Is the EU Age Verification App Ready for a Social Media Minimum Age?

June 12, 2026

The EU Age Verification App was initially designed with a specific purpose: to demonstrate to adult-only services – pornography platforms in particular – that there was a technically feasible, GDPR-compliant mechanism to implement an 18+ minimum age. And it succeeds in doing so, once the planned zero-knowledge proof functionality is in production. The architecture is privacy-preserving and the open-source blueprint is technically sound, delivering a proportionate level of age assurance for the use cases it was invented to address.

But “technically sound for its original purpose” is not the same as “ready to be the mandated mechanism for a new EU-wide social media minimum age.” As the debate in Brussels moves toward imposing age restrictions on social media platforms with thresholds of 15 or 16 on the table, the app is increasingly being cited as the obvious solution. Before that argument hardens into a mandate to use it as the only means of compliance, it is worth examining carefully whether the infrastructure behind it can comprehensively enable delivery of this new policy.

What the app requires

The EU AV App works by issuing a “proof of age attestation” – a cryptographic token confirming that a user is above a given age threshold – derived from a national digital identity credential, currently either a passport or the national eID database. Importantly, the threshold itself is just a configuration parameter: generating an attestation of “age 15 or over” rather than “age 18 or over” requires no architectural change to the app. That is genuinely good news.

The harder question is whether children of 15 or 16 who do not have access to a passport can use the national digital identity records that the app needs in order to issue the attestation. In most member states, that means an eID card with an NFC chip, a digital wallet, or a national identity app. These systems were built primarily for adults, and in many cases their extension to younger age groups is partial, recent, or dependent on a parent or guardian actively facilitating enrolment.

The picture across EU Member States

We have analysed the position in all 27 member states, and the results merit review before assuming “job done”.

  • In a number of member states – Denmark, Estonia, Poland, the Netherlands, Portugal, Finland, Sweden, Lithuania, Latvia, Spain, Austria, Luxembourg and Malta – the digital identity infrastructure reaches down to 15 or below, and enrolment can in most cases be completed remotely without an in-person visit. These are the states where the EU AV App could, in principle, be deployed relatively quickly for a 15 or 16 minimum age.
  • In a second group – Croatia, Czechia, Bulgaria and Hungary – the credential floor is low enough, but enrolment requires an in-person visit, typically to a municipal office or registry. Once a child has their eID card, the AV app works. But card issuance is a bottleneck. These systems were not designed to simultaneously onboard a cohort of several million children determined to retain their access to social media before a legal deadline, and municipal appointment capacity is already under pressure in most of these countries.
  • A third group – Belgium, Cyprus, Germany, Greece, Ireland, Romania, Slovakia and Slovenia – requires more substantive development work, particularly if 15 rather than 16 is chosen as the minimum age. Germany is illustrative: a 16-year-old can use the eID function on their Personalausweis cleanly, but securing the physical card in the first place requires an appointment at the local municipal authority, and a 15-year-old threshold would require a statutory amendment to the Personalausweisgesetz. Belgium’s itsme opens to 16-year-olds via bank branch onboarding, but there is simply no established pathway for a 15-year-old at present.
  • And then there are France and Italy, where the national wallet is hard-gated at 18 with no widely deployed or mature under-18 pathway. France’s beta test of a 15+ proof-of-age feature is, according to public statements, a test of the credential output, not a change to the enrolment gate: a 15-year-old still cannot obtain a France Identité attestation under the current architecture. Italy’s IT Wallet faces the same constraint, compounded by the fragmentation of issuance processes for CIE cards across more than 7,900 municipalities. In both countries, enabling sub-18 use of the app would require policy decisions, legislative or regulatory changes, new parental consent flows and significant system development.

Enrolment involving parents may restrict child rights

Across many member states, particularly for children at the lower end of the age ranges being discussed, a parent or guardian is a critical part of the enrolment process – either because the child cannot independently obtain a digital identity credential at that age, or because the enrolment procedure requires a parent to be physically present.

There is no proposal currently on the table in the EU for a parental consent requirement as a condition of social media access – that is a policy debate more often found in the USA, not a European concept. But if the EU AV App becomes the mandated mechanism and its enrolment process de facto requires parental involvement for a significant proportion of European children, then parental consent has been introduced inadvertently. A child whose parent is unwilling, unavailable or unable to engage with a municipal enrolment procedure is effectively denied access to social media regardless of their age – not because the policy intended that outcome, but because the implementation mechanism made it inevitable. That is a significant and underexamined rights issue for children without passports unless new enrolment routes are deployed that do not involve a parent.

Hardware capabilities may also restrict access

There is a further practical barrier that receives less attention than it deserves. The remote enrolment pathway using physical ID – which is the only pathway that scales – requires a smartphone with an NFC reader to scan the chip in an eID card or passport. In most systems this means an iPhone 7 or newer, or a mid-range Android with NFC capability. Budget Android devices, which are disproportionately common in lower-income households and among younger users who are using hand-me-down devices, frequently lack NFC. Where NFC is absent, the fallback is an in-person visit, which compounds rather than resolves the accessibility problem.

For a 16 or 17 year old from a lower-income family, the combination of no NFC-capable device and no practical access to a municipal appointment could mean effective exclusion from social media access above the minimum age, not because they are under age but because the verification infrastructure is inaccessible to them.

Digital sovereignty and platform dependence

A further consideration is digital sovereignty. The current EU Age Verification App is intended to be distributed primarily through the Apple App Store and Google Play. While this is an entirely practical approach for initial deployment, it also means that Europe’s official age verification infrastructure would rely operationally on two commercial mobile platform ecosystems outside the direct control of either the European Union or its Member States.

This is not a criticism of Apple or Google, nor is it unique to age verification. It is a broader question of resilience whenever public digital infrastructure depends upon privately controlled distribution channels and platform policies. If the EU AV App were simply one option amongst many, this dependence would be of limited significance. However, if it became the sole or mandatory mechanism for demonstrating age, the resilience of the entire system would become linked to those commercial ecosystems.

The European Union has consistently pursued greater digital sovereignty by reducing unnecessary dependence on external digital infrastructure and by encouraging open, competitive and interoperable markets. The same principles should apply to age assurance. Official European digital identity infrastructure should, over time, be capable of being obtained, restored and used through multiple trusted channels rather than depending upon a single method of distribution or access.

This reinforces a broader point: just as the EU should avoid making access to age-restricted online services dependent on possession of a passport, an NFC-enabled smartphone or the availability of a municipal enrolment appointment, it should also avoid creating unnecessary operational dependencies around a single application or distribution ecosystem. Resilience, competition and inclusivity are all strengthened when citizens have genuine choice in how they obtain and use age assurance services.

The EU AV App should be an option, but not the only option.

None of this is an argument against the EU AV App. It is a useful piece of infrastructure, built to a principled architecture, and it will be a valuable backstop option as part of the European age assurance landscape. The point is that it should not be mandated as the only mechanism.

To mandate the EU AV App as the sole route to demonstrating eligibility for social media access – or to removing age-based restrictions on functionality – would create significant and foreseeable limits on accessibility and inclusivity. It would entrench digital identity infrastructure gaps as social participation gaps. It would also concentrate risk around a single technical solution, with a number of single points of failure such as the Trusted Lists of issuers and apps, or the protocols on which this one solution is built. And it would effectively impose policy outcomes – parental involvement, device requirements, in-person procedures – that no one has explicitly debated or decided.

And one more point – equally effective estimation and inference should be permitted alongside traditional verification

We continue to argue that the Commission’s guidance on implementing Article 28 of the Digital Services Act, and by extension any new policy on social media minimum ages, should embrace highly effective age estimation techniques where these are proven to deliver accurate and reliable outcomes comparable to those of traditional age verification methods, primarily on the grounds of inclusivity.

The Commission’s current reluctance to recognize estimation rests on a category error: the belief that estimation cannot produce a binary yes/no determination with the same legal certainty as a credential-based check. But this distinction does not hold under examination, mainly because it overlooks the “binding problem.” Document verification inherently requires an additional, separate step to biometrically bind a user to the data they are presenting (e.g., performing a facial match to prove a child didn’t just borrow their older sibling’s passport). This separate binding step is not required for estimation because the process relies entirely on inherent features of the user themselves – their face, voice, or physiological traits. Both estimation and verification are subject to error. As the Australian Age Assurance Technology Trial found, a strong facial estimation algorithm utilizing a sufficient buffer age can equal or beat the accuracy of a document check in real-world conditions. To treat one as always superior in policy is not supported by the evidence.

Furthermore, this aversion is often driven by fears of biometric profiling under the EU AI Act. However, modern privacy-preserving age estimation, which processes data ephemerally (such as in-RAM cloud processing) or on the user’s own device and immediately destroys both the image and the temporary facial geometry map, does not perform persistent biometric identification or categorization. The Act explicitly differentiates this from high-risk or prohibited practices when used strictly to protect minors from harmful content.

This matters because by excluding estimation from the EU AV App ecosystem, there is a massive negative impact on inclusivity. A technically excellent age estimation system with high accuracy deployed across 100% of users provides a more comprehensively usable child protection solution than a credential-based system that only reaches 60% because the remaining 40% lack the required device, the physical document or an accessible municipal enrolment pathway.

By excluding estimation and related, demonstrably proven inference methods such as email address and mobile number metadata analysis, the Commission is not upholding a higher standard. It is exacerbating the inclusivity and accessibility problems it cares deeply about, while leaving a significant proportion of European citizens who meet legal age limits either excluded from age-appropriate participation or pushed toward circumvention and non-compliant platforms.

The answer – choice for EU citizens

The EU AV App can play a genuine role in the age assurance ecosystem. It should be promoted, supported and made available as one option. For any legally mandated online age restriction, the EU should prioritise giving its citizens choice and set technologically neutral, outcome-based regulation and guidance. The question regulators should be asking is not “which technology?” (or, even worse, “which EU-approved app?”) but “what level of accuracy, reliability and accessibility does the outcome require?” Any method that meets that bar – whether credential-based, estimation-based, or inference-based – should be permitted.

The children who most need protection from the harms of unregulated social media access are often the same children who will find the EU AV App hardest to access. That is a problem that the EU and private sector enterprises can solve together through standards and choice.

 

EU AV App Adaptation for Sub-18 Age Thresholds: Member State Readiness

Notes:

  1. The EU AV app threshold is configurable by design — an attestation of age ≥ 15 or age ≥ 16 requires no architectural change. The substantive question for each member state is whether a child of that age holds an enrolment credential the app can read, and whether the wallet layer itself is gated at 18.
  2. Ordered by practical rollout feasibility. Technical and legal development requirements are noted but treated as secondary to enrolment friction.
  3. Research is based on published information. We have not asked Member States about any unpublished plans or activities, and we will update this research if we receive authoritative new information.

TIER 1 — Ready: Remote Enrolment, No System or Legal Changes Required

Children can enrol from home without an in-person visit. Threshold configuration is the only change needed.

| Member State | eID Wallet / App | Wallet Min Age | Can 15-16yo Enrol? | Enrolment Mode | Route | Min Age | Min Age w/ Parent | Min Smartphone Requirement | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Denmark | MitID | 13 | Yes | Remote — self-service | 13+ via passport NFC chip scan in MitID app, or in-person at Citizen Service as fallback; no parental involvement required | 13 | N/A | NFC reader required (iPhone 7+ or NFC Android); Citizen Service fallback if no NFC | Highest practical readiness. Fully remote, no parental step, passport chip scan from home. Citizen Service fallback means non-NFC devices are not a hard blocker. |
| Estonia | mRiik Wallet App | 13 | Yes | Remote — self-service | Smart-ID available from age 7 with parental setup; 13+ independently; fully automated via live Rahvastikuregister (Population Register) | 13 | 13 | NFC reader for eID card setup; Smart-ID app otherwise runs on standard smartphone | Fully automated. Live population register reflects guardianship changes dynamically. One of the most scalable architectures in the EU. |
| Poland | mObywatel App | 13 | Yes | Remote — self-service | 13+ independently via minor identity card; PESEL (Universal Electronic System for Registration of the Population) registry provides instant automated link | 13 | N/A | NFC reader required for e-dowód chip verification (Android 8.0+ or iOS 16+) | Remote, independent, no parental step. PESEL linkage is instant. NFC required from January 2026 for identity verification via e-dowód. |
| Netherlands | EDI-Wallet / DigiD | 14 | Yes | Remote — self-service | 14+ with DigiD login via BRP (Personal Records Database) registration; BRP automated crosscheck | 14 | 13 | No NFC required for standard DigiD login (username/password + SMS); NFC needed only if using DigiD with ID card | Straightforward remote enrolment at 14+. BRP crosscheck is automated. School proxy available for failed links. |
| Finland | Finnish Digital Wallet | 15 | Yes | Remote — parental step required for under-15 | 13-14 via bank eID with parental involvement; 15+ independently via bank eID; DVV (Digital and Population Data Services Agency) guardian database provides automated link | 15 | 13 | No NFC required; bank eID uses app-based authentication | 15+ is fully remote and independent. Under-15 requires a parental digital step but no in-person visit. DVV guardian database is live and automated. |
| Sweden | Swedish EUDI Wallet | 13 | Yes | Remote — parental authorisation required for under-18 | 13+ via Freja eID or BankID with parental authorisation; Skatteverket (Swedish Tax Agency) automated sync or bank audit fallback | 18 | 13 | No NFC required; BankID and Freja eID use app-based authentication | Parental authorisation required for all under-18s but completed digitally. Skatteverket sync is automated. The parental step is a friction point but not an in-person barrier. |
| Lithuania | mID / National Wallet | 14 | Yes | Remote — self-service | 14+ via physical identity card on VIISP portal; State Centre of Registers provides automated link | 14 | 13 | NFC reader required for eID card chip reading | Remote independent enrolment at 14+. Live registry crosschecks automated. Court order requirement for non-standard guardianship is a manageable edge case. |
| Latvia | eParaksts Mobile | 14 | Yes | Remote — self-service | 14+ independently via identity card; PMLP (Office of Citizenship and Migration Affairs) database provides automated link for under-14s | 14 | 13 | NFC reader required for eID card chip reading | Remote independent enrolment at 14+. PMLP automated lookup handles parent linkage. Notary requirement for unlinked relationships is an edge case. |
| Portugal | id.gov.pt Wallet | 12 | Yes | Remote — self-service | 12+ via Citizen Card with NFC phone reader; unified civil and tax registry; Instituto dos Registos for guardian changes | 12 | N/A | NFC reader required for Citizen Card chip reading | Lowest independent enrolment floor in the EU at 12. Unified civil and tax registry infrastructure is robust. |
| Spain | Cartera Digital | 14 | Yes | Remote — self-service; parental token for under-14 | 14+ via DNIe (Electronic National Identity Document) card; under-14 via parent 30-day token through Cl@ve portal Registro Civil query | 14 | 13 | NFC reader required for DNIe chip reading | Remote independent enrolment at 14+. The 30-day token expiry for under-14s is operationally cumbersome for a live AV scheme. Foreign-born minors without an electronic record require manual passport submission. |
| Austria | eAusweis / ID Austria | 14 | Yes | Remote — self-service | 14+ independently at registry office; 13 via parent proxy through ZMR (Central Population Registry) automated link | 14 | 13 | NFC reader required for eID card chip reading | Straightforward threshold change. ZMR provides robust automated parent-child linkage. Initial registry office enrolment may require a one-time in-person visit. |
| Luxembourg | GouvID App | 15 | Yes | Remote — parental token for under-15 | 15+ independently; 13+ via parental token link; automated CTIE (State Information Technology Centre) population lookup | 15 | 13 | NFC reader required for identity card chip reading | 15+ works cleanly. Sub-15 parental route is digitally mediated via CTIE automated backend. Cross-border families require manual upload — a minor gap. |
| Malta | myGovmt Wallet | 14 | Yes | Remote — self-service | 14+ via e-ID credentials; Identita Agency centralised database handles under-14 lookup | 14 | 13 | NFC reader required for e-ID card chip reading | Remote independent enrolment at 14+. Centralised Identita database. Foreign resident manual route is a minor edge case. |

 

TIER 2 — Ready: In-Person Enrolment Required (Scalability Risk)

Credential floor covers 15-16 but enrolment requires at least one in-person visit. No system or legal changes needed, but appointment capacity constrains rollout speed.

| Member State | eID Wallet / App | Wallet Min Age | Can 15-16yo Enrol? | Enrolment Mode | Route | Min Age | Min Age w/ Parent | Min Smartphone Requirement | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Croatia | Certilia / e-Osobna | 15 | Yes | In-person for initial eOI card; remote thereafter | 15+ independently via eOI (Electronic Identity Card); under-15 via e-Gradani portal with Matica rodenih (Registry of Births) digital registry link | 15 | 13 | NFC reader required for eOI chip reading | Once the eOI card is issued (one-time in-person visit), subsequent AV use is remote. Matica rodenih digital linkage is robust. |
| Czechia | eDoklady App | 15 | Yes | In-person for initial ID card; remote thereafter | 15+ independently via identity card; under-15 via parent portal with automated Rob (Registry of Rights and Duties) registry link | 15 | 13 | NFC reader required for eID chip reading | In-person for card issuance, remote for AV use. Rob registry automated linkage for under-15s is a genuine asset. |
| Bulgaria | BGID Wallet | 14 | Yes (14+) | In-person with parent | In-person registration at interior ministry office with parent | 14 | N/A | NFC reader likely required for eID chip; standard smartphone otherwise | Credential floor covers 15-16 but entire enrolment is in-person with no digital or remote pathway. No digital family registry; paper birth certificate required for parent link. |
| Hungary | DAP App | 14 | Yes (14+) | In-person with parent | In-person Kormanyablak (Government Window) visit with parent; clerk-based audit | 14 | N/A | Standard smartphone; NFC likely required for DAP credential reading | Credential floor covers 15-16 but enrolment is entirely in-person. Clerk-based audit with no digital family tree. Queue and appointment availability is a real constraint at scale. |

 

TIER 3 — Requires Some Development: Building Blocks in Place

Enrolment pathway exists at 15-16 in most cases but gaps in coverage, integration, scalability or legal provisions require addressing before deployment at scale.

| Member State | eID Wallet / App | Wallet Min Age | Can 15-16yo Enrol? | Enrolment Mode | Route | Min Age | Min Age w/ Parent | Min Smartphone Requirement | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Belgium | itsme | 16 | Yes at 16; no route at 15 | In-person at bank branch for initial setup | 16-17 year olds can create an itsme account via bank branch onboarding (bank scans eID card); no automated or remote route at 15 | 16 | 13 | No NFC required for itsme app use; NFC used at bank branch during setup | 16 works but requires physical bank branch visit. No pathway at 15 — new process required. The eID signature certificate only activates at 18, which is why the bank route was created for 16-17 year olds. |
| Cyprus | CYeID Wallet | 15 | Yes at 15 | In-person at KEP with parent | In-person KEP (Citizen Service Centre) visit with parent required for all minors; no digital proxy | 15 | 15 | Standard smartphone; NFC likely required for CYeID credential reading | Accessible at 15 but requires in-person KEP visit with parent present. No remote or digital proxy capability. KEP office capacity is a scalability constraint. |
| Germany | EUDI-Wallet / BundID | 16 | Yes at 16; no independent path at 15 | In-person at municipal authority to activate eID at 16 | eID function on Personalausweis (National Identity Card) activates at 16 and must be enabled at the local municipal authority; under-16 cards are issued but eID is statutorily disabled | 16 | 13 | NFC reader required for Personalausweis chip reading | 16 works but requires a municipal office visit to activate the eID function. A 15+ threshold requires amending the Personalausweisgesetz (National ID Card Act). BundID is a portal layer on top of the Personalausweis eID, not a separate minor provision. |
| Greece | Gov.gr Wallet | 15 (via tax profile) | Nominally yes at 15, but route is unreliable | Remote but structurally weak | Parent must claim child as a tax dependent on their active Taxisnet (Tax Registry Network) profile; no live civil registry linkage | 15 | 15 | Standard smartphone; NFC not required for Taxisnet-based authentication | Technically reachable at 15 but the tax-dependent proxy is an unreliable foundation for a regulated AV scheme. Robust deployment requires civil registry integration. |
| Ireland | Gov.ie Digital Wallet | 16 | Yes at 16 | In-person for PSC; manual digital step for sub-16 | 16+ apply in person for a Public Services Card at an Intreo (Public Employment and Welfare Service) office; under-16 parent-linked via manual PPS number input triggering a background check | 16 | 15 | Standard smartphone; NFC not required for MyGovID login | 16 works via in-person PSC. Sub-16 route hindered by silo between the General Register Office and MyGovID — integration work needed. |
| Romania | ROeID Wallet | 14 | Yes at 14 | Remote but unscalable (video call) | 14+ via video validation using minor identity card; under-14 fully blocked; parental link requires holding physical birth certificate to camera during a live video call | 14 | 13 | Standard smartphone with front camera; no NFC required for video validation route | 14+ video validation works but is operationally unscalable for mass deployment. No digital family registry exists. The under-14 video birth certificate method is particularly fragile. |
| Slovakia | Slovensko.sk Wallet | 15 | Yes at 15 | In-person for initial card; remote thereafter | 15+ via electronic national identity card (Obciansky preukaz with chip) and security PIN; REGOB (Register of Inhabitants) registry query; system hard-blocks minors not electronically mapped to a parent | 15 | 13 | NFC reader required for chip ID card reading | 15+ works in principle but REGOB mapping completeness is a real operational risk — unmapped parent-child relationships cause hard blocks. Scale deployment requires a REGOB audit and remediation programme first. |
| Slovenia | halcom / e-Osebna | 15 | Yes at 15 | In-person for initial card; in-person with custody papers for under-15 | 15+ via physical identity card; under-15 requires in-person visit to local administrative unit with physical custody papers presented to a state agent | 15 | 13 | NFC reader required for identity card chip reading | 15+ enrolment is functional but the portal cannot process digital relationship signatures, making the under-15 route entirely in-person and administratively heavy. |

 

TIER 4 — Needs Significant Effort: Legal, Procedural and System Changes Required

Wallet enrolment is hard-gated at 18. Sub-18 deployment requires opening the wallet to minors, new parental consent frameworks, and likely legislative or policy decisions.

| Member State | eID Wallet / App | Wallet Min Age | Can 15-16yo Enrol? | Enrolment Mode | Route | Min Age | Min Age w/ Parent | Min Smartphone Requirement | Notes |
|---|---|---|---|---|---|---|---|---|---|
| France | France Identite App | 18 | No | N/A — wallet hard-gated at 18 | Hard-gated at 18. A 15-16 year old cannot independently enrol. A beta test of 15+ and 18+ proof-of-age attestations is underway but this is a proof-of-age output feature, not a change to the 18+ enrolment gate. | 18 | N/A | NFC reader required for biometric CNI card reading (iPhone 7+ or NFC Android) | Production architecture is hard-gated at 18. The 15+ beta tests credential output only — the enrolment gate remains 18+. Sub-18 deployment requires opening France Identite enrolment to minors, a new parental consent framework, and likely a policy or legislative decision. |
| Italy | IT Wallet (IO App) | 18 | No | N/A — wallet hard-gated at 18 | Hard-gated at 18. CIE (Electronic Identity Card) cards are issued to all ages but the wallet enrolment layer rejects under-18s; no current under-18 enrolment pathway exists. | 18 | N/A | NFC reader required for CIE card reading | Entirely restricted to adults. CIE issuance to all ages is irrelevant while the wallet enrolment layer blocks under-18s. Enabling sub-18 thresholds requires wallet modifications, a new parental consent flow, and engagement with 7,900+ fragmented municipal CIE databases. |