EU Pushes Age Verification App for All States

The European Commission wants every member state running age verification by the end of 2026, and it wants them running its own app to do it. A recommendation adopted Wednesday tells the bloc’s twenty-seven governments to accelerate deployment of the EU Age Verification App and have it available to citizens before the year is out, regardless of the unease some capitals have expressed about adopting Brussels’ code over their own.

The push lands months after security researchers tore through the same app the Commission is now urging governments to ship. In April, consultant Paul Moore bypassed the app’s protections in under two minutes, demonstrating that the rate-limiting controls were stored in an editable file, biometric authentication could be turned off with a simple configuration change, and sensitive credentials were accessible without secure hardware protection.

The Commission patched the headline issues. It is now telling governments the app is ready for production.

Henna Virkkunen, the Commission’s Executive Vice-President for Tech Sovereignty, Security and Democracy, framed the recommendation as the next step toward shielding minors online. “Effective and privacy-preserving age verification is the next piece of the puzzle that we are getting closer to completing, as we work towards an online space where our children are safe and empowered to use positively and responsibly without restricting the rights of adults,” she said.

What the Commission is actually building is identity infrastructure. Member states have the option of producing the app as a standalone product or folding it into the European Digital Identity Wallet, the bloc’s wider plan to put government-issued credentials on every citizen’s phone. Either path requires linking your real-world identity to a phone you carry everywhere, and either path puts the Commission at the center of how Europeans prove who they are online.

The verification flow asks for a passport or national ID card. The app then tells platforms whether you clear an age threshold but the credential it uses to make that judgment is your government identity.

Alongside the recommendation, the Commission plans to set up an EU Age Verification Scheme with formal requirements for anyone offering proof-of-age attestations or verification solutions, and it will publish lists of approved providers and approved products. Vendors will need certification. National implementations will need accreditation.

Virkkunen has been explicit that the goal is consolidation rather than competition between national approaches. “I will set up an EU-wide coordination mechanism,” she said earlier this month. “We need a structured approach for EU accreditation of national solutions. And for Member States to ensure that age credentials can be issued easily and across the whole EU. And above all to ensure that we continue to build one solution for the EU, not 27 different ones.”

A single solution may be efficient but it’s also a single point at which surveillance, breach, or policy creep can affect the entire bloc.

The on-device encryption, the headline fix meant to lock down the very Shared Preferences file that powered the original bypass, relies on three dependencies that are all deprecated, Moore noted.

The remediation, in other words, was built on libraries Google itself has stopped maintaining. This is the foundation Brussels is now telling member states to deploy at population scale.

Age verification of any kind requires linking a real person to an online action, and that link has to live somewhere. Centralizing it in a Commission-blessed app, even one designed not to leak personal data to platforms, creates a single piece of infrastructure that millions of Europeans will route their identity through to access ordinary websites.

The platforms get a yes-or-no answer. The app, the device, and whatever certification authority sits behind it know more than that.

There is also the question of what the app gets used for once it exists. The Commission has presented the system as a way to enforce minimum ages on social media, with countries like Greece preparing to bar under-15s from major platforms next year.

Once the rails are built, though, the same infrastructure can verify other thresholds: whether you are old enough to access encrypted messaging, gambling, news that some future government considers age-restricted. The app proves attributes about you. The list of attributes worth proving will not stop at “over 18.”

Commission President Ursula von der Leyen used the launch event to lean on platforms. “Online platforms can easily rely on our age verification app. So, there are no more excuses,” she said.

The Digital Services Act censorship law does not actually require platforms to use the EU app. It requires them to verify ages effectively, leaving them free to deploy their own systems if those systems work. The Commission’s pressure is aimed at making its own product the path of least resistance, the option a compliance officer reaches for first.