Children, age verification and the future of VPNs in Europe

Aside from the upcoming discussions on CSAM/Chat Control, the internet privacy community should keep a close eye on the new Cybersecurity Act, the review of the ePrivacy directive and how the EU’s approach to virtual private networks (VPNs) play out in the next couple of years. 

The UK’s messy experience with age verification via the Online Safety Act  - and teens using VPNs to bypass it - has drawn significant attention. It’s likely the EU will target this area as it strengthens its own framework for protecting minors online.

While some tech-ignorant voices have called for VPNs to be “banned”, this remains highly unlikely in the Western world. Globally, only North Korea enforces a total ban. Other authoritarian-leaning states restrict VPN use during elections or political unrest. In Russia and China, for example, VPNs are technically permitted but only under strict conditions: in China, only government-authorized services are legal, while in Russia, providers must comply with official blacklists. Using VPNs to access banned content is illegal for individuals in Russia, though in practice, many Russians rely on them precisely for that purpose.

In Europe, VPN providers are subject to a range of regulations - from the General Data Protection Regulation (GDPR) to the Digital Services Act (DSA), NIS2, the ePrivacy Directive, and the EU Cybersecurity Act. In addition, Member States can impose their own obligations on VPN providers, including requirements for lawful interception, data retention, or national security.

Possible scenarios: the Cybersecurity Act, codes of practice, EUDI wallet integration, certification schemes - or all of them combined

Although virtual private network (VPN) providers haven’t (yet) been the focus of discussions on the incoming child protection framework online, it’s likely that the EU will build on the British experience and use a range of upcoming amendments to privacy- and cybersecurity-related legislation to impose stricter obligations on VPN providers.

The European Commission closed its public consultation on the Cybersecurity Act on June 20, 2025. A new draft is expected to be presented by Q4 2025, with the Danish Presidency signaling it will “be ready” to begin negotiations in December 2025. While the European Commission’s call for evidence focused mainly on cybersecurity for ICT products, services, and processes, as well as on “strengthening ICT supply chain security”, it is likely that the revised Cybersecurity Act will also introduce child-safety criteria, such as measures to prevent VPN misuse to bypass legal protections

The European Commission published guidelines on the protection of minors under the DSA in July 2025. While these guidelines are advisory rather than binding, it’s worth noting how frequently the EU has turned to “codes of conduct” and “codes of practice” in recent years. 

These frameworks are de jure voluntary, with companies signing on to align with EU laws and principles. In practice, however, they often go beyond existing legislation, creating additional, targeted requirements. Refusing to participate typically results in stricter scrutiny and lengthy legal disputes. It is therefore likely that VPN providers will eventually be subject to similar guidelines - building on existing legislation such as the DSA, the Cybersecurity Act, and the ePrivacy Directive.

An important part of the EU’s long-term age verification plans will be tied to the development of the so-called EU Digital Identity Wallet. If and when the wallet launches properly, it is expected to provide a trusted, interoperable way to verify age and identity across the Union. While the responsibility for age verification will likely fall on platforms (i.e. big tech), a key question remains: what happens when children or teens use their parents’ EUDI wallet to access certain websites (including VPN services)  and are still able to bypass restrictions?

In conclusion, the above mentioned scenarios are highly speculative at the moment, yet Europe’s internet privacy advocates should closely follow the upcoming legislative measures on protecting minors online - to “watch the watchmen” and ensure that the rules remain targeted and do not undermine broader European privacy principles.