Germany platform regulation

Germany's FSM Makes Biometric ID the De Facto Standard for Age-Gated Content, Closing the Door on Lighter-Touch Verification

FSM's June 29 certification of Didit-AVS entrenches ID-plus-liveness checks as the compliance bar for German closed user groups, sidelining self-declaration and card checks.

Germany's Age-Verification Bar Just Got Higher People of Internet Research · Germany Dec 1, 2025 JMStV amendment took effect 6th Media Amendment State Treaty w… 102+ AVS concepts KJM-approved Total systems approved under KJM's… ~€3.6M Cost of AU biometric-hoarding au… Australian government probe found … peopleofinternet.com
Germany's Age-Verification Bar Just Go… People of Internet Research · Germany Dec 1, 2025 JMStV amendment took effect 102+ AVS concepts KJM-approved ~€3.6M Cost of AU biometric-hoardi… peopleofinternet.com

Key Takeaways

What FSM certified

On June 29, 2026, the FSM Expert Commission (Freiwillige Selbstkontrolle Multimedia-Diensteanbieter), Germany's recognized self-regulatory body for online youth protection, certified Didit's AI-driven Age Verification System (Didit-AVS) as meeting the requirements of Section 4(2) sentence 2 of the Jugendmedienschutz-Staatsvertrag (JMStV) for establishing a "closed user group" (geschlossene Benutzergruppe). That designation lets platforms hosting content legally restricted to adults treat their user base as verified-adult-only, rather than blocking the content in Germany outright.

Didit-AVS works in three steps: a user photographs a government ID (or taps it via NFC) for document verification, a live selfie is checked against the ID photo with liveness detection to rule out spoofing, and the system then reads the birthdate off the document to confirm the user is an adult. The certification follows the Sixth Media Amendment State Treaty (Sechster Medienänderungsstaatsvertrag), which took effect December 1, 2025 and, for the first time, wrote FSM's authority to certify AVS providers directly into the JMStV, aligned with the existing review process the FSM already runs for youth-protection filtering software.

From checkbox to ID scan

The practical shift is significant. For years, German platforms could argue that a self-declared birthdate, a checkbox, or a credit-card check demonstrated "good faith" toward restricting minors' access. Regulators have long been skeptical of that theory — a self-declared age is trivial to falsify, and a credit card can belong to a parent or be borrowed — but enforcement was inconsistent. The Sixth Amendment closes that ambiguity: it puts biometric-ID verification on statutory footing as the recognized method for building a closed user group, and Didit-AVS is now one of the systems FSM has formally blessed against that bar. This is not without precedent: the KJM (Kommission für Jugendmedienschutz), which oversees FSM's assessments, approved Privately SA's FaceAssure age-estimation system back in November 2022, bringing the total of KJM-approved AVS concepts and comprehensive youth-protection systems to over 100 — but that generation relied on on-device age estimation, not document-plus-liveness identity verification. Didit-AVS represents a harder pivot toward binding a real-world identity to platform access.

The case for it

The strongest argument for this approach is straightforward: German regulators have spent two decades watching self-declaration fail. If the legal category "content harmful to minors requiring closed user groups" is going to mean anything, the verification method backing it has to actually stop a 14-year-old from clicking through. Liveness-checked ID matching is measurably harder to defeat than a birthdate dropdown, and unlike blanket content bans or app-store age gates, it lets adults keep access to legal content rather than removing it from the market entirely. FSM's certification process is also not a rubber stamp — it is conducted by an independent expert body under KJM oversight, with a stated "technology-neutral" mandate, not a preference for any single vendor.

Why the proportionality math still doesn't add up

But solving the false-negative problem this way imports a much larger cost: it makes handing a scan of your national ID and a live face-match the price of admission to lawful adult content. Once ID-plus-biometric verification becomes the compliance bar rather than one option among several, platforms have every incentive to adopt the strictest available method to avoid regulatory risk — even where their user base or content risk profile doesn't warrant it. That is precisely the dynamic 400 researchers across 29 countries warned against in an open letter this March, arguing that governments are rolling out age-verification mandates faster than the evidence base for their societal effects can catch up, a concern echoed in Germany's own debate over parallel social-media-age proposals.

The data-retention question is not hypothetical. A government-commissioned Australian audit — reported by netzpolitik.org, which found the review cost roughly €3.6 million — documented age-verification vendors storing complete biometric or document data from all users even when neither the law nor the user had asked for retention, creating exactly the breach-prone honeypots privacy advocates predicted. Nothing in FSM's certification of Didit-AVS suggests German regulators have built in retention limits, audit rights, or breach-notification requirements specific to biometric AVS vendors as a condition of certification — the assessment appears to test whether the system reliably verifies age, not how long it keeps the ID scan afterward.

A narrower path exists

Proportionate regulation would tier the requirement to the actual risk: on-device age estimation with no data leaving the phone for moderate-risk content, escalating to document-based checks only for the narrowest category of explicitly age-restricted material, paired with binding retention caps and independent audits of AVS vendors as a condition of certification, not an afterthought. Germany's youth-protection goal is legitimate and its old self-declaration regime was genuinely too weak. But entrenching biometric ID checks as the default compliance path — without matching data-minimization guarantees — trades an enforcement gap for a privacy and surveillance-infrastructure risk that falls on every adult who wants to read something the state has decided minors shouldn't.

Sources & Citations

  1. FSM: Altersverifikationssysteme / Geschlossene Benutzergruppen
  2. KJM: 6. MÄndStV tritt in Kraft
  3. KJM: FaceAssure biometric AVS approval (2022)
  4. Didit: FSM Age Verification Provider certification for Germany
  5. netzpolitik.org: Australian audit on AVS vendors hoarding biometric data