On April 29, 2026, the European Commission urged member states to accelerate rollout of its EU age-verification app and make it available to citizens by the end of the year. The so-called 'mini-wallet,' feature-ready since April 15 and built on the same technical specifications as the European Digital Identity (EUDI) Wallet, lets a user prove they are over 18 without disclosing their name, birthdate, or anything else. A front-runner group — France, Denmark, Greece, Italy, Spain, Cyprus, and Ireland — plans to fold it into national wallets or ship customised national apps.
On paper, adoption is voluntary. In practice, the Commission has built an enforcement gun and pointed it at the industry's head on the same day it released the recommendation.
The strongest case for the app
The child-protection problem is real, and the Commission's instinct is defensible. Roughly 92% of Europeans rank strengthening minors' online protection as a top policy priority, per the Commission's own age-verification policy page. Self-declared birthdates are a fiction: any twelve-year-old can type '1999.' And the privacy architecture here is genuinely better than the alternatives. The mini-wallet uses zero-knowledge-proof cryptography and selective disclosure — a binary 'over 18: yes/no' token, with no document image handed to the website and, the Commission insists, no way to track the user across sites.
Compared with the dominant commercial model — uploading a passport scan or a face to a third-party vendor that retains the data — a state-issued, anonymous, on-device proof is a meaningful improvement. If age checks are coming regardless, a privacy-preserving public option beats a surveillance-heavy private one. That is the honest steelman.
'No more excuses' is the tell
The trouble is that the app does not arrive as a neutral tool. It arrives as the reference standard against which non-compliance will be measured. The Commission's guidelines on Article 28 of the Digital Services Act require platforms accessible to minors to deploy age-assurance methods that are 'accurate, reliable, robust, non-intrusive, and non-discriminatory,' and Brussels has committed to publishing a list of solutions deemed equivalent to its own blueprint. A platform may use a 'system of comparable accuracy' — but the Commission decides what is comparable, and the Commission wrote the comparator.
The enforcement timing removes any doubt about leverage. Hours before the rollout push, the Commission preliminarily found Meta in breach of the DSA for failing to keep under-13s off Instagram and Facebook, estimating that 10–12% of under-13s use the platforms and warning of fines up to 6% of worldwide annual turnover. Commission President von der Leyen's framing was unsubtle: 'Online platforms can easily rely on our age verification app. So, there are no more excuses.' When the regulator that levies the fines also ships the compliance tool and declares all other excuses void, 'voluntary' is doing no real work.
What the engineering actually shows
A mandate is only as good as the artefact it mandates, and the artefact is not finished. A March 2026 security review of the app's open-source code found a structural flaw: the issuer cannot verify that passport checking actually happened on the user's device, making the proof — as critics put it — trivially bypassable. One consultant demonstrated a bypass in two minutes; a VPN defeats the location logic outright. Closing the gap may require shipping full passport data to a server, which would gut the anonymity that is the app's entire selling point.
Member states have noticed. According to Biometric Update, Estonia flagged the vulnerabilities as 'a big flag'; Ireland, France, and Poland prefer nationally developed software; Germany has no plans to roll out the app at all; Finland and the Netherlands are 'hard maybes.' Pushing 27 governments toward a single reference architecture before it is secure is how the EU ends up certifying a standard it will later have to walk back.
The deeper design problem
Even a perfectly secure app would shift power in the wrong direction. Because verification runs through smartphones and their operating systems, it makes Apple and Google — the very gatekeepers the Digital Markets Act was written to constrain — load-bearing infrastructure for accessing lawful content. Adults without a compatible device, a passport, or the digital literacy to navigate a wallet risk exclusion from ordinary websites, with disproportionate effects on marginalised users. And age-gating treats a symptom: the documented harms to minors flow less from mere access than from engagement-maximising recommendation systems and addictive design, which an over-18 token does nothing to touch.
The proportionate path is narrower. Keep the blueprint genuinely optional and certify multiple independent solutions, so no single architecture — least of all an unfinished one — becomes the default through enforcement pressure. Fix the trust-boundary flaw and publish an audited version before urging 27 states to commit. And aim DSA enforcement at design and algorithmic risk, where the evidence of harm is strongest, rather than at the access checkpoint, where the cost to open-internet access and adult privacy is highest. Child safety is a legitimate goal. Conscripting every adult into a government ID app to reach it is not the only way there — and Brussels should stop pretending its tool is a choice.