Author: Rinat Sherf, Privacy Counsel at Plarium
This Global Privacy Day, the gaming world is focusing more than ever on cybersecurity resilience with the arrival of the EU Cyber Resilience Act. For us at Plarium, the CRA is part of a continuous journey to refine and consolidate the elements that collectively define our Security by Design framework. We are currently assessing our products and existing workflows to identify and bridge operational gaps while fine-tuning internal controls to ensure full alignment with upcoming regulatory requirements. Here is a look at the work we’re doing.
Since the CRA covers any product with digital elements placed on the EU market, our first priority has been mapping our product line and defining our role, primarily as a manufacturer. While most mobile games and services fall under the default category, we are proactively assessing whether certain components should be categorized as "Important Products" (Class I). This effort requires full transparency and cooperation from stakeholders. Our project lead is focused on building this engagement, ensuring that every team is committed to the process and that information flows efficiently across the organization.
To ensure our products meet the applicable security requirements in Annex I and Annex II and are ready for the conformity declaration and, if required, an external audit, we conduct a comprehensive cybersecurity risk assessment. To make this assessment truly effective across our complex ecosystem, we have adopted a multi-layered approach.
The player interface of each product is assessed against the security checklist mandated by the Act, which includes rigorous vulnerability testing and threat modeling of both the player journey and the technical attack surface to identify and mitigate any foreseeable misuse. In parallel, we assess the cybersecurity risk and compliance of our shared backend services; because these servers handle real-time state synchronization and vital API endpoints, the CRA treats them as an integral part of the product itself. The third layer focuses on supply chain security management, where we are reviewing our third-party onboarding processes, contract templates, and product-critical suppliers to ensure full alignment with CRA requirements for transparency, coordinated vulnerability disclosure, and long-term security support.
Our earlier investment in automating the system inventory for GDPR ROPA provides the foundation for mapping our assets and will enable the creation of a Software Bill of Materials (SBOM) for each product.
Of course, moving toward compliance comes with hurdles. The CRA requires us to report actively exploited vulnerabilities to ENISA within a 24-hour window, a significant shift from the traditional scope of reportable breaches and their timelines. To meet this, we have consolidated our vulnerability reporting into a single internal hub. This centralized dashboard allows us to assess reports and bugs from across the entire company instantly and decide whether a formal notification is needed.
We are also tackling the "reachability" problem. Just because a third-party library has a vulnerability doesn't mean our game is at risk. By implementing Vulnerability Exploitability eXchange (VEX) alongside our SBOMs, we can determine if a threat is actually reachable, allowing our engineers to focus on fixing real risks rather than chasing ghosts in the code.
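The two mechanisms described above, the centralized triage that feeds the 24-hour reporting decision and the SBOM-plus-VEX reachability filter, can be sketched as one small workflow. The following is an added illustration, not Plarium's tooling or code from the article: the SBOM, advisory feed, VEX statements, package URLs, advisory identifiers and the "known exploited" set are all constructed placeholders, and the data shapes are a simplified CycloneDX-style model rather than the full specification.

```python
"""Added example: SBOM + VEX reachability triage feeding a 24-hour reporting clock.

Assumptions (not from the article): simplified CycloneDX-style dicts, constructed
package URLs and advisory IDs, and a stand-in 'known exploited' set in place of a
real threat-intelligence feed.
"""
from datetime import datetime, timedelta, timezone

# Constructed SBOM: one product shipping three components, keyed by package URL.
SBOM = {
    "product": "example-game-client",
    "components": [
        {"name": "json-parser", "version": "2.1.0", "purl": "pkg:generic/json-parser@2.1.0"},
        {"name": "image-codec", "version": "5.4.2", "purl": "pkg:generic/image-codec@5.4.2"},
        {"name": "net-sync", "version": "1.9.0", "purl": "pkg:generic/net-sync@1.9.0"},
    ],
}

# Constructed advisory feed: placeholder advisory ID -> affected package URLs.
ADVISORIES = {
    "VULN-EXAMPLE-1": ["pkg:generic/json-parser@2.1.0"],
    "VULN-EXAMPLE-2": ["pkg:generic/image-codec@5.4.2"],
    "VULN-EXAMPLE-3": ["pkg:generic/net-sync@1.9.0"],
    "VULN-EXAMPLE-4": ["pkg:generic/other-lib@0.1.0"],  # not in our SBOM at all
}

# Constructed VEX statements from the product team. Only three of the CycloneDX
# analysis states are modelled here: affected / not_affected / under_investigation.
VEX = {
    "VULN-EXAMPLE-1": {"state": "not_affected", "justification": "code_not_reachable"},
    "VULN-EXAMPLE-2": {"state": "affected", "justification": None},
    # VULN-EXAMPLE-3 deliberately has no statement yet.
}

# Constructed stand-in for a "known exploited" threat-intel feed.
KNOWN_EXPLOITED = {"VULN-EXAMPLE-2"}

# The article's 24-hour window for exploited vulnerabilities.
REPORTING_WINDOW = timedelta(hours=24)

# Constructed moment at which the team became aware of the advisories.
AWARE_AT = datetime(2026, 9, 15, 9, 0, tzinfo=timezone.utc)


def triage(sbom, advisories, vex):
    """Return {advisory_id: status} for advisories touching an SBOM component.

    Status is 'reachable', 'not_reachable' or 'needs_analysis'. Advisories for
    packages we do not ship are dropped entirely (the 'chasing ghosts' case).
    """
    purls = {c["purl"] for c in sbom["components"]}
    result = {}
    for vuln_id, affected in advisories.items():
        if not purls.intersection(affected):
            continue  # nothing in our SBOM is affected
        statement = vex.get(vuln_id)
        if statement is None or statement["state"] == "under_investigation":
            result[vuln_id] = "needs_analysis"  # no verdict yet: keep on the engineers' queue
        elif statement["state"] == "not_affected":
            result[vuln_id] = "not_reachable"   # VEX says the vulnerable code is not reachable
        else:
            result[vuln_id] = "reachable"
    return result


def reporting_deadlines(triaged, known_exploited, aware_at):
    """Deadline for each reachable advisory that is also known to be exploited."""
    return {
        vuln_id: aware_at + REPORTING_WINDOW
        for vuln_id, status in triaged.items()
        if status == "reachable" and vuln_id in known_exploited
    }


if __name__ == "__main__":
    verdicts = triage(SBOM, ADVISORIES, VEX)
    for vid, status in sorted(verdicts.items()):
        print(f"{vid}: {status}")
    for vid, due in reporting_deadlines(verdicts, KNOWN_EXPLOITED, AWARE_AT).items():
        print(f"{vid}: early-warning report due by {due.isoformat()}")
```

The useful property is that the three outputs map onto three different queues: `reachable` advisories go to remediation and, when also known to be exploited, onto the notification clock; `not_reachable` ones are closed with the VEX justification kept as evidence for the conformity file; and `needs_analysis` ones stay visible rather than silently being treated as safe, which is the failure mode to avoid when a VEX statement is missing.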
The timeline is clear: while the reporting obligations begin in September 2026, the full weight of the law, including the mandatory CE marking, arrives in December 2027. Our goal is to have our groundwork, conformity declarations, and any necessary audits finished before the deadline.
Ultimately, building a resilient company provides a distinct competitive edge. The CRA and our Declaration of Conformity will serve as a powerful testament to this commitment: we are engineering environments that deserve player trust for the long term.
This overview is provided for general informational purposes only and does not constitute legal advice.