Europe’s Push to Turn Age Verification From a Meaningless Formality Into Functional Infrastructure

For as long as most internet users can remember, accessing adult pornographic sites has required as little effort as cutting in a queue: zero work at all. The promise of age verification has always been an empty gesture — one quick click on the “I’m over 18” button, and users of any age gain full access immediately. Spurred in part by recent U.S. rulings highlighting the harm social platforms inflict on minors, the European Commission has accelerated its ongoing effort to roll out truly effective mandatory age-verification systems across the bloc.

All Too Simple

Back in May 2025, Brussels launched formal infringement proceedings against four major adult platforms — Pornhub, Stripchat, XNXX, and XVideos — over suspected violations of the European Union’s Digital Services Act (DSA). The DSA, which updated the EU’s legal framework for all platforms operating within the bloc, entered into force in 2024. It requires platforms to meet strict transparency standards, remove illegal content rapidly, and mitigate systemic risks ranging from disinformation to harm against minors.

Exactly one year later, in March 2026, the Commission released its preliminary investigation findings. Regulators confirmed all four platforms still allow minors to access their services by relying solely on the simple one-click age confirmation checkbox, a mechanism regulators ruled is completely insufficient to meet legal requirements. The same finding of non-compliance was issued against social platform Snapchat, which a separate Commission investigation found likely violated the DSA by exposing minors to grooming attempts, criminal recruitment, information on the sale of illegal goods like drugs, and unregulated access to age-restricted products including e-cigarettes and alcohol.

While the DSA does not explicitly mandate age verification as an absolute requirement for all platforms, it requires Very Large Online Platforms (VLOPs) — platforms with more than 45 million monthly active users in the EU — to take concrete action to reduce systemic risks tied to child protection. Failure to comply can result in fines of up to €18 million, or 10% of a platform’s total global annual turnover.

So What’s the Solution?

During a recent press conference held by the two officials leading the DSA investigations, Prabhat Agarwal and Renate Nikolay, regulators laid out their core goal: to implement age-verification systems that confirm a user meets the minimum age requirement without sharing the user’s name, date of birth, or any other sensitive personal data with the hosting platform or any third party.

The leading technical solution currently under evaluation is the Age Verification Blueprint, more commonly referred to as the mini-wallet. It is a mobile application designed to function like a digital credential wallet: users download the app once, verify their age a single time via an electronic national ID, passport, banking app, or other official national identification system, and can then prove they are over 18 on any participating platform at any time without having to re-submit identity documents for every visit.

The system relies on a technical principle called selective disclosure: the mini-wallet never shares a user’s full date of birth or other identifying details with the website. It only answers the specific question “Is this person over 18 years old?” with a cryptographically verifiable “yes” or “no”. Access credentials are issued as single-use tokens, which theoretically prevents cross-session tracking of users on the same platform.

The mini-wallet is not intended to be a permanent standalone system. It is designed as a transitional bridge to the upcoming EU Digital Identity Wallets (EUDI Wallets), the universal digital identity wallets that EU member states are scheduled to roll out by the end of 2026, which the mini-wallets will eventually integrate into. In practice, this means users who adapt to the mini-wallet now will already be familiar with the functionality of the universal digital wallet that all EU citizens will be required to use in the future. The full EUDI wallet will let users store and manage not just age verification, but also official identity, educational qualifications, driver’s licenses, and other personal credentials all in one mobile app.

Five EU member states are already running pilot tests of the mini-wallet solution this year, but progress across the bloc is far from uniform. Regulators noted during the press conference that France and Denmark are well ahead of schedule, while Greece, Spain, and Italy are lagging behind. This uneven rollout has led many experts to question whether the full universal EUDI wallet will actually enter into force by the agreed deadline.

An Alternative to the U.S. Market Model

Two private companies already dominate the existing European age-verification market: Persona and Yoti. Persona is an identity and age-verification provider used by major platforms including Roblox, Discord, and Reddit. It offers verification based on government IDs, facial age estimation, and other personal identifiers, adjusting its methods to comply with local regulations in each country where it operates.

In February 2026, independent researchers reported that a public subdomain linked to Persona was left exposed, leaking thousands of user records linked to the service. The company partially disputed the researchers’ findings in a subsequent public statement, noting it had held direct, productive discussions with the research team following the discovery.

Yoti, meanwhile, is currently used by TikTok for age verification in Europe alongside other methods like credit card and government ID checks. Last year, the company was fined €950,000 by Spain’s data protection authority, which found Yoti’s Digital ID app violated EU data protection regulations. The company has denied any wrongdoing and announced it would appeal the fine.

Brussels is pushing for the new mini-wallet system to use an open-source architecture, allowing both member state governments and private market players to develop national or customized derivative versions of the tool. During the press conference, European tech providers Scytales and T-Systems were named as leading potential partners for the project. Regulators explained that any approved system must follow a “triangular” structural rule: an independent third party certifies that the user meets the required age requirement, and the adult platform never receives the user’s identity documents or any sensitive personal data. To make this model easier to understand, the Commission compared it to the EU’s digital Covid certificate system, which operated on the same privacy-preserving principle.

A Glaring Unresolved Loophole

Even with this carefully designed framework, there remains a clear gap between the technical promise of the system and the real-world social challenges of age verification. As regulators acknowledged during the press conference, the mini-wallet is primarily designed to prevent platforms from collecting excess personal data about users, but it does very little to address the simplest and most common bypass method: a minor using an adult’s phone, pre-verified credentials, or official ID to access content. In other words, the new system may reduce the amount of sensitive personal data circulating online, but it does not automatically eliminate the risk of practical age-verification bypass.

Despite this known flaw, the mini-wallet is currently seen as the most promising solution available. The Commission has clarified that it is not the only acceptable solution, however, and the door remains open to alternative approaches as long as they deliver “equally effective” results for child protection and privacy. Pornhub is already participating in the pilot phase of the project, and other platform operators have been invited to join the testing program.

In short, Europe is poised to become the first major global policy laboratory where age verification stops being a meaningless formality and becomes a real, regulated digital infrastructure — with all the promise this brings, and all the accompanying risks that cannot be overlooked.

This story originally appeared in WIRED Italia and has been translated from Italian.