
Cloud Gaming, Streaming Services, and CRA Implications for Your Game

Cloud gaming and game streaming services (like GeForce Now, Xbox Cloud Gaming, or PlayStation Plus Premium) are changing how players access games. If your game is available on these platforms, what does the EU Cyber Resilience Act (CRA) mean for you, the game developer?

Who is the "Manufacturer"?

This is the crucial question. The CRA places primary obligations on the "manufacturer" of the "product with digital elements" (PDE) (Article 13).

  • Your Game is Still Your PDE: Even when streamed, the game software itself is your product. You are responsible for its inherent security, including designing it to be secure and handling its vulnerabilities as per Annex I. The way your game is delivered (streamed vs. locally installed) does not negate your obligations for the security of the game code itself.

  • The Streaming Platform as a Separate Entity: The cloud gaming platform (the infrastructure, the streaming client software they provide, their servers) is a service provided by another entity (e.g., Nvidia, Microsoft, Sony). That platform provider has its own obligations regarding the security of its service and software components. For instance, Directive (EU) 2022/2555 (the NIS2 Directive) might apply to them as providers of digital services.

CRA Implications for Your Game on Streaming Platforms

  1. Secure Design of Your Game: Your game must still meet the essential cybersecurity requirements of Annex I, Part I. This includes secure coding practices, protection against known vulnerabilities in your code, and secure handling of any data your game processes locally, even if that "local" environment is a virtual machine in the cloud.
  2. Vulnerability Handling for Your Game: You are still responsible for the vulnerability handling requirements in Annex I, Part II for your game software. If a vulnerability is discovered in your game code, you need to address it, create a patch, and communicate it. How that patch is then deployed on the streaming platform might involve coordination with the platform provider.
  3. Remote Data Processing by You: If your game, even when streamed, connects to your own backend servers for features like accounts, multiplayer, or cloud saves (distinct from the streaming platform's infrastructure), then those remote data processing solutions fall under your CRA obligations (Article 3, Point 2).

Interaction with Platform Security

The streaming service is responsible for securing the streaming environment itself. However, a vulnerability in your game could potentially still be exploited within that environment. Your game should not introduce risks to the platform or other users due to its own insecurities.

Key Takeaway

As a game developer, you remain the CRA "manufacturer" for your game software, even when it's delivered via a cloud gaming service. You are responsible for its inherent security and vulnerability management. The platform provider is responsible for the security of their streaming service and infrastructure.