Is Your Game, App, or Software Eligible for Self-Assessment?

The good news for many developers of games, apps, and non-critical software components is that the Cyber Resilience Act (CRA) often allows for self-assessment of conformity. This is done using the "internal control" procedure, known as Module A.

The General Rule: Self-Assessment is Standard

According to Recital 91, conformity assessment for products with digital elements that are not listed as "important" or "critical" can be carried out by you, the manufacturer, under your own steam using Module A. This means if your game, utility app, or non-critical paid library doesn't have high-risk functionalities as defined by the CRA, self-assessment is likely your path. Article 32, Paragraph 1, lists internal control (Module A) as one of the primary procedures manufacturers can use.

When Self-Assessment Isn't Enough

Self-assessment is not a universal ticket. The CRA identifies specific categories of software that pose higher risks and require more stringent conformity assessment procedures, often involving third-party notified bodies:

  • Important Products with Digital Elements: These are listed in Annex III of the CRA. If your software has the core functionality of a product category in Annex III (e.g., some types of network management systems, operating systems, browsers, password managers), then self-assessment under Module A is only possible if you fully apply relevant harmonised standards, common specifications, or specific European cybersecurity certification schemes. If not, or if these don't exist, you'll generally need a third-party assessment (Article 32, Paragraph 2).
  • Critical Products with Digital Elements: These, listed in Annex IV, may eventually require mandatory European cybersecurity certification or, failing that, will follow the stricter conformity routes, similar to those for important products of Class II (Article 8; Article 32, Paragraph 4).

For the niche of games, general consumer apps, non-critical paid libraries, and game/app engines not performing functions listed in Annex III or IV, self-assessment remains the standard.

Key Takeaway

If your software product (like most games, general apps, or non-critical libraries) is not classified as an "important" (Annex III) or "critical" (Annex IV) product under the CRA, you are generally eligible to perform a self-assessment (Module A) to declare conformity.