Communicating Security Info to Game Users: Annex II for Games
The EU Cyber Resilience Act (CRA) isn't just about building secure games; it's also about being transparent with your players regarding security. Annex II of the CRA outlines the information manufacturers must provide to users. For game developers, this means clear communication.
What Your Players Need to Know (Annex II Overview)
Think of this as the security section of your game's manual or support page. Key items you will need to communicate include:
- Manufacturer Details (Item 1): Your name, registered trade name/trademark, postal address, email/digital contact, and website. Players need to know who made the game.
- Single Point of Contact for Vulnerabilities (Item 2): Where can players or security researchers report a vulnerability they found in your game? This should also point to your coordinated vulnerability disclosure policy.
- Product Identification (Item 3): Game name, type, version number – so everyone knows which specific product is being referred to.
- Intended Purpose & Security Properties (Item 4): What is the game supposed to do, and what are its key security features? For example, "Online multiplayer shooter with end-to-end encrypted chat."
- Known Cybersecurity Risks (Item 5): Any known or foreseeable cybersecurity risks associated with using the game (e.g., "Using public Wi-Fi for online play may carry risks if not secured with a VPN").
- Link to EU Declaration of Conformity (DoC) (Item 6): If applicable, the web address where your game's DoC can be found.
- Security Support and End Date (Item 7): What kind of security support do you offer (e.g., patches for critical vulnerabilities)? Crucially, the end date of the support period, during which vulnerabilities will be handled and security updates provided, must be clearly stated (Article 13, Paragraph 19).