The EU age verification framework: a new pillar of online child protection and platform compliance

The European Commission has taken a decisive step in its efforts to protect minors online by unveiling a harmonised, privacy preserving EU age verification framework, together with the EU age verification app. On 15 April 2026, Commission President Ursula von der Leyen and Executive Vice-President Henna Virkkunen announced that the app is “technically ready” and will soon be available for citizens to use. On 29 April 2026, Executive Vice-President Virkkunen held a press conference presenting the Commission Recommendation on age verification and stating that “effective and privacy-preserving age verification is the next piece of the puzzle” for making the online space safe for children. This initiative aims to address a long standing enforcement gap in the EU’s online safety rules and to significantly raise compliance expectations for digital platforms operating in the European Union.

This age verification solution enables users to prove that they are above a given age threshold (such as 18+ or 13+) without disclosing any additional or unnecessary personal data. In practice, users will be able to set up the solution using reliable methods, such as identity document checks or certified third party verification tools. Once registered, they can reuse it to demonstrate their age whenever requested by an online platform. The solution uses Zero-Knowledge Proof cryptography to ensure unlinkability by design, meaning the link between the user and the proof provider is cut after the proof of age is issued, and no further data is exchanged. It reflects the Commission’s long standing position that effective protection of children online must go hand in hand with strict respect for privacy and data protection principles.

Member States may roll out the solution as a standalone app or integrate it into the future European Digital Identity Wallet. This wallet, currently under development, is intended to allow users to store and share information such as official identification and bank details in a secure manner, in order to access public and private services across the EU. A pilot roll-out is under way with front-runner Member States – currently Denmark, France, Greece, Italy, Spain, Cyprus and Ireland – which plan to integrate the app into their national EUDI Wallets, with additional Member States expected to join during 2026. The solution was developed under a contract awarded to the T-Scy consortium, composed of Scytáles AB (Sweden) and T-Systems International GmbH (Germany). Age verification forms part of a broader regulatory framework, notably under the Digital Services Act (DSA), which requires online platforms to ensure a high level of privacy, security, and safety for minors. In this context, simply asking users to self declare their age or including age restrictions in terms and conditions is no longer sufficient.

In parallel, on 29 April 2026, the Commission adopted a Recommendation designed to pave the way for EU wide access to age verification tools based on anonymous proof of age technologies. This Recommendation explicitly aims to ensure the highest possible standards of privacy and data protection across Member States while promoting a consistent approach to age verification within the internal market.

The Recommendation also sets out actions for Member States, including using the EU age verification blueprint, preparing implementation plans, cooperating with Digital Services Coordinators, and ensuring compliance with relevant cybersecurity and privacy standards through independent third-party review. The Commission will also establish an EU Age Verification Scheme defining the governance framework, trust model and requirements for entities seeking to act as issuers of age verification solutions or proof-of-age attestations. Under that scheme, the Commission will maintain lists of trusted proof-of-age providers and age verification solutions to support reliability, security and accountability. Trusted providers of proof-of-age attestations must be established in the EU, reflecting the Commission’s wider objective of strengthening EU digital sovereignty.

The present article outlines the key features of the EU age verification framework, its interaction with the DSA, GDPR and AI Act, and the practical implications for online platforms, e commerce operators and digital service providers. It also sets out concrete steps businesses should take now to implement compliant, risk-based age assurance solutions and adapt their governance, product design and vendor relationships accordingly.

Why age verification is now a platform governance issue

For many years, online age gates were little more than a digital speed bump. A user clicked “I am over 18”, the platform recorded a tick box, and the business moved on. That approach is rapidly becoming outdated. The policy problem is easy to understand. Children can access adult content, gambling services, age restricted goods, addictive platform features and targeted advertising with limited friction. At the same time, platforms that try to solve this by collecting passports, selfies or full dates of birth risk creating a new privacy problem. The EU age verification framework is the Commission’s attempt to solve both issues at once: stronger protection for minors, but without turning age checks into identity surveillance. That makes age assurance more than a trust and safety feature. It affects onboarding, advertising, product design, checkout flows, recommender systems, vendor procurement, data protection impact assessments, consumer journeys and regulatory exposure. A streaming service may need to decide when users can access mature content. An e-commerce platform may need to prevent minors from buying alcohol or other age restricted products. A gaming company may need to distinguish between low risk gameplay, social chat, loot boxes and mature rated content. A social media platform may need to limit targeted advertising, recommendation features or private messaging for minors.

In each case, the key question is not simply “do we know the user’s age?” It is: “can the business justify the method used, the data collected and the residual risk?”

The regulatory backdrop: DSA, GDPR and AI Act

The DSA is the most important starting point. Article 28 requires online platforms accessible to minors to put in place appropriate and proportionate measures to ensure a high level of privacy, safety and security for minors. The DSA also restricts platforms from presenting advertisements based on profiling where they are aware with reasonable certainty that the recipient is a minor. The Commission’s July 2025 guidelines on the protection of minors under the DSA are also important. They take a risk based approach and set out examples of proportionate measures to protect children from risks such as grooming, harmful content, problematic and addictive behaviours, cyberbullying and harmful commercial practices. The Commission has stated that it will use these guidelines as a reference point when assessing compliance with Article 28(1) DSA, although following them does not automatically guarantee compliance.

The GDPR then sets the privacy boundary. More reliable age checks do not give platforms a free pass to collect more data. Any age assurance method must still comply with data minimisation, purpose limitation, transparency, security and storage limitation. On 11 February 2025, the European Data Protection Board adopted Statement 1/2025 on age assurance, setting out ten principles for compliant processing of personal data when determining a person’s age or age range.

The AI Act may become relevant where age assurance technology uses AI, for example facial age estimation, liveness detection, fraud scoring or biometric analysis. The AI Act applies progressively, with certain rules already in force and transparency rules due to apply from August 2026. The practical result is a layered compliance challenge. The DSA asks whether minors are protected. The GDPR asks whether the data processing is necessary and proportionate. The AI Act may ask whether the underlying technology is transparent, fair and properly governed.

What the EU framework is trying to achieve

The Commission’s framework is not just another app. It is a common technical and governance layer for age verification across the EU. The solution allows users to prove they are over a certain age, starting with 18+ for adult restricted online content such as pornography, gambling and alcohol purchases. It can also be adapted for other thresholds, such as 13+ or 65+. The Commission describes the solution as user friendly, privacy preserving and fully interoperable with future EU Digital Identity Wallets.

This is a crucial design choice. In a well-designed flow, an online gaming platform does not need to know that a user was born on a specific date. It only needs to know whether that user is old enough to access a particular feature. A streaming service does not need to collect a passport scan just to decide whether an account can access 18+ content. It needs a reliable answer to a limited question. The Commission’s blueprint also points towards an open source, interoperable model. The blueprint was made available on 14 July 2025 and became feature ready on 15 April 2026. This should help reduce fragmentation across Member States and avoid a situation where pan-European platforms have to integrate 27 completely different solutions.

Key obligations and timelines

The framework should not be read as a single new compliance deadline for all platforms. The hard obligations come from the surrounding legal regimes, especially the DSA, GDPR, national rules on age restricted goods and services, and potentially the AI Act. The age verification framework gives businesses a practical route to meet those expectations.

The key dates are:

• 15 April 2026: the EU age verification solution became feature ready and available for customisation by Member States and market players.
• 29 April 2026: the Commission adopted its Recommendation on a common approach to EU wide age verification technologies.
• Summer 2026: the Special Panel on child safety online, established by President von der Leyen and announced in the 2025 State of the Union address, is set to present its final report and recommendations to the President on 13 July 2026. The panel, which was set up to help develop a strong and practical European approach to keep children safe online, has brought together youth representatives and specialists in health, neuroscience, psychology, computer science, child rights and digital literacy.
• 31 December 2026: Member States are encouraged to ensure access to robust and privacy preserving age verification tools by this date.
• End of 2026: EU Digital Identity Wallets are expected to launch, with Member States required to provide wallets under the European Digital Identity framework.

The practical message is simple: businesses should not wait until national apps are fully rolled out. Product, privacy, commercial and procurement teams should already be mapping where age assurance is needed and what technical model will be defensible.

Practical action points

Map every age-relevant user journey. This includes obvious use cases, adult content, gambling and alcohol sales, but also less obvious ones: personalised advertising, direct messaging, social sharing, livestreaming, in-game purchases, loot boxes, influencer content, age-based promotions and recommendation algorithms.

Define the legal trigger. Is the age check needed because of the DSA, GDPR consent rules, national alcohol or gambling laws, consumer protection rules, advertising restrictions or internal safety policies? Different triggers may require different thresholds and different levels of assurance.

Apply a risk-based model. Not every interaction needs passport-level verification. A low-risk newsletter sign-up may justify a lighter approach. Access to online gambling, adult content or alcohol sales will require stronger proof. A streaming platform may use lighter age assurance for general content controls, but stronger age verification for mature content libraries.

Run a data protection / AI impact assessment where the technology involves identity documents, biometrics, device data, behavioural signals or third-party attestations. The DPIA should address necessity, proportionality, retention, security, bias, false positives, false negatives and user redress.

Update internal DSA documentation. Platforms should be able to explain why their chosen age assurance method is appropriate and proportionate, what alternatives were considered and how children's rights and privacy were taken into account.

Contracting with age verification vendors

Vendor contracts deserve close attention. Age verification providers may sit at a sensitive point in the user journey, handling identity evidence, biometric checks, fraud signals or proof-of-age attestations. Standard processor wording is unlikely to be enough.

The contract should clarify whether the vendor acts as processor, independent controller or joint controller. This cannot be solved by labelling alone. It depends on who determines the purposes and means of processing, whether the vendor reuses data, and whether the vendor provides attestations across multiple platforms.

Contracts should include strict purpose limitation. Data collected for age verification should not be reused for advertising, analytics, profiling, product training or unrelated fraud products without a clear legal basis and explicit contractual permission. Where AI is involved, the contract should also address training data, model improvement, accuracy testing, bias monitoring and explainability.

Security obligations should go beyond generic references to "appropriate technical and organisational measures." Businesses should ask for encryption, access controls, deletion periods, independent security testing, vulnerability disclosure, incident notification timelines and audit rights. If the vendor claims alignment with the EU blueprint or future trusted-provider schemes, that claim should be backed by evidence, warranty language and termination rights if the status changes.

Commercially, contracts should also cover availability, fallback methods and failed verification flows. If an e-commerce platform cannot verify age at checkout, does the transaction fail, pause or move to manual review? If a gaming platform wrongly blocks a lawful adult user, what support process applies? If the vendor suffers downtime during a major product launch, who carries the loss?

Conclusion: age assurance is becoming part of platform governance

The EU age verification framework marks a shift in online compliance. It does not mean every platform must identify every user. It means platforms must be able to distinguish adults from minors where the law, risk profile or product design requires it, and they must do so in a way that respects privacy.

For businesses offering digital products, online platforms or age sensitive services in the EU, this is the moment to move age assurance out of the narrow trust and safety box and into the wider compliance programme. The right questions are not only technical. They are legal, commercial and strategic: Which products are in scope? Which age thresholds apply? What data is truly necessary? Which vendor can evidence compliance? How will the business justify proportionality if challenged? The organisations that prepare now will be better placed to launch safer products, negotiate stronger vendor contracts and respond confidently to regulators. The ones that wait may find that the old “click here if you are over 18” model no longer survives contact with EU platform regulation.

Key takeaways

• Age verification is moving from a formality to an enforcement priority: Regulators increasingly expect robust mechanisms to prevent minors from accessing restricted content, and legacy self-declaration models are unlikely to withstand scrutiny.
• The EU is setting a new standard for privacy-preserving compliance: Businesses will be expected to verify age effectively without collecting excessive personal data, raising the bar for data protection design.
• Regulatory exposure is multi-dimensional: Non-compliant age assurance can trigger risks not only under the DSA, but also GDPR enforcement and, where relevant, the AI Act.
• One size will not fit all use cases: Companies must justify a proportionate, risk-based approach to age assurance across different products, features and user journeys.
• A harmonised EU approach is taking shape: The new framework and upcoming Digital Identity Wallet will push convergence, making fragmented national solutions less defensible over time.
• Third-party providers create both solutions and risks: Businesses remain accountable for their vendors and must ensure contracts adequately address data use, security, and regulatory compliance.
• The implementation window is now: With the EU solution already available and Member State rollout expected by the end of 2026, waiting increases both compliance and operational risk.
• Age assurance is becoming a board-level issue: It directly affects platform governance, commercial strategy, product design and regulatory positioning.
• Early adopters will be better positioned: Companies that implement defensible, user-friendly solutions now will gain a competitive and regulatory advantage.