Protecting children online has been at the core of the EU's legislative and enforcement agenda for years. Yet governments are impatient, keen to respond to parents' concerns, and under real pressure to show results.
That pressure is legitimate: the damage from inaction is real, but so is the risk of a knee-jerk response, whether through measures that don't actually protect children or badly drafted laws that won't survive legal scrutiny. The road to hell - or Luxembourg - is paved with good intentions.
National-level social-media bans have now been debated or actively proposed in at least a dozen EU member states, from France and Greece to Spain, Italy, Denmark, Austria, the Netherlands and Belgium, in various shapes and sizes.
The two basic models on offer are genuinely different things: banning children below a certain age from accessing specific services, or blocking platforms from offering their services to children. The debate has too often conflated the two. Getting the distinction right matters, because one of these approaches could work and the other almost certainly won't.
This post is a write-up of an expert briefing AWO hosted on 25 June 2026, bringing together policymakers, compliance professionals, academics and civil society to address the fast-moving regulatory landscape around social media bans and age verification. Speakers included Martin Harris-Hess (European Commission), Joris van Hoboken (University of Amsterdam), Tony Allen (Age Check Certification Scheme), Amy Winecoff (Knight-Georgetown Institute), Rys Farthing (Reset), Leanda Barrington-Leach (5Rights), Mathias Vermeulen (AWO) and Esme Harrington (AWO).
The bad: banning kids
Children are not the problem. The services they use are. Any legislative framework that loses sight of that distinction will fail on its own terms.
Crucially, a blunt ban directed towards kids would likely not meet a fundamental rights test in EU-law. As Joris van Hoboken from the University of Amsterdam pointed out in AWO's recent expert panel on the 25th of June, any proportionate response has to balance a set of fundamental rights: yes, children have a right to be protected online, but they also have rights to freedom of expression, access to information, societal participation and privacy. A blanket ban framed around excluding minors from the online space would collide with all of those. Any national or EU law that moves into that direction is doomed to fail.
Beyond the legal problem, a standalone ban simply doesn't match the scale of the harm. Setting a threshold at 15 years old would see children aged 16 and 17 remain exposed. Under-15s will find workarounds. Rys Farthing from Reset noted at the panel that Australia understood this: their social-media ban was announced the same week as a major overhaul of its Online Safety Act's safety-by-design provisions, including a proposed digital duty of care. No one in Canberra ever thought a ban could substitute for strong safety-by-design regulation. “It's not either/or — you need both, and both need to be enforced”.
The good: a smart ban that complements online safety legislation
The good news is that, on paper at least, the EU already has a considerable amount of services-focused legislation in place. The division of labour across these instruments is broadly clear: The GDPR imposes significant limits on the collection and use of minors' data. The Audiovisual Media Services Directive governs what content services may offer to minors. Article 28 of the DSA - the most recent addition - is a process and transparency tool, requiring platforms to assess and mitigate design-related risks to children, with the Commission's October 2025 guidelines providing a detailed specification of what compliance actually looks like in practice.
What could a smart ban add to this framework?
Inspiration could be taken from a number of countries. The Dutch governmental coalition agreement frames its social-media restriction around "unsafe" social media, not social media as a blunt category. As Van Hoboken explained, this framing is deliberate: it puts pressure on industry to actually improve on safety, and allows for a tiered structure: a lower age limit applying broadly, a conditional-access bracket tied to age-appropriate design requirements, and then the adult category — and avoids an ‘all to nothing’ cliff edge that young people themselves have said feels arbitrary.
If non-compliant platforms can lose access to younger users, the DSA's Article 28 obligations stop being technical risk-mitigation exercises and become commercial stakes. Rather than introducing a blanket list of banned services, a more interesting approach involves linking age restrictions to specific features of a platform, with the absence of those features incentivising companies to build genuinely child-safe products and stay in the market.
The German Independent Expert Committee on Children and Youth Protection in the Digital World reached a similar conclusion in June: rather than a blunt ban, it proposed either a flat age-13 threshold with tiered safeguards, or risk-based restrictions targeting algorithmic feeds, livestreaming and open contact functions specifically — and explicitly called for DSA Article 28 obligations to be made more specific and binding.
This is, as Leanda Barrington-Leach from 5Rights and Rys Farthing from Reset argued, ultimately a product-safety question. If a product cannot demonstrate it is safe for children at a given age, it should face market-access restrictions.
Canada's proposed Digital Safety Act is moving in the same direction, creating a mechanism for its new regulator to exempt a platform from the ban if it can demonstrate adequate safeguards.
The convergence is striking: whether in Canberra, The Hague, Berlin or Ottawa, the direction of travel is toward surgical restrictions tied to specific harmful design features, not categorical exclusions.
The ugly: age assurance mechanisms
None of this will work without age assurance, and age assurance has challenges of its own.
Fortunately the technology and certification ecosystem have matured. Tony Allen pointed out how the ISO/IEC 27566-1 standard brings clear terminology: age assurance as the umbrella term, covering age verification (establishing a date of birth from a document or record), age estimation (using features that vary with age), and age inference (drawing reasonable conclusions from other facts about the user).
The Article 28 guidelines set five criteria any method must meet: accuracy, reliability, robustness against circumvention, non-intrusiveness, and non-discrimination across user groups. Self-declaration is explicitly ruled out as inadequate. The guidelines' approach is proportionate: full age verification is expected only in high-risk contexts such as pornography and gambling while age estimation may suffice in medium-risk scenarios, and privacy-preserving "tokenised" approaches that convey only eligibility status (a digital "yes" rather than an identity document) are the preferred direction.
The range of available technology means there is a choice in the market: age assurance can be done well, but also can be done badly. As Tony Allen stated: “we've seen examples in Australia of implementations that look almost deliberately designed to fail — part of a broader effort by some companies not to let Australia be seen as a success that could be replicated elsewhere”.
The standards debate is not settled yet though. As Amy Winecoff from the Knight-Georgetown Institute noted, ISO/IEC 27566-1 sets a framework and core characteristics, which is different from specifying granular technical requirements. Two providers doing very different things at very different levels of rigour can both technically comply with the standard, which undermines the idea of equivalent accountability.
Privacy is the other structural tension. Age-assurance systems necessarily involve processing information about users, and the risk of that data being retained, repurposed or breached is real. The European Data Protection Board has been explicit that age estimation can, in some cases, represent a higher privacy intrusion than age verification precisely because it may involve large-scale profiling. Data minimisation matters: the goal is systems that convey only whether a user is eligible, with no identity transferred to the platform and data deleted once the check is complete.
On circumvention: yes, children will try to get around bans, and some will succeed. That's not a reason not to implement them or to ban VPNs. Tony Allen highlighted how VPN use spiked briefly after the Australian ban came into force — and then dropped back, because using a VPN changes your currency, your time zone, your linked services, in ways that create real friction. “More importantly, a hundred years of age restrictions on alcohol, tobacco, gambling and pyrotechnics have never achieved zero-sum enforcement either. They have, however, shifted norms, reduced uptake among minors significantly over time, and placed legal accountability where it belongs — on providers, not on children and parents.”
What's actually at stake
Age assurance is a necessary evil to implement. Yet the real question is what comes after you've identified the user as a child: how services are then designed to serve them. As Leanda Barrington-Leach from 5Rights argued: The goal isn't an internet where every adult and every child is verified on every service. It's an internet where services aren't exploitative by design, where personal data isn't processed unless it delivers a genuine benefit, and where the basic bar of legal compliance - including GDPR and DSA - is actually met. If we get that right, age-gating everywhere becomes unnecessary, because the underlying architecture is already built for everyone, children included.
If you are interested in reviewing updates on this topic or want to be invited to similar events, don’t hesitate to register to our quarterly newsletter here.