The European Union’s age verification ‘app’ (aka ‘blueprint’) is beginning to attract attention, and with that scrutiny has come a degree of confusion about what it is, what it does and how it fits into the wider age assurance ecosystem. It is worth setting out the position clearly, and understanding how it may operate alongside the existing, diverse, vibrant and innovative private sector market for highly effective age assurance solutions.
At its core, the EU approach is relatively straightforward. The app is designed to allow a user to prove that they are above a required age threshold without disclosing unnecessary personal information. It builds on the broader framework established under the eIDAS Regulation and the development of the European Digital Identity Wallet, with some derogations from the wallet's requirements: these are intended to achieve anonymity, and to open access to millions of age-restricted services rather than restricting use, as the EUDI Wallet does, to certified, regulated parties. In practical terms, a user obtains a credential from a trusted issuer and presents a simple “over 18” confirmation to a website or service. The site receives an answer, not the underlying identity data, and in principle any over/under age threshold can be checked.
From the perspective of the Age Verification Providers Association, this is a constructive step. Any measure that helps reduce children’s access to age-restricted services moves the system in the right direction. The app also plays an important role in addressing a longstanding argument from some platforms that compliance is not technically feasible. With a publicly available reference solution, that argument becomes harder to sustain. There is a basic, foundational route to compliance with GDPR, DSA and Member State domestic legislation, available to all.
Some of the criticism directed at the EU app has not been well founded. Claims about excessive data retention or inherent privacy risks often reflect misunderstandings of the design intent rather than flaws in the architecture itself. In reality, the design principles are closely aligned with those long advocated by the age assurance industry, including data minimisation and separation between the issuer of credentials and the relying service. These are the same principles underpinning many of the solutions developed by AVPA members, and they are reflected in international standards including IEEE 2089.1 and ISO/IEC 27566-1, against which our own members are certifying through independent audits.
That said, the EU app is not the only right approach — and it would be dangerous to presume so in a world where technology and adversaries move very fast. A mixed economy remains both likely and desirable. Different use cases, risk levels, and user preferences will require different solutions. Users should be able to choose how they verify their age, and service providers should be able to select solutions that align with their compliance obligations and risk appetite. EU laws do not require the use of this app, and mandating it would be an ill-advised step: it would burden the state with exclusive provision of the technology, support and development, and would create a single point of failure.
One important distinction is that the EU app is focused on formal age verification. It does not incorporate facial or other age estimation methods, or age inference techniques such as email or mobile account metadata checks. This makes it a relatively high-assurance option, but also a more restrictive, less accessible and less inclusive one. For some services, other approaches may be preferable: users might be more comfortable choosing a private sector age assurance provider they trust, or a method they find easier or less concerning. Global platforms will look for options that work globally.
There are also practical considerations for businesses that go beyond cost. The EU app is expected to be free for websites to use, which lowers barriers to adoption. However, it does not involve a commercial contract between the service and the provider of the credential. For regulated industries — AI, social media, gambling, adult content platforms — this matters in concrete compliance terms. Legal obligations in these sectors typically require demonstrable auditability of the age assurance process, certified performance against defined accuracy standards including measurable effectiveness at the relevant age threshold, and enforceable service levels with clear recourse in the event of failure. A public infrastructure solution, however well designed, does not by its nature provide these assurances. Certified commercial providers operating under contract do: they offer warranties and guarantees, are subject to ongoing due diligence by their clients, and undergo independent conformity assessment. Organisations with formal compliance obligations will therefore need to assess carefully whether the EU app alone is sufficient for their purposes, or whether contractual arrangements with accredited providers remain necessary.
A related point concerns the pace and nature of evolution. Policy-driven systems are updated through governance processes that prioritise stability, consistency and regulatory alignment. Market-driven providers must respond rapidly to emerging fraud techniques, shifts in regulatory requirements, and improvements in accuracy — because their certification, their contracts, and ultimately their commercial viability depend on it. The EU app as a stable public backstop, and a competitive certified market for providers who must continuously improve: these are complementary, not competing, propositions. Where a private operator can respond to a new requirement in a three-week development sprint, a change across twenty-seven national implementations may take years.
It is also worth noting what the EU app’s privacy architecture does not do. Unlike approaches that route age signals through operating system providers or app store infrastructure — where a small number of very large technology companies can observe, at scale, which age-restricted services their users are accessing — the EU app is designed so that no central party sees both the user’s identity and the services they visit. The same is true of the better-designed private sector interoperability ecosystems, which use on-device token storage and double-blind architectures to ensure that neither the age assurance provider nor the relying party website can build a profile of the user’s online behaviour. This contrast matters. Legislation and policy frameworks that push age assurance toward operating system integration, however well intentioned, risk embedding a form of infrastructural oversight in the hands of platform operators that would be difficult to govern and hard to reverse. The design principles shared by the EU app and the more privacy-conscious private sector solutions point in a better direction, and they deserve to be the benchmark against which all approaches are assessed.
The relationship with the broader European Digital Identity ecosystem also raises questions that are still being worked through. The EUDI Wallet framework was primarily designed with adults in mind. If the app is to be used in contexts involving younger users — such as compliance with GDPR Article 8 or social media age restrictions — it will be important to ensure that all Member States provide inclusive and accessible pathways for those users. In practice, users below the age of majority in some Member States may not have ready access to the identity credentials required to use the EU app. At present, such provision is not guaranteed uniformly across the EU, which means that fallback to certified private providers remains necessary regardless of the EU app’s existence.
Implementation will also take time. There is no single EU-wide app being deployed centrally. Instead, Member States are responsible for their own rollouts, often integrating age verification functionality into their national EUDI Wallet solutions. This creates a degree of fragmentation in the short term. It also explains why some countries, such as France, have chosen to pursue separate applications rather than embedding age verification directly within a broader identity wallet, partly to maintain clearer separation of functions and reduce perceived privacy risks.
Recent reports suggesting that the app has been “hacked” need to be treated with care. The vulnerabilities that have been publicly demonstrated relate to reference implementations and demonstration environments, including attacks on reference versions deployed for integration testing, rather than production systems. It is important to note that the open-source, publicly accessible nature of these environments is a deliberate and principled design choice: open scrutiny is a feature of secure system design, not a flaw. Independent review and iterative improvement are how trust in security-critical systems is properly established. Isolated findings in non-production environments should not be taken as indicative of systemic weaknesses in the underlying architecture. That said, the speed and ease with which some of these findings were demonstrated does underscore the importance of rigorous independent security assessment before any national rollout, and the distinction between sound architectural design and mature, deployment-ready implementation remains an important one.
The European Commission has recently announced that it will offer certification to private sector providers whose solutions comply with the EU app’s technical specifications. This has been presented as an olive branch to industry, and the intent to create an interoperable certified ecosystem is genuinely welcome. However, the approach carries a risk that deserves honest acknowledgment. Certification frameworks built around a single reference architecture inevitably privilege that architecture and the assumptions embedded within it. The EU app reflects particular design choices — about assurance methods, credential formats, and the role of national identity infrastructure — that are not the only legitimate ones, and that may not be optimal for every use case or jurisdiction. A certification regime that rewards compliance with those choices, rather than compliance with outcomes such as accuracy, privacy, and effectiveness at the relevant age threshold, could narrow the space for innovation precisely when the ecosystem most needs it.
Overall, the EU age verification app represents a meaningful addition to the toolkit available for protecting children online. It aligns with many established best practices from the private sector and helps to close gaps in availability. At the same time, it is one component within a broader and still developing landscape, where choice, competition, interoperability and careful governance will be key to achieving effective and proportionate outcomes.