EU recommends white label age verification app, but member states are wary

The European Commission really wants member states to adopt its white label age verification app – and quickly. This week, the Commission adopted a recommendation urging member states to “accelerate the rollout of the EU age verification app and make it available by the end of the year,” according to a release.

Henna Virkkunen, executive vice-president for tech sovereignty, security and democracy, says “effective and privacy-preserving age verification is the next piece of the puzzle that we are getting closer to completing, as we work towards an online space where our children are safe and empowered to use positively and responsibly without restricting the rights of adults.”

Rolled out earlier this month, the app developed by Scytáles and T-Systems is intended to serve as a foundation on which EU nations can build a customized biometric age assurance tool that suits local needs, but maintains a degree of consistency across the bloc – a so-called “common approach.” Virkkunen says it will “help to ensure that everyone has the same online access, dependent on national rules.”

Member states can launch the age verification app on its own, or opt to integrate it into the European Digital Identity (EUDI) Wallet, which nations are required to offer by the end of 2026 under the eIDAS 2.0 regulation. (Although there is growing doubt that the majority of member states will be able to meet the deadline.)

Certification scheme will measure providers against age verification app

The recommendation goes beyond simply adopting the age verification blueprint or white label app. The Commission also encourages member states to “draw up implementation plans to ensure swift adoption of age verification solutions; work together and engage with their Digital Services Coordinators, other Member States, the Commission, researchers and civil society in the roll out of their national solutions; and ensure compliance with all relevant cybersecurity standards through independent third-party scrutiny.”

The EU also appears set to establish something like the UK’s Digital Verification Services trust framework, but specifically for age verification providers. This will encompass “requirements for providers of proof of age attestations and age verification solutions to meet, also outlining how trust in these providers can be checked by services needing to verify the age of individuals.”

Providers that meet the requirements could end up on a list of age verification solutions that meet the privacy and security standards of relevant EU legislation.

Per the Commission’s announcement, “these providers can verify the age of the user for the age verification solution through one of the supported onboarding mechanisms, such as through eIDs, passports or ID cards.”

With wallets on horizon, member states cool on implementing EU app

While the recommendation specifies that member states act quickly “to ensure the swift availability and interoperability of the EU age verification solution,” some will question the wisdom of acceleration, in light of vulnerabilities discovered shortly after the app was launched.

The Commission says an update has fixed the problem, and that the open source code will be “constantly updated and improved.”

Nonetheless, member states are still highly skeptical. A report from Politico says some governments are “unsure, reluctant and even unwilling to adopt the EU app.” Ireland, France and Poland prefer nationally developed software. Germany isn’t planning to roll out the app; Finland and the Netherlands are hard maybes. Estonia says the vulnerabilities, exposed just hours after the Commission declared the app “technically ready,” are a big red flag.

Greece’s Digital Minister Dimitris Papastergiou says Greece would comply if the EU released one app and told EU capitals to use it exclusively – but doubts that the Commission will make it mandatory, in light of the incoming EUDI Wallet scheme.

It doesn’t matter, he says, if “there’s two, three, five or ten apps. There will be many wallets.”

AVPA offers thoughts on EU age verification app

The Age Verification Providers Association (AVPA) believes the launch of the EU app is a “constructive step.” In a thorough interrogation of the app published on LinkedIn, AVPA says that the existence of the app means platforms no longer have excuses for noncompliance. Now, “there is a basic, foundational route to compliance with GDPR, DSA and Member State domestic legislation, available to all.”

AVPA ultimately defends the app against criticisms, saying “claims about excessive data retention or inherent privacy risks often reflect misunderstandings of the design intent rather than the architecture itself. In reality, the design principles are closely aligned with those long advocated by the age assurance industry, including data minimisation and separation between the issuer of credentials and the relying service.” This aligns with international standards such as IEEE 2089.1 and ISO/IEC 27566-1.

“Recent reports suggesting that the app has been ‘hacked’ need to be treated with care,” AVPA says. “The vulnerabilities that have been publicly demonstrated relate to reference implementations and demonstration environments, including attacks on reference versions deployed for integration testing, rather than production systems. It is important to note that the open-source, publicly accessible nature of these environments is a deliberate and principled design choice: open scrutiny is a feature of secure system design, not a flaw.”

That said, being as it is composed of private age verification providers, AVPA argues broadly for user choice. “A mixed economy remains both likely and desirable,” it says, noting that “users should be able to choose how they verify their age, and service providers should be able to select solutions that align with their compliance obligations and risk appetite.”

Besides which, the EU app is an age verification app – meaning it requires verifying a date of birth as part of the process, typically using an identity document. This is, so to speak, a “hard” model, versus age estimation systems that use face biometrics or infer age from trusted databases. This, says AVPA, “makes it a relatively high-assurance but also more restrictive, and less accessible and inclusive option.”

Private providers are better equipped to respond to rapid market change, and better positioned from a legal standpoint to service regulated industries that typically require “demonstrable auditability of the age assurance process, certified performance against defined accuracy standards including measurable effectiveness at the relevant age threshold, and enforceable service levels with clear recourse in the event of failure.”

Providers leery of certification scheme that favors app architecture

AVPA is also unsure about the proposed certification scheme. “This has been presented as an olive branch to industry, and the intent to create an interoperable certified ecosystem is genuinely welcome,” it says.

“However, the approach carries a risk that deserves honest acknowledgment. Certification frameworks built around a single reference architecture inevitably privilege that architecture and the assumptions embedded within it. The EU app reflects particular design choices – about assurance methods, credential formats, and the role of national identity infrastructure – that are not the only legitimate ones, and that may not be optimal for every use case or jurisdiction.”

Overall, the EU age verification app “represents a meaningful addition to the toolkit available for protecting children online” – but is just “one component within a broader and still developing landscape, where choice, competition, interoperability and careful governance will be key to achieving effective and proportionate outcomes.”

Article Topics

age assurance standard  |  age verification  |  AVPA  |  certification  |  EU age verification  |  EU Digital Identity Wallet  |  European Commission