A Content Decryption Module (CDM) is what actually decrypts DRM-protected media. The player feeds encrypted segments in via Media Source Extensions (MSE), the CDM holds the content key (obtained from a license server via Encrypted Media Extensions, EME), and the CDM decrypts each fragment before it reaches the decoder. The CDM is loaded by the browser or OS, runs in a process the application cannot inspect, and on hardware platforms is anchored in a Trusted Execution Environment (TEE) that the OS cannot read.

Each DRM system has its own CDM. Widevine's CDM ships with Chrome, Edge, Firefox and Android; PlayReady's ships with Windows, Edge and many smart TVs; FairPlay's ships with iOS, macOS and tvOS. Some CDMs come in security tiers. Widevine has L1 (hardware-backed, full HD/4K allowed), L2 (decrypt in TEE, decode in software) and L3 (software-only, often capped at SD). PlayReady has SL150 (software) and SL2000/SL3000 (hardware-backed). Content providers configure license policy per CDM tier.

For an OTT engineer, the CDM is mostly invisible: the player sets up EME, the CDM is selected based on the key system, and license requests flow through the right URLs. It becomes visible when something fails: a Widevine L1 device that fails to upgrade firmware loses 4K, an old PlayReady SL150 client can only get SD content, or a CDM revocation list pushes a security update that breaks last-gen smart TVs.
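
An added example (not from the original page) of how a player can see which tier it will negotiate: it asks EME for each key system at decreasing robustness and reports the strongest level the CDM accepts. The names `probeCdmTiers`, `supports`, `TIERS` and `VIDEO_TYPE` are hypothetical, the codec string is constructed, and the mapping of robustness strings onto L1/L2/L3 and SL levels is an approximate assumption.

```javascript
// Robustness strings per key system, strongest first. The tier labels are an
// assumed, approximate mapping onto the levels named in the text.
const TIERS = {
  "com.widevine.alpha": [
    ["HW_SECURE_ALL", "L1"],
    ["HW_SECURE_CRYPTO", "L2"],
    ["SW_SECURE_CRYPTO", "L3"],
  ],
  "com.microsoft.playready.recommendation": [
    ["3000", "SL3000"],
    ["2000", "SL2000"],
    ["150", "SL150"],
  ],
};

// Constructed sample content type; use the codec string of the real stream.
const VIDEO_TYPE = 'video/mp4; codecs="avc1.640028"';

// Ask EME for one key system at one robustness level. A rejected promise
// means no CDM on this device meets that level.
async function supports(keySystem, robustness, requestAccess) {
  const config = [{
    initDataTypes: ["cenc"],
    videoCapabilities: [{ contentType: VIDEO_TYPE, robustness }],
  }];
  try {
    await requestAccess(keySystem, config);
    return true;
  } catch (err) {
    return false;
  }
}

// Return the strongest supported tier for each key system, or null when the
// key system is absent. requestAccess is injectable so the probe can be
// exercised outside a browser; by default it is the real EME entry point.
async function probeCdmTiers(
  requestAccess = (ks, cfg) => navigator.requestMediaKeySystemAccess(ks, cfg)
) {
  const result = {};
  for (const [keySystem, levels] of Object.entries(TIERS)) {
    result[keySystem] = null;
    for (const [robustness, tier] of levels) {
      if (await supports(keySystem, robustness, requestAccess)) {
        result[keySystem] = { robustness, tier };
        break;
      }
    }
  }
  return result;
}
```

Treat the result as a client-side diagnostic only: the tier that governs what a device may play has to be the one the license server derives from the license request, not a value the page reports.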