Does the EU Cyber Resilience Act apply to video games?
Yes — the Commission's own guidance names computer games among products subject to the CRA. A game sold on Steam, Epic, GOG or itch.io to EU players is a commercial product with digital elements, regardless of studio size or where the studio is based.
What this means for you specifically
- Multiplayer/network code, embedded web views, mod loaders and anti-cheat components are your highest-risk attack surface — document them in the risk assessment.
- Game engines and middleware (Unity, Unreal, FMOD, Wwise…) are components in your SBOM; engine CVEs propagate to every game that embeds them.
- Free demos and early-access builds distributed to EU players count as making available on the market when part of commercial activity.
- Live-service games have it easier for updates (you already patch constantly); premium single-release games must still honour a support period for security fixes.
The pitfall that catches most teams
Shipping and abandoning. 'We released it in 2027 and moved on' violates the support-period obligation if an exploitable CVE surfaces in year two.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.