Is Your Game a "Product with Digital Elements" Under the CRA?
Let's get straight to it. The EU Cyber Resilience Act (CRA) talks a lot about "products with digital elements" (PDEs). So, the big question is: does your game count as one?
Defining a PDE
A product with digital elements, according to the CRA, is essentially any software or hardware product and its remote data processing solutions that can connect, directly or indirectly, to a device or network (Article 3, Point 1).
Think about your game:
- Does it have online multiplayer?
- Does it connect to a server for updates or authentication?
- Does it feature in-app purchases that process online?
- Does it simply run on a PC, console, or mobile device that itself connects to the internet?
If you answered yes to pretty much any of these, then your game, whether it is a complex MMO or a simpler mobile app with an online leaderboard, is very likely a PDE.
Software and Components
The CRA clarifies that "software or hardware components being placed on the market separately" also fall under this definition (Article 3, Point 1). This means that if you are developing a game, which is software, or even a distinct software component for a game that gets distributed, it's covered. This also includes game engines or specific paid libraries if they are sold as standalone products.
Remote Data Processing
The CRA also includes "remote data processing solutions" tied to your product (Article 3, Points 1 and 2). If your game relies on a backend server you operate for critical functions (e.g., saving progress, managing user accounts), that server software is part of the PDE scope for your game.
Key Takeaway
Most games, from online AAA titles to indie games with basic connectivity, will be considered "products with digital elements" under the CRA. This means the Act's requirements for design, development, vulnerability handling, and documentation will apply.