The EU age-assurance clock is no longer theoretical. On 15 April 2026, the European Commission made its age verification blueprint feature-ready: the open technical standard behind the EU "mini wallet" approach. A Commission recommendation the same month urges Member States to give every citizen access to privacy-preserving age checks by 31 December 2026. Under the Digital Services Act (DSA), platforms already owe minors a high level of privacy, security, and safety. The Commission has also opened formal proceedings against Meta for failing to keep under-13s off Instagram and Facebook.
DSA penalties (already in force)
Non-compliance with the DSA can cost up to 6% of global annual turnover in serious cases. Digital Services Coordinators may also impose periodic penalty payments until a platform restores compliance. Source: Commission DSA enforcement.
The legacy "I am over 18" checkbox does not survive contact with Article 28 or national Digital Services Coordinators. The question for forums, marketplaces, and WooCommerce operators is no longer whether to verify. It is how to verify without forcing users through government-app detours that destroy conversion.
Quick answer
- What changed: Blueprint feature-ready 15 April 2026; Member States urged to roll out citizen-facing tools by 31 December 2026; Meta proceedings signal enforcement on minor protection.
- Who must act: EU platforms with age-restricted content or services likely accessed by minors. Social products first, then forums, communities, marketplaces, and WordPress stacks with sign-ups, UGC, or restricted goods.
- The trap: Full document KYC on every registration: high friction and a PII honeypot on your servers under GDPR.
- Recommended approach: Privacy-first age assurance: prove a threshold (16+ or 18+), not identity; align with the Commission blueprint and future EUDI Wallet; data minimisation on your side.
- How AgeOnce helps: Verify once, return a signed 16+ or 18+ result and Audit ID; no ID storage on your servers. Run the live demo.
What the Commission expects in 2026
The April 2026 package does not invent a new obligation from scratch. It sharpens how regulators expect platforms to meet DSA Article 28 and prepares the ground for eIDAS 2.0. Three design principles recur in the blueprint and technical portal at ageverification.dev:
Effective assurance: not self-declaration
Where age restriction matters, regulators expect methods that are appropriate and proportionate, not honour-system birth years. Cryptographic or biometric proof, accredited attestations, and wallet-based threshold credentials are in scope. Guessing age from browsing behaviour or a single checkbox is not.
Minimal disclosure: threshold only
Platforms should receive proof that a user is over a threshold (for example 18+) without collecting passports, storing full dates of birth, or building identity dossiers. The blueprint uses anonymous proof-of-age patterns (selective disclosure and attestations) so relying parties see what they need to gate access, not everything on an ID card.
Interoperability with the EU Digital Identity Wallet
Solutions should align with the EUDI Wallet architecture rolling out through 2026–2027. Member States must offer wallets to citizens by the end of 2026; private-sector acceptance timelines follow. Building on blueprint principles now makes it easier to accept wallet-issued proof-of-age attestations later without ripping out your integration.
Blueprint vs law
The blueprint is a reference implementation, not a statute. Treat it as the Commission's technical north star: what "good" looks like for privacy-preserving age assurance while national tools and trusted-provider lists mature.
Why state wallet-only flows hurt conversion
Member States may deploy the EU age verification app as a standalone tool or inside national digital wallets. That is the right direction for cross-border trust. For a private forum or checkout, forcing only that path creates UX friction:
- User leaves your registration or basket.
- Downloads or opens a third-party government app.
- Authenticates (sometimes via bank ID).
- Returns to your site hoping the hand-off worked.
Many identity and signup UX studies report 40–60% abandonment when document upload or heavy KYC is required at registration. Add justified GDPR scepticism about uploading passports to every new website, and document-KYC-on-every-site becomes a dead end for conversion, even when it is legally defensible on paper.
40–60%
Often reported registration abandonment when document upload is required at sign-up (identity UX studies)
Complying with the DSA by hoarding passports does not reduce legal risk. It relocates it from the Digital Services Coordinator's desk to your security team's incident queue.
Privacy-first verification: signed outcome, not a document vault
Your platform does not need a user's name, document number, or selfie file. It needs a reliable answer: is this person above the required threshold?
AgeOnce follows a privacy-first model aligned with Commission blueprint principles and GDPR expectations on retention:
- The user completes photo ID matching + liveness in the browser (first time on the network).
- The provider derives the age threshold and issues a signed outcome (e.g.
18+ verified) plus an Audit ID. - No passport images, document numbers, or face gallery are written to your database.
That is the same architectural idea behind EU proof-of-age attestations: enough to gate access and demonstrate compliance, without becoming a document storage business. See why tokens beat ID galleries for the retention case.
GDPR and breach risk
When you hold only a verification outcome and audit reference, a database leak exposes far less than a folder of identity scans. That matters for DPIAs, vendor reviews, and breach counsel.
At AgeOnce your application receives only an age threshold and an Audit ID, not names, document images, or biometric archives.
See how we do itOne-and-done: Face-ID-style reverification across the web
The friction problem is not the first proof. It is the tenth proof on the tenth site, or making every adult install a national wallet before joining a niche community.
Step 1: Full verification once
A new user passes ID + liveness through the AgeOnce gateway. The heavy lift happens once. Raw documents are not retained on the merchant server.
Step 2: Seconds on every return visit or new partner site
When the same person registers elsewhere on the AgeOnce network, or logs back in, they complete a short in-browser face check (liveness + match). No passport rescan. No mandatory wallet app install for every merchant.
That is the reverification pattern: strong initial proof, light repeat checks, fresh signed token and Audit ID per access decision. Conversion recovers because the repeat step feels like unlocking a phone, not opening a bank account.
From React to WordPress: ship DSA-aligned gates without a six-month build
Age gating should not require building S3 pipelines for ID images or maintaining liveness models in-house.
Custom SaaS and modern stacks
The AgeOnce API uses an OAuth-style redirect: send the user to verify, receive an authorization code on callback, exchange it server-side for a signed JWT or token and Audit ID. Your Next.js, React, Node, or Python backend gates routes based on the token. You never process raw ID bytes.
| Integration path | Best for |
|---|---|
Next.js, React, Node.js, Python, headless SaaS: redirect, callback, signed token + Audit ID | |
Forums, membership sites, WooCommerce age-restricted checkout: install, configure gates, no custom ID storage |
Typical integration work for a backend engineer: redirect URL, callback handler, token validation, session flag. Often a day or less for a standard SaaS signup or content gate.
WordPress, WooCommerce, and community sites
A large share of EU SMB sites run on WordPress. If you operate forums, member areas, or WooCommerce with age-restricted SKUs, a plugin can enforce gates at checkout, post publish, or registration without enterprise KYC budgets. See the WordPress age verification setup page for install, OAuth credentials, and WooCommerce rules.
How verification options compare
| Self-declaration / checkbox | State wallet app only | Document KYC per site | AgeOnce | |
|---|---|---|---|---|
| DSA effectiveness bar | Unlikely to satisfy Article 28 where assurance is required | Strong when wallet is adopted; depends on national rollout | Can work if methods are effective | ID + liveness first; reverification with fresh audit trail |
| First-time UX | One click; no real assurance | Leave site, install government app, bank auth, return | Full ID scan + selfie on every new site | In-browser ID + liveness once on the network |
| Return / second site | No proof carried forward | Wallet credential if user has one | Often full ID again | In-browser face reverification |
| Data on your server | No proof; also no compliance | Threshold attestation if integrated correctly | Risk of ID vault on your infrastructure | Signed threshold + Audit ID only |
| GDPR / breach exposure | Low data, high enforcement risk | Lower if you never store documents | High if passports are retained locally | Low; no document gallery on your side |
| WordPress / SMB fit | Cosmetic gate only | Poor until national wallet is ubiquitous | Poor without enterprise budget | Plugin or API in hours, not months |
How age-assurance approaches compare for EU-facing registration, communities, and restricted commerce.
Enterprise document-KYC and national wallet apps remain valid for AML programmes and accredited identity schemes. AgeOnce is optimised for web age gates where operators need defensible assurance, minimal PII, and signup flows that still convert, while staying compatible with the blueprint's threshold-only model.
What to do before 31 December 2026
Checkbox compliance is expired. Digital Services Coordinators have turnover-scale penalties; France, Germany, Ireland, and others are already active on DSA enforcement; the Commission is moving on major platforms.
Operator checklist
- Map where DSA Article 28 touches your product: age-restricted content, minor-accessible services, UGC, algorithmic feeds, restricted commerce. Start from the EU DSA age verification overview for duties, deadlines, and methods on one page.
- Replace birth-year typing with a method regulators treat as serious: ID + liveness, accredited digital ID, or validated estimation where appropriate and sufficient for your risk.
- Stop storing IDs locally. Outcome + Audit ID only (minimisation primer).
- Plan for EUDI Wallet attestations. Choose a provider whose model can accept wallet-issued proof-of-age credentials as Member States go live (eIDAS 2.0 guide).
- Design reverification so adults are not re-uploading documents on every site.
- Ship on one integration (API or plugin) and test on registration, checkout, or first-post flows now, not in Q4.
31 December 2026 is not your start date
The year-end target is when Member States should make citizen-facing tools available. DSA duties apply now. Treat 2026 as the window to pick a provider, wire flows, and load-test conversion, not the year to watch from the sidelines.
Next step: test the flow on your site
You can stay inside DSA and blueprint expectations, avoid building a passport archive, and keep adults moving through signup.
Run the live demo. ID + liveness once, then a reverification check in the browser. On WordPress? Install the plugin and gate checkout, forums, or member areas today. Compare volume tiers on pricing.
Frequently asked questions
Under Article 28, platforms must implement appropriate and proportionate measures, including age verification where needed, to protect minors on services likely to be accessed by them. The bar is effectiveness and privacy preservation, not a specific vendor technology.
Not exactly. The Commission's April 2026 recommendation urges Member States to make privacy-preserving age verification tools available to citizens by 31 December 2026. DSA obligations for platforms are already active; the deadline accelerates national wallet and blueprint rollouts that platforms should plan to accept.
The blueprint is a reference standard and open-source implementation, not a standalone law. It defines what the Commission considers good practice: proving "over 18" without disclosing exact date of birth, and bridges to the eIDAS 2.0 Digital Identity Wallet.
Up to 6% of global annual turnover in serious cases. Digital Services Coordinators can also impose periodic penalty payments until compliance is restored.
Yes. A privacy-first flow returns only a signed age threshold (e.g. 18+ verified) and an Audit ID to your application. ID images and selfies stay with the verification provider and are not kept as a merchant-side document vault, which reduces GDPR breach and retention risk.



