Source: Ius Mentis
The European Commission is advising EU member states to start using an EU age verification app by the end of 2026, according to a blog post by Ius Mentis, which references Nu.nl as its original source. The guidance is connected to rules around the European Digital Identity Wallet, based on Regulation 2024/1183, sometimes referred to as eIDAS 2.0.
According to Ius Mentis, the app is designed to let people share their age or an age status with online services in a privacy-friendly way, without having to send copies of a passport or ID card. The wallet behind it works as a kind of digital safe where people can store identity credentials. One feature allows users to prove they are over 18 without revealing their actual date of birth.
It is worth noting that Regulation 2024/1183, Article 5bis paragraph 15, sets a clear limit: access to essential services cannot be made dependent on identification through the wallet.
The guidance arrives alongside a separate development. According to Ius Mentis, Meta is reportedly subject to a preliminary finding that it is in breach of Article 32 of the Digital Services Act (DSA) because it carries out no age checks for minors. This is described as a preliminary assessment, not a final decision, and it is not yet clear whether any formal ruling or fine has followed. The suggestion from the Commission appears to be that platforms like Meta should use the age verification app to address this kind of concern.
Because the source for all of this is a secondary blog post rather than a primary official document, and because the exact date of the Commission's advice is not stated, these details should be treated with some caution.
If your website or online service is accessible to minors, age verification is becoming an area of increasing regulatory attention at EU level. While this guidance is currently directed at member states and large platforms, the broader direction of travel suggests that online services of all sizes may eventually need to think about how they handle age-related access. For now, making sure your privacy policy and data practices are in order is a sensible first step, and our GDPR compliance checklist and privacy policy requirements guide are good places to start.
Free website scan covering GDPR, copyright, accessibility, security, and more.
Start free checkA large Belgian tech company received a total fine of 176,000 euro from the Belgian Data Protection Authority for failing to timely delete the mailbox of a former female employee.
Dutch legal blog Ius Mentis explains that GDPR makes it legally impossible to obtain valid consent for personal data use through terms of service or general conditions, and that Article 7(2) GDPR…
On 19 March 2026, the CJEU ruled in Case C-526/24 (Brillen Rottler) that a data subject's first DSAR can be refused as 'excessive' under Article 12(5) GDPR if the controller can demonstrate abusive…