In spite of a great deal of legislation implying or explicitly requiring age assurance within the European Union, for the past few years, the Commission has not been clear about its vision for how this should be implemented. This has now changed, with two recent announcements of ambitious plans for age assurance, notably through a further largescale pilot of the proposed EU Digital Wallet (eIDAS 2.0) and an interim open-source Age Verification App. These two initiatives present both opportunities and challenges for the age assurance industry and its clients.
The EU Digital Wallet: Ambition Meets Reality
The leadership of the European Commission has for several years now envisioned the EU Digital Wallet as the primary solution for age verification across Member States. While this initiative aims to enhance digital identity management in general, significant hurdles must be addressed before it can be applied, particularly for sensitive use-cases such as those involving children’s data or access to adult content, to age verification:
- Timeline Concerns: The Digital Wallet is not expected to be available until 2026. With current laws already requiring age protection for children, the urgency is palpable. The Commission has already initiated the first steps towards enforcement action against major platforms such as Meta, Twitter, and TikTok, in large part due to concerns about their child protection measures and reluctance to adopt comprehensive and effective age assurance mechanisms.
- Design Debates: Ongoing discussions between Member States about the wallet’s design could now delay its Implementing Act, further pushing back deployment if the current Architecture and Reference Framework is substantially altered. And the outcome of those talks could even make the wallet less fit-for-purpose for age verification use-cases.
- Adoption Challenges: The transition to the Digital Wallet will take time, and not all citizens will embrace this technology, undermining its ability to be a silver bullet single solution for age verification.
- Current Legal Requirements: Under GDPR and the Audio Visual Media Services Directive, age assurance is arguably already also mandated for individuals under 18. There are currently no plans for the immediate rollout of Digital Wallets to minors in every Member State, so it leaves a significant gap (currently being filled by age estimation solutions, whose role in a vision based on the wallet is unclear).
- Technical Limitations: Experts have raised concerns regarding the wallet’s capacity to provide anonymous age verification, a key requirement for certain data protection authorities, notably in France and Spain. The wallet is fundamentally designed for identity verification, which may compromise user privacy. It is based on the ITU’s x509 protocol which was not designed to achieve a proof which is tracking and trace resistant, i.e. the adult site cannot identify the user, and the process does not allow the user’s choice of sites to be recorded.
In response to these challenges, the EU is commissioning a large-scale pilot to explore how the wallet can be effectively utilized for age verification. However, this may necessitate design modifications that could further delay the readiness of the wallet for the more sensitive use-cases across Member States.
The EU’s Interim Age Verification App
Recognizing the pressing need for immediate solutions, the EU has now also issued a call for tenders for an Age Verification App. This open-source software will allow Member States to white label the technology and adapt it for their specific needs. This is a welcome development, although there are opportunities to build on the very detailed specification set out in the tender documentation and some challenges:
- The app will read physical national ID cards and leverage other methods of age verification, such as open banking, before it pseudonymously confirms age for websites and apps. It is not clear how it would enable the use of age estimation solutions, which have proven highly popular with some users.
- Just 5% of the effort envisaged is earmarked to make the solution double-blind, in compliance with the requirements of the French regulators, CNIL and Arcom, and the spirit of demands from the Spanish AEPD, and this is an optional addition to the functionality with no decision taken as to whether to implement it. That may not satisfy these regulators, or even cause tension with the European Data Protection Board, which is working on its own principles in this field.
- While the app aims for a Q2 2025 release, contracts may not be finalized until April 2025, potentially delaying access to effective age verification solutions to the point that its value as an interim solution is eroded by the arrival of the EUDI Wallet.
- That said, whether it is intended to be interim is questioned by the inclusion of an aspirational requirement that it should not only deal with 18+ use cases, but also those for children of younger ages and even “65+”. It is not yet clear how the age of children could be checked given the age verifiicaton methods envisaged, but it is feasible to enable age-ranges determined through estimation techniques to be incorporated into this ecosystem.
- The app is to be designed as open source, but it will be for each Member State to decide to implement a white label version of this. There is no indication of how the commercial model is expected to operate, so it may be that governments will need to fund the development, maintenance and support to users and relying parties. That could dampen enthusiasm by cash-strapped Member States to adopt this approach, particularly if it is seen as only a temporary answer until the EUDI wallets take over.
We do see a need for an orchestration layer in the technology stack for age assurance, and if this app is intended to fill that gap while still maintaining an open and competitive market in age assurance services (both verification and estimation), it will be a big step forward. In fact, the non-profit euCONSENT has recently begun to build a proof of concept for a tokenized AgeAware app that quite possibly meets most of the requirements set out in the tender. Sadly, the qualification criteria for this tender mean only very few large companies with a track record of developing apps for EU Member States can bid, but we hope there may be the opportunity for collaboration.
Where does this leave Age Verification in Adult Content in the EU
The demand for action is primarily driven by Member States who want to prevent children seeing pornographic content online. But the legal framework surrounding age verification for adult content in Europe remains fragmented. There are currently no unified EU regulations governing all pornographic sites. Very Large Online Platforms (VLOPs) must adhere to age assurance under the Digital Services Act (DSA), while smaller sites are regulated at the discretion of national regulators. Those operating outside the EU may be in scope for some domestic legislation within a member state. Indeed, several EU states have implemented domestic laws requiring age verification for adult content, and developed detailed regulations and even built technological solutions, as they seek to fill the regulatory gap left by the EU.
Given this still confused picture, waiting for comprehensive EU legislation on age verification for all adult content providers may not be a viable strategy for the rest of Europe. Given France and Germany have already taken unilateral action, and others may follow suit.
The pathway towards an effective age assurance solution, if it is to be delivered centrally by the EU’s institutions, is fraught with complexity. While the EU Digital Wallet and the interim Age Verification App are promising developments, they are not immediate solutions. Yet, the private age verification sector already offers effective age assurance technologies which could be required of adult websites tomorrow, including tokenised, interoperable and independently audited approaches. Embracing existing solutions would help ensure that children are protected without delay while waiting for legislative frameworks to catch up, and avoid the need for expensive, government IT projects that try to meet the complex requirements of anonymized age assurance.
