Age Ratings, Parental Controls, and the CRA in Games

Age ratings (like PEGI or ESRB) and parental controls are primarily about content suitability and child safety, not typically cybersecurity in the direct sense covered by the EU Cyber Resilience Act (CRA). However, the security of the systems that implement parental controls or manage age-related access can fall under the CRA's purview.

CRA's Focus: Security of Digital Elements

The CRA is about ensuring your game—a "product with digital elements" (PDE)—is secure (Article 1). This includes how it protects data and prevents unauthorized access or manipulation (Annex I, Part I).

Where CRA Meets Parental Controls

If your game includes parental control features, consider these aspects:

  • Security of Control Mechanisms: The mechanisms that manage parental controls (e.g., PINs, account linking, settings) must be secure. If these can be easily bypassed due to a vulnerability, the control itself is ineffective. The CRA requires protection from unauthorized access by appropriate control mechanisms (Annex I, Part I, Point 2d).
  • Data Protection for Child-Related Settings: If parental controls involve storing or processing data related to a child’s access or restrictions, that data needs to be protected according to the CRA's requirements for confidentiality and integrity (Annex I, Part I, Point 2e, 2f). This is in addition to GDPR requirements if personal data is involved.
  • Secure by Default: While not specific to parental controls, the "secure by default" principle (Annex I, Part I, Point 2b) means your game should ship with reasonable security settings. If parental controls are a feature, their default state and ease of setup should contribute to a secure environment once they are activated.

Age Ratings and CRA

Age rating systems themselves are generally outside the CRA's direct scope, as they assess content. However, if your game connects to an online service to verify age or apply age-gated content, the security of that connection and data handling would be relevant under the CRA.

Important Products

Notably, "Internet connected toys...that have social interactive features...or that have location tracking features" and "personal wearable products...intended for the use by and for children" are listed as Important Products (Class I) under Annex III. This means they have more stringent conformity assessment requirements. While not all games are toys, games heavily targeted at young children with such features might warrant closer scrutiny of their overall security design, including how parental oversight features are secured.

Key Takeaway

While age ratings focus on content, the CRA applies to the security of any systems within your game that manage parental controls or age-related access. Ensure these mechanisms are robust against unauthorized access or manipulation.