AgeGateOverview
The Digital Services Act requires platforms to take "appropriate and proportionate measures" to ensure a high level of privacy, safety, and security of minors. Article 28 specifically addresses the protection of minors online. The European Commission published its age verification blueprint in July 2025, centred on a "mini wallet" approach using the upcoming European Digital Identity (EUDI) wallet system.
The blueprint is not yet legally binding but sets a clear direction of travel. Platforms that engage with the Commission's preferred approach now will be well-positioned when the EUDI wallet mandate comes into effect. In the interim, other approved methods — photo ID, facial age estimation, and reusable credentials — satisfy the DSA's current requirements.
EU rules apply uniformly across all 27 member states. AgeGate automatically maps users from any EU country to the EU ruleset.
Who needs to comply
The DSA applies in layers depending on platform size and nature:
- Very large online platforms (VLOPs) — platforms with 45 million or more monthly active users in the EU — have the strictest Article 28 obligations and are directly supervised by the European Commission
- Smaller platforms must still take proportionate measures to protect minors from harmful content
- The DSA applies to any platform accessible to EU users, regardless of where it is headquartered
- Micro and small enterprises (fewer than 50 staff, under €10M turnover) are exempt from certain provisions but not from basic minor protection requirements
Approved verification methods
The Commission's July 2025 blueprint sets out the preferred approaches for age verification under the DSA:
| Method | How it works | DSA rating | Offered by |
|---|---|---|---|
| Photo ID verification | User uploads a government-issued photo ID. Document is verified and age extracted. | Recommended | Third-party |
| Facial age estimation | Uses a brief selfie to estimate age. The model runs entirely on the user's device — no image is uploaded, transmitted, or stored. Accuracy and reliability requirements apply under Article 28. | Recommended with conditions | AgeGate |
| Reusable age credential (AgeKey) | A FIDO2 passkey-based reusable credential. Users verify once and reuse across sites. | Recommended | Third-party |
| EUDI wallet attestation | Age attestation via the European Digital Identity wallet, confirming age without revealing full date of birth. | Mandated from 2027 | Coming soon |
The Commission's longer-term goal is to make the EUDI wallet the primary method. The wallet will include a "Person Identification Data" attestation that can confirm age without revealing the user's full date of birth.
Penalties and enforcement
Enforcement of the DSA's VLOP provisions sits with the European Commission directly. Member state Digital Services Coordinators handle enforcement for smaller platforms.
- Fines of up to 6% of annual global turnover for VLOPs that fail to comply with Article 28 obligations
- Repeat infringements can result in temporary access restrictions for EU users
- Member state authorities can impose additional sanctions under national implementing legislation
- The Commission can order emergency measures within 24 hours in cases of serious risk to public security
How AgeGate helps
AgeGate handles EU/DSA compliance automatically:
- Detects EU users and applies the DSA ruleset automatically
- Presents AgeGate's facial age estimation — meets the accuracy and reliability requirements of Article 28, runs on-device in under 100ms
- No image is uploaded, transmitted, or stored — fully compatible with the GDPR
- Logs every verification event with the detail needed for Commission audits: timestamp, method, jurisdiction, outcome
- EUDI wallet integration is on the roadmap — early access customers will be first to switch when it goes live