Across the European Union, age verification has become a central policy mechanism for protecting minors online. The European Commission is pursuing a harmonised approach that enables users to demonstrate they meet minimum age requirements for age-restricted services while preserving privacy and minimising personal data sharing. This work is closely linked to the Digital Services Act (DSA), which places binding obligations on online platforms to mitigate risks to children, including exposure to harmful or inappropriate content. But it builds on long-standing legal requirements under data protection laws (GDPR) and the Audio Visual Media Services Directive (AVMSD)
EU Policy Framework
The Commission has issued guidance under the Digital Services Act clarifying expectations for age assurance and child protection. This guidance:
- Encourages proportionate and risk-based age checks
- Emphasises privacy-preserving methods over intrusive identification
- Focuses on services that present higher risks to minors
At EU level, the policy direction is toward interoperable and standardised age verification solutions that operate across borders, avoiding fragmented national systems. The DSA guidance prefers age verification methods when compliance with EU law is required, but does tolerate estimation and inference approaches at this time, although has suggested this will not be permanent once technical means of age verification are more widely available.
Adult Content and Other Age-Restricted Services
Only adult websites that are deemed to be Very Large Online Platforms are directly regulated under the DSA by the European Commission. The majority of such sites are regulated for DSA purposes by the Member State in which they are established. But the DSA does, in effect, require age assurance for all adult sites. Previously, this would only be required based on domestic law, or in the absence of parental controls which were a permitted alternative under the AVMSD.
Social Media Platforms
The only current EU law applying generally to social media platforms is GDPR. This s
Chatbots and AI-Driven Services
ets a minimum age of 16 for giving consent under Article 8 to personal data being processed, otherwise parental approval is needed. Member states were given the discretion to reduce this age as low as 13, so the legal age varies.
There is a lot of recent debate both at the MS state and EU level, about a common minimum age for social media but no consensus has emerged either in support of any minimum or a particular age (15 and 16 are both often put forward)
AI chatbots are not regulated as a separate category under the Digital Services Act. Instead, they fall within scope where they perform the functions of an intermediary service, such as hosting or disseminating user-provided content. Chatbots that enable users to generate, store, or publicly share content may therefore be treated as hosting services or online platforms and must comply with the relevant DSA obligations, which are enforced primarily by the Member State in which the service provider is established. In parallel, the EU Artificial Intelligence Act imposes additional transparency and risk-management requirements on many generative AI systems, meaning that chatbot providers may be subject to both regulatory frameworks depending on how their services operate.
The EU Age Verification App (‘Blueprint’)
In 2025, the European Commission published an EU age-verification blueprint outlining a common technical framework for privacy-preserving age checks. Key features include:
- Confirmation that a user is above a specified age threshold without disclosing identity details to the service provider
- No transmission of underlying identity data to websites or platforms
- Design principles aligned with data minimisation and privacy by default
A prototype application based on this blueprint was commissioned, and is available for Member States to implement if they wish to do so.
The Commission has announced that this approach, based on OpenID for Verifiable Presentation (OPENIDVP) protocols is to be tested by five several Member States, including:
- Denmark
- France
- Greece
- Italy
- Spain
The system is open source and designed to allow national authorities to adapt it to existing national identity infrastructures.
The EU Digital Identity Wallet
All Member States must offer their citizens a European Digital Identity Wallet. This was not designed to enable anonymised age verification so would need its approved specifications amended to adapt it to be fit-for-purpose – and that is hard to do as these are now part of EU law through the Implementing Acts. That said, some member states may just add the functionality of the EU AV Blueprint to their EUDI wallets, rather than expect people to download two new apps.