EU Targets VPNs in EU Age Verification Push

Brussels has a problem with people trying to stay anonymous online and now it’s eyeing the tools they use to do it.

Henna Virkkunen, the European Commission’s Executive Vice-President for Tech Sovereignty, Security, and Democracy, told reporters that VPNs sit on the agenda as the EU pushes its age verification app toward member states.

Asked how Brussels intends to stop children from routing around age checks with a VPN, she said “it’s also an important part of next steps also to look at that it shouldn’t be circumvented.”

VPNs are more than a tool for teenagers trying to access Instagram. They are how journalists protect sources, how dissidents talk to family, how ordinary people stop their internet provider from logging every site they visit. Treating circumvention as a problem to be solved at the network level means treating privacy tools as the obstacle, rather than the proportionate response to a system that demands ID for ordinary online activity.

The VPN comment surfaced at a press conference about the Commission’s broader regulatory squeeze.

Brussels provisionally found that Meta likely violated the Digital Services Act by failing to keep under-13s off Facebook and Instagram, accusing the company of “failing to diligently identify, assess and mitigate the risks of minors under 13 years old accessing their services.”

By the Commission’s own count, roughly 12% of European children below the age limit log into the platforms anyway.

Virkkunen framed the finding as enforcement of existing rules rather than a new mandate. “The DSA requires platforms to enforce their own rules: terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users, including children,” she said.

A Commission spokesperson echoed the line, telling ISMG that the DSA “does not mandate specific mitigation measures,” and pointing to alternatives like better internal review processes.

The denial sits awkwardly next to everything else Brussels is doing. The Commission published guidelines last July recommending age verification. It is now pressing member states to “accelerate the adoption of age verification tools.”

It has built a framework defining who can supply proof-of-age services. And it has shipped an official mobile app, designed for citizens to load with passport or ID card data, intended as a template for national rollouts.

Virkkunen called the app a “blueprint” meant to harmonize age checks across the bloc.

Saying you have not mandated something while assembling every piece of infrastructure required to mandate it is a particular kind of policy choreography.

Meta, looking at the Commission’s provisional finding, has to ask itself what realistic compliance looks like without deploying the very tools the Commission insists it has not required.

The Commission’s own app illustrates why these systems make security people nervous. Brussels described it last month as “technically ready” and “ready for deployment.”

It then released the source code for review. Multiple security consultants broke it within minutes and the Commission walked the language back.

Virkkunen acknowledged the Commission’s own expert panel on social media age limits will not deliver its findings until the summer but argued the timing required action now because member states are already moving.