Game Assets & Third-Party Libraries: CRA Due Diligence

Modern game development rarely happens in a vacuum. You are likely using assets from stores, third-party libraries for specific functionality (such as networking or physics), or various SDKs. The EU Cyber Resilience Act (CRA) expects you to manage the risk these components introduce.

Your Due Diligence Obligation

As a game developer (the "manufacturer" under the CRA), you are responsible for the overall cybersecurity of your game. This includes any components you integrate, even if you did not create them yourself (Article 13, Paragraph 5).

The CRA states that manufacturers must "exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements". This applies to:

  • Graphical assets that might contain malicious scripts.
  • Audio libraries.
  • Networking libraries.
  • Analytics SDKs.
  • Ad network SDKs.
  • Any paid or free open-source libraries.

What Due Diligence Looks Like

This does not mean you need to personally audit every line of code in every asset or library. However, you should:

  1. Source Reasonably: Prefer reputable sources for assets and libraries.
  2. Stay Updated: Keep track of known vulnerabilities in the libraries you use. The CRA emphasizes identifying and documenting components, including drawing up a Software Bill of Materials (SBOM) (Annex I, Part II, Point 1). An SBOM helps track dependencies.
  3. Assess Risk: Consider the permissions a library requests and the data it accesses. Does it need that much access?
  4. Isolate and Test: Where feasible, test new components in an isolated environment.
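The "Stay Updated" step above is easier to do when the SBOM is machine-readable. The following is an added example (not code from the original page or from any CRA guidance) that loads a small CycloneDX-style SBOM and checks each component against an advisory list; the SBOM contents, component names, versions and advisory identifiers are all constructed placeholders for a hypothetical game project.

```python
import json

# Constructed SBOM in a CycloneDX-style shape. Component names, versions and
# package URLs are placeholders for a hypothetical game project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-netlib", "version": "2.3.1",
     "purl": "pkg:generic/example-netlib@2.3.1"},
    {"type": "library", "name": "example-physics", "version": "1.0.4",
     "purl": "pkg:generic/example-physics@1.0.4"},
    {"type": "library", "name": "example-ads-sdk", "version": "5.2.0",
     "purl": "pkg:generic/example-ads-sdk@5.2.0"}
  ]
}
"""

# Constructed advisory feed. Each entry covers versions from "introduced"
# (inclusive) up to "fixed" (exclusive). Advisory ids are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-netlib",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-physics",
     "introduced": "1.1.0", "fixed": "1.1.3"},
]


def parse_version(version):
    """Turn a dotted numeric version like '2.3.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed release is safe)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Cross-check every SBOM component against the advisory list."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(
                comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(update to {f['fixed_in']} or later)")
```

Only example-netlib 2.3.1 is reported; example-physics 1.0.4 sits below the affected range and the ads SDK has no advisory, so the output is the list of components that need remediation, which is the input to the reporting and remediation steps described below.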

Vulnerabilities in Components

If you discover a vulnerability in a third-party component used in your game, the CRA expects you to report it to the entity manufacturing or maintaining that component. You also need to address and remediate the vulnerability in your game (Article 13, Paragraph 6).

Key Takeaway

Using third-party assets and libraries is standard in game development, but under the CRA, you must perform due diligence. Understand what you are integrating, keep components updated, and be prepared to manage vulnerabilities originating from these external sources as they affect your game.