The question of whether cheat software is inadmissible under copyright law has been a constant issue for the games industry for years. The ruling by the Federal Court of Justice (BGH) on July 31, 2025 (case no. I ZR 157/21 – “Action Replay II”) has now provided clarification from the highest court: The distribution of cheat software for the PlayStation Portable (PSP) does not infringe copyright if the game’s program code remains untouched and only values in the main memory are changed while the game is running. At first glance, this seems like a “free pass” for cheats. In fact, the implications lie in the details of the Software Directive and its implementation in the Copyright Act (UrhG) – and in the clear distinction from other legal instruments such as the protection of technical measures, fair trading law and publishers’ contract law.

The starting point of the proceedings was a conflict between Sony as the platform operator and rights holder of the PSP titles in question and Datel as the provider of tools such as “Action Replay PSP” and “Tilt FX”. The tools do not modify the source or object code of the game, but overwrite certain variables in RAM while the game is running. The result is visible advantages for players – such as additional skills, unlocked content or modified game physics. The key legal issue is therefore not the “morality” of cheating, but the question of whether the resulting interventions qualify under copyright law as a “modification” or other act of use of the protected computer program.

The legal framework under EU law results from Directive 2009/24/EC on the legal protection of computer programs. This protects the form of expression of a computer program – i.e. in particular the source and object code – and not the underlying ideas, algorithms or functional principles. Section 69a (2) UrhG expressly reflects this distinction; it is the specific form of the program that is protected, not its function or the process as such. Consequently, Section 69c No. 2 UrhG refers to “translation, adaptation, arrangement and other alterations”. The offence requires a change to the work itself, i.e. a modification of the protected form of expression – regularly a change to the program code or a copy of the program.

This is precisely where the now established case law comes in: If the code is not altered and no altered program copy is created, but only the game-internal states generated in RAM are temporarily overwritten, there is no reworking within the meaning of Section 69c No. 2 UrhG. The temporary modification of the game result concerns the sequence of the program logic, but not the protected form of expression. The BGH thus consistently follows the interpretation of the Court of Justice of the European Union, which clarified in the preliminary ruling proceedings (Case C-159/23) that the scope of protection of software copyright does not “extend” to all program-based processes, but remains limited to the expression – the code. In other words: The boundary does not run at “influencing the game”, but at “influencing the program code or a copy of the program”.

However, this does not mean that every form of cheat software is permissible. The decisive factor is the technical design. If, for example, the tool actually injects code, patches binary parts or replaces executable sequences (“hot patching”), it is no longer a matter of merely rewriting RAM values, but of changing the form of expression. Such measures can constitute a reworking (§ 69c No. 2 UrhG) or an unauthorized act of reproduction (§ 69c No. 1 UrhG), especially if a modified program copy is created by loading it into RAM. The line is technically fine: hooking mechanisms that only react to API events and change parameter-related RAM values remain on the permissible side in principle. Procedures that replace instructions close to machine code or bend jump targets cross it.

In addition to copyright law, the protective barrier of Section 69d UrhG must be taken into account. It allows the observation, examination or testing of the functioning of a program in order to determine its ideas and principles – mind you, within the framework of a legally loaded program. This norm does not justify cheat exploitation, but is an expression of the same system: ideas and functional principles are not protected, but their concrete form. Anyone who cheats exploits this non-protectability; it only becomes relevant under copyright law when the form of expression is affected.

Section 95a UrhG draws a second, often practically more important line. The standard protects “effective technical measures” that are intended to prevent or restrict acts that are not permitted by the rights holder. If an effective anti-cheat measure – such as signature-based integrity checking, an encrypted communication channel with server-side challenge-response tests or code integrity monitoring – is circumvented, the circumvention as such may already be prohibited, regardless of whether the code remains unchanged in the end. This results in a clear compliance path for publishers: the legally secure lever shifts from copyright in the code to the design of robust technical protection measures that can be classified as “effective” and their consistent enforcement. Without such measures, the copyright lever against pure RAM cheats can remain blunt.

The third building block is unfair competition law. The distribution of cheat software can constitute an unfair hindrance of competitors (Section 4 No. 4 UWG) if it deliberately interferes with the competitive development of a publisher, for example by systematically destroying game balance, matchmaking fairness or online economy. A breach of law (Section 3a UWG) is also conceivable if a prohibition applies elsewhere – for example via Section 95a UrhG – and the act of circumvention is instrumentalized for market purposes. The assessment under unfair competition law is always case-specific and requires a balance to be struck between the tool provider’s entrepreneurial freedom of development and the publisher’s affected market regulations.

The fourth building block is contract law. Publishers have an effective set of instruments consisting of end user license terms (EULA), terms of use and game rules. Cheats can be contractually prohibited; violations regularly entitle to blocks and terminations as well as claims for damages in individual cases. The control of general terms and conditions (Section 307 BGB) requires transparency and proportionate sanctions. Clauses that prohibit manipulative interventions, botting or match-fixing are customary in the industry and legally viable if they are clearly worded, serve the purpose of maintaining a fair gaming environment and provide for graduated measures. For the B2C sector, clear, pre-contractual information about possible blocking consequences, data collection through anti-cheat mechanisms (keyword: GDPR compliance) as well as objection and complaint channels is recommended. The enforceability of the EULA is not affected by the fact that copyright claims in the core area are excluded; rather, the focus of legal enforcement shifts.

There are compliance guidelines for tool manufacturers. What remains permissible is what works without code intervention, does not circumvent any effective technical measures, does not participate in the market in an unfair manner and does not use any third-party property rights (no use of proprietary keys, no infiltration of signed modules, no circumvention of console security chains). Technical and legal documentation is recommended, stating that the functional depth is limited to RAM value manipulation, that no integrity checks are circumvented and that the software does not contain any proprietary content. You should avoid “universal loader” functionalities that load signed areas without authorization or override signature-based checks; even a “purpose of use” clause (“for single players only”) is not a legal shield if practice shows otherwise.

A bundle of technical, contractual and organizational measures is recommended for publishers and developers. Technically, anti-cheat mechanisms should be implemented in such a way that they clearly exceed the “effectiveness” threshold of Section 95a UrhG (documented, dynamic protection concepts; server-side plausibility checks; tamper-resistant, signed client modules; telemetry-supported abuse detection with data protection justification via legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR). Contractually, the EULA and rules of the game should contain clear definition clauses (“cheat”, “bot”, “exploit”), graduated sanctions, transparency regarding evidence and audit options. In organizational terms, internal “play integrity” processes, a de-escalation path with warnings, logging concepts and audit-proof evidence are useful in order to provide a reliable basis for measures under fairness or contract law.

The decision extends beyond the pure console context. For PC titles with modding-friendly architectures, it clarifies the dividing line between permissible modifications (content mods that work via officially provided interfaces) and impermissible interventions (code patching, non-signature binary changes). The risk of pure client cheats is reduced for cloud and live service games, where the main game logic is on the server side: the tort and contractual situation shifts to the interaction layer between client and server anyway, including protection against manipulative requests and packet replays. The decision does not create a “cheat amnesty” for esports. League rules, house rules and contracts remain valid; violations can be sanctioned regardless of whether a copyright infringement has occurred. The clear definition of the rules and the provability of the respective manipulation remain important.

Dogmatically, the line is convincing: software protection remains expression protection. The object of protection is the code, not the game result. If every interference with the flow of a program logic were to be considered a copyright infringement, the boundary between work and function protection would collapse; debugging tools, performance analyzers or accessibility aids could hardly be clearly located. At the same time, the decision does not close its eyes to real market disruptions. It shifts the debate to the protection instruments that are appropriate to the system: technical measures, contractual compliance and fair trading law. The fact that this route is more demanding than simply relying on Section 69c UrhG is not a mistake, but the intention of the legislator, who deliberately limited the Software Directive to forms of expression.

It remains unclear where exactly the technical and legal demarcation line is drawn when RAM manipulation turns into “soft” hooking, which actually replaces executable sequences without permanently changing the binary code. The qualification of modern “kernel-level” anti-cheat drivers and their circumvention also pose practical questions of demarcation: Are mere monitoring hurdles overcome or does the attacker interfere with signed code paths? In the first case, there is much to be said for an examination via Section 95a UrhG (effectiveness and circumvention); in the second case, Section 69c comes to mind again. Finally, the question remains as to what extent publishers must set limits on telemetry in terms of product law or data protection law: The more deeply anti-cheat systems interfere with the operating system, the more carefully purpose limitation, transparency and proportionality must be designed.

In practice, a “three-pillar” approach is recommended for publishers: Firstly, technical measures that are not only in place but can be qualified as “effective”, with documented threat analysis and dynamic updating. Secondly, contractual frameworks that precisely address manipulative interventions and provide for graduated reactions, including transparent communication and remonstration processes. Thirdly, a strategy under fair trading law against commercial cheat providers aimed at targeted obstruction or systematic circumvention of the law. This results in a robust, coordinated legal position, which is also valid if the main claims under copyright law are ruled out in individual cases.

For tool providers, the focus is on technical self-restriction, verification and distancing themselves from circumvention activities. A clean architecture that only addresses RAM values, leaves integrity checks untouched and does not use proprietary content significantly reduces the risk. In addition, marketing statements and user communication should not create false incentives (“bypasses all protection”, “unbannable”); such statements encourage accusations of unfair competition. For creator communities pursuing legitimate modding interests, the use of official interfaces and toolchains is recommended in order to avoid suspicion of code tampering or circumvention of protection measures in the first place.

The BGH’s ruling is therefore not an invitation to lose control, but a systemic decision in favor of clearly defined software copyright law. It forces the industry to use the right levers: effective technical protection measures, good contracts, clear rules and consistent enforcement. Those who take this to heart can ensure a fair gaming experience even in an environment with “legal” RAM cheats. And those who offer tools now know in which corridor innovation can move in a legally secure manner. Since then, the decisive sentence has been: Not every intervention in the gameplay is an intervention in the copyrighted computer program. The line is drawn at the code – and at its effective shielding.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.