The new EU rules on cybersecurity: What game developers and publishers need to know

News Room
Last updated: 18 November 2025 17:45
By News Room 10 Min Read

Jurriaan Jansen (partner) and Jasper Geerdes (senior associate) from the business law firm Norton Rose Fulbright explain what game developers and publishers need to be aware of when it comes to new European Union legislation around cybersecurity.

The video games industry has never been more dynamic – or more exposed to cyber threats. As the sector has grown, so too has its appeal to cybercriminals. Today, both developers and players face a complex web of risks, from cheating tools that undermine fair play to sophisticated attacks targeting personal data and digital assets. Regulators, especially in the European Union (EU), are responding with sweeping new rules that will reshape how studios and publishers approach security.

The evolving threat landscape

Fair play has always been at the heart of gaming, but maintaining it is an ongoing battle. Cheating tools not only disrupt the competitive balance, but can also land companies in legal trouble. Studios are in a constant race to detect and prevent these threats, striving to protect both the integrity of their games and the trust of their communities.

But the risks go far beyond gameplay. The rise of in-game currencies and digital items has created new opportunities for malicious actors. Exploiting bugs or vulnerabilities, hackers can duplicate or steal valuable assets, destabilising virtual economies and damaging reputations. These incidents can have serious legal consequences.

Data breaches are another pressing concern. The 2022 Rockstar Games incident, which saw confidential details about Grand Theft Auto 6 leaked online, is a stark reminder of what is at stake. Vast amounts of personal data flow through gaming platforms, such as payment information, identifiers, and behavioural analytics, which makes them prime targets for cyberattacks. The fallout from a breach can be severe, ranging from financial loss and reputational harm to regulatory penalties, especially under strict data protection laws like the EU’s GDPR.

The new legislative landscape

Against this backdrop, the EU is raising the bar for cybersecurity with two major legislative updates: the NIS2 Directive and the Cyber Resilience Act (CRA). Both are set to have a significant impact on game developers and publishers operating in or selling to the EU. Game companies must already meet the GDPR requirement to implement appropriate technical and organisational measures to protect personal data, but these new legislative frameworks add a further layer of more prescriptive measures.

The NIS2 Directive replaces the original NIS Directive, introducing tougher cybersecurity standards and stricter enforcement. Whether a company falls under NIS2 depends on its size, whether it operates in a sector classified as “essential” or “important” in the Directive, and whether it operates within the EU. Although the games industry is not explicitly listed as “essential” or “important” in the legislation, many gaming companies utilise technology (such as cloud computing, content delivery networks, or data centres) that is governed under NIS2, and on that basis they might fall within the scope of the Directive.

If NIS2 does apply, the expectations are clear. In-scope companies must register up-to-date information about their operations and where they offer services with competent authorities. Cybersecurity is no longer just an IT issue; senior management is ultimately responsible for overseeing and approving security measures, and boards must be trained to address cyber risks. This responsibility cannot be outsourced, and breaches may result in management liability, fines, or even temporary bans from management roles.

On the technical side, companies are expected to implement comprehensive measures to manage risks. This includes everything from risk analysis and incident handling to business continuity planning and supply chain security, as well as regular cybersecurity training. Encryption, access controls, and multi-factor authentication are all part of the new baseline. When incidents do occur, companies must act fast – significant breaches require an early warning within 24 hours and a full notification within 72 hours. There is also an expectation of voluntary cooperation in sharing information about threats and vulnerabilities.

The CRA, which came into force in December 2024 with a three-year transition period, sets uniform cybersecurity standards for “products with digital elements.” This includes software, hardware and their remote data processing solutions. The CRA is particularly relevant for companies offering physical products with digital elements, such as consoles or connected accessories. Most video games will fall into the category of products that are neither “important” nor “critical”, which means a self-assessment of cybersecurity compliance is required, along with security-by-default principles. Higher-risk products, like password managers or network tools, face stricter obligations, including external audits.

Security must now be integrated from the design phase and maintained throughout the product’s life cycle. Regular vulnerability testing and timely updates are mandatory, and any identified security vulnerabilities must be reported to the European Union Agency for Cybersecurity (ENISA), especially if they are actively exploited. Non-compliance can lead to substantial fines and administrative sanctions, raising the stakes for companies operating in the EU. Existing products are only subject to the CRA if they undergo substantial modifications, and technical details for product categories are still being finalised by the EU Commission.

What should developers and publishers do now?

For studios and publishers, the first step is to assess whether these new rules apply. Review your company’s size, the services you offer, and your operational dependencies. If you use or provide digital infrastructure, you may be in scope for NIS2 – even if your core business is game development or publishing.

It is also time to bring cybersecurity into the boardroom. Senior management must be trained and actively involved in overseeing cyber risk. This is not just about compliance; it extends to protecting your business and your players.

On the technical front, now is the moment to reassess your security measures. Comprehensive risk analysis, robust incident response plans, business continuity strategies, and supply chain security are all essential. Staff should receive regular security training, and technical controls such as encryption, access management, and multi-factor authentication should be standard practice.

Incident reporting processes need to be watertight. Make sure you can detect breaches quickly and meet the tight reporting deadlines set by NIS2. For companies developing products with digital elements, start integrating security from the outset. Conduct self-assessments, maintain up-to-date vulnerability management, and prepare for potential audits if your products fall into higher-risk categories.

Staying informed is crucial. Keep an eye on national implementation of NIS2 and the finalisation of CRA technical standards, and be ready to adjust your compliance strategies as new details emerge.

Shaping business strategy

Cybersecurity is no longer a back-office concern – it’s a business imperative. The question is no longer whether a company will face a cyberattack, but when. Proactive measures not only ensure legal compliance, but also protect your reputation and build consumer trust.

Regulators are increasingly holding boards and senior management personally responsible for cybersecurity. This shift means that security cannot be delegated or treated as a purely technical issue. Companies that invest in robust cybersecurity and compliance can set themselves apart in a crowded market, reassuring partners and players alike.

The EU’s new rules mark a turning point for the games industry. Developers and publishers who act now to understand their obligations, upgrade their security posture and embed compliance into their business strategy will be best placed to navigate the evolving threat landscape and regulatory environment.
