A panel with real expertise, and a real mandate problem
On July 13, 2026, the European Commission's Special Panel on Child Safety Online — a body of roughly 60 health, neuroscience, child-rights and computer-science experts co-chaired by Dr. Maria Melchior and Prof. Jörg Fegert — handed President Ursula von der Leyen its final report after three sessions since March (European Commission). The report runs roughly 150 pages and makes 14 recommendations, the headline ones being a harmonised EU-wide access restriction to social media for children under 13, and a mandate for 'effective age assurance systems' across the bloc (European Commission).
The steelman case is genuinely strong. A companion Eurobarometer survey found 71% of Europeans worry about cyberbullying and harassment and 70% fear online grooming and sexual exploitation; nearly two-thirds want EU-wide rules restricting children's access to social media by age (Tech Policy Press). Parents are not wrong to worry, and a patchwork of 27 national responses — France pushing an under-15 ban the Commission itself says conflicts with EU law — is worse for both children and platforms than one harmonised standard.
The genuinely good part: rejecting biometric age-checks
On the technical design, the panel deserves credit. Its report explicitly states that age-assurance methods 'should not lead to the processing of identity documents and biometric data for the purpose of age estimation,' and instead points to zero-knowledge proofs — cryptographic techniques that can confirm a user is over or under a threshold without a platform ever learning the user's birthdate, name, or ID scan (Biometric Update). That is the correct instinct. Age verification regimes elsewhere have defaulted to document uploads or facial-age-estimation scans that create honeypots of sensitive data and chill adult usage through friction and privacy fear. A EU standard built around privacy-preserving cryptography rather than ID databases would be a genuine export-worthy model, if it survives contact with 27 member states' implementation.
The part that should worry innovation-minded readers
The more troubling recommendation is structural, not technical: converting the Commission's existing non-binding Article 28 DSA guidelines on minors into a binding code of conduct, alongside a pre-certification regime that would require any service 'likely to be accessed by children' to demonstrate compliance before entering the market (Tech Policy Press). That flips the normal regulatory posture from 'act, then be held accountable for harm' to 'prove safety to a regulator before you may operate.' For Meta or TikTok, a pre-certification file is a compliance-department exercise. For an EU startup building a teen-adjacent education or gaming app, it is a plausible reason to launch in the US first, or not launch in the EU at all — precisely the dynamic that has already made the bloc a laggard in consumer social platforms.
The under-13 access restriction has the opposite problem: it is easy to legislate and hard to enforce. UK experience is instructive here. Ofcom opened a formal investigation into TikTok on July 16, 2026, alleging the platform's age-inference models 'failed to correctly identify a significant proportion of children,' even though TikTok already operates under the binding UK Online Safety Act with penalties up to £18 million or 10% of global revenue (The Record). If a company with real regulatory exposure and mature compliance infrastructure still cannot reliably keep under-13s off its platform using the tools the UK has approved, an EU-wide statutory age floor will not automatically fix itself through legislative text. It will produce the same enforcement gap, just at greater scale — and, as UNICEF has separately warned regarding Australia's under-16 ban, restriction without enforceable substitutes tends to push children toward less-moderated, offshore services rather than off screens entirely.
What proportionate regulation looks like here
A pro-innovation position does not mean opposing this report wholesale. It means separating what should survive the Commission's drafting process, expected before autumn 2026, from what should not. Zero-knowledge-proof age assurance and safety-by-design defaults — disabling infinite scroll, autoplay, and engagement-optimised recommender feeds for known minors — are proportionate, technically sound, and narrowly targeted at the actual harm. A binding pre-certification gate that applies before any evidence of harm exists, layered on a hard under-13 ban that UK enforcement data suggests will be porous in practice, risks becoming a compliance tax on smaller EU competitors while doing little to change outcomes at the margin. The Commission should keep the former and drop the latter from its legislative text.
"Age-assurance methods... must be proportionate and uphold minimum requirements, notably concerning the fundamental rights of users, including children's rights." — European Commission Special Panel report, July 2026
That proportionality test is the right one. The Commission should now apply it to its own pre-certification proposal, not just to the age-check technology.