New EU Cybersecurity Regulations: Essential Information for Game Developers and Publishers
Jurriaan Jansen and Jasper Geerdes of Norton Rose Fulbright outline the key aspects of the new European Union cybersecurity legislation that game developers and publishers must be aware of.
The video game industry is experiencing unprecedented growth and, with it, unprecedented exposure to cyber threats. Developers and players face a complex array of risks, from cheating tools to sophisticated attacks on personal data and digital assets. In response, regulators, particularly in the EU, are introducing sweeping new rules to reshape the industry's approach to security.
Maintaining fair play is a continuous challenge: cheating tools disrupt competitive balance and can lead to legal issues. The rise of in-game currencies and digital items has created new opportunities for malicious actors, who can exploit bugs or vulnerabilities to duplicate or steal valuable assets, destabilizing virtual economies and damaging reputations. Data breaches are another pressing concern, as seen in the 2022 Rockstar Games incident, which highlights the importance of protecting the personal data flowing through gaming platforms.
The EU is raising the bar for cybersecurity with two major legislative updates: the NIS2 Directive and the Cyber Resilience Act (CRA). Both will have a significant impact on game developers and publishers operating in or selling to the EU, introducing tougher cybersecurity standards and stricter enforcement. Game companies must already comply with GDPR requirements for protecting personal data; these new frameworks add a further layer of prescriptive measures.
The NIS2 Directive replaces the original NIS Directive with tougher cybersecurity standards and stricter enforcement. Companies must register up-to-date information about their operations and services with competent authorities, and senior management is ultimately responsible for overseeing and approving security measures.
On the technical side, companies must implement comprehensive measures to manage risks, including risk analysis, incident handling, business continuity planning, and supply chain security.
The Cyber Resilience Act (CRA) sets uniform cybersecurity standards for products with digital elements, including software, hardware, and remote data processing solutions. Most video games will fall into the category of products that are neither "important" nor "critical", which requires a self-assessment of cybersecurity compliance and adherence to security-by-default principles. Higher-risk products face stricter obligations, including external audits.
For studios and publishers, the first step is to assess whether these new rules apply by reviewing their company size, the services they offer, and their operational dependencies. It is also essential to bring cybersecurity into the boardroom, with senior management trained and actively involved in overseeing cyber risk. On the technical front, companies must reassess their security measures, including comprehensive risk analysis, robust incident response plans, and supply chain security. Incident reporting processes must be watertight, with the ability to detect breaches quickly and meet reporting deadlines. Companies must also stay informed about the national implementation of NIS2 and about CRA technical standards, adjusting their compliance strategies as new details emerge.
Cybersecurity is no longer a back-office concern but a business imperative: proactive measures ensure legal compliance, protect reputation, and build consumer trust. Regulators are increasingly holding boards and senior management personally responsible for cybersecurity, and companies that invest in robust cybersecurity and compliance can set themselves apart in a crowded market.
The EU's new rules mark a turning point for the games industry, and developers and publishers who act now to understand their obligations, upgrade their security posture, and embed compliance into their business strategy will be best placed to navigate the evolving threat landscape and regulatory environment.