Game Engines and the CRA: Unity, Unreal, Godot & Custom Builds
Game engines are the backbone of modern game development. Whether you are using Unity, Unreal Engine, Godot, or your own custom-built engine, the EU Cyber Resilience Act (CRA) has implications.
Engines as Products
If a game engine is sold or licensed as a standalone product in the EU (think of paid versions of Unity or Unreal, or a custom engine you sell to other developers), then the engine itself is a "product with digital elements" (PDE) under the CRA (Article 3, Point 1). The engine developer then has direct CRA obligations for the engine, like ensuring its security and managing vulnerabilities.
Your Responsibility with Any Engine
Even if you're using a free engine like Godot, or a free tier of Unity/Unreal, your game built with that engine is still your PDE. You, the game developer, are the "manufacturer" of the game.
The CRA requires manufacturers to exercise due diligence when integrating components sourced from third parties, which includes game engines (Article 13, Paragraph 5). This means you need to consider the security of the engine as a component of your game. You are responsible for the overall security of the game you place on the market.
Custom Engines
If you have developed your own custom engine for your game, you are responsible for the security of that engine as an integral part of your game product. The CRA's essential cybersecurity requirements regarding secure design, development, and vulnerability handling apply directly to your entire codebase, engine included (Annex I).
Vulnerability Management
If a vulnerability is found in an engine you use, and it affects your game, you will need to address it as part of your vulnerability handling obligations under the CRA (Article 13, Paragraph 6; Annex I, Part II). This might involve applying patches from the engine provider or implementing your own mitigations.
Key Takeaway
Regardless of the engine used, game developers are responsible for the CRA compliance of the games they release. If you use a third-party engine, exercise due diligence. If it is custom, you own its security. If an engine is sold as a product, it also falls under the CRA directly.