Usability oversights #22

@Kam1ni

Description

Hi, I found multiple usability issues with this solution.

  1. The focus is so strong on the app that it assumes everyone owns a smartphone. The other day I saw a granny on the bus with a phone that was 2 cm thick and predates the famous Nokia 3310. How are she and other users without a smartphone supposed to verify their age online?

  2. How will this impact the browsing experience on the web? Every website has GDPR checkboxes these days, which somewhat disrupts the browsing experience if browsing in, for example, incognito mode. Imagine if you want to browse the web privately. Websites don't know who you are, so you will have to verify your age every single time. This makes the web unusable for anyone who wants to browse the web privately, especially on a PC. A solution would be to have some sort of browser extension that handles it automatically. Since you at least claim to value privacy, that could work. But it wouldn't really look trustworthy. Note this doesn't only apply to incognito but to browsing the web in general, like trying to compare various news sites. Doing this for every website you visit is a major hindrance usability-wise.

  3. What will the cost be of implementing this? My trust in the EU to develop affordable and good technologies has diminished since we created a Peppol access point for our company. The solution was made using technologies only Java has proper libraries for, locking the developer to that language and ecosystem. Of course not a big issue for a big company. But a small start-up won't be able to survive if they have to implement this.

Activity

orazioedoardo

orazioedoardo commented on Aug 2, 2025

@orazioedoardo
  1. She won't verify the age. A desktop solution might help her, but member states likely won't bother implementing it.
  2. Users will be encouraged to create accounts on their favorite porn website; see user journey.
  3. Yeah, one more hindrance to entering the market and a huge boon for big tech companies.

feldim2425

feldim2425 commented on Aug 22, 2025

@feldim2425

> A desktop solution might help her but member states likely won't bother implementing it.

I think one of the issues with the current proposal is the reliance on member states to actually implement the wallet. The wallet and credential provider should be separated to allow the EU Commission, member states and other parties (such as open source solutions) to act as a wallet.

Otherwise this will eventually lead to a problem where some member states don't update their instance to current market standards (such as adding newly emerging OSes and devices) which of course was also outlined in point 3.

I can see one potential fix for point 2 could be the W3C Credential Management API. However it's not fully there yet and as with the previous points it will require more openness towards third-party wallets in order to become a viable option.

robinmassart

robinmassart commented on Sep 23, 2025

@robinmassart

The aim of this project is to ensure that online platforms offering certain content and services legally restricted to adults verify that their users are over 18. This means that users accessing such online content and services will need to prove they are old enough in a reliable and privacy-preserving way.

At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases. Private browsing or incognito mode will likely require age verification to be repeated more frequently. Desktop support is not currently within the project's scope.

It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.

We appreciate your feedback and remain open to evolving needs, contributions and future platform considerations.

feldim2425

feldim2425 commented on Sep 23, 2025

@feldim2425

> The aim of this project is to ensure that online platforms offering certain content and services legally restricted to adults, verify that their users are over 18. This means that users accessing such online content and services will need to prove they are old enough in a reliable and privacy-preserving way.
>
> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases. Private browsing or incognito mode will likely require age verification to be repeated more frequently. Desktop support is not currently within the project's scope.
>
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
>
> We appreciate your feedback and remain open to evolving needs, contributions and future platform considerations.

This is very unfortunate given that, with the scope of the DSA and age verification, the "vast majority" doesn't seem enough, especially given the fact that many eID mobile apps seem to be increasingly relying on Google and Apple, and most other people would either have to give up their privacy even more or be locked out (a.k.a. censored).

Would it be possible to stay open for other (F)OSS projects to use the same APIs for extending the functionality and platform compatibility?
The major issue for most other solutions is that they are often quite expensive, limited to certain ID types or not privacy preserving. If third parties (ideally open source) would be able to re-implement the AV-Wallet (potentially for desktops) on top of the existing identity providers and verification schema, it might be at least a feasible solution for other users.

drpodcastnu

drpodcastnu commented on Sep 24, 2025

@drpodcastnu

> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases.

1 in 10 households in Denmark does not have a smartphone: https://www.dst.dk/da/Statistik/nyheder-analyser-publ/nyt/NytHtml?cid=37848

Also, owning a smartphone is not the same as owning a smartphone with a stock Google OS.

Finally, as a government-issued solution, it is not sufficient to just support "the vast majority" of platforms used by the citizens like a private company would; it is your responsibility to ensure that you are not forcing citizens to be customers of specific companies who already hold a duopoly on the smartphone market. Take a look at the market share of browsers: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#/media/File:StatCounter-browser-ww-yearly-2009-2025.png

Just because a given platform is the most popular now does not mean that it is at all the most popular in ten years. However, if you push mandatory software on the citizens which ONLY works on the platforms offered by the current dominant market players, then you will make any future competition in this market have a huge disadvantage.

Developing a desktop solution and/or a solution based on open standards and hardware tokens is your moral responsibility. It should be a legal requirement.

orazioedoardo

orazioedoardo commented on Sep 24, 2025

@orazioedoardo

I believe the reason desktop support is not within the project's scope is because they still have the integrity mechanism requirement, which is not possible to do except on a tiny fraction of PCs with vendor-specific APIs:

> However, recognizing the importance of these checks, their implementation is planned for future releases. These will be based on widely supported and freely available platform APIs, such as Play Integrity APIs and Hardware Key Attestation or alternative solutions to support also free Android environments (AOSP).

julienbenjamin

julienbenjamin commented on Sep 24, 2025

@julienbenjamin

> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases. Private browsing or incognito mode will likely require age verification to be repeated more frequently. Desktop support is not currently within the project's scope.

While I understand projects need to limit their scope, saying that "mobile platforms [...] cover the vast majority of users and real-world use cases" is, given the stakes of the DSA, weaponized ignorance, sorry to be blunt.

> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.

Fortunately so. Why would it "prevent the use of other solutions"?

I think this kind of comment illustrates how little you know about what you're supposed to address with this application.

Hence why you based your application around a US integrity solution.

sillyWillieBilly

sillyWillieBilly commented on Sep 24, 2025

@sillyWillieBilly

The current specification creates a fundamental flaw by requiring smartphone attestation through Play Protect (Google) or Apple's device checks. This approach effectively locks all 450+ million EU citizens into two closed ecosystems, contradicting the EU's own competition policy by using regulation to cement a private duopoly.

Digital identity is not an optional consumer app—it's critical infrastructure that citizens will need to access healthcare, file taxes, sign contracts, prove their age, and participate in essential parts of modern life. When the state mandates something this fundamental, it must be vendor neutral and platform agnostic.

By tying identity to iOS and Android exclusively, the regulation:

  • Excludes any alternative operating system (Linux, Windows, Sailfish, LibreOS, custom ROMs) by design
  • Locks out citizens who don't want or can't afford these specific devices
  • Hands control of essential public infrastructure to two US companies
  • Kills competition in the mobile ecosystem through regulatory enforcement

Identity infrastructure must allow genuine alternatives that don't depend on Apple or Google. This should at the minimum include all of the below but NOT LIMITED TO:

  • Smartcards with secure elements
  • FIDO2 hardware tokens
  • An open, EU-controlled attestation framework
  • Support for alternative operating systems and devices

Without these fallback options, the EU Digital Identity Wallet will entrench exactly the monopolies it should be regulating, undermining both digital sovereignty and citizen choice. The specification needs to treat identity as public infrastructure requiring universal access, not as a product extension for two dominant platforms.

rec

rec commented on Sep 24, 2025

@rec

> At present the project is focused on mobile platforms, specifically Android and iOS

What you are saying is that anyone who doesn't pay money to one of two immense American computer giants, Google or Apple, will simply be cut off from the internet.

Given that just yesterday the President of the United States spent an hour telling Europe and all the world how evil and incompetent the countries of the EU are, this seems wildly risky.

I cannot support this proposal to the slightest degree. If it is passed, I will work diligently to find technical solutions to bypass it, whether these solutions are legal or not.

rebasecase

rebasecase commented on Sep 24, 2025

@rebasecase

@rec trouble is, no one cares about nerds on the internet. If you have Linux as your main OS or own a fringe mobile device (or a Chinese Android clone) you are obviously a pedo. This act is to protect children, remember?

dvdkon

dvdkon commented on Sep 24, 2025

@dvdkon

> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.

@robinmassart As this project is rather open technology-wise, will it be possible for citizens to develop these other solutions themselves, or will only member states be allowed to implement client applications for currently unsupported platforms?

swazrgb

swazrgb commented on Sep 24, 2025

@swazrgb

> Desktop support is not currently within the project's scope.

So fix the scope. You are giving more power to the Americans by forcing European citizens to buy their devices.

flessner

flessner commented on Sep 24, 2025

@flessner

Focusing on mobile makes sense when replacing "physical" ID checks. For online, however, the only credible solution is to focus on the web platform. This needs to be flexible enough so the check could be provided by the browser, an extension or even the operating system. Also, this would alleviate all problems of operating system dependence, which this comment section rightfully highlights as a pressing issue.

Passkeys come to mind as they are a recent standard and offer this flexibility to the user.


ABelliqueux

ABelliqueux commented on Sep 25, 2025

@ABelliqueux

And this discussion is taking place on github, a MS, US owned platform, which is quite a bad sign in the first place. 🤦

SomeoneSerge

SomeoneSerge commented on Sep 25, 2025

@SomeoneSerge

> The aim of this project is to ensure that online platforms offering certain content and services legally restricted to adults, verify that their users are over 18.

@robinmassart

Don't.

jubruckne

jubruckne commented on Sep 25, 2025

@jubruckne

So you want me to install binary code that possibly contains spyware / backdoors as well? This is ridiculous…

JSkrat

JSkrat commented on Sep 25, 2025

@JSkrat

> Every website has GDPR checkboxes these days which somewhat disrupts browsing experience if browsing in for example incognito mode.

This is just BS from the government. All browsers have always had an "accept cookies" setting that was there all the time. If you don't wanna accept cookies, you uncheck that in your browser. No need to disrupt my experience with all those mandatory checkboxes that, who knows, what they are really doing.

That was malicious compliance, nothing else.

Personally, I use adblock for those useless GDPR checkboxes anyway.

If they really wanted to make it right, they would mandate browsers to have a per-site setting visible on the tool panel by default (like the star to favorite the page). Or just fund open-source extensions for all the browsers that do just that. Would be way cheaper.

nukeop

nukeop commented on Sep 25, 2025

@nukeop

GDPR only made it visible how many websites spy on you.

> this is just a bs from the government. All browsers always had setting "accept cookies" that was there all the time. If you don't wanna accept cookies, you uncheck that in your browser. No need to disrupt my experience with all those mandatory checkboxes that who knows what they are really doing.

No, not really, because this rejects all cookies, including ones that you need to log in and use other functions. It's great that there's a setting for rejecting spyware cookies.

But at the same time, this should be handled at the browser level. I should be able to tick a box in the browser that says "never consent to tracking cookies" and that should be it. Instead, the companies that want to track you have decided to implement this in a way that introduces the most friction, and bother you until you cave and consent. This is of course illegal, but enforcement has been weak and national data protection authorities in general don't give a shit.

JSkrat

JSkrat commented on Sep 25, 2025

@JSkrat

> No not really, because this rejects all cookies, including ones that you need to log in and use other functions. It's great that there's a setting for rejecting spyware cookies.

I agree. The current underdeveloped setting only allows rejecting everything. They could develop a standard to define cookie roles and an API for that, and enforce browsers to implement it and sites to use that API, for example. That would allow crawlers to easily check what cookies a site creates in what categories to actually make sites comply.

Not like we want to be tracked in the first place...

orazioedoardo

orazioedoardo commented on Sep 25, 2025

@orazioedoardo

Note EU privacy laws don't require any cookie banner. The "cookie banner" is websites' invention to social engineer users into granting consent to collect user data for non-essential features. So it's not even about the technology being used. Even if it used fingerprinting or uploading localStorage via JS it would still need a consent banner. Websites using cookies only for essential functionality like login sessions don't need a consent banner at all. Anyway, not OP, but this is off-topic.

voltaiac

voltaiac commented on Sep 25, 2025

@voltaiac

> @rec trouble is, no one cares about nerds on the internet. If you have linux as your main OS or own a fringe mobile device (or a chinese android clone) you are obviously a pedo. This act is to protect children remember?

Ah yes, the pedo who didn't fly to Epstein's island and reminisced with him and Ghislaine about "beautiful, special things".

This does nothing but enable censorship of free speech, and (among other solutions proposed like chat control) gather more data for Big Data. It never was about the children.

rkrisztian

rkrisztian commented on Sep 25, 2025

@rkrisztian

Yes, @voltaiac, from https://www.privacyguides.org/en/basics/why-privacy-matters/#what-is-privacy:

> A common counter-argument to pro-privacy movements is the notion that one doesn't need privacy if they have "nothing to hide." This is a dangerous misconception, because it creates a sense that people who demand privacy must be deviant, criminal, or wrong. [...] Privacy is about empowering your rights over your own information, not about hiding secrets.

pshirshov

pshirshov commented on Sep 25, 2025

@pshirshov

> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases.

Yes, but what about the small minority? You can't just dismiss that. Or, maybe, my govt would provide me some allowance to buy a smartphone to run your awesome code on it?

rkrisztian

rkrisztian commented on Sep 25, 2025

@rkrisztian

@pshirshov, only to shove a lot of privacy issues down my throat? With stock Android your freedom is slowly diminishing. iOS also has privacy issues and wants to control what software you run. So please no, the only smartphone I would ever buy is one I can run GrapheneOS on!

randomstuff

randomstuff commented on Sep 25, 2025

@randomstuff

This essentially forces users to 1) have a phone and 2) have a phone from 2 specific non-EU companies (Apple or something with Google's approval).

Some additional requirements this expects from the user:

Have a smartphone:

  • Some people are actually happy having a "dumb" phone (which, by the way, were still sold in stores last week).
  • Some people are actually happy not having a smartphone or do not want to have one because they think they spend too much time on said smartphone.
  • Some people do not have a smartphone because of the environmental impact of this type of device.
  • Some people do not have a smartphone because these devices are comparatively expensive.

Have a recent-enough smartphone/tablet:

  • At some point your old device will become incompatible with the new version of the application.
  • This will force you to buy a new smartphone/tablet:
    • giving more money to non-EU companies;
    • environmental impact.

Have a non-rooted smartphone:

  • This kind of application will end up refusing to run on rooted devices, right?

References:

pshirshov

pshirshov commented on Sep 25, 2025

@pshirshov

> @pshirshov, only to shove down a lot of privacy issues on my throat? With stock Android your freedom is slowly diminishing. iOS also has privacy issues and wanting to control what software to run. So please no, the only smartphone I would ever buy is one I can run GrapheneOS on!

At least that would be fair. As a cute option, they may provide us with nice collar-shaped smartphones. But if they provide them for free, we won't mind.

mitsukuri

mitsukuri commented on Sep 25, 2025

@mitsukuri

This, ladies and gentlemen, is simply pure fascism right here. The one that many of your grandparents fought against, with "non-Aryans" rebranded to "smartphone non-owners" this time.

pshirshov

pshirshov commented on Sep 25, 2025

@pshirshov

Look, some concept art:

Image