Online Features & Multiplayer Servers: Your CRA Game Plan

Got online leaderboards, multiplayer battles, or server-side game logic? The EU Cyber Resilience Act (CRA) has something to say about how you secure these aspects of your game.

Your Game and Its Connections

If your game connects to a device or network, it's a "product with digital elements" (PDE) (Article 3, Point 1). Online features inherently mean connections.

Securing Remote Data Processing

The CRA specifically includes "remote data processing solutions" in its scope if they are designed and developed by or on behalf of the game manufacturer and are essential for the game to perform one of its functions (Article 3, Point 2). This means the backend servers and services you run for:

  • Multiplayer gameplay: Handling game state, player interactions.
  • Authentication: Verifying player identities.
  • Cloud saves: Storing player progress.
  • Matchmaking: Connecting players.

These backend systems need to be designed and developed with security in mind, just like your client-side game code, to meet the CRA's essential cybersecurity requirements (Annex I). This includes protecting data confidentiality and integrity, ensuring availability, and preventing unauthorized access.

Due Diligence for Third-Party Services

If you are using third-party services for parts of your online infrastructure (e.g., a BaaS provider, dedicated server hosting), remember your due diligence obligations (Article 13, Paragraph 5). You are still responsible for the overall security of your game as experienced by the player. Choose reputable providers and understand their security practices.

Vulnerability Handling for Servers

Your vulnerability handling processes must cover your server-side software too (Annex I, Part II). If a vulnerability is found in your server code that could impact players, you need to address it promptly.

Key Takeaway

The CRA extends to the servers and backend systems that power your game's online features if you (the manufacturer) are responsible for their design and development. Secure design, development, and ongoing vulnerability management are required for both your game client and these critical remote data processing solutions.