The EU’s age-verification dilemma: DSA and VPNs
While political agreement on online age verification has not been reached, the EU is now focusing on the technical implementation layer instead. This approach could backfire from both a technical standpoint and in terms of political optics.
European Commission Executive Vice President Henna Virkkunen recently admitted that the EU's new age verification app can currently be bypassed by using Virtual Private Networks (VPNs) and that the issue will be addressed in future proposals on age verification.
The EU has bad real-life examples from other countries to consider: teens and children have been extensively using VPNs in Australia and the UK to bypass local age verification laws. This is further highlighted in the European Parliamentary Research Service’s paper on age verification and VPNs from January 2026:
“Since the related legislation came into force in 2025, half of the top 10 free apps in app-download charts in UK app stores have reportedly been VPN services. One app developer reported a 1 800 % spike in downloads in the first month after the legislation started to apply.”
Upcoming policy approach: what’s likely
Nine months ago, we speculated on how the European Union would approach the issue of social media bans and/or age verifications being bypassed by VPNs. We were right about two things: the Digital Services Act (DSA), its follow-up guidelines on the protection of minors, and the revised Cybersecurity Act will be operationalized to create a multi-layered framework with new obligations for both platforms and VPN providers to ensure age-verification tools are not bypassed.
The DSA’s Article 28 on age assurance and its guidelines are likely to be used (and/or amended) to oblige platform providers to check their compliance (e.g., through obligations to check if the service is being used via a VPN network and triggering additional verification), whereas the Cybersecurity Act (through potential new “child-safety criteria”, mentioned in the EPRS' paper) will create new obligation layers for VPN providers.

This can become an ugly lobbying fight within the industry between big platforms and VPN providers, with both pointing fingers at each other - similar to what happened in the US between social media platforms and app store holders.
What’s unlikely to happen
Contrary to popular narratives on social media, the EU will definitely not ban VPNs per se - this would look optically bad. Instead, a multi-layered approach with flexible investigations through the DSA, combined with new obligations for VPN providers, seems like the most probable scenario for now.
It’s also unlikely that the EU will opt for a US-style app store-level verification, because this might look bad in the context of the EU’s data protection rules and data minimization approach (collect, use and retain only the minimum data necessary to achieve an objective).
Technical features mentioned in the paper, such as liveness detection (which helps to distinguish a live human user from a photo, video, etc.), also seem improbable for the same reasons.
Unintended consequences
The argument about new, fringe, and less-regulated websites and services is often dismissed in the EU. However, the EU could learn a lesson from countries that have attempted to limit VPN use (e.g., Russia): once the big VPN providers are blacklisted or scrutinized, new, smaller providers pop up, making it virtually impossible to manage them all.
The questions about user privacy and anonymity are often brushed aside in Brussels, but this can also bite back on two fronts. First, even Europeans who are not particularly privacy-concerned won’t be happy about having to verify their identity online when platform systems flag them incorrectly. Second, the EU’s advocacy on human rights and freedom of expression in authoritarian countries will become irrelevant, because the EU will face the same accusations about mass surveillance, even if implemented with more political finesse.
Fundamental debate is not happening
Overall, political agreement on age verification has not been reached in the EU, despite the prevailing view that this is a “done deal” and EU officials focusing mostly on technical implementation details.
Estonia, one of the most digitally advanced countries in the EU, is vocally against the very idea; 7 other countries are critical of the EU’s new age verification app.
The Council of Europe’s new recommendations on online safety explicitly called for children not to be excluded from expressing themselves online (framing it as a fundamental human right), emphasizing potential negative effects on marginalized teens and stating that whatever is legal offline should be legal online and vice versa. So far, it seems that these guidelines haven’t reached policymakers’ inboxes.