Making mobile networks safer through NESAS

26.08.2025 10:54 AM

As 5G networks grow fast and rules around cybersecurity get stricter, it is more important than ever to make sure mobile network equipment is secure. That is where NESAS comes in. NESAS is a global system that helps check if mobile network equipment is built and tested in a secure way. 

This article will help mobile network equipment vendors and manufacturers better understand what NESAS is and why it matters. We asked Ignacio Hermosa, Brightsight’s security evaluator, to explain:

  • Who should follow NESAS and why
  • What kind of products it covers
  • What’s new in the latest version
  • How it connects with EU rules like CRA, RED, and EUCC
  • Common challenges companies face

What is NESAS?

NESAS (Network Equipment Security Assurance Scheme) is a system created by the GSMA. It helps check two main things:

  1. If the company making the equipment follows secure processes during development.
  2. If the product itself meets certain security standards.

This way, NESAS makes sure both the product and the company behind it are focused on security. It also helps everyone in the industry—network operators, equipment makers, and regulators—work with the same rules.

Who should use NESAS?

NESAS is for companies that make equipment for mobile networks, especially for 4G and 5G. It is not a legal requirement (yet), but many mobile operators already ask for NESAS checks before buying equipment. Some governments also see NESAS as a trusted standard.

For equipment vendors, following NESAS shows they take security seriously. It can also help them enter new markets faster and prepare for future cybersecurity laws.

To be NESAS-compliant, vendors need to:

  • Pass an audit of their development process (based on GSMA FS.15 and FS.16).
  • Get their product tested by an approved lab (using FS.47 and a document called SCAS).

What products does NESAS cover?

NESAS applies to many types of mobile network equipment, such as:

  • gNodeBs (gNBs) and eNodeBs
  • 5G Core Network Functions
  • Security Gateways (SEGs)
  • Other parts that handle user data or control signals

Each product type has its own SCAS (Security Assurance Specification), which lists what needs to be tested. These documents are reviewed and approved by experts and are kept up to date.

What’s new in NESAS version 3.0?

In February 2025, NESAS documents were updated to Version 3.0. Some of the key changes include:

  • Better instructions for preparing and reviewing evidence (FS.47)
  • Updated security rules for product development (FS.16)
  • Easier and clearer audit steps (FS.15 and FS.46)

These updates make the process more consistent and easier to follow. They also help NESAS stay in line with new threats and regulations.

How NESAS connects with EU rules

The EU is introducing new cybersecurity laws like the Cyber Resilience Act (CRA) and updates to the Radio Equipment Directive (RED). NESAS is not a law, but it supports these rules. For example:

  • NESAS testing methods can help meet CRA goals.
  • SCAS documents can be used as a base for future EU standards like EUCC.

So, NESAS can help vendors get ready for both global and EU markets.

Common challenges for vendors

Many companies agree with NESAS in theory, but doing it in practice can be hard. Here is why:

  • Meeting all 41 security requirements in FS.16 takes time and effort.
  • Preparing the right documents (like threat models and test results) is a big job.
  • Testing must be done by approved labs, which also have strict rules.

For new 5G products, the process can be even more complex, especially if the company does not have experience with Common Criteria or similar standards.

How Brightsight can help

To make things easier, many vendors work with trusted partners like Brightsight—an official NESAS testing lab. We help companies:

  • Understand what NESAS expects
  • Prepare for product evaluations
  • Align their documents and processes with SCAS requirements

If you want to avoid delays and mistakes, it is smart to check your readiness before starting a formal NESAS evaluation. 

Need help adding NESAS to your development process? Reach out to us. We will guide you through it to help you feel confident every step of the way.

Our decades of experience in security evaluations, combined with a deep understanding of the GSMA and 3GPP standards, enable us to navigate your challenges efficiently and effectively, and in a structured and predictable manner.

Ignacio Hermosa López, Security Evaluator at Brightsight

Ignacio is a cybersecurity engineer who graduated from Universidad Rey Juan Carlos in Madrid, Spain. He specializes in penetration testing and evaluating solutions for compliance with international security standards, helping customers strengthen their products' digital security and meet global regulatory requirements.
