Italy: Resolution establishing technical and procedural requirements for age verification systems to prevent minors from accessing pornographic content online enters into force

On 12 November 2025, the Communications Regulatory Authority (AGCOM)’s Resolution 96/25/CONS, establishing technical and procedural requirements for age verification systems to prevent minors from accessing pornographic content online, comes into force. The resolution applies to operators established in Italy or in other EU Member States that distribute pornographic material to Italian users. AGCOM has the authority to identify relevant entities and notify the European Commission. A foreign service is considered to target Italian users if it uses the Italian language, has a significant Italian audience, generates revenue in Italy, markets to Italian users, or has an Italian domain or contact point. The resolution adopts a technology-neutral approach while setting out minimum requirements for age assurance systems. Key principles include proportionality, compliance with the General Data Protection Regulation (GDPR), involvement of independent third parties, security, accuracy, accessibility, non-discrimination, and user information. It emphasises the protection of user privacy through a “double anonymity” model, where neither the content provider knows the user’s identity nor does the identity provider know which site the user is visiting. The resolution distinguishes between three main age assurance methods: self-declaration (considered ineffective), age estimation (probability-based), and age verification (high certainty based on verified identification). Systems must prevent content providers from collecting personal data about users while ensuring age verification providers cannot identify the sites being accessed. Independent third-party involvement is mandatory, and these providers must be legally and technically separate from pornographic content distributors.For systems not based on installed applications, the process involves three distinct stages: issuance of age proof by a trusted third party, provision of this proof to the user who then presents it to the website, and authentication by the site without accessing the user’s identity data. Application-based systems may use digital wallets or identity management apps, potentially employing QR codes for verification while maintaining privacy protections. Age verification must occur for each access session, with validity ending after 45 minutes of inactivity or when the user closes the browser. Account creation cannot be mandatory, and age verification must be performed regardless of whether users hold an account.