The Country-of-Origin Principle Under Pressure
Since 2000, the e-Commerce Directive's country-of-origin (CoO) principle has been the foundational rule of the EU digital single market: an online service established in one member state is governed by that state's law, not by every jurisdiction it reaches. For platforms based in permissive regulatory environments — or simply in their home market — this principle has served as an effective shield against extraterritorial enforcement. France's ARCOM regulator spent years trying to pierce that shield against Czech-registered pornographic websites. On June 16, 2026, the CJEU Grand Chamber told it precisely how.
The court, sitting as a Grand Chamber of fifteen judges under President K. Lenaerts, delivered its ruling in joined cases C-188/24 (WebGroup Czech Republic / NKL Associates) and C-190/24 (Coyote System). Both Czech-registered operators had challenged France's use of a general criminal prohibition on minors' access to pornography and targeted ARCOM enforcement orders requiring age-verification systems on their sites. The court's answer was split — and legally significant on both counts.
What the Court Said
The Grand Chamber made three core holdings.
Blanket criminal laws fail the specificity test. France's general criminal prohibition — applying uniformly to all services making pornographic content accessible to minors — does not satisfy Article 3(4) of Directive 2000/31/EC (the e-Commerce Directive). The CoO exception permits only "measures taken against a given information society service." A law that covers everyone covers no one specifically, and therefore cannot serve as the legal basis for targeting a foreign-established platform. Criminal law classification is irrelevant; what matters is whether the measure is individualized.
Targeted enforcement orders can qualify. ARCOM's notices to specific, named platforms — requiring them to implement age-verification systems — satisfy Article 3(4), provided France also follows the procedural sequence: requesting that the home member state (Czechia) first take action, and notifying both the European Commission and the home state. Urgent circumstances permit ex-post notification, but the procedural steps are mandatory, not optional.
Algorithmic curation removes the liability shield. Platforms that use algorithms to determine what content reaches whom — curating distribution based on user profiles, engagement signals, or commercial priorities — exercise "active control" over that content. This disqualifies them from the hosting-liability exemption under Article 14 of the e-Commerce Directive, reserved for genuinely passive intermediaries. Algorithmic sorting is not neutral hosting; it is editorial curation, and editorial curators bear liability accordingly.
The Steelman Case for Intervention
Child-protection arguments deserve to be heard seriously before critiquing them. The strongest version of France's position is this: the CoO principle was designed for a 2000-era internet where regulatory arbitrage was limited. Today, platforms can deliberately incorporate in permissive jurisdictions precisely to exploit it. If a Czech-registered site explicitly targets French users but faces no meaningful enforcement in Czechia, the CoO principle effectively means no regulation at all. France had the AVMSD (Directive 2010/13, Article 28 ter) on its side — a text that explicitly lists age-verification systems as proportionate safeguards — and a legitimate democratic mandate to protect minors.
The court took those arguments seriously. It used the AVMSD's age-verification provisions as a proportionality yardstick: where platforms have not voluntarily implemented AVMSD-compliant protections, targeted national enforcement orders are proportionate. That is a defensible, evidence-grounded conclusion for the specific class of content at issue.
The Fragmentation Risk
The difficulty lies not with this ruling's outcome — age-gating pornographic content is a bounded, proportionate intervention — but with the enforcement model it endorses at scale. Requiring individualized orders and home-state notification is procedurally sound. The problem arises when every EU member state issues individualized orders under its own child-protection, hate-speech, or consumer-protection law, each with its own technical standards and fine structures.
France's ARCOM, for instance, imposes penalties of up to 2% of worldwide turnover for non-compliance with its age-verification technical reference, and can direct ISPs and DNS resolvers to block sites within 48 hours. Germany has already signaled a different threshold — its courts have indicated that standard entertainment content may not meet the "serious and grave risk" test, while pornography does. Ireland's Data Protection Commission adds GDPR-layer complexity to any age-verification architecture. A platform serving all 27 member states now faces a potential mosaic of individually ordered, procedurally valid but substantively different obligations — each legally permissible under the framework the CJEU just endorsed.
Small and mid-sized platforms face the sharpest compliance burden here. A very large online platform (VLOP) can absorb a 27-jurisdiction compliance function. A Czech operator with limited resources cannot easily navigate a procedural dialogue between Paris, Prague, and Brussels simultaneously.
The DSA Question Left Open
The ruling does not resolve a second critical ambiguity: whether the Digital Services Act displaces national youth-protection laws as a matter of harmonization. The DSA (Regulation 2022/2065) creates age-assurance obligations for platforms under Articles 28 and 34-35, and the European Commission has argued that full harmonization through the DSA renders national rules redundant for EU-established platform providers. The CJEU did not address this in C-188/24 / C-190/24.
The answer matters enormously. If the DSA fully pre-empts national rules for in-scope platforms, then ARCOM's enforcement orders against EU-established VLOPs may be displaced by the Commission's exclusive competence. If it does not, the multi-jurisdiction enforcement mosaic will intensify precisely as the DSA's own age-assurance obligations come fully online. National regulators, emboldened by the Grand Chamber's procedural roadmap, are unlikely to wait for the Commission to clarify this.
The Bottom Line
The CJEU's ruling gives regulators a clear, judicially validated pathway to compel age verification from foreign-established platforms — but only through individualized orders, not blanket prohibitions, and only after following the notification sequence. For child-safety advocates, this is a meaningful judicial endorsement of age-verification as proportionate under EU law. For platforms, it confirms that algorithmic curation forecloses the passive-intermediary liability shield, and that targeted enforcement orders from member-state regulators are legally legitimate.
The ruling is narrow on its facts and careful on its reasoning. Its risk is not what it decides but what it enables: an era in which every EU regulator has a judicially blessed enforcement template, and the digital single market fragments one individualized order at a time. The DSA was meant to prevent exactly that. Whether it does remains the central unresolved question of EU platform law.