Social Media Bans, DSA Enforcement, and the EU’s Push for Age Verification

The European Commission has a problem. Individual member states are moving toward social media bans for minors at different ages, using different definitions, under different legal theories. France is considering restrictions for under-15s. Spain for under-16s. Germany for under-14s, with stricter rules applying through age 17. Australia has already implemented a ban. The political pressure to do something about children’s access to social media is real, growing, and producing a fragmented regulatory landscape that the Commission’s internal market mandate exists specifically to prevent. On April 29, 2026, the Commission published its response: a Recommendation for a common approach to EU-wide age verification technologies. Non-binding, strategically significant, and notably light on the technical specifics that would make it immediately actionable — but a clear signal of where European digital policy is heading and how fast it intends to get there. For organizations operating platforms accessible to minors, the compliance picture is becoming clearer in outline and more complex in detail simultaneously. Here is what the Commission’s Recommendation actually says, what it leaves open, and what the enforcement activity running alongside it already requires.

The Legal Framework: What the DSA Actually Requires

The starting point for understanding the Commission’s age verification push is what existing EU law actually mandates — and the answer is less than most people assume. Article 28(1) of the Digital Services Act requires that providers of online platforms accessible to minors “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors.” The remainder of the Article addresses advertising based on profiling and further processing of personal data to verify whether a user is a minor. What it does not do is specify age verification as a legally binding requirement or define what “appropriate and proportionate measures” must include in technical terms. This matters because the Commission’s Recommendation, and the enforcement activity accompanying it, is operating in a space where the legal obligation is clear in principle and ambiguous in implementation. Age verification is not yet explicitly mandated by any of the directly applicable EU laws — not the DSA, not the Digital Markets Act, not the Audiovisual Media Services Directive. The upcoming Digital Fairness Act is expected to address gaps, but has not yet been published. The Commission’s 2025 Guidelines on the protection of minors under the DSA covered age assurance broadly — including self-declaration, age estimation, and age verification as distinct methods with different accuracy levels. The 2026 Recommendation narrows the focus specifically to age verification, which the Commission now treats as categorically more reliable than the lower-accuracy methods that currently dominate platform implementations. That distinction between age assurance and age verification is not semantic. It is the thread connecting the Recommendation’s policy goals to the enforcement actions already underway.

Enforcement Is Already Happening — and Setting the Standard

While the regulatory framework for mandatory age verification remains technically voluntary, enforcement activity under the DSA is establishing a de facto standard that platforms ignore at their peril. In April 2026, the Commission issued a preliminary finding that Meta is in breach of the DSA for failing to prevent minors under 13 from accessing Facebook and Instagram. The finding specifically addresses the inadequacy of the age assurance methods Meta has implemented — predominantly self-declaration — for achieving the protection the DSA requires. In March 2026, the Commission opened an investigation into Snapchat for failing to prevent users under 13 from accessing the platform and for not adequately assessing whether users are under 17 — an age the Commission considers relevant for ensuring an age-appropriate experience. The pattern in both cases is consistent: self-declaration and basic age estimation are being treated as insufficient for DSA compliance where minors’ access to the platform creates meaningful risk. The Commission is not waiting for the age verification framework to be legally mandatory before enforcing against inadequate age assurance. It is using existing DSA obligations to establish that current industry practice is below the required standard. For platforms currently relying on self-declaration mechanisms — date of birth entry, checkbox confirmation — the enforcement signal is direct. The question is not whether age verification will eventually be required. The question is how quickly the enforcement record accumulates to the point where the current approach becomes indefensible.

What the Commission Is Building: Blueprint and Scheme

The Recommendation’s most concrete operational commitments are the development of two distinct instruments: an age verification blueprint and an age verification scheme. The age verification blueprint will be a publicly available technical specification covering the architecture, protocols, and interfaces that member states and service providers should use to implement age verification measures. It will include an open source mobile app implementation that can be customized to national contexts. Critically, the blueprint is intended to be consistent with the EU Digital Identity Wallet — age verification will function as an additional capability within the wallet infrastructure that member states are already required to make available to citizens by the end of 2026. The age verification scheme will establish requirements for providers of proof-of-age attestations, including conformity criteria and a list of EU-based trusted providers whose attestations platforms can rely on. The conformity criteria — accuracy, reliability, robustness, non-intrusiveness, and non-discrimination — are drawn from the Commission’s 2025 DSA Guidelines and will determine which age verification solutions are recognized as adequate for compliance purposes. The reference to conformity assessment is not incidental. It echoes the conformity assessment framework under the EU AI Act and signals the Commission’s broader tendency to apply a product safety regulatory model across digital services — establishing technical standards, recognized testing bodies, and trusted provider lists rather than simply stating outcome requirements and leaving implementation to the market. The requirement that trusted providers be EU-based is equally deliberate. It reflects the Commission’s digital sovereignty agenda and will have direct implications for non-EU age verification technology vendors seeking to participate in the European market.

The Privacy Gap That Should Concern Compliance Teams

The Recommendation makes significant references to privacy throughout. It commits to facilitating “harmonised, privacy-preserving, cybersecure, data protection compliant and robust EU age verification solutions.” It specifies that age verification responses should be limited to a binary true-or-false answer about whether the user meets the age threshold, without transmitting additional personal information. It mentions zero-knowledge proofs as a technical mechanism that could prevent unnecessary data sharing while enabling age verification. What the Recommendation does not do is reference the GDPR. For a policy document governing the collection and processing of personal data about minors — the most protected category of data subject under European law — the absence of any reference to the regulation that directly governs that processing is a significant gap. The EDPB adopted a Statement on age assurance in February 2025. National DPAs have begun enforcing GDPR in the context of age verification solutions. The legal framework governing how age verification data is collected, stored, processed, and deleted is the GDPR — and the Recommendation’s silence on it leaves organizations without guidance on how to reconcile the Commission’s technical requirements with their existing data protection obligations. The GDPR adds a further complication to the age definition question. Article 8(1) sets 16 as the default age below which parental consent is required for the processing of children’s personal data in the context of information society services — but allows member states to lower this to 13. The Recommendation defines a minor as anyone under 18. Member states define the age of a minor differently across their national legal systems. The result is a potential three-way fragmentation: the Recommendation’s definition, the GDPR’s definition, and each member state’s national definition may produce different compliance requirements for the same platform operating across multiple jurisdictions. Organizations building age verification compliance programs need to address all three layers, not just the Recommendation’s framework.

Social Media Bans: How the Commission Is Making Them Procedurally Difficult

The political backdrop to the Recommendation is the growing pressure within individual member states to ban minors’ access to social media outright — rather than waiting for age verification infrastructure to mature. France, Spain, and Germany have all signaled varying forms of access restriction. Australia implemented its ban for under-16s. The political momentum is real. The Commission’s response is not to endorse bans but to make them procedurally difficult to implement unilaterally. The mechanism is Directive 2015/1535, which requires member states to notify the Commission before adopting technical measures restricting access to information society services. That notification triggers a three-month standstill period — extendable — during which the measure cannot be adopted, and initiates dialogue with the Commission and other member states. Failure to notify renders the measure “a procedural defect that renders the measure unenforceable against individuals in national court proceedings.” The Commission cites two CJEU cases — CIA-Security (C-194/94) and Unilever (C-443/98) — to establish that this procedural failure makes the national measure inapplicable to individuals, not merely challengeable by the Commission. The practical effect is that member states considering social media bans face a mandatory notification and standstill process that gives the Commission substantial leverage to delay, modify, or challenge those bans before they take effect. The Commission is not prohibiting member states from protecting minors. It is ensuring that protection happens within the Commission’s preferred harmonized framework rather than through fragmented national action.

The Global Picture

The Commission’s age verification framework does not exist in isolation. It is one thread in a rapidly developing global patchwork of age assurance requirements that compliance teams operating across multiple jurisdictions need to track simultaneously. Australia has moved furthest fastest — implementing a social media ban for under-16s and conducting an Age Assurance Technology Trial assessing the feasibility of different age assurance solutions. Indonesia has similarly implemented social media restrictions. Brazil’s recently effective Digital ECA requires that accounts of minors under 16 be linked to a parent account. In the United States, legislation is pending at the federal level that would ban under-13s from holding social media accounts and restrict certain platform features for teen accounts — and the New York Attorney General’s Office is conducting rulemaking under the SAFE for Kids Act to establish age assurance standards and accuracy benchmarking requirements. The Commission’s approach goes beyond most of these by establishing conformity requirements and a list of vetted trusted providers — creating an approval infrastructure rather than simply stating outcome requirements. That makes EU compliance more defined but also more structured than the more flexible frameworks developing elsewhere. For global platforms, the compliance architecture question is whether a single age verification approach can satisfy multiple jurisdictions’ requirements simultaneously or whether the divergence in definitions, methods, and standards requires jurisdiction-specific implementations. The Commission’s blueprint and scheme are explicitly designed to enable interoperability — but interoperability within the EU framework does not guarantee compatibility with the frameworks developing in Australia, the US, or elsewhere.

What Organizations Should Be Doing Now

The Recommendation sets a target of December 31, 2026 for member states to implement age verification solutions. That timeline, combined with the active DSA enforcement already underway, makes the compliance window shorter than organizations currently operating on self-declaration mechanisms may realize. Audit your current age assurance implementation against the DSA enforcement standard. The Commission’s preliminary finding against Meta and investigation of Snapchat establish that self-declaration is insufficient for platforms where minors’ access creates meaningful risk. If your current implementation relies primarily on date-of-birth entry or checkbox confirmation, assess it against the DSA’s requirement for “appropriate and proportionate measures” in light of the enforcement record — not just the text of the regulation. Map the age definition requirements across every jurisdiction where you operate. The Recommendation’s under-18 definition, the GDPR’s 13-16 range, and member states’ varying national definitions create overlapping requirements that must be addressed jurisdiction by jurisdiction. A compliance program that applies a single global age threshold without accounting for this variation will have gaps in some markets. Review your age verification data flows against GDPR requirements. Whatever age verification mechanism you implement collects personal data — potentially including identity documents, biometric data, or device identifiers. That processing is subject to the GDPR’s requirements for lawful basis, data minimization, purpose limitation, and retention limits, regardless of the Recommendation’s silence on those obligations. The binary true-or-false response model the Commission endorses is consistent with GDPR data minimization — but achieving it technically requires deliberate design choices that should be made now. Monitor the blueprint and scheme development for technical specifications. The Commission has committed to developing the technical specifications but has not yet published them. When they are published, they will define the conformity criteria that age verification solutions must meet for EU compliance purposes. Organizations that have already built age verification infrastructure need to assess it against those specifications when they emerge — retrofitting a non-conformant solution after the specifications are published is more expensive than building toward the expected standard now.