On July 14, 2025, the European Commission did something unusual for Brussels: it shipped code. Alongside its long-awaited guidelines on the protection of minors online under Article 28 of the Digital Services Act, the Commission released a white-label, open-source age-assurance application — the so-called "mini-app" — designed to let platforms verify whether a user is over 18 without harvesting their identity. Ten months later, France, Italy, Spain, Greece and Denmark are piloting the tool as a stopgap until the EU Digital Identity (EUDI) Wallet rolls out across the bloc in late 2026.
For a regulatory project that has frequently been accused of being long on principle and short on plumbing, this is a meaningful shift. But the mini-app is also a stress test of a deeper question: can Europe build child-safety infrastructure that is genuinely privacy-preserving, interoperable, and proportionate — or will it default to ID-checks-for-everything?
What the mini-app actually does
The Commission's tool is not a single product but a reference implementation. It allows a user to prove an age attribute — typically "over 18" — to a relying party (an adult site, a social network, an alcohol retailer) without disclosing their name, date of birth, or document number. The architecture relies on the EUDI Wallet's age-verification rulebook and supports zero-knowledge-style attestations issued by national identity providers or accredited third parties.
Crucially, the mini-app is open source, white-labelled, and free for member states to adapt. That matters. One of the more under-appreciated risks of European tech policy is regulatory capture by a handful of incumbent age-verification vendors who have lobbied hard, from the UK's Online Safety Act consultations to France's ARCOM rulemaking, for mandatory ID upload regimes. A Commission-provided reference stack changes that procurement dynamic.
Why a stopgap, and why now
The five-country pilot is not happening in a vacuum. Two pressures converged.
First, the DSA's Article 28 obligation — that very large online platforms (VLOPs) put in place "appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors" — became enforceable in early 2024. The Commission has since opened formal proceedings against several platforms over minor-protection design, and national regulators are signalling they want tangible compliance evidence rather than self-assessments.
Second, the EUDI Wallet — mandated by the revised eIDAS Regulation (Regulation (EU) 2024/1183) — will not be available to every European citizen until member states finish their rollouts, currently slated for late 2026. In the meantime, platforms face the awkward question of what, exactly, they should deploy.
Without a Commission-blessed bridge, the answer would have been a fragmented mess: scanning passports in one country, biometric face-age estimation in another, credit-card-as-proxy in a third. The mini-app is the bridge.
The proportionality test
From a pro-innovation perspective, three features of the pilot deserve cautious applause.
- Data minimisation by default. The mini-app is designed to disclose a single boolean attribute rather than a full identity document. That is the right architectural choice and a direct rebuke to "upload your passport" implementations.
- Open source and interoperable. Platforms operating across multiple member states can integrate one SDK rather than negotiating with five different national vendors. For startups and mid-sized services — who are not Meta and cannot absorb bespoke compliance costs — this dramatically lowers the barrier to lawful operation in the EU.
- Scope discipline. The Commission's Article 28 guidelines explicitly contemplate age assurance, not just age verification — a spectrum that includes age estimation and self-declaration where the risk profile is lower. That nuance is important: a generalist video platform is not a pornography site, and the regulatory tooling should reflect that.
But there are real risks the pilot must avoid hard-coding.
Three failure modes
The first is scope creep. The mini-app was built to gate adult content and high-risk services. There is already pressure from some member states to deploy it for general social media access, news comment sections, and even search. That would convert a targeted child-safety tool into a de facto identity-internet — the exact outcome the Commission's own Better Regulation principles caution against.
The second is centralised choke points. Even with privacy-preserving cryptography, the issuing-attester relationship concentrates power in whichever bodies — national ID authorities, accredited private issuers — are blessed to mint age attestations. If that list is short, captured, or politically gatekept, the mini-app risks becoming a censorship rail rather than a safety tool.
The third is extraterritorial overreach. The DSA already applies to non-EU platforms serving EU users. If the mini-app becomes a de facto global compliance baseline — as the GDPR did for privacy — smaller non-European services may simply geoblock the EU rather than integrate. That is bad for European users and bad for an open internet.
What success looks like
A successful pilot would demonstrate three things by mid-2027: that the mini-app can be integrated by a small platform in days rather than months; that adult-content services actually use it (rather than evading it via mirror domains, which has been the persistent failure mode of the UK and French regimes); and that no national regulator quietly broadens its mandate beyond high-risk categories.
If Brussels can hit those marks, the mini-app will be one of the more competent pieces of EU digital infrastructure in a decade. If it overreaches, it risks becoming the moment Europe accidentally introduced mandatory ID-to-browse. The five-country pilot is, in that sense, exactly the right place to find out — small enough to course-correct, serious enough to matter.