EU age verification framework 2026
Commission Recommendation (EU) 2026/1035, adopted on 29 April 2026, asks Member States to make an EU age-verification solution available by 31 December 2026. The preserved Commission page and current FAQ snapshot describe a stand-alone application or a function integrated into national EUDI Wallets.
This is a recommendation to make a proof mechanism available, not a universal legal duty for every person to verify age before using the Internet. The DSA requires appropriate and proportionate protection on platforms accessible to minors, but does not itself prescribe one minimum age or a check on every service. The Commission’s 2025 guidelines recommend verification for high-risk adult services such as pornography and gambling and where EU or national law sets a minimum age.
Claimed privacy architecture
The proposed flow separates enrolment from presentation.
An identity source such as an electronic identity,
passport, identity card, bank application,
or in-person service establishes the threshold once.
The service later receives only a result such as over 18: true.
The issuer should not learn which service requested the proof,
and presentations should not be linkable across services or visits.
The Commission describes this as anonymous. Its preserved technical specification is more qualified. It treats unlinkability as a design goal, initially used batches of single-use credentials, and subsequently added experimental zero-knowledge mechanisms. It also allows a service to store a verification result in an account, which preserves convenience but makes privacy depend on the account and service architecture.
The Commission called the common solution technically ready in April 2026. The public Android repository simultaneously described its application as an incomplete reference implementation requiring national customization and production integration. The privacy model should therefore be evaluated from audited production deployments, not from either announcement language or demonstration software alone.
Significance
The framework can replace direct uploads of identity documents, payment-card checks, and remote facial estimation with a much smaller disclosure. It also creates a reusable EU-wide checkpoint that can be extended to other age thresholds and services.
Privacy-preserving identity integration treats that checkpoint as a relying-party integration market: minimum-attribute requests, wallet compatibility, failure handling, and evidence about what the service retained. It does not require another universal identity database.
That combination makes it central to EU age verification and Internet privacy: the same infrastructure can improve privacy per verification while making age-gated access far more common.