In the past decade the video gaming industry has grown immensely. This, in combination with a number of unique factors, makes the video gaming industry a very interesting target for cyber criminals.
In response, regulators across the globe have sought to either bring video gaming into scope of critical infrastructure legislation (either directly, or indirectly by regulating gaming infrastructure) or have adopted sector-specific rules.
Here we provide a brief overview of some of the cyber risks and an impact analysis of EU cybersecurity legislation applicable in relation to the video gaming industry.
Key cyber risks in the video gaming industry
In-game integrity: Protecting fair play and digital assets
In the early days cybersecurity in the context of video gaming mostly focused on ensuring the integrity of gameplay. Cheating tools, for example, disrupt the competitive balance of games, undermining the player experience, and in some cases, their use can result in criminal or civil wrongs. Game companies work continuously to detect and prevent these threats to maintain a fair gaming environment.
In addition to gameplay integrity, protecting in-game currencies and digital items is also a pressing concern. Malicious actors may attempt to exploit bugs or vulnerabilities in order to duplicate valuable in-game items, disrupting virtual economies and damaging the reputation of the game.
In-game NFTs
For information on non-fungible tokens as in-game digital assets, see our thought leadership hub, NFTs.
Data breaches and confidentiality
Game companies, like other businesses, are vulnerable to cyber threats, with some being exposed to a higher risk due to the ‘tech-savviness’ of their user base.
A notorious example is the data breach that occurred with Rockstar Games in 2022, where confidential information about Grand Theft Auto VI was leaked online. Such breaches can lead to significant financial losses, reputational damage and legal liabilities, particularly in cases involving user data or trade secrets.
The video gaming industry’s vulnerability to cyberattacks is further compounded by the high volume of personal data stored by companies, including payment information, personal identifiers and player behaviour analytics. Game companies are required to adhere to strict data protection regulations, such as the General Data Protection Regulation (GDPR) in the EU and implement robust security measures to safeguard sensitive information.
Data, privacy and the metaverse
For information about:
Impact of new EU Legislation: NIS2 and the Cyber Resilience Act
EU legislation on cybersecurity, such as the NIS2 Directive and the recently adopted Cyber Resilience Act, imposes additional cybersecurity requirements on certain businesses, potentially including video game companies.
NIS2 Directive
The NIS2 Directive introduces a new standard of cybersecurity in the EU, designed to strengthen security requirements and enforcement, and replaces the NIS Directive 2015/1148/EC.
The NIS2’s applicability to an entity is subject to three cumulative requirements:
- The entity must employ at least 50 people and have an annual turnover and/or annual balance sheet total of at least EUR 10 million.
- The entity must operate in a sector classified as “essential” or “important” in Annex I or II of the NIS2.
- The entity must provide its services or carry out its activities within the EU.
As regards the second requirement above, it is important to note that the video gaming sector itself is not explicitly listed as an in-scope sector under the NIS2 Directive.
However, the reach of NIS2 extends beyond the sectors named directly in its annexes, as it applies to a range of digital infrastructure and digital service providers that may underpin or be integrated into gaming services.
For example, if a video game company provides, or relies on, cloud computing services, content delivery networks or data centre services as part of its operations, these elements may bring the company within the scope of NIS2. This is because such services are specifically referenced in Annex I of the Directive as part of the "digital infrastructure" sector.
As a result, while the core activity of game development or publishing may not trigger NIS2 obligations, the use or provision of certain digital services that are essential to the delivery of gaming experiences can bring game companies within the scope of the Directive’s requirements. Such indirect applicability means that many game companies, particularly those of medium or large size, must carefully assess their service offerings and operational dependencies to determine whether NIS2 compliance is required.
Five key requirements
To the extent that a game company falls within scope of NIS2, it must adhere to the following five key requirements:
- The game company must register up-to-date information with the competent authorities, including the name of the entity, its address and contact details (including IP ranges), the (sub)sector in which it operates and a list of the Member States in which the services that fall under the NIS2 are provided.
- The game company must implement appropriate governance that recognises that senior management is ultimately responsible for overseeing, approving and being trained on the cybersecurity measures and for addressing cyber risks. (This is a global trend whereby regulators require that cyber risk is dealt with at board level and boards cannot outsource this responsibility to non-executive functions in the organisation.) Breaches may result in penalties for management, including personal liability and a potential temporary ban from management roles.
- Appropriate and proportionate technical, operational and organisational measures must be taken to manage risks to its systems. This is already required under applicable data protection legislation, but NIS2 and the national implementing legislation across EU Member States require in-scope entities to implement prescriptive and detailed requirements. Measures must at least include: policies on risk analysis and information system security; incident handling; business continuity; supply chain security; network and information systems security; effectiveness assessments; basic cyber hygiene practices; cybersecurity training; cryptography and encryption where appropriate; access controls; and authentication solutions (such as MFA).
- Prompt incident reporting for incidents with a significant impact on the provided service or on its users. Multiple stages of reporting exist, including an early warning report within 24 hours and an official incident notification within 72 hours.
- Voluntary participation in cybersecurity information-sharing arrangements covering threats, vulnerabilities and threat actor information.
NIS2 was due to be transposed into national law in all Member States by 17 October 2024. However, as at the date of this publication, implementation legislation has not yet been adopted in several Member States.
NIS2 Directive and network and information security
For more information on NIS2 and network and information security, see our summary, NIS2.
Cyber Resilience Act
In addition to the NIS2 Directive, another recently adopted piece of EU legislation that may become relevant for video game companies is the Cyber Resilience Act (CRA). The CRA:
- Establishes uniform cybersecurity standards across the EU market for “products with digital elements”, which are software or hardware products and their remote data processing solutions.
- Aims to enhance the security of such products throughout their lifecycle, from design and development to long-term support.
- Mandates secure-by-design principles, vulnerability management, incident reporting and software updates for manufacturers of internet of things (IoT) devices. (The CRA's implementation will impact manufacturers globally who wish to sell their products within the EU market.)
- Has relevance for game companies that offer physical products with digital elements, such as gaming consoles or accessories with internet connectivity. Under the CRA, these products – depending on their risk classification – must meet stricter security requirements to ensure resilience against cyber threats throughout their lifecycle.
Categories of products under the Cyber Resilience Act
The CRA categorises products with digital elements into four categories:
- Products that are neither important nor critical: The vast majority of software, including most video games, is expected to fall into this category. These products require a self-assessment of cybersecurity compliance, ensuring that they contain no known vulnerabilities and that security-by-default principles are implemented.
- Class I important products: This includes software with higher-risk functions, such as password managers, operating systems, VPNs, network management systems or remote access tools. These products face more stringent obligations, including external audits.
- Class II important products: Products such as firewalls and virtual machines. These require the most rigorous security measures and oversight.
- Critical products: These are hardware devices that have a cybersecurity-related functionality and perform a function that carries a significant risk of adverse effects in terms of their intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements through direct manipulation. Products of this type, such as tamper-proof controllers or smart cards, will be required to adhere to the most stringent standards and conformity assessments.
The CRA requires that applicable security standards be integrated throughout the entire development process, starting from the design phase. Products must undergo regular vulnerability testing and receive timely security updates to maintain system integrity and protect users from emerging threats.
Furthermore, any identified security vulnerabilities must be promptly reported to the European Union Agency for Cybersecurity (ENISA), especially if actively exploited.
Non-compliance can lead to substantial fines and administrative sanctions, increasing the regulatory burden on video game companies operating in the EU.
The CRA entered into force on 10 December 2024. A transition period of 36 months is applicable, giving companies until 2027 to comply.
Existing products are subject to the CRA only if they undergo substantial modifications.
Technical descriptions of the four categories of products with digital elements, set out above, are yet to be adopted by the EU Commission (ultimately this is required to be done by 11 December 2025).
What should game companies be doing in relation to the CRA right now?
For game companies developing, manufacturing or distributing products with digital elements in the EU, it is crucial to begin timely compliance efforts. Even non-critical software like video games will need to be subject to a self-assessment and be able to maintain cybersecurity standards, while hardware products with connectivity face more demanding requirements.
Given the increasing cyber threats targeting the video games industry – including account takeovers, malware, and ransomware attacks – adhering to the CRA will not only ensure legal compliance but will also enhance consumer trust and product security in a rapidly evolving digital landscape.
Final observations
The adage in cybersecurity is that it is not a question of if a company will be hacked, but when. By implementing proactive cybersecurity measures, game companies can better protect themselves against attacks and minimise the impact of breaches when they occur, while at the same time complying with NIS2 and the CRA (whether or not these are actually applicable in a particular instance).
Want more information?
For more information in relation to the legal and regulatory considerations in relation to video gaming, see our thought leadership hub, Insights: Gaming.