The European Commission today adopted a formal recommendation on age verification - and the most important thing about it is what the Commission is not doing. Having spent months building a technical solution from scratch, contracting Scytales and T-Systems to develop open-source software, publishing a blueprint on 14 July 2025, and declaring that solution feature-ready on 15 April 2026, the Commission has now stepped back. The actual deployment - getting the app into the hands of citizens across 27 different countries, each with its own national eID systems, app store processes, bureaucratic timelines, and political priorities - falls to the Member States. The deadline is 31 December 2026.
That is eight months away. And the instrument used to set it is a recommendation, not a regulation. Member States are urged, encouraged, and called upon. They are not legally compelled.
A non-binding push to 27 governments
The distinction matters enormously. The Digital Services Act, which became fully operational on 17 February 2024, is binding law. Its Article 28(1) requires platforms accessible to minors to ensure a high level of privacy, safety, and security. The age verification recommendation announced today is a different instrument entirely. According to the Commission's published documentation, it "lays down the actions the Commission encourages Member States to take." That language - encourages - reflects the limits of what a recommendation can do under EU law.
The actions Member States are encouraged to take include making use of the EU age verification blueprint, which can be customised to each Member State's needs and integrated with the European Digital Identity Wallets. They are also asked to draw up implementation plans to ensure swift adoption, to work together with their Digital Services Coordinators, other Member States, the Commission, researchers and civil society in the rollout of their national solutions, and to ensure compliance with all relevant cybersecurity standards through independent third-party scrutiny.
The Commission will, for its part, set up an EU Age Verification Scheme - a governance framework outlining requirements for providers of proof-of-age attestations and age verification solutions. Two lists will follow: one of age verification solutions meeting the EU's privacy and security standards, and one of trusted providers of proof-of-age attestations. These providers can verify a user's age through onboarding mechanisms such as eIDs, passports, or physical ID cards. But the Commission building a list of trusted providers does not put a working app on anyone's phone. That step still depends on national governments.
Seven frontrunners - and the other twenty
The Commission is currently working with seven self-selected frontrunner countries: Cyprus, Denmark, France, Greece, Ireland, Italy, and Spain. According to its documentation, the Commission "hopes to see" those countries sharing the app with their citizens soon. The word "hopes" is doing considerable work in that sentence. The remaining twenty Member States have no stated timeline beyond the end-of-year target that the recommendation sets but cannot enforce.
The history of similar EU digital deployments is instructive here. The EU Digital Identity Regulation - which requires Member States to offer at least one free EU Digital Identity Wallet to residents by the end of 2026 - is a binding instrument, yet progress across Member States has been uneven. The age verification app is designed to be interoperable with those future wallets, and is built on the same technical specifications. If wallet rollout slips - and it has been slipping in several Member States - the age verification layer built on top of it also slips. What the Commission has created is not one system but a dependency chain running through 27 separate national administrations.
The BVDW, Germany's digital advertising industry association, published a position paper in February 2026 arguing that age verification alone is insufficient and that media literacy must accompany any technical protection systems. That argument implicitly acknowledges the gap the recommendation leaves: even if Member States deploy the app on schedule, it reaches only users who download it, who set it up, and who use it when prompted. None of those steps are automatic.
What the technology actually does
The technical case for the Commission's solution is genuine. The app is built on zero-knowledge proof technology - described in the Commission's FAQ documentation as a "golden standard in privacy protection." When a user opens an age-restricted website or service, the app sends a single binary signal: for example, "Age over 18: true." Nothing else. No name, no date of birth, no browsing history, no identity. The platform receives only the answer to a single question and nothing more.
Setting up the app requires a one-time certification step. According to the Commission's documentation, users can certify their age through a biometric passport or ID card, a national eID, a pre-installed third-party application such as a banking app, or an in-person process at a location such as a post office. Only the confirmation that the user exceeds a certain age threshold is stored. Once that step is complete, the communication between the app and the certifying source ends. No further data is exchanged. The source that verified the age - whether a government eID provider or a bank - cannot subsequently track the user's online activity.
The solution also prevents cross-site tracking. According to the Commission's documentation, transactions by the same user are not linked. The app leaves no trace of which websites the user has visited. The solution is also adaptable: it can prove age ranges other than 18+, including 13+ for younger teens or 65+ for services offering discounts to retirees.
The app is also referred to internally as the "mini wallet." It uses the same cryptographic architecture as the European Digital Identity Wallets being rolled out across Member States, ensuring that once those wallets arrive, age verification functionality integrates directly rather than remaining a permanently separate system.
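An added sketch of the single-signal disclosure and unlinked transactions described above; it is not the Commission's code and does not use zero-knowledge proofs. It swaps in salted-hash selective disclosure with a batch of single-use attestations, and the claim names, the HMAC stand-in for the provider's signature and all function names are assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed key. HMAC stands in for the provider's signature; a real
# scheme is asymmetric, so the platform could verify but never issue.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims, batch=2):
    """Provider: a batch of single-use attestations, each with fresh salts."""
    batch_out = []
    for _ in range(batch):
        salts = {n: secrets.token_bytes(16) for n in claims}
        # Sorted so digest position does not reveal which claim it covers.
        digests = sorted(_digest(salts[n], n, v) for n, v in claims.items())
        batch_out.append({"digests": digests, "tag": _tag(digests),
                          "salts": salts, "claims": dict(claims)})
    return batch_out

def present(attestation, name):
    """App: disclose one claim and its salt; the rest stay opaque digests."""
    return {"digests": attestation["digests"], "tag": attestation["tag"],
            "name": name, "value": attestation["claims"][name],
            "salt": attestation["salts"][name].hex()}

def verify(p, required):
    """Platform: True only if an authentic attestation discloses required=True."""
    if not hmac.compare_digest(_tag(p["digests"]), p["tag"]):
        return False
    if p["name"] != required or p["value"] is not True:
        return False
    return _digest(bytes.fromhex(p["salt"]), p["name"], p["value"]) in p["digests"]

def linkable(p1, p2):
    """True if two presentations share any value a platform could correlate."""
    return (p1["tag"] == p2["tag"] or p1["salt"] == p2["salt"]
            or not set(p1["digests"]).isdisjoint(p2["digests"]))

if __name__ == "__main__":
    claims = {"age_over_13": True, "age_over_18": True, "age_over_65": False}  # constructed
    first, second = issue(claims)
    site_a, site_b = present(first, "age_over_18"), present(second, "age_over_18")
    print(verify(site_a, "age_over_18"), linkable(site_a, site_b))
    print(linkable(site_a, present(first, "age_over_18")))  # reuse is linkable
```

In this sketch, presenting the same attestation at two sites is linkable, which is why the provider hands out a batch and each one is used once.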
The Google Play Integrity problem - resolved or not?
The Commission's technical journey to this point has not been without friction. When the blueprint was first published on 14 July 2025, the prototype drew sharp criticism from privacy advocates and open-source developers. The Android version of the app was built to require Google's Play Integrity API, which checks whether the operating system is licensed by Google and whether the app was downloaded from the Play Store. Users of alternative Android systems - including open-source distributions that do not use Google's certification infrastructure - would be rejected by the age verification service entirely, even if using a compiled version of the same open-source code.
Critics pointed to the Dutch Yivi system as proof that effective age verification does not require dependency on American platform infrastructure. One developer comment published on GitHub at the time put the tension sharply: the European Commission had simultaneously been pursuing Google for anticompetitive practices under the Digital Markets Act while building a citizen identity service that required Google's approval to function.
Whether the feature-ready version published on 15 April 2026 has addressed that dependency is not stated in today's documentation. The recommendation focuses on governance and deployment, not on changes to the underlying technical architecture. That question remains open - and it matters for Member States that need to submit apps to both Apple's and Google's stores while also meeting quality control and security requirements imposed by those same platforms.
What the Commission has - and has not - done on enforcement
The Commission's approach to the age verification gap is, in many ways, consistent with its broader digital policy pattern. It designs standards centrally - sometimes very good ones - and then relies on Member States to implement them, with non-binding instruments as the primary lever.
Compare this with the DSA, where the Commission does hold direct enforcement power over Very Large Online Platforms. As PPC Land has tracked extensively, the Commission has issued preliminary breach findings against TikTok and Meta for transparency violations, fined X 120 million euros in December 2025 for advertising repository failures, and opened formal proceedings against multiple platforms under the DSA. That enforcement machinery exists because the DSA is a regulation. The age verification recommendation has no equivalent mechanism. There is no fine for a Member State that misses the 31 December 2026 deadline.
The DSA itself, meanwhile, already requires platforms to address minors' access to harmful content. According to the Commission's documentation, guidelines published last July under the DSA recommended the use of effective age assurance methods that are accurate, reliable, robust, non-intrusive, and non-discriminatory. Those guidelines recommended using age verification to restrict access to pornography, gambling, and alcohol purchasing, or where national rules set a minimum age. The statistics underpinning the urgency are significant: according to Commission data, 24% of 14 to 17-year-olds in six EU countries report seeing pornographic content at least once per week. A 2025 survey cited in the Commission's documentation found that 9 in 10 Europeans agree urgent action is needed to protect children online, with 92% citing cyberbullying and 93% citing the negative impact of social media on mental health.
The EDPB's Statement 1/2025, adopted on 11 February 2025, established strict data protection principles for age verification systems, including that such systems must not enable additional tracking or profiling. Today's recommendation is aligned with those principles. The EDPB's Guidelines 3/2025, adopted on 11 September 2025, subsequently addressed the intersection between DSA compliance and GDPR requirements - the area where advertising targeting restrictions for minor audiences become most technically complex. Neither of those instruments can compel Member States to deploy the app either.
The advertising and marketing implications
For publishers and advertisers operating in the EU, the current situation is one of regulatory aspiration outpacing operational infrastructure. The DSA bans targeted advertising to minors. Platforms must comply. But the mechanism for reliably identifying which users are minors - at least for those accessing age-restricted content - remains incomplete until Member State deployment catches up with the Commission's blueprint.
A verified proof-of-age signal from the EU app would change that calculus significantly. Platforms receiving a verified "Age over 18: true" attestation would have a technically defensible basis for serving age-appropriate content and advertising. The absence of that signal - whether due to a user being under the threshold or simply not having completed verification - would provide a clear technical trigger for applying content and advertising restrictions. This moves compliance from probabilistic inference to binary verification.
Germany's Sparkasse and Google announced a partnership on 1 July 2025 that demonstrated how bank-issued credentials could serve as proof-of-age through zero-knowledge proof cryptography and Google's Credential Manager API. That deal covered Germany through a private infrastructure. The Commission's blueprint covers all 27 Member States through a public one - in theory. The gap between the theory and the 31 December 2026 deployment deadline will be filled, or not, by 27 national governments acting independently, each at their own pace, under a recommendation they are free to follow slowly or not at all.
Meanwhile, the UK implemented mandatory age verification for adult content under its Online Safety Act on 17 January 2025, triggering a 1,400% surge in VPN signups according to Proton VPN data. The EU is attempting a technically superior and more privacy-preserving alternative to the UK's approach. Whether it arrives on schedule depends entirely on the 27 governments the Commission has just handed the work to.
Timeline
- June 2021 - European Commission proposes the European Digital Identity (eID) framework, setting a 2030 target of 80% eID adoption among EU citizens
- 17 February 2024 - Digital Services Act becomes fully operational for all EU platforms; Article 28(1) requires platforms accessible to minors to ensure high privacy and safety standards
- 17 January 2025 - UK implements mandatory age verification under the Online Safety Act, triggering a 1,400% VPN signup surge
- 11 February 2025 - European Data Protection Board adopts Statement 1/2025, establishing GDPR-compliant principles for age verification systems, including a prohibition on additional tracking or profiling
- 1 July 2025 - Sparkasse and Google announce the first national wallet-based digital age verification service in the EU, using zero-knowledge proof cryptography through a private banking infrastructure
- 14 July 2025 - European Commission publishes the blueprint for an EU age verification solution, contracting Scytales and T-Systems to develop the open-source app
- 30 July 2025 - EU age verification prototype draws criticism for requiring Google's Play Integrity API, effectively excluding non-Google Android systems
- 11 September 2025 - EDPB adopts Guidelines 3/2025, clarifying how DSA compliance intersects with GDPR obligations for advertisers targeting audiences that include minors
- 22 February 2026 - Germany's BVDW publishes a position paper arguing that media literacy must accompany technical age verification, citing a Civey survey of 2,500 people conducted 3-4 February 2026
- 15 April 2026 - EU age verification solution declared feature-ready; available for customisation by Member States and market players
- 29 April 2026 - European Commission adopts formal recommendation urging Member States to deploy the app by 31 December 2026; Commission announces the EU Age Verification Scheme governance framework
Summary
Who: The European Commission, addressing all 27 EU Member States. Seven frontrunner countries - Cyprus, Denmark, France, Greece, Ireland, Italy, and Spain - are expected to act first. The recommendation affects online platforms, publishers, advertisers, and citizens across the EU.
What: A non-binding formal recommendation establishing a common EU-wide framework for anonymous, zero-knowledge-proof age verification technology aligned with the European Digital Identity Wallet. The Commission also announced the EU Age Verification Scheme governance framework, a list of trusted age verification solutions, and a list of trusted proof-of-age attestation providers. Crucially, the instrument is a recommendation, not a regulation: Member States are encouraged but not legally compelled to deploy by the deadline.
When: The recommendation was adopted on 29 April 2026. The target deployment deadline is 31 December 2026. The underlying technical solution became feature-ready on 15 April 2026, two weeks before today's announcement.
Where: Across the European Union. The app will be deployable as a national standalone application or integrated into national European Digital Identity Wallets. Seven frontrunner Member States are expected to lead initial rollout.
Why: The Commission designed a technical solution it believes is the most privacy-preserving age verification system available - but its legal tools for compelling 27 governments to deploy it are limited. The recommendation reflects the gap between what the Commission can build and what it can mandate. With 24% of 14 to 17-year-olds in six EU countries reporting weekly exposure to pornographic content, and a 2025 survey showing 9 in 10 Europeans wanting urgent action on child online safety, the urgency is clear. Whether the non-binding deadline produces coordinated results or a fragmented patchwork of national rollouts - or no rollout at all from some Member States - will be answered over the next eight months.