The Digital Services Act (DSA) requires platforms to protect minors and to implement appropriate measures, including age verification, where access to certain content or services is restricted by age. The European Commission has gone further by publishing an age verification blueprint and a reference prototype that show how to verify age in a privacy-preserving way, for example by proving "over 18" without disclosing exact date of birth or other identifiers.
The EU blueprint and the eIDAS 2.0 Wallet
The blueprint is designed to work with the future EU Digital Identity Wallet (eIDAS 2.0). Until the wallet is widely available, the Commission’s solution offers an interim path: users can onboard with an ID or other credentials, and then present proof of age (e.g. one-time tokens) to platforms without leaking unnecessary data. Several Member States and adult-content and platform providers are already piloting it.
What DSA platforms must do in 2026
DSA penalties
Non-compliance with the DSA can cost up to 6% of global annual turnover. DSA authorities can also impose periodic penalty payments until a platform restores compliance.
EU teams need effective age assurance where the DSA requires it, with real audit and penalty risk (up to 6% of global turnover in serious cases). Regulators also expect minimal disclosure: prove age, not identity, and avoid storing raw documents or biometrics. A flow that follows the blueprint’s principles (privacy-preserving, interoperable with the future wallet) lines up with current expectations and the 2026–2027 eIDAS rollout.
Your next review and alignment steps
If you operate in the EU, review the Commission’s guidelines and technical specs, assess whether your current flow meets the "high standard" expected, and plan for alignment with the EU Digital Identity Wallet as it rolls out.
Frequently asked questions
The DSA obliges platforms to protect minors and implement appropriate measures, including age verification, where content or services are age-restricted. The bar is effectiveness and privacy-preservation, not any specific technology.
No, the blueprint is a reference implementation, not a law. But it defines what the Commission considers good practice (proving "over 18" without disclosing birth date) and is the bridge to the eIDAS 2.0 Wallet.
Up to 6% of global annual turnover in serious cases. DSA authorities can also impose periodic penalty payments until compliance is restored.
Member States must offer the EUDI Wallet to citizens by the end of 2026. Private-sector obligations to accept or use it follow later (for example, end of 2027 under some interpretations).
