient to outages, examine system telemetry data, and make it easy for users to delete personal data. Black Duck governs open-source vulnerability exposure against ETSI EN 303 645 security requirements. X-DLM™ routes compliance findings through Polarion. Source: ETSI EN 303 645 v2.1.1.
3GPP SA3 Security Specifications
Ongoing — cybersecurity specifications for 5G network softwareSecurity architecture and authentication specifications for 5G RAN and core software
3GPP SA3 (Security Working Group) defines the cybersecurity specifications for 5G networks including: 3GPP TS 33.501 (5G security architecture), 3GPP TS 33.511–33.519 (Security Assurance Specifications for 5G network functions), and SCAS (Security Characteristics and Test Specifications). Telecom software companies producing 5G RAN, core network, and network management software must demonstrate conformity with applicable 3GPP SA3 security specifications in operator qualification processes. Siemens Polarion governs requirements traceability to 3GPP SA3 security specifications. Black Duck identifies open-source vulnerabilities in 5G software stacks with specific SA3 security relevance. X-DLM™ connects both.
IEC 62443
Active — industrial cybersecurity standard for telecom OT and network infrastructureSecurity for industrial automation and control systems — applicable to telecom network infrastructure
IEC 62443 (Industrial Automation and Control Systems Security) applies to private 5G deployments, network management systems, and telecom OT infrastructure. IEC 62443-4-1 defines security requirements for product development lifecycle. IEC 62443-4-2 defines technical security requirements for network components. EU CRA cites IEC 62443 as a baseline standard for demonstrating conformity. Siemens Polarion governs IEC 62443-4-1 product development lifecycle documentation. Black Duck governs open-source component security against IEC 62443-4-2 component requirements. X-DLM™ produces unified IEC 62443 lifecycle and component evidence from one workflow.
X-DLM™ evidence mapping for telecom
NIS2 Article 21 — continuous supply chain risk management documentation in Polarion. EU CRA — machine-readable SBOM in SPDX/CycloneDX with ENISA exploited vulnerability reporting timeline management. GSMA NESAS — lifecycle documentation for 20 audit requirements in Polarion. ETSI EN 303 645 — open-source vulnerability governance against EN 303 645 provisions. 3GPP SA3 — requirements traceability to security specifications in Polarion. IEC 62443 — product development lifecycle and component security evidence. All from the same Black Duck + Siemens Polarion + X-DLM™ workflow.