EU age verification: Data protection-compliant age verification under the Digital Services Act

The Commission has presented a solution for EU age verification that enables proof of age without personal data.
Categories:
, ,
Picture of Aristotelis Zervos

Aristotelis Zervos

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in Data protectionIT compliance and AI regulation.

The European Commission has published a Solution for EU age verification introduced. It should enable users to prove their age (e.g. ≥ 18 years), without disclosing personal data. This system is part of the implementation of the Digital Services Act (DSA)in particular Art. 28 This obliges online platforms, Effective protective measures for minors to take action. At the same time, the solution Privacy, security and discretion be taken into account.

Piloting and timetable for EU age verification

On July 14, 2025 In addition to the definitive Guidelines pursuant to Art. 28 para. 1 DSA also the first version of a white-label "Age Verification" blueprint published and thus a EU-wide pilot phase started. Initially five member states: Denmark, Greece, Spain, France and Italy. The aim of the pilot is to test the technical reference implementation under real conditions, integrate national identity sources and standardize integration paths for platforms.

Object and structure of the pilot. Tested are:

  1. the wallet-based user app ("mini wallet") for proof of minimum age,
  2. Issuer services to issue an age attestation (e.g. based on official eID, ID card data with eID function, bank KYC or other recognized attribute sources), and
  3. Verifier interfaces for online services. The Source texts and specifications stand Open Source The Commission provides test issuers/verifiers for testing.


Time milestones (planning status):

  • Q3-Q4/2025: National onboarding of the pilot countries, initial production-related tests with voluntary platforms; feedback cycle in the technical specification ("AV Profile").
  • Q1-Q2/2026: Expansion to further member states; hardening of the reference implementation, interoperability and security tests; preparation of guidelines for platform integrations.
  • From 2026: Optional Integration with the EU Digital Identity Wallet (EUDI Wallet)as soon as nationally available; successive adoption by platforms in high-risk areas.

Regulatory framework for EU age verification

The Guidelines of the Commission are not legally bindingbut serve as Evaluation standard for supervision in accordance with Art. 28 para. 1 DSA. Violations of the DSA can result in fines of up to 6 % of global annual sales be punished. The Guidelines address all Platforms that allow access to minors, not just VLOPs.

Next steps for companies. Platforms can dock onto the pilot integrations at an early stage and Risk assessments and Transparency information (Art. 28 in conjunction with Art. 14 DSA).

Reading tip: EU Digital Identity Wallet (EUDI Wallet) - GDPR compliance and technical implementation

Technological and data protection aspects

Privacy by design

The Guidelines rely on technically robust and non-discriminatory age verification methods and anchor the principle of "safety and privacy by design" in system development. Accordingly, only proof of minimum age should be transmitted, without any other identity data.

Technical functionality

The app functions as a digital age certificate. Users choose a proof of age procedure, e.g. state e-ID, ID card (with eID function), proof of bank account, biometric age estimation or proof of age from third parties such as banks or notaries. Once proof of age has been provided, they receive a Age certificate issued by the appThe platform only confirms the minimum age.

Open sources & interoperability

The blueprint is Open Source available, with released source code, technical Documentationprofile definition ("AV profiles") and integration recommendations.

Recommendations for companies

  1. Risk analysisDetermine the extent to which your own platform involves underage users. Check existing protective measures and document any gaps.
  2. Plan integrationObserve the pilot phase and prepare the connection of your platform for app proof verification.
  3. Involve the data protection officer early on: Make sure that data protection requirements (GDPRdata minimization) and technical design ("Privacy by Design") are already anchored in the development process.
  4. Provide alternative proceduresProvide fallback options for users without a digital identity.
  5. Monitoring regulatory developmentsKeep up to date with EUDI wallet developments and national implementations.
  6. Transparent communicationInform users about what data is processed and what rights they have.


Supplementary DPIA checklist (Art. 35 GDPR)

  • Intended use: Clearly document the purpose of the proof of age.
  • Data minimization: Check that only the required age attribute is transmitted.
  • Role clarification: Define Responsible persons and processors between the platform, issuer and verifier.
  • Technical measures: Rate EncryptionZKP and offline verification.
  • Rights of data subjects: Ensure that rights of access, erasure and objection are respected.
  • Impact assessment: Evaluate risks to fundamental rights and develop remedial measures.


Note: For a practical and audit-proof implementation of your Data protection impact assessment we recommend the use of our Ailance DSFA-software solution. This supports you in the structured implementation, Documentation and auditing of your DSFA processes.

Contract and role logic

  • Platform Issuer: Clarify whether an order processing contract (Art. 28 GDPR) is required.
  • Issuer-Verifier: Check whether data transfers to Third take place and which legal basis applies.


Transparency points (Art. 13/14 GDPR)

  • Duty to inform: Clear data protection information with purpose, data types, legal basis and recipients.
  • Contact points: Appointment of the data protection officer and complaint channels.
  • Storage duration: Definition and communication of the storage period of the age certificate.

Conclusion

The planned EU age verification represents a innovative and data protection-focused approach to enforce the protection of minors on the Internet. Pilot projects and Guidelines paves the way for nationwide implementation by 2026. Nevertheless Legal, technical and social challengeswhich require careful preparation and data protection support.

Link tip: EU Age Verification Solution

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPRIT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his Author profile page.

Contact us
Tags:
,
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts