Age assurance in the EU and UKIE: The 2026 compliance guide

If your digital platform still relies on a self-declaration checkbox or a simple “enter your date of birth” age gate, it may no longer meet regulatory expectations. By 2026, businesses operating across the European Union, the United Kingdom, and Ireland need age checks that are verifiable, privacy-preserving, and aligned with regulator guidance.

The compliance bar has moved decisively from “have a check” to “have a verifiable, privacy-preserving, regulator-aligned check.” That shift matters for any business offering user-generated content, age-restricted products, adult content, social platforms, video-sharing services, gaming, streaming, or other digital experiences likely to be accessed by children.

The risk is no longer theoretical. Regulators are setting clearer standards, enforcement timelines are tightening, and penalties can include large fines, executive liability, and lasting reputational damage.

What businesses need to do now

Age verification is rapidly becoming a mandatory operational requirement that must be embedded into your compliance policies. Businesses should move quickly on three fronts.

• Review your current age checks. If your platform depends on self-declaration alone, assess whether it meets the standards in the markets where you operate. In many jurisdictions, businesses will need stronger methods, such as facial age estimation, secure document verification, or other regulator-aligned approaches.

• Update your compliance documentation. Privacy policies, terms of service, trust and safety materials, and internal compliance playbooks should reflect newer laws and enforcement expectations. Existing documentation and content should be reviewed and updated to avoid relying on outdated language around basic age gates or self-attestation.

• Improve user-facing messaging. Users should understand why an age check is required, what data is collected, how it is protected, and what alternatives may be available. Clear messaging reduces friction and helps build trust at the moment of verification.

The converging regulatory standards for child safety and privacy

Regulators across the UK, EU, and Ireland are moving toward the same core expectation: platforms must take active steps to prevent children from accessing harmful or age-inappropriate content while protecting user privacy.

That does not mean every country has identical rules. The legal frameworks differ by market, and enforcement can vary by regulator. But the direction is consistent. Businesses need systems that can prove they work, minimize unnecessary data collection, and adapt to local requirements.

United Kingdom: Online safety requirements become operational

The United Kingdom has become one of the clearest examples of this shift. The Online Safety Act 2023 applies to UK-based and international services offerings in the UK that allow user-generated content or publish age-restricted content, including pornography and other material that may be harmful to minors.

For businesses, the requirement is practical: remove illegal content, prevent children from accessing age-inappropriate material, and use effective age assurance where needed. As of July 25, 2025, services that host or distribute potentially harmful content to minors are expected to implement age verification or age assurance solutions that meet the law’s requirements.

Ofcom guidance points to methods such as photo ID verification and facial age estimation as ways to support compliance. This is where the move away from basic age gates becomes clear. A user typing in a birth year is not the same as a verifiable check that can stand up to regulatory scrutiny.

The UK’s Age Appropriate Design Code, also known as the Children’s Code, adds another layer. In force since 2021, it applies to digital services likely to be accessed by children and focuses on high-default privacy settings, age-appropriate communication, and data minimization. Together, the Online Safety Act and Children’s Code make the UK position clear: platforms must protect children by design, not as an afterthought.

Penalties under the Online Safety Act can reach up to £18 million or 10% of worldwide revenue, with potential criminal liability for senior managers in certain cases. UK data protection enforcement can also bring significant fines for failures tied to children’s privacy and data handling.

European Union: Shared baselines, local enforcement

At the EU level, the Digital Services Act (DSA) and the Audiovisual Media Services Directive (AVMSD) create a common foundation for protecting minors online. The DSA requires in-scope platforms to consider systemic risks, transparency, recommender systems, advertising practices, and protections for minors. The AVMSD on a broader scale addresses audiovisual content and requires safeguards to prevent minors from accessing harmful material.

The practical challenge is that the AVMSD being the EU directive is enforced through national regulators and local laws. That means businesses need a regional compliance strategy that can also account for country-specific requirements.

France: Stronger age checks and parental consent

France has been active in tightening protections for minors online. Law no. 2024-449 adds to the country’s growing framework for child safety, age checks, and parental consent. Businesses serving users in France should expect closer attention to whether age verification is meaningful, privacy-conscious, and technically reliable.

For platforms, the key takeaway is that a generic age gate is unlikely to be enough. Services may need to verify whether a user is under a relevant age threshold, support parental consent where required, and align with regulator expectations from authorities such as Arcom and CNIL.

Italy: Technical rules for websites and video-sharing platforms

Italy has also moved toward more explicit requirements. Law 159/2023 prohibits minors from accessing pornographic content, creating a clear obligation for businesses that host or distribute adult material.

AGCOM Delibera 96/25/CONS, issued on May 12, 2025, goes further by setting technical and procedural rules for age verification by websites and video-sharing platforms. This is an important example of how regulation is becoming more specific. It is not enough to say an age check exists; businesses must be able to show that the method is appropriate, reliable, and aligned with the regulator’s process expectations.

Spain: A higher digital consent age and explicit platform duties

Spain’s Proyecto de Ley Orgánica para la protección de las personas menores en los entornos digitales was approved by the Council of Ministers on March 4, 2025, and is currently in parliamentary process. The proposal raises the digital consent age to 16 and creates explicit age-verification obligations for online platforms.

For businesses, Spain signals where the market is heading: more direct duties on platforms, more focus on minors’ digital rights, and stronger expectations that services can identify when additional protections are needed.

See Age Estimation in action

Experience how Veriff’s AI accurately estimates age in real-time—no ID required.

Boost compliance, user safety, and onboarding speed with cutting-edge biometric technology.

Demo age estimation

Ireland: Online safety through Coimisiún na Meán

Ireland’s approach is now centered on the Coimisiún na Meán Online Safety Code. The code sets expectations for regulated online services and reflects the broader move toward safer digital environments for children.

For companies operating in Ireland, the practical point is similar to the UK and EU position: platforms should design protections for children into the service experience, not rely on weak checks after the fact. Businesses should be prepared to show how they assess risk, protect minors, and apply age assurance where appropriate.

Germany: Accredited solutions for harmful content

Germany has long required stronger protections around youth media and harmful content through frameworks such as the JMStV and JuSchG. Platforms may need to use accredited age verification solutions to restrict minors’ access to certain content, with penalties that can reach up to €300,000 in some cases.

Germany reinforces the same broader lesson: regulators increasingly expect age verification methods that are auditable, effective, and suited to the risk level of the content or service.

What this means for cross-border businesses

The UK, EU, and Ireland are not moving in separate directions. They are converging around a higher standard for child safety online.

Businesses operating across multiple jurisdictions should not build a separate, reactive process for every new rule. Instead, they should create a flexible age assurance framework that can adapt to local requirements while keeping the user experience consistent.

That framework should answer four questions:

• Which users, products, or content types require age checks?
• Which verification methods are appropriate for each risk level?
• How does the business minimize data collection and protect privacy?
• Can the business show regulators that the process works?

If the answer to any of these questions is unclear, now is the time to update your compliance approach.

Balancing compliance, privacy, and user experience

Strong age verification does not need to mean high friction. The best approach depends on the use case.

Facial age estimation can help estimate whether a user is above or below a required age threshold without requiring an identity document. This can reduce friction and support privacy by limiting the amount of personal data collected.

Document-based verification remains important when a higher level of assurance is required, such as for regulated products, high-risk services, or situations where exact age validation is necessary.

The goal is not to collect more data. The goal is to use the right method for the right risk level while giving users a clear, safe, and trustworthy experience.

The bottom line for 2026

Age verification in the EU, UK, and Ireland has entered a new phase. Regulators are no longer satisfied with basic age gates or unchecked self-declaration. They expect businesses to prevent minors from accessing harmful or age-restricted content through verifiable, privacy-preserving, regulator-aligned checks.

For businesses, the next step is clear: review your current age verification systems, update your public and internal documentation, improve user messaging, and adopt technology that can meet different regulatory requirements across markets. The companies that act now will be better positioned to protect young users, maintain trust, and reduce compliance risk as enforcement accelerates.