Consumer Electronics · Deadline: September 2026

CRA Compliance Checklist: Gaming Consoles & Peripherals

CRA Classification: Default — gaming consoles and peripherals are consumer products with digital elements; not listed in Annex III unless they incorporate critical infrastructure connectivity

Gaming consoles and connected peripherals are consumer products with digital elements fully in scope for the CRA. They involve complex software ecosystems, online multiplayer services, digital storefronts, and user account systems — each presenting distinct cybersecurity risks. While classified as Default, gaming platforms process significant personal and payment data, making robust security practices essential.

16 checklist items · 12 high priority · September 2026 deadline · Consumer Electronics sector

1. Scope & Classification

Confirm all network-connected gaming consoles, handheld devices, and smart peripherals are in scope for CRA

Priority: high · Article 3(1)

Consoles, online-capable handhelds, and peripherals with firmware are products with digital elements. Purely offline cartridges or non-digital accessories are not in scope.

Compile a comprehensive SBOM covering console OS, game engine runtimes, middleware, and all bundled software

Priority: high · Article 10(6)

Gaming platform software stacks are large and complex. Include the OS, graphics drivers, network stack, store client, and any bundled game engines.

Assess companion mobile apps and PC clients — they are separate products with digital elements requiring their own CRA analysis

Priority: medium · Article 3(1)

Companion apps for controllers, headsets, or consoles are separately in scope. Map the full product ecosystem.

2. Product Security (Annex I Part I)

Implement account security with support for multi-factor authentication for all user accounts

Priority: high · Annex I, Part I(2)

Gaming accounts are high-value targets for credential stuffing. MFA support is a minimum expectation under CRA secure-by-default requirements.

Apply code signing for all first-party and third-party software executed on the platform

Priority: high · Annex I, Part I(9)

All code — system updates, game patches, DLC — must be cryptographically signed and verified before execution. This prevents malicious code injection.
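As an added illustration of the verify-before-execute rule above (example code written for this checklist, not from the page or from any console vendor), a Go sketch of a signed update package: the release side signs the payload together with its version, and the console side verifies against a pinned platform public key and refuses rollback to an older version. The package layout, the 8-byte version field and the sample payload are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed package layout (constructed for this example, not any real console format):
//   payload || 8-byte big-endian version || 64-byte Ed25519 signature over (payload || version)
// Signing the version with the payload lets the console refuse replay of an older signed patch.
const sigLen = ed25519.SignatureSize

// BuildPackage is the release-side step. In production the private key stays in the
// release-signing HSM; here it is held in memory for the demonstration only.
func BuildPackage(priv ed25519.PrivateKey, payload []byte, version uint64) []byte {
	var v [8]byte
	binary.BigEndian.PutUint64(v[:], version)
	body := append(append([]byte{}, payload...), v[:]...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyPackage is the console-side step: verify against the pinned platform public key,
// then enforce anti-rollback. The payload is returned only on success, never before.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte, minVersion uint64) ([]byte, uint64, error) {
	if len(pkg) < 8+sigLen {
		return nil, 0, errors.New("package too short")
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, errors.New("signature invalid: refusing to install")
	}
	version := binary.BigEndian.Uint64(body[len(body)-8:])
	if version < minVersion {
		return nil, 0, fmt.Errorf("version %d below minimum %d: rollback refused", version, minVersion)
	}
	return body[:len(body)-8], version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := BuildPackage(priv, []byte("constructed patch bytes"), 42)
	_, v, err := VerifyPackage(pub, pkg, 40)
	fmt.Println("genuine package:", v, err)
	pkg[0] ^= 0xff // one flipped payload byte must be rejected
	_, _, err = VerifyPackage(pub, pkg, 40)
	fmt.Println("tampered package:", err)
}
```

The same check belongs in front of every code path that loads system updates, game patches or DLC, and the public key it pins should be held in immutable or hardware-protected storage on the console.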

Implement automatic security update delivery for the console OS and bundled system software

Priority: high · Annex I, Part I(9)

Security patches must be delivered promptly. Implement an automatic (or at least opt-in automatic) system update mechanism so that critical patches can be deployed without user interaction.

Apply least-privilege isolation between games, system software, and network services

Priority: high · Annex I, Part I(7)

Games should not have direct access to system credentials, account data, or other games. Sandbox isolation reduces the blast radius of a compromised game.

Encrypt user account credentials and payment data at rest on the device

Priority: high · Annex I, Part I(3)

Stored user credentials, saved payment methods, and session tokens must be encrypted using hardware-backed key storage where available.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy with a dedicated security research contact and a bug bounty programme if feasible

Priority: high · Article 13(1)

Gaming platforms attract significant security researcher interest. A well-run bug bounty programme produces better security outcomes and demonstrates CRA compliance intent.

Define security support lifecycle for each console generation with published end-of-support dates

Priority: high · Annex I, Part II(5)

Console generations have well-defined lifecycles (typically 7–10 years). Publish security support commitments per generation from launch.

Establish a process for third-party game developers to report security vulnerabilities in platform APIs

Priority: medium · Article 13(5)

Platform SDKs and APIs may contain vulnerabilities discovered by licensed developers. Create a confidential channel for developer security reports.

4. Article 14 Incident Reporting

Monitor for active exploitation of console vulnerabilities — including jailbreaks that enable piracy or cheating at scale

Priority: medium · Article 14(1)

Not all jailbreaks trigger Article 14 — the threshold is significant impact. A jailbreak enabling mass account compromise or malware distribution likely qualifies.

Maintain a documented escalation process for security incidents affecting user account data or payment information

Priority: high · Article 14(2)

Breaches of user account or payment data on gaming platforms may trigger CRA Article 14 and also GDPR Article 33. Coordinate both reporting tracks.

5. CE Marking & Technical Documentation

Prepare technical file including platform security architecture, SBOM, penetration test results, and CVD policy

Priority: high · Article 23, Annex V

Gaming platform technical files should address the full security perimeter: hardware, OS, online services, and third-party app runtime.

Issue EU Declaration of Conformity and affix CE marking before placing products on the EU market

Priority: high · Article 20, Article 22

Both the console hardware and any bundled software must be covered by the DoC.

Confirm RED compliance for wireless controllers and accessories with Bluetooth or Wi-Fi

Priority: medium · Article 6 CRA; RED Directive 2014/53/EU

All wireless gaming peripherals must comply with RED. CRA cybersecurity requirements add to, not replace, RED obligations.


Frequently asked

Do third-party game developers need to comply with CRA, or just the platform manufacturer?

Both. A game distributed on the EU market is itself a product with digital elements (or software) in scope for the CRA. The platform manufacturer is responsible for the platform; individual game studios are responsible for their games. Platform manufacturers may impose CRA-aligned requirements on developers through their developer agreements.

Our console's online services are cloud-based — are they in scope for CRA?

Services that are purely cloud-based (Software as a Service) are generally excluded from CRA scope, which focuses on products with digital elements. However, the console hardware and its firmware are in scope. If the console ships with a mandatory online account system or online services are bundled, the overall system must address CRA requirements.

A security researcher found a vulnerability in our game engine — what are our Article 13 obligations?

Under Article 13, you must acknowledge the report within a reasonable timeframe (48 hours is good practice), triage it, work with the researcher on a fix, and coordinate disclosure. You must provide remediation without undue delay. If the vulnerability is actively exploited before you can patch it, Article 14 reporting to ENISA is triggered.
