Cybersecurity Baseline for Marketplace Sellers and Digital Products
Version: 2.0 Last changed: May 2026
Marketplace Seller must take appropriate organizational and technical measures to ensure the confidentiality, authenticity, integrity and availability of its operations, products and services. These measures shall be consistent with applicable laws and regulations, such as the EU Cyber Resilience Act (CRA) or the Network and Information Security Directive 2 (NIS2), as well as with good industry practice, and shall include an appropriate information security management system consistent with standards such as ISO/IEC 27001 or IEC 62443 (to the extent applicable).
"Operations" shall include all assets, processes and systems (including information systems), data (including Customer data), personnel, and sites, used or processed by Marketplace Seller.
Should products or services contain software, firmware, chipsets, integrated circuits or generic functional blocks ("Digital Products"):
Marketplace Seller shall comply with safe and secure, state-of-the-art development methods, including secure coding standards (such as OWASP standards, the NIST Secure Software Development Framework (SP 800-218) or similar) and the corresponding checks, code reviews, and threat and risk analysis.
Marketplace Seller shall ensure that Digital Products are designed, developed and produced in such a way that they provide an appropriate level of cybersecurity based on the risks, including the minimization of negative impact on the availability of other products, connected devices or services.
Marketplace Seller shall ensure that Digital Products are made available with a secure-by-default configuration, including secure data transfer and the possibility to reset the product to its original state with secure and permanent removal of all data and settings.
Marketplace Seller shall ensure that Digital Products provide security-related information by recording and monitoring relevant internal activity, including access to or modification of data, services or functions, with an option to disable this feature.
During the whole lifecycle of a Digital Product (including but not limited to design, development, production, delivery and maintenance), Marketplace Seller shall implement and maintain appropriate standards, processes and methods to prevent, identify, evaluate and repair any vulnerabilities, malicious code, and security incidents in the Digital Product in line with good industry practice and standards.
Marketplace Seller shall continue to support and provide services to repair, update, upgrade and maintain Digital Products including the provision of patches to Customer remedying vulnerabilities and other cybersecurity risks for the expected use time of the Digital Products.
Marketplace Seller shall provide to Customer or Siemens on request a software bill of materials, preferably in a commonly used and machine-readable format (e.g., CycloneDX version ≥ 1.4 or equivalent), and a bill of materials, both identifying the Digital Products, including all third-party Digital Products. The Digital Products shall contain all necessary security updates at the time of delivery to Customer.
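The following script is an added illustration of what a receiving party can check mechanically when an SBOM in the CycloneDX JSON format named above is delivered; it is not part of this baseline and not Siemens tooling. It verifies the minimum a customer needs to act on the clause: a `specVersion` of 1.4 or higher, a `metadata.component` that identifies the delivered product and version, and a name, a version and a resolvable identifier (purl, CPE or hash) for every listed component. The sample SBOM, its component entries and the placeholder hash are constructed for this example and do not describe any real product.

```python
"""Minimum-completeness check for a CycloneDX JSON SBOM (added example)."""
import hashlib
import json

MIN_SPEC_VERSION = (1, 4)              # "CycloneDX version >= 1.4" from the clause
IDENTIFIERS = ("purl", "cpe", "hashes")  # any one of these lets a component be matched


def parse_spec_version(text):
    """'1.5' -> (1, 5); raise ValueError on anything that is not major.minor."""
    parts = text.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable specVersion {text!r}")
    return int(parts[0]), int(parts[1])


def check_component(comp, idx):
    """Return findings for one component entry (empty list if acceptable)."""
    label = comp.get("name") or f"component #{idx}"
    findings = []
    if not comp.get("name"):
        findings.append(f"{label}: missing name")
    if not comp.get("version"):
        findings.append(f"{label}: missing version, cannot be matched to advisories")
    if not any(comp.get(key) for key in IDENTIFIERS):
        findings.append(f"{label}: no purl, cpe or hash, identity cannot be verified")
    return findings


def check_sbom(text):
    """Validate an SBOM document; returns {'ok': bool, 'findings': [str, ...]}."""
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "findings": [f"not valid JSON: {exc}"]}
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    try:
        if parse_spec_version(str(bom.get("specVersion", ""))) < MIN_SPEC_VERSION:
            findings.append(f"specVersion {bom['specVersion']} is below 1.4")
    except ValueError as exc:
        findings.append(str(exc))
    # metadata.component is the product the SBOM describes; without name and
    # version the customer cannot tell which delivery the list belongs to.
    product = (bom.get("metadata") or {}).get("component") or {}
    if not (product.get("name") and product.get("version")):
        findings.append("metadata.component does not identify the delivered product and version")
    components = bom.get("components") or []
    if not components:
        findings.append("no components listed, third-party content cannot be assessed")
    for idx, comp in enumerate(components):
        findings.extend(check_component(comp, idx))
    return {"ok": not findings, "findings": findings}


def placeholder_digest(label):
    """Constructed stand-in for the SHA-256 of a shipped artifact (sample data only)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample SBOM; product, components and digests are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-gateway-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1",
         "hashes": [{"alg": "SHA-256", "content": placeholder_digest("zlib-1.3.1")}]},
        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "jsmn"},   # no version, no identifier: should be flagged
    ],
})

if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    print("ok" if result["ok"] else "incomplete")
    for finding in result["findings"]:
        print(" -", finding)
```

The check is deliberately format-level only: it confirms the document is usable, not that the list is truthful. Whether every third-party component actually present in the delivered build appears in the SBOM can only be established by comparing it against the build's own dependency resolution or a binary scan of the artifact.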
Marketplace Seller shall grant to Customer and Siemens the right, but Customer and Siemens shall not be obliged, to test or have tested products for malicious code and vulnerabilities at any time, and shall adequately support Customer and Siemens.
Upon request of Customer or Siemens, Marketplace Seller shall promptly provide to Customer or Siemens all documents and information which are necessary to demonstrate the conformity of Digital Products with statutory requirements.
For integrity reasons, Marketplace Seller shall ensure that all software-related components provided to Customer are digitally signed.
Should products or services include, or be developed with the help of, artificial intelligence ("AI"), the following shall apply, consistent with good industry practice (e.g. the NIST Artificial Intelligence Risk Management Framework, OWASP Top 10 for Large Language Model Applications):
Unless Customer has consented, Marketplace Seller shall ensure that Customer data is not used as training data for such AI technologies.
Marketplace Seller shall ensure that any input to or output of such AI is treated as confidential.
Marketplace Seller shall provide Customer any information and documentation in connection with the use of AI if requested.
Marketplace Seller shall provide Customer and Siemens a contact for all cybersecurity-related issues (available during business hours).
Marketplace Seller shall promptly, and preferably in a structured and machine-readable format, notify Customer and the following Siemens Cybersecurity contact of all relevant cyber threats, incidents that have occurred or are suspected, and vulnerabilities discovered and/or actively exploited in any of its operations, products and services, if and to the extent Customer is or is likely to be materially affected: https://www.siemens.com/en-us/content/cert-services. The notification shall contain any information reasonably required to assess the impact and to enable Customer to comply with its statutory obligations. The notification shall be made before any public disclosure of fixed vulnerabilities, allowing Customer reasonable time to implement security updates or remediation measures.
Marketplace Seller shall take appropriate measures to achieve that its subcontractors and suppliers shall, within a reasonable time, be bound by obligations similar to the provisions of this section.
Upon request of Customer or Siemens, Marketplace Seller shall provide written evidence of its compliance with this section. Such evidence may include generally accepted audit reports (e.g. SSAE-18 SOC 2 Type II) and/or recognized certifications (e.g. ISO/IEC 27001:2022). If such evidence is not available, Marketplace Seller shall provide equivalent information by completing questionnaires requested by Customer or Siemens within a reasonable timeframe.
Marketplace Seller shall comply with the regulations set out in the "Siemens Cybersecurity Rules for Business Partners" to ensure secure access to systems and data provided by Siemens, secure communication and collaboration with Siemens personnel as well as proper handling of confidential information and documents being exchanged: https://www.siemens.com/en-us/company/about/supply-chain-management/siemens-collaboration.
Siemens may, but shall not be obliged to, assess the cybersecurity posture of Marketplace Seller by means of publicly available information and/or information requested from and provided by Marketplace Seller. If Siemens provides the results of such an assessment, Marketplace Seller shall evaluate and resolve any issues identified and report the status of mitigation to Siemens without undue delay.
Violation of the requirements set forth in this section and/or results of cybersecurity posture assessment may result in contract termination and offboarding of the Marketplace Seller from Xcelerator Marketplace.