Menu
Two boys sit on a light-colored couch, both focused on handheld devices. The boy in the foreground wears a grey hoodie and blue jeans, holding a smartphone. The boy behind him wears a striped shirt with yellow and blue, looking at a tablet.

New Commission Guidelines on age assurance and minors’ protections under the DSA

The Commission’s Guidelines on measures to ensure a high level of privacy, safety, and security for minors online, published in OJ C 2025/5519 on 10 October 2025, provide detailed non-binding guidance for providers of online platforms accessible to minors under Article 28(1) of the Digital Services Act (DSA). The text clarifies that obligations apply to any platform whose services are accessible to minors, including services that do not effectively prevent minors’ access despite contractual disclaimers, and that statements in terms and conditions excluding minors are insufficient without technical or practical access restrictions. The Guidelines frame compliance through proportionality and appropriateness, anchored in children’s rights under the EU Charter of Fundamental Rights and the UN Convention on the Rights of the Child, and promote privacy-, safety-, and security-by-design.

Providers are expected to conduct regular risk reviews assessing the likelihood and impact of minors’ exposure to privacy, safety, and security risks. These reviews should inform proportionate mitigation measures tailored to service features and user demographics, with documentation that demonstrates ongoing monitoring and adaptation. The Commission indicates that the Guidelines will serve as a benchmark for supervisory assessments of compliance, and that Digital Services Coordinators and other competent authorities may rely on them in interpretative and enforcement contexts.

On age assurance and verification, the Guidelines recommend robust, privacy-preserving systems, favoring independent verification mechanisms and forthcoming EU Digital Identity Wallets over self-declaration. Effectiveness criteria include accuracy, reliability, robustness against circumvention, non-intrusiveness, and non-discrimination, with a focus on data minimization and clear user information. Providers should avoid solutions that disproportionately process personal data or create barriers to access without demonstrable risk reduction.

Operationally, platforms should integrate these measures into product design and governance, including clear accountability, testing, and audit trails. The approach underscores that compliance is not achieved by policy statements alone but through concrete safeguards embedded in platform architecture and processes. In practice, this raises the bar for age assurance, content and feature controls, default privacy settings, and incident response, positioning the Guidelines as a practical roadmap for Article 28(1) DSA compliance.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *