European Union: European Commission adopted guidelines to enforce protection of minors online under Digital Services Act including age verification requirements

On 14 July 2025, the European Commission published guidelines on protecting minors under the Digital Services Act (DSA). The guidelines set out a framework for age assurance measures that online platforms must consider, particularly those accessible to minors. It distinguishes between three main approaches, self-declaration, age estimation, and age verification, each varying in accuracy, reliability, and level of intrusiveness. The guidelines specify that platforms should carry out detailed assessments before introducing age-based access restrictions. These assessments must evaluate whether such restrictions are necessary and proportionate and whether alternative, less intrusive measures could achieve the same level of protection. The outcomes of these assessments should be published on the platform’s interface to ensure transparency. Where online content poses significant risks to minors, such as pornography, gambling, or the sale of alcohol and tobacco, platforms are expected to apply high-certainty age verification methods. These should rely on secure technologies, including anonymised tokens generated from verified government-issued IDs or cryptographic protocols such as zero-knowledge proofs, to preserve user privacy. In lower-risk contexts, age estimation may be acceptable if the methods are independently audited and demonstrably effective. However, the guidance notes that self-declaration does not provide sufficient protection due to its limited reliability and ease of circumvention. The guidance also addresses the forthcoming EU Digital Identity Wallet, expected to be available by 2026, which will enable users to verify their age securely without disclosing additional personal data. In the meantime, the Commission issued the EU age verification solution to serve as an interim standard. Finally, the guidance notes that age assurance solutions must respect core principles of data protection. They should be accurate, reliable, difficult to bypass, minimally intrusive, and accessible to all users without discrimination. Personal data must be processed strictly for age verification and not retained or repurposed.