The European Commission is pushing for the rapid introduction of digital age checks. Under the plan, all EU citizens are to have access by 31 December 2026 to a technical solution that allows them to prove their age online. As so often now, the project is justified in the name of child protection. The risk is another layer of digital surveillance of citizens.
The Commission is not, however, talking about a single EU app for everyone. The aim is to standardize procedures and create a technical blueprint that member states or private providers can adopt.
The actual system is therefore expected to appear either as a standalone app or to be integrated into national European Digital Identity Wallets (EUDI Wallets). These wallets are intended to store identity data, driving licenses, educational certificates, professional credentials and, later, credentials confirming a user’s age. Under the Commission’s plans, each member state must provide at least one such wallet. Standardization is also intended to ensure that the wallets work across the EU.
The EU Only Sets Standards
Legally, an age check of the kind planned by the EU is in principle feasible. The basis lies in the Digital Services Act (DSA). Article 28 of the DSA requires providers of online platforms accessible to minors to take appropriate and proportionate measures to ensure a high level of privacy, safety and security. The same article also makes clear that platforms are not thereby obliged to process additional personal data solely in order to establish whether a user is a minor.
This is precisely where the Commission’s model comes in. It is supposed to provide only the information that someone is, for example, over 18. Names, dates of birth or other identity data are not meant to be passed on to the platform.
The EU’s legal competence, however, is tightly limited. It can issue binding rules for digital services and the internal market, and it can standardize technologies. The Digital Services Act is also directly applicable in all EU states.
The eID Is Coming
The European digital identity is also based on the eIDAS regulation, an EU regulation on electronic identification and trust services. The name stands for “electronic IDentification, Authentication and trust Services”. It provides that every member state must offer at least one EUDI Wallet.
The age check itself, however, is not currently being ordered by the Commission as a directly mandatory EU app. The recommendation of 29 April 2026 is not a law. It merely calls on states to submit implementation plans, work with data protection authorities, researchers and civil society, and have the solutions independently checked for cybersecurity.
National laws remain necessary. Only where the Digital Services Act already contains obligations for platforms can authorities and courts apply it directly. Where the issue is concrete age limits for social networks, gambling, alcohol, pornography or national child protection models, responsibility still lies with the member states.
Germany already has its own rules for this. Under the Interstate Treaty on the Protection of Minors in the Media, pornographic content may be made accessible only in closed user groups. Identification and authentication are required for that.
Child Protection Remains a National Responsibility
For other content harmful to minors’ development, technical age labels, child protection programs or other access barriers may be considered. Germany is also following a different timetable from the Commission on digital identity. The official German EUDI Wallet website says, for example, that a national wallet app for smartphones will be available from 2027 and then expanded continuously.
The Commission, however, is applying time pressure and has named seven pioneer states for age verification. They are Cyprus, Denmark, France, Greece, Ireland, Italy and Spain. Germany is not among them. An EU-wide technology could therefore exist by the end of 2026 without countries such as Germany being able to participate in it yet.

The EU’s technical idea for age verification is described by official bodies as data-minimizing. Users are first supposed to have their age confirmed with an identity card, a national electronic identification (eID), a banking app or in person. According to the Commission, the app then stores not a name or date of birth, but only evidence that an age threshold has been crossed. When a service later asks, it receives only a yes-or-no answer. The Commission points to zero-knowledge technology, open specifications and a trust framework for verified providers.
Security Is Not Yet Guaranteed
Experts still see risks. The Electronic Frontier Foundation wrote as early as 2025 that several important safeguards had not been made mandatory in the specifications at the time. These included salted hashes, in which data is stored or compared in such a way that the original value is not directly visible. Zero-knowledge proofs, meaning cryptographic procedures that allow someone to prove a statement without disclosing the underlying information, were also not mandatory.
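The following sketch is an added illustration, not code from the Commission's specification or from the organizations cited here. It shows why salted hashes matter for a yes-or-no age credential: the issuer signs only salted digests, the holder reveals one claim, and an unsalted birthdate digest can be recovered by trying every plausible date. All names and values are constructed, and an HMAC stands in for the issuer's digital signature.

```python
import hashlib, hmac, json, secrets
from datetime import date, timedelta

ISSUER_KEY = secrets.token_bytes(32)  # constructed; HMAC stands in for an issuer signature

def digest(name, value, salt=""):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims):
    """Issuer: sign only salted digests; the holder keeps the salts and values."""
    held = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(digest(n, v, s) for n, (s, v) in held.items())
    tag = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}, held

def present(credential, held, name):
    """Holder: reveal the salt and value of one claim, nothing else."""
    salt, value = held[name]
    return {"credential": credential, "name": name, "salt": salt, "value": value}

def verify_over_18(p):
    """Platform: derive a yes/no answer from the credential and one disclosure."""
    cred = p["credential"]
    expected = hmac.new(ISSUER_KEY, json.dumps(cred["digests"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return False  # credential altered or not from the issuer
    if digest(p["name"], p["value"], p["salt"]) not in cred["digests"]:
        return False  # disclosure does not match any signed digest
    return p["name"] == "age_over_18" and p["value"] is True

def guess_birthdate(digests, start=date(1930, 1, 1), days=40000):
    """Privacy check: can a recipient find the birthdate by hashing every date unsalted?"""
    for i in range(days):
        d = (start + timedelta(days=i)).isoformat()
        if digest("birthdate", d) in digests:
            return d
    return None

CLAIMS = {"name": "Alex Example", "birthdate": "1990-05-17", "age_over_18": True}  # constructed

def demo():
    cred, held = issue(CLAIMS)
    ok = verify_over_18(present(cred, held, "age_over_18"))
    leaked_unsalted = guess_birthdate([digest("birthdate", CLAIMS["birthdate"])])
    leaked_salted = guess_birthdate(cred["digests"])
    return ok, leaked_unsalted, leaked_salted
```

Salted digests hide the undisclosed values, but the same credential remains recognizable each time it is presented. That linkability is the gap zero-knowledge proofs are meant to close.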
The organization pointed out that the app depends on prior identity checks, for example via eID, an identity card, a banking app or third parties. That may anonymize later use, but it shifts the decisive question of trust to the bodies issuing the age credential. At least there, personal data is collected and processed.
After the EU presented its technical system in April 2026, further objections were raised. A demo version was hacked within a short time, allowing the security function to be bypassed. The Commission said the vulnerability affected only that trial version and would not be included in the final version, which raises the question of why it was there from the start. Proton also reported that rate-limiting controls were stored locally in an editable file, biometric authentication could be disabled and sensitive credentials were accessible without secure hardware protection.
Taken together, these are huge security gaps. The Center for Democracy and Technology warned that although the Commission had taken some data protection principles into account, it was not clear whether risks to security, privacy and freedom of expression had been sufficiently examined. Many questions therefore remain unanswered.
Complex Legal Questions
Legally, the situation is even more complex. The EU can pave the way for age checks under the Digital Services Act and the digital identity framework, standardize the technology and make them relevant for platforms. But it cannot require member states to introduce a specific app by the end of 2026, for example. Concrete age limits and national enforcement models still require national law or existing national rules.
In Germany, the EU plans collide with an existing youth protection system and a planned EUDI Wallet which, according to government information, is expected to become available only gradually, starting in 2027.
For now, all that remains of the European Commission’s optimistic plans is a non-functioning EU app and a long list of unresolved technical and legal questions.