CRA compliance for Unity and mobile games
Mobile games are doubly named in CRA guidance: as mobile apps and as games. A Unity game with EU players — even free with ads — is in scope. The Unity-specific twist is dependency opacity: much of your attack surface arrives via the engine, asset-store packages and ad-mediation SDKs.
What this means for you specifically
- Asset Store packages with native plugins are third-party components: they belong in the SBOM and need vulnerability tracking like any npm package.
- Ad mediation stacks (LevelPlay, AdMob, AppLovin…) embed many networks' SDKs at once — enumerate them; several have shipped exploitable CVEs.
- IL2CPP builds don't exempt you: compiled form does not change component obligations.
- Unity's own runtime updates matter: note the engine version per release in your tech file so you can answer 'which releases are affected?' in an Art. 14 report within 24h.
The pitfall that catches most teams
No inventory of which SDK versions shipped in which build. When an exploited CVE in an ad SDK hits, the 24-hour reporting clock does not wait for you to reverse-engineer your own binaries.
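One way to keep that inventory queryable, as an added example (not code from this page or from Unity): a per-release record of engine version and shipped components, and a lookup that answers "which releases are affected?" for one advisory. The record layout, component names and versions are constructed placeholders.

```python
import re
from itertools import zip_longest

# Constructed sample data: one record per shipped build. Component names are
# placeholders, not real SDK identifiers; versions are invented.
RELEASES = [
    {"release": "1.4.0", "engine": "2022.3.10f1",
     "components": {"example-mediation-sdk": "8.1.0", "example-adnet-adapter": "4.2.1"}},
    {"release": "1.5.0", "engine": "2022.3.20f1",
     "components": {"example-mediation-sdk": "8.3.0", "example-adnet-adapter": "4.2.1"}},
    {"release": "1.6.0", "engine": "2022.3.20f1",
     "components": {"example-mediation-sdk": "8.3.0", "example-adnet-adapter": "4.3"}},
    # Inventory was never recorded for this build.
    {"release": "1.6.1", "engine": "2022.3.20f1", "components": None},
]

def version_key(version):
    """Numeric fields of a version string: '2022.3.10f1' -> (2022, 3, 10, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_older(version, first_fixed):
    """True if version sorts before first_fixed; missing fields count as 0."""
    pairs = zip_longest(version_key(version), version_key(first_fixed), fillvalue=0)
    for shipped_part, fixed_part in pairs:
        if shipped_part != fixed_part:
            return shipped_part < fixed_part
    return False

def affected_releases(releases, component, first_fixed):
    """Split releases into (affected, unknown) for one advisory.

    component is a key in "components", or "engine" for the Unity version.
    unknown lists builds with no recorded inventory: they cannot be cleared.
    """
    affected, unknown = [], []
    for rel in releases:
        if component == "engine":
            shipped = rel.get("engine")
            recorded = shipped is not None
        else:
            recorded = rel.get("components") is not None
            shipped = rel["components"].get(component) if recorded else None
        if not recorded:
            unknown.append(rel["release"])
        elif shipped is not None and is_older(shipped, first_fixed):
            affected.append(rel["release"])
    return affected, unknown
```

Builds in the unknown list are the ones that would have to be reverse-engineered while the reporting clock runs.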
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.