EU court rules states can force age checks on foreign porn sites

The Court of Justice of the European Union yesterday handed down a Grand Chamber judgment that clarifies, for the first time at the EU's highest judicial level, the exact conditions under which a member state can legally impose age verification requirements on pornographic websites based in another country. The ruling arrives as digital marketers and platform operators across Europe watch regulators push harder on who is responsible for the audiences their services reach.

What the court decided

The judgment, issued today in Joined Cases C-188/24 and C-190/24, was delivered by a Grand Chamber of fifteen judges under President K. Lenaerts. Two separate disputes were bundled together because they raised the same core legal question: can France apply national rules to information society service providers established in other EU member states?

In Case C-188/24, the applicants were WebGroup Czech Republic and NKL Associates, both registered in Prague, which operate pornographic websites. France's audiovisual regulator ARCOM had issued formal notices to those companies under Article 227-24 of the French Criminal Code, which prohibits making pornographic content accessible to minors. A decree of 7 October 2021 set out the technical conditions for compliance. The companies challenged that decree before France's Conseil d'Etat, arguing the rules violated the country-of-origin principle embedded in the e-Commerce Directive - Directive 2000/31/EC of 8 June 2000 - under which a digital service is regulated by the member state where it is established, not by the member state where users access it.

The Conseil d'Etat referred the matter to Luxembourg. According to the court's press release, the CJEU today confirmed that the contested measures fall within the coordinated field covered by Directive 2000/31. That field, the court clarified, is not limited to subjects explicitly harmonised in the directive's own chapters on electronic contracts, intermediary liability, and codes of conduct. It extends in principle to any requirement concerning access to or the pursuit of an information society service - including criminal law provisions and public policy measures - provided those requirements are not expressly excluded.

Why the country-of-origin rule still governs

The e-Commerce Directive operates on a straightforward architecture. Under Article 3, paragraph 1, each member state ensures that service providers established on its territory comply with applicable national rules. Under paragraph 2, member states cannot, for reasons falling within the coordinated field, restrict the free movement of services from another member state. Those two paragraphs together mean that Czech-registered pornographic websites are, in principle, subject to Czech law - not French law.

France argued that its criminal law provisions, being general and abstract in nature, lay outside the coordinated field entirely. The court rejected that position. According to the judgment, the general and abstract character of a regulation does not remove it from the coordinated field. Criminal law rules and public policy rules can fall within the scope of the directive, provided they impose requirements on the access or conduct of an information society service.

That matters for marketers because it determines which country's regulators have primary jurisdiction over any digital service operating across EU borders. A platform registered in Ireland, the Netherlands, or any other member state remains - under the architecture the court confirmed today - regulated primarily by that member state, not by each country where its audience lives.

When France can override the home-state principle

Here is where the ruling gets specific. Article 3, paragraph 4 of Directive 2000/31 allows a member state of destination to derogate from the free movement principle, but only under a precise set of cumulative conditions. According to the judgment, the measures must be necessary for reasons including public policy - which the directive explicitly defines as covering the protection of minors and the fight against violations of human dignity. The measures must be directed at a specific information society service, not applied in a blanket way to entire categories of providers. And they must be proportionate to the objective pursued.

The court found that France's general and abstract criminal prohibition - Article 227-24 of the French Criminal Code - cannot itself satisfy the condition of being directed at a given information society service. A provision that applies indiscriminately to any person or company worldwide does not constitute a measure "taken against a given information society service" within the meaning of paragraph 4. General and abstract legislation of that kind fails the specificity test.

However, the court drew a meaningful distinction. Article 23 of Law No 2020-936 of 30 July 2020 empowers ARCOM's president to issue individualised formal notices to specific publishers who allow minors to access pornographic content. Those individual notices, directed at identified providers, can satisfy the specificity requirement. Likewise, where a provider has failed to take appropriate measures as described in Article 28 ter of the Audiovisual Media Services Directive - which explicitly lists age verification systems as among the tools video-sharing platforms must consider - a member state may require that specific provider to implement an age verification system.

Before doing so, the judgment specifies, the member state must follow the procedural conditions in Article 3, paragraph 4(b): it must first ask the member state where the provider is established to take appropriate measures itself, and must notify the European Commission and that home member state of its intention to act. In cases of urgency, Article 3, paragraph 5 allows derogation from those notification steps, with ex-post notification to the Commission.

What age verification actually means technically

French law, as set out in the Decree of 7 October 2021, required publishers to implement a "reliable technical process" for verifying that users wishing to access the service are adults. The Decree of 7 October 2021, cited in the Advocate General's opinion of 18 September 2025, specifies that ARCOM's president takes into account the reliability level of that technical process when assessing whether a publisher has complied.

The court found that this obligation - putting in place a technical system through which all users are confronted with an age-gating mechanism before reaching content - constitutes a requirement concerning the content and conduct of the information society service itself. It governs the way in which the provider pursues its activity online. That brings it squarely within the definition of the coordinated field in Article 2(h)(i) of Directive 2000/31, which covers "requirements concerning the behaviour of the service provider, the quality or content of the service."

The Audiovisual Media Services Directive, in Article 28 ter, paragraph 3(f), explicitly lists the establishment and operation of age verification systems as one of the appropriate measures video-sharing platform providers must implement to protect minors from content that may impair their physical, mental or moral development. That article has applied ratione temporis from 19 September 2020 to services providing programmes and videos. The court drew on that provision to establish that age verification is a proportionate response to the objective of protecting minors, consistent with the requirements of Articles 1 and 24 of the Charter of Fundamental Rights - which enshrine human dignity and children's rights respectively.

The European Media Freedom Act - Regulation 2024/1083 of 11 April 2024 - reinforced this framework. Its Article 15, which became applicable from 8 May 2025, established a structured cooperation mechanism allowing national regulatory authorities to request their counterparts in other member states to take enforcement action against video-sharing platform providers. That mechanism, the court noted, confirms the principle that measures protecting minors from harmful content are primarily the responsibility of the home member state, with the member state of destination able to act only when the directive's conditions are met.

The algorithm and hosting liability question

The judgment's second major holding, arising from Case C-190/24 involving Coyote System, addressed a question that reaches further into the digital economy: when does a platform's use of algorithms disqualify it from the hosting liability exemption under Article 14 of Directive 2000/31?

Article 14 exempts hosting providers from liability for user-generated content, provided the provider has neither knowledge of nor control over that information. The court today ruled that an operator who determines, by means of an algorithm, under what conditions, how, and in what order of priority information is distributed within its service exercises control over that information. That control - even if exercised through automated, passive-seeming algorithmic processes - removes the provider from the hosting exemption.

According to the judgment, the knowledge and control conditions in Article 14, paragraph 1, are alternative and autonomous. A provider that controls information through algorithmic curation loses the exemption even if it never personally reviews the content being distributed. The Advocate General in his opinion of 18 September 2025 had reasoned along similar lines, noting that an algorithm which consolidates, ranks, or removes user reports - as Coyote System's service does with roadside check alerts - creates a new information layer that goes beyond simple storage and redistribution.

This principle has substantial implications for how platforms across the digital advertising ecosystem think about their liability exposure. A platform that uses algorithmic signals to determine which content surfaces to which users, in what order, and under what conditions is not, under the court's reasoning, operating as a neutral technical conduit.

Why this matters for digital marketing and platform operators

The marketing industry has watched age verification debates intensify across Europe and North America for several years. PPC Land has tracked the EU's age verification trajectory since the UK began enforcing age requirements in July 2025, and documented the EU's own age verification app development and criticism over its Google dependency.

The court's ruling today makes clear that age verification is not a soft recommendation but a legally enforceable technical obligation - one that member states can compel foreign operators to implement, provided they follow the directive's procedural conditions. PPC Land reported in April 2026 that the EU had spent considerable resources building an age verification application that carries no mandatory implementation deadline.

The judgment does not create a new general obligation. What it does is confirm the legal pathway through which national regulators can go after platforms established in other member states when those platforms serve content to minors. The conditions are stringent. Individual notices must be issued. Proportionality must be demonstrated. The home member state must be asked to act first in most cases. But the legal framework for compelling compliance across borders is now judicially validated at the highest EU level.

For ad tech professionals, the algorithm and hosting ruling is equally consequential. DSA platform liability debates have circled around similar questions - when does content curation become control? The court today gave a clear answer under the older e-Commerce Directive framework that the DSA built upon. Algorithmic decisions about what to show, to whom, in what order, and under what conditions constitute control. That is not a hosting posture. It is an active editorial posture with corresponding legal accountability.

The court's approach also directly intersects with discussions about how the DSA, fully operational since February 2024, interacts with the e-Commerce Directive's legacy frameworks. PPC Land has covered how the DSA establishes liability rules for platforms that depend partly on whether a platform is acting as a neutral intermediary or as an active curator of content - precisely the distinction the court explored today.

Graham Smith, Of Counsel at Bird & Bird and author of the @cyberleagle legal commentary, noted in a LinkedIn discussion responding to the ruling that the DSA's Recital 42 uses "significantly different language" from the e-Commerce Directive provision at issue, and suggested this difference will fuel future CJEU references seeking different outcomes under the DSA framework. Markus Sullivan, an in-house lawyer on international data and technology law, commented that operators "cannot have the cake" of liability limitation on the basis of neutrality while simultaneously exercising discretion over what content to show, suggest, promote, or suppress. Martin Husovec, Associate Professor of Law at the London School of Economics and Political Science, shared the ruling on LinkedIn where it attracted 114 reactions, 19 comments, and 11 reshares within hours of delivery.

The coordinated field and its limits

One technical point in the judgment rewards careful reading. The court confirmed that the coordinated field under Article 2(h) is not bounded by the harmonised subjects in the directive's own Chapters II and III. Those chapters cover electronic contracts, commercial communications, intermediary liability rules, codes of conduct, and dispute settlement. But the coordinated field extends further - to any national provision concerning the access to or pursuit of an information society service, regardless of which branch of national law it comes from.

The exceptions are specific and exhaustive. Article 1, paragraph 5 of the directive excludes taxation, data protection questions covered by the 1995 directive, competition law, notarial activities, legal representation before courts, and gambling. Article 2(h)(ii) excludes requirements applicable to goods as such, delivery of goods, and services not provided electronically. And Article 3, paragraph 3 read with the Annex excludes intellectual property, certain insurance and investment fund regulations, certain contract questions, and unsolicited commercial email authorisation.

Criminal law does not appear on any of those exclusion lists. Public policy and public security measures do not appear either. The court today confirmed that their absence from the exclusions is deliberate and meaningful. Excluding them from the coordinated field, the court observed, would allow member states to evade the entire country-of-origin mechanism simply by framing restrictions in criminal law terms - a result inconsistent with the directive's objective of ensuring the free movement of information society services.

Timeline

• 8 June 2000 - Directive 2000/31/EC (e-Commerce Directive) enters into force, establishing the country-of-origin principle for information society services and the coordinated field framework.
• 30 July 2020 - France enacts Law No 2020-936 on protection of victims of intimate partner violence, with Article 23 conferring on ARCOM's president the power to issue formal notices to pornographic website publishers.
• 19 September 2020 - Article 28 ter of Directive 2010/13 (Audiovisual Media Services Directive) becomes applicable to video-sharing platforms, explicitly listing age verification systems among appropriate protective measures for minors.
• 19 April 2021 - France publishes Decree No 2021-468 implementing Article L. 130-11 of the Highway Code, governing how geolocation navigation services must respond to roadside check suppression orders.
• 7 October 2021 - France publishes Decree No 2021-1306 setting technical conditions for age verification compliance by pornographic website operators under the Law of 30 July 2020.
• 9 November 2023 - CJEU rules in Case C-376/22 (Google Ireland and Others) that general and abstract measures aimed at a category of information society services do not qualify as measures "taken against a given information society service" under Article 3(4) of Directive 2000/31. PPC Land covered related DSA and e-Commerce Directive intersection issues.
• 11 April 2024 - Regulation 2024/1083 (European Media Freedom Act) published; Article 15 establishes structured cooperation for enforcement of obligations on video-sharing platform providers.
• 8 May 2025 - Article 15 of Regulation 2024/1083 becomes applicable ratione temporis.
• 18 September 2025 - Advocate General Szpunar delivers his opinion in Joined Cases C-188/24 and C-190/24 before the Grand Chamber, recommending the positions the court today largely adopted.
• July 2025 - UK Online Safety Act age verification enforcement begins, with X implementing age assurance in the same month.
• April 2026 - EU's own age verification application draws criticism for Google dependency and lack of mandatory implementation deadline.
• 16 June 2026 - CJEU Grand Chamber delivers judgment in Joined Cases C-188/24 and C-190/24, confirming member states can require age verification on foreign pornographic platforms under specific conditions, and ruling that algorithmic control of content distribution removes hosting liability protection.

Summary

Who: The Court of Justice of the European Union Grand Chamber, composed of fifteen judges including President K. Lenaerts, ruling on referrals from the French Conseil d'Etat. The applicants were WebGroup Czech Republic and NKL Associates (Czech-registered pornographic website operators) in Case C-188/24 and Coyote System (a French geolocation navigation service provider) in Case C-190/24.

What: The court clarified the conditions under which EU member states can impose age verification requirements on pornographic websites operated by service providers established in other member states. It confirmed that the e-Commerce Directive's coordinated field extends to criminal law and public policy measures, that a country cannot apply blanket general rules to foreign operators, but that it can issue individualised enforcement notices and require specific platforms to implement age verification systems where the proportionality and procedural conditions of Article 3, paragraph 4 of Directive 2000/31 are satisfied. The court also ruled that platforms using algorithms to determine content distribution conditions exercise control over that content and cannot claim hosting liability exemptions under Article 14.

When: The judgment was delivered today, 16 June 2026. The underlying national proceedings began after France's ARCOM issued formal notices in the period following the Decree of 7 October 2021. The Conseil d'Etat referred the questions on 6 March 2024. A joint hearing was held on 24 March 2025. The Advocate General delivered his opinion on 18 September 2025.

Where: The judgment was delivered in Luxembourg by the Court of Justice of the European Union. The underlying disputes arose in France, where national legislation required Czech-registered pornographic website operators and French-registered navigation service operators to comply with domestic regulations potentially in tension with EU internal market rules.

Why: The case mattered because the e-Commerce Directive's country-of-origin principle had left genuine uncertainty about whether member states could compel foreign platforms to implement protective measures for minors, particularly when the underlying obligation arose from general criminal law rather than targeted administrative action. The ruling resolves that uncertainty, giving national regulators a clearly mapped procedural route to enforce age verification against foreign platforms while preserving the internal market framework that limits regulatory fragmentation across the EU's 27 member states.