The internet is playing an increasingly crucial role in the lives of young people, and new ways need to be found to protect them from harm on the internet, without limiting their access to the many educational and cultural benefits that can be found online. The European Commission recently published an age verification blueprint, along with guidelines on the protection of minors online adopted under the Digital Services Act (DSA). They both further a key DSA objective of protecting minors online.

The age verification blueprint will help achieve this goal. The blueprint comes in the form of a software solution with all technical specifications for an accessible, privacy-preserving, and user-friendly age verification method. As these specifications are harmonised at the EU level, they will enable interoperability of age verification solutions deployed across Member States. This means that providers of online platforms should soon be able to apply, where necessary, age restrictions to protect children online across the EU. Such solutions can either take the form of a standalone application available on major app stores or be integrated with other solutions, such as a European Digital Identity wallet.  

In addition to the technical specifications, the blueprint also contains ready-made source code implementing an application that can be customised to national contexts without compromising its privacy features. This significantly simplifies the work of service operators and, ultimately, the deployment of compliant age verification solutions. The open-source technology will enable users to prove they are over the age of 18 when accessing adult-restricted content (which, for example, includes online pornography and gambling), without having to reveal any other personal information, and thus respecting everyone’s privacy and data protection rights.

It is technically possible to extend the age verification solution to other age limits or to other use-cases, such as purchasing alcohol in online or physical shops. Member States or other entities can decide to do so when customising their age verification solutions for their national contexts.

The blueprint is built on the same technical specifications as the European Digital Identity (EUDI) Wallets. It is therefore interoperable with the EUDI Wallets that will launch by the end of 2026 in all Member States. The requirement to deploy the EUDI Wallets is based on the European Digital Identity Regulation that amended the 2014 eIDAS regulation.

The age verification blueprint will be tested and further refined together with Member States, online platforms and end-users. Denmark, France, Greece, Italy, and Spain are the first Member States to test and build on the blueprint, with the aim of launching their own age verification apps soon.  

Why children need protection online

Children are increasingly using smartphones and accessing the internet, spending a considerable amount of time online. But the digital environment is not always safe. Children face several issues online, including privacy and safety threats, exposure to harmful content or misinformation, cyberbullying and features and practices that can cause compulsive or addictive behaviours. Children thus require comprehensive protection against these significant risks.

On 10 September 2025, in her State of the Union speech, Commission President Ursula von der Leyen emphasised the need to protect children from social media risks, including exposure to online bullying, adult content, promotion of self-harm, and addictive algorithms. She highlighted the importance of empowering parents rather than algorithms and proposed exploring the need for social media age restrictions. To this end, an expert panel will be commissioned by the end of 2025 to advise on the best approach for Europe.

The guidelines on the protection of minors, recently published alongside the age verification blueprint, establish comprehensive recommendations for providers of online platforms to ensure a high level of privacy, safety and security for children. The preparation of the guidelines included extensive consultation with children and young people, as well as experts, academia, civil society organisations and the wider public.  

The guidelines are based on the principles of proportionality, protection of children’s rights, safety by design, and age appropriateness. They provide several recommendations on the four key areas of risk review, service design, reporting, user support tools, and governance. Key recommendations include measures to tackle the following risks:

• Addictive design: recommending the removal of features like streaks, autoplay and read receipts that promote excessive use, as well as putting safeguards around AI-chatbots.
• Cyberbullying: empowering minors to control interactions and preventing unauthorised content downloads, as well as report users and content easily through age-appropriate tools.
• Harmful content: giving users more control over recommendations based on their explicit feedback rather than on behavioural monitoring and reducing the risk of children ending up in rabbit holes of harmful content.
• Unwanted stranger contact: setting minor accounts to private by default, so their personal information, data, and social media content is hidden from those they aren't connected with, as well as ensuring they are not included in contact suggestions to adults and cannot be added to groups without their explicit consent.

Following the same risk-based approach of the Digital Services Act (DSA), the guidelines recognise that different platforms pose varying risks, and protective measures should be proportionate to the different risks that each platform may pose. The guidelines further emphasise that the measures should not unduly restrict children’s rights, for example, to participation, freedom of expression and information. 

Protection of minors and age verification in the guidelines  

Under the DSA Article 28(1), platforms accessible to minors are required to take appropriate and proportionate measures to protect their privacy, safety, and security. One instrument to achieve this goal is to implement effective age assurance methods to reduce the risks of children being exposed to pornography or other age-inappropriate content. The guidelines recommend two types of age assurance methods, depending on the specific case:

• Age estimation, in which a service establishes that the user is likely to be of a certain age, by analysing behavioural and environmental data. For example, this can be done by checking how the user interacts with a device or by testing their capacity or knowledge.
• Age verification, which relies on physical identifiers or verified sources of identification that provide a high degree of certainty in determining the user’s age.

The age verification blueprint is the European Commission’s proposed 'gold standard' for age verification. The guidelines list several cases in which age verification should be used. Self-declaration, that is, a person indicating their age without further proof, is not considered to be an appropriate age-assurance measure.  

Age verification is expected to be used in the following situations:

• To restrict access to services that are high risk to minors and should only be available for adults, such as pornography or gambling.
• Where the platform’s terms and conditions (or other contractual obligations) require that users are over 18 years old, for example, to buy alcohol.
• When national law, provided it does so in compliance with EU law, sets a minimum age for services, such as defined categories of social media.
• Other high-risk services where age verification would be the only way to protect minors.
   

Age estimation, if done by a third party or appropriately and independently audited, is recommended in the following situations:

• Medium risk services, where age assurance is used to ensure age-appropriate experiences for minors.
• When the platform’s terms and conditions require the user to be above a certain age and this threshold being below 18 years old (e.g. a minimum age of 13 years old).
• Exceptionally, it can also temporarily support platforms in complying with their obligations to implement age verification, only until age verification becomes available.

The guidelines also require minimum standards of accuracy, robustness, reliability, non-intrusiveness and non-discrimination that any age assurance methods should respect.

How EU Digital Identity Wallets paved the way for the age verification blueprint

The European Digital Identity Framework (Regulation (EU) 910/2014 amended by Regulation (EU) 2024/1183) entered into force on 20 May 2024. It includes a new set of mechanisms and tools that address the needs raised by the increasing digitalisation of society. It responds to the citizens’ desire for seamless digital experiences, alongside an increased need for online security and privacy.

The amending regulation created the new requirement for Member States to offer European Digital Identity Wallets that implement a high level of privacy. The wallets will give citizens back control over their data when they identify themselves in online and physical scenarios or when presenting different attestations, such as proof of age.  

Work on the technical specifications of the wallets was carried out in parallel to the legal process, in what has been termed the Architecture and Reference Framework. This involved Member State experts, technical contractors, and public-private consortia who have been developing and testing the EUDI specifications for years in a mutually collaborative and reinforcing way. The work continues to thoroughly support the ongoing development, and ultimately the deployment and uptake of the wallets.

The specifications are publicly available and contain comprehensive mechanisms ensuring that wallets are secure and privacy-preserving by design. As all Member States will build their wallets to the same specifications, this will ensure that citizens’ wallets will function across all Member States – true EU-wide interoperability. The technical specifications of EUDI Wallets have provided a very strong basis for the development of the age verification blueprint.

The development of the age verification blueprint

The development of the age verification blueprint began in early 2025, building upon the established EUDI specifications as its technical foundation. The design and development of the solution is supported by a contract awarded to the T-Scy consortium (Scytales and T-Systems).

The blueprint provides comprehensive technical specifications for age verification applications, and an open-source implementation of such an application (a so-called “white-label app”). Ready-made open-source components are also provided for online platforms to simplify their implementation work. The blueprint enables Member States and other entities to develop their own tailored solutions to address unique national requirements and regulatory frameworks while maintaining the privacy features. Member States, online platforms and other stakeholders are currently testing the blueprint.

A primary objective of the initiative is to establish a consistent, secure, privacy-preserving, and user-friendly age verification experience that integrates seamlessly across a wide range of digital services throughout the EU. The modular architecture and commitment to open standards and open-source software ensure interoperability between age verification apps and online service providers doing actual verification, as well as flexibility for implementers. 

How will an age verification app work in practice for users?

Age verification apps will be downloadable by users from major app stores. The age verification functionality can also be integrated into other apps, such as EU Digital Identity (EUDI) Wallets. In the latter example, a user would only need to download the EUDI Wallet, without the need to install a standalone app for age verification purposes. Regardless of the way the app is published, all of them will be interoperable.

A practical example

Consider Claire, an 18-year-old from France, who wants to purchase a special bottle of wine online as a birthday gift for her father. Here’s how the age verification process would work:

Initial setup

• Claire downloads her national age verification app from her device’s app store.
• To enrol on the app, she links it to an official form of identification that confirms her age. There are four options supported by the blueprint, even if not all of them may become available in all Member States:
  • Using existing electronic identification systems available in Member States.
  • Reading an electronic identity card (eID) or a machine-readable passport.
  • Using a third-party app that has already reliably checked the user’s identity, such as a banking app or an app of a telecom operator.
  • Enrolment can be conducted on-site to accommodate users who may not have access to electronic identification means.
• The app securely stores her age credentials without retaining unnecessary personal information.

Making the purchase

• Claire browses the online wine retailer’s catalogue, selects the perfect bottle, and proceeds to checkout.
• The retailer’s system automatically requests age verification to comply with legal requirements.
• Claire’s app generates a cryptographic proof confirming she meets the minimum age requirement (18+) without revealing her name, birthdate, address, or any other identifying information.

Privacy-preserving verification

• The online retailer validates Claire’s age proof through secure protocols that protect her privacy.
• Once her age is verified, Claire can complete her purchase with confidence that her privacy remains intact throughout the entire transaction.

The verification process offers double-blindness: neither the retailer learns Claire’s identity details, nor does the issuer of her original ID receive information about her shopping activity. 

A closer look at the blueprint

The age verification blueprint comprises four essential components that work together to create the bedrock of a secure, privacy-preserving verification ecosystem:

• Age attestation issuer service: Generates proof-of-age attestations (digital credentials that confirm a user’s age) required to enrol on the age verification app.
• Age verification app: Securely stores proof-of-age attestations received from the issuer through advanced cryptographic techniques. The app is designed with security, privacy enhancement, and user experience as core principles.
• Verifier service: A service that simulates real-world scenarios where age verification is required before granting access. This is a component that can be used by online services to integrate age verification in their systems.
• Age verification trusted list: Ensures system integrity by listing legitimate age attestation issuers duly authorised to do so. Only proofs issued by entities on the list are accepted by online services that perform age verification. This component ensures full compliance with EU Digital Identity Framework requirements.

The blueprint contains specifications and implementations for all these components and services. It also includes mock services and simulators that provide a robust testing environment that mirrors real-world implementation.

The blueprint includes advanced technologies to maintain the high standards of security and privacy. For example, to prevent user profiling and tracking by avoiding linkable transactions, it uses batch issuance of age attestations. This ensures that each attestation is only used once, preventing no cross-site tracking of users. Further enhancements are underway, such as the addition of a Zero-Knowledge Proof mechanism. 

Piloting the blueprint

The blueprint serves as a comprehensive toolkit of open-source solutions, enabling online services, Member States, and technology providers to seamlessly integrate age verification capabilities into their systems. The first release in July 2025 marked the start of a collaborative pilot phase where the solution undergoes testing and refinement. This iterative approach, conducted in partnership with Member States, online platforms, and end users, ensures that the technology meets real-world requirements and user needs.

Five EU Member States —Denmark, France, Greece, Italy, and Spain—are spearheading the implementation by developing customised national age verification applications based on the technical framework. The roadmap includes planned enhancements beyond the initial deployment, with additional issuance methods and expanded functionality scheduled for future releases.

In parallel, thorough testing is ongoing with online platforms, including adult content providers. Online platforms that are not involved yet are invited to participate in the pilot and join the testing phase. User testing commenced at the end of June 2025 and will be expanded with support from European Safer Internet Centres.

Building on insights from these initial deployments, the Commission will develop a comprehensive scaling strategy to extend the pilot programme to additional Member States, working closely with national authorities and digital services coordinators to ensure coordinated implementation across the EU.

Interested in learning more or getting ready to implement age verification? Check out the age verification blueprint to uncover the full technical specifications.

Additionally, check out the guide to age assurance on the Better Internet for Kids (BIK) public portal. It includes a range of resources spotlighting age assurance for those with a general interest, along with easy-read explainers to help raise awareness in educational and family settings, and resources aimed at digital service providers to help them check their own compliance.

Discover the blueprint!

This article is a contribution from the EC's Directorate-General for Communications Networks, Content and Technology (CNECT). It was co-authored by the teams Accessibility, Multilingualism and Safer Internet (CNECT.G.3), DSA Protection of Minors and other Societal Risks (CNECT.F.3), and Digital Identity and Trust (CNECT.H.4). 

Interested in more? 

If you are interested in more policy insight, explore the BIK Knowledge hub, including the BIK Policy monitor, the Rules and guidelines and Research and reports directories, where we draw together relevant policy instruments, reports and research informing the implementation of the BIK+ strategy at the national level.  

Find more BIK Knowledge hub insights articles here.