Hello everyone.
Does anyone know something about the EU Cyber Resilience Act and how to comply when building games with Unity? In particular a single-player mobile game, free to play, with no in-app purchases?
Thank you.
Based on the following articles, it sounds like video games fall under the non-critical status, which means verifying yourself that there are no security vulnerabilities and reporting them if they do occur. With single-player games I would think that’s just tracking whether Unity has found any vulnerabilities, applying any patches from them and passing the info along to the EU.
I’m working with the Linux Foundation and the Open Source Security Foundation (OpenSSF) to understand the EU Cyber Resilience Act (CRA). Here’s an aggregated page for information: EU Cyber Resilience Act – Open Source Security Foundation
In short, the EU CRA regulates any product with digital elements, including software-only products like games. The complexity of implementation will vary based on the product’s risk level.
The CRA defines a ‘manufacturer’ as
(13) ‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;
It’s important to note that offering a product free of charge does not change the obligations under the CRA. While there are many nuances, game developers may generally need to understand the essential cybersecurity requirements outlined here (Annex I): Regulation - 2024/2847 - EN - EUR-Lex and how they apply to their games.
I’m currently trying to better understand the specific needs for EU CRA compliance within the game development domain. Let me know if you need further guidance.
Thank you, ChatGPT. Seriously though, just in case this is a human: your post has very common GPTisms in it.
No ChatGPT, I’m actively working on the EU CRA implications. Here is my talk about risk assessments:
I use Generative AI to fix typos and linguistic culprits as English is my second language.
And yes, I’m offering help, a conversation or anything to help you and understand the needs.
Hi again, I’m just dropping more details on the EU CRA and the conformity assessment here:
We now know that the EU CRA regulates all products with digital elements that are not already regulated by other legislations like: Medical Devices, In-Vitro Diagnostics, Aviation, Motor Vehicles, and Machinery.
Software-only products, here especially Games, are also a “product with digital elements.”
The CRA defines a manufacturer as the entity introducing the product to the EU market linked to any monetary compensation or linkage to monetary business. This includes service fees, paid licenses, embedded Ads, or support through paid support channels.
Not in scope are cloud-only services that don’t come with any shippable product. Think of Hero Wars as a web-based game accessed through a web browser. But the Hero Wars installable apps are again regulated.
For this context here, we can just assume that you’re not publishing important or critical software products, as they have a much higher bar to conduct the conformity assessment.
Example default cybersecurity category games are:
All installed mobile games and client-installed games. I’m not completely sure, but I would even consider games for closed ecosystems like Switch, PlayStation or Xbox as being regulated.
What you should also understand here is that not only the final game is an EU CRA-regulated product, but also your library, engine or any kind of software component that you sell for a license or charge fees for professional services.
For those kinds of games or game components you have to fulfil specific obligations:
- Define the intended purpose, the intentional use, and the reasonable foreseeable misuse. This isn’t just about what you design your game or component to do, but also how users might reasonably try to use it in ways you didn’t intend, or even misuse it.
- Conduct a cybersecurity risk assessment for the intended purpose, use, and foreseeable misuse. This needs to be an ongoing process; you’ll need to continuously monitor and update this risk assessment, as it’s definitely not a one-and-done thing.
- Justify the applicability or non-applicability of the essential cybersecurity requirements from EU CRA Annex I based on your risk assessment and implement applicable requirements.
- Provide security updates free of charge for the expected lifetime of the game, but at least 5 years if the expected lifetime isn’t reasonably shorter (think disposable games: promotion / ad game only published for a short term event).
- You need to clearly communicate the impact of security updates, the solved vulnerabilities and how you addressed them.
- You need to clearly communicate the end of support.
- Create an internal (not public) technical documentation in compliance with EU CRA Annex VII. This includes a Software Bill of Materials (SBOM) listing all components, even third-party and open-source ones, and any known vulnerabilities associated with them. It also includes documented design, development, and cybersecurity assurance of your game.
- Create user instructions that clearly outline how to securely set up and use the game or component and make them available with your game or component.
- Actively report exploited vulnerabilities to national authorities in the EU within 24 hours of becoming aware of them. If you identify a severe incident, that needs reporting too. You need a “Vulnerability Disclosure Policy”.
- Issue a Declaration of Conformity with the minimum required information in compliance with https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng#anx_V. This basically means you’ve checked all the boxes and your product meets the CRA requirements.
- Label your game or component with a CE marking.
Now you’ve done everything you need to do to continue shipping your game into the European Market. But be aware that the market surveillance authorities are allowed and are encouraged to request the technical documentation and the conformity assessment for your game.
PS: If the cybersecurity of your game depends on remote data processing (aka SaaS / cloud) that you host, you need to include this SaaS/cloud solution in the obligations above. Think of update distribution, anti-fraud techniques or secure user data storage and end-to-end encryption between game and cloud.
I hope it helps!
Sounds reasonable even for indies. Seems like most of those points can be covered by a premade form filled out. Regarding the security aspects, it’s really in your own best interest not to be too sloppy.
This is something that has also been on my mind. According to what I’ve read, software that handles sensitive data or poses security issues is the primary target of the CRA. There shouldn’t be many issues with a straightforward single-player mobile game, particularly if it doesn’t gather user data. However, more precise instructions from Unity would undoubtedly be beneficial.