The European Commission unveiled its new age verification app as technically ready for deployment, presenting it as a central digital initiative. Only hours later, one thing remains above all: reputational damage. Security researchers broke into the application within a very short time and pointed to fundamental design flaws. For Brussels, this is more than a technical setback. It is a political embarrassment.
Ursula von der Leyen had promoted the app as “fully anonymous” and particularly secure. It was meant to allow users to prove their age on platforms such as TikTok or Instagram without disclosing sensitive data. The application is considered a key component of the planned European digital identity. Expectations were correspondingly high. The fall has been just as steep.
What was intended as a flagship project was publicly dismantled within hours. IT security researchers documented how core safeguards could be bypassed with minimal effort. In several cases, it was enough to alter simple text files to gain access to stored identity data. Particularly sensitive is the allegation that highly confidential data such as identity documents are not adequately protected on users’ devices.
Expensive Project on Weak Foundations
Exactly how much money has been spent on developing the app remains unclear. What is clear, however, is that an EU-wide digital project of this scale does not come without significant financial resources. Development contracts, testing, coordination between member states and technical infrastructure quickly add up to millions of euro. That makes the impression all the more serious that basic security principles do not appear to have been consistently implemented.
The criticism does not target minor flaws but the architecture itself. Safeguards such as limits on failed attempts can reportedly be disabled with ease. Biometric protections can be bypassed through a single setting. The system relies on the user’s device rather than moving security-critical processes into protected hardware environments. In banking applications or password managers, that has long been standard practice. An app handling state-level identity data falls short of that benchmark.
The result is damaging: an application intended to build trust undermines it from the outset. And not behind closed doors, but in full public view at a time when concerns over data security are particularly acute.
From Prestige Project to Liability
The political dimension extends far beyond the app itself. Brussels had deliberately placed the project within a broader narrative and drew comparisons with the digital Covid certificates. At the time, the EU managed to build a functioning system in a short period that was adopted internationally. The age verification app was meant to build on that success.
Now the opposite effect threatens to take hold. Instead of strengthening trust in digital solutions, the EU is providing fresh arguments to its critics. Age verification is only the first step. Technically, the application is closely linked to the planned European digital wallet, which is intended to combine identity cards, driving licences and other credentials.
If this first building block is already so vulnerable, it inevitably raises questions about the stability of the entire system. Critics see a structural issue. A centralized or interconnected identity infrastructure is only as strong as its weakest link. That link has now been exposed by the EU itself.
A Familiar Pattern
The sequence of events appears strikingly familiar. A system is first presented as secure, anonymous and without alternative. Technical problems, criticism and a loss of trust follow shortly afterwards. It is then revised, expanded and often more tightly regulated. The end result is often a system far more complex and intrusive than originally announced.
Another factor is adding to the debate: speed. The app appears to have been fully developed before it was presented publicly. Given the usual timelines of European digital projects, that is notable. It suggests that key decisions were made well in advance, while public debate is only beginning now.
The European Commission is seeking to contain the damage. Officials say work on improvements is ongoing. At the same time, they have played down the current version, describing it as more of a demonstration model. That characterization, however, contradicts the original presentation as “ready”.
What remains is a deeply unconvincing launch for a project intended to build trust. The EU set out to demonstrate that it can deliver digital solutions. Instead, it has shown how quickly an ambitious initiative can become a liability. For the future of European digital identity, that is not an encouraging sign.