The EU’s efforts to ensure stricter protection of minors in the digital space are heading towards a new conflict: Virtual Private Networks (VPNs). Member states and the EU Commission are currently working hard on systems to protect minors from pornography or gambling online. But now technical tools for circumventing these hurdles are becoming the focus of politics. In a recently published analysis, the European Parliament’s Research Service (EPRS) urgently warns against a drastic increase in VPN use in order to circumvent legally required age checks.
Read more after the ad
The legal experts of the MEPs explicitly describe this trend as a “regulatory gap that must be closed”. They see this as a significant risk to the effectiveness of future EU laws. Their concern is based on observations in Great Britain and several US states that already have strict online verification requirements. As soon as laws came into force that required platforms to verify their age, VPN apps dominated the download charts there, according to the EPRS.
VPNs encrypt data traffic and replace the user’s IP address with that of a server in another region, according to the handout, which was brought to attention by Cyberinsider magazine. In this way, regional barriers and identity checks could be effectively circumvented. The background material from the EPRS is not just an inventory: it boils down to the question of whether VPN services themselves should be legally required to check the age of their users in the future. Providers would have to ensure that their technology is not used as a tool for undermining youth protection measures.
Digital anonymity versus obligation to control
Such a step would shake the foundations of digital privacy. VPNs are considered essential tools for working from home, protecting against unauthorized surveillance and providing free access to information in authoritarian regimes. Civil rights activists and data protection activists have long been warning in fire letters to politicians that an identity requirement for VPN providers would significantly weaken anonymity on the Internet and create new risks through central data collection. If access to the “encryption tunnel” were only possible upon presentation of ID, VPNs would lose their core function as a tool for whistleblowers and journalists.
At the same time, the technical implementation of the age test itself remains a problem area, as the EPRS researchers admit. Recently, security researchers uncovered flaws in an official demo of the Commission’s age verification app.
Such appeals are sometimes ignored by politicians: Utah, for example, has already passed a law that relies on the physical presence of a user beyond the IP address in order to make VPN masking legally ineffective. At the EU level, the EPRS also suggests that an amendment to the EU Cybersecurity Act could contain specific requirements to prevent the misuse of VPNs to circumvent legal protection mechanisms.
Brussels’ plan for the European identity app
Read more after the ad
The Commission made a move forward with a recommendation at the end of April in order to prevent a patchwork of national solo efforts. By the end of 2026, EU countries should provide age verification technologies across the board based on the technical blueprint of the Brussels government institution. This open source solution aims to allow users to prove their age without revealing their entire identity. Governments can either offer this feature in standalone apps or integrate it directly into the upcoming European digital wallet (EUDI wallet).
The system relies on data economy and modern cryptography such as “zero knowledge proofs”. A user only has to confirm to a website that they are over 18 years old, for example, without providing their name or place of residence. An official EU framework with lists of trustworthy providers is intended to ensure that only tested technical solutions are used that are continuously monitored for their security and conformity.
Doubts about the circumvention narrative
But there is a gap between regulatory perception and the actual use of encryption tools, suggests a study from the University of Michigan. Accordingly, over 82 percent of those surveyed use VPNs primarily to protect against general threats from cybercriminals and to secure their privacy. According to the scientists, there is still no empirical evidence that VPNs are actually being purchased on a large scale and primarily to circumvent youth protection filters.
Read also
(NO)
