Protection of minors on online platforms - New EU Commission Draft Guidance on Article 28(1) DSA

On 13 May 2025, the European Commission (the Commission) launched a public consultation on its much anticipated guidelines on the protection of minors (the Guidelines) under the Digital Services Act (DSA).

In this article, we provide an overview of some of the key aspects of the proposed Guidelines and our take on what they mean for online platforms.

Key takeaways

• The intention is for the Guidelines to serve as a principles-based benchmark against which the Commission and Digital Services Coordinators (DSCs) will assess compliance with the Article 28(1) DSA obligation for online platforms providers to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service”.
• Article 28(1) DSA obligations apply to platforms which are “accessible to minors” and the Guidelines make clear that that concept should be interpreted broadly. In this respect, terms and conditions which prohibit a minor’s use of the platform will not necessarily bring a platform out of scope of Article 28(1) DSA, if minors are, in fact, using the platform.
• One of the most notable proposals in the draft Guidelines is that a provider of a platform accessible to minors should complete a risk review of its service (and each time a significant change is made to that service) to determine the extent to which minors use the platform and the measures it has implemented to protect minors on its service.
• The Guidelines give further insight on the Commission’s views around age assurance measures. Unsurprisingly, the Commission concurs with the view being adopted by a number of content regulators that self-certification is not an effective method of age assurance. While the Guidelines discuss a number of potential age assurance measures, it is clear that the Commission sees the forthcoming EU Digital Wallet as being the primary solution to the age assurance issue.
• The Guidelines also set out a number of detailed proposals in respect of account settings which should be implemented as default on a minor’s account. In addition, recommendations are made in respect of the design of interfaces and recommender systems, aimed at helping minors avoid harmful behaviours and giving them more control over what content is displayed to them. Many of these recommendations could have a significant practical impact on the operation of online platforms.
• The Guidelines envisage minor-friendly reporting options, with priority being given to such reports. More generally, it is clear that transparency vis-a-vis minors is a key concern for the Commission.

Purpose and status of the Guidelines

Article 28(1) DSA requires providers of online platforms which are “accessible to minors” to implement “appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors on their service”.

There has been considerable discussion about the scope of this broadly framed obligation since its introduction, with many eager to see the Commission’s guidance to providers of online platforms on how to comply with this obligation (as envisaged under Article 28(4) DSA).The publication of the draft Guidelines marks the first instance of such guidance from the Commission and gives additional insight into its approach to Article 28 DSA.

These draft Guidelines are a markedly different instrument to the voluntary Codes of Practice which were previously issued by the Commission (see our previous posts on the Commission’s Code of Disinformation and the Code on Countering Illegal Hate Speech). In contrast to the voluntary, opt-in codes, the Guidelines expressly state that they will serve as a “significant and meaningful benchmark” against which the Commission will assess compliance with Article 28(1). This implies a stronger regulatory expectation that all online platforms which are “accessible to minors” (save for micro and small enterprises) will strive to align their practices with the Guidelines so as to meet DSA obligations. They are perhaps best understood as providing greater detail in respect of the broad but mandatory requirements set out in Article 28(1).

Nevertheless, the Guidelines are careful to maintain a degree of flexibility for the Commission and DSCs in assessing DSA compliance. Although they state that the Guidelines will limit the regulatory discretion in applying Article 28(1), they explicitly note that implementing the measures set out in the Guidelines will not automatically guarantee compliance.

Moreover, the Guidelines note that Section 5 of Chapter III of DSA (the Section which imposes specific obligations on very large online platforms services (VLOPS) and very large online search engines (VLOSES)) may require such entities to implement measures which go further than those outlined in the Guidelines in order to fulfil their Section  5 DSA obligations.

Those caveats aside, it seems likely that if a provider’s Article 28(1) compliance is being scrutinised, a provider that has made a demonstrable and concerted effort to follow the Guidelines should be in a strong position to defend its compliance posture.  However, putting in place the necessary measures to demonstrate such compliance with Guidelines is likely to have a significant impact on the operations of many online platforms within the EU.

Scope of the Guidelines - When is an online platform “accessible to minors”?

The Guidelines make clear that an online platform provider cannot place itself outside of the scope of Article 28(1) DSA solely by including provisions in its terms of service that the service is not intended for use by individuals under a certain age.

The Guidelines reiterate the guidance provided in Recital 71 DSA, which notes that an online platform will be considered “accessible to minors” where any one of the following scenarios applies:

1. minors are permitted to use the service in the online platform’s terms and conditions;
2. the service is directed at, or predominantly used by, minors; or
3. the provider is otherwise aware that “some users” are minors;.

What exactly constitutes “some users” in the third scenario remains unclear, but the draft Guidelines do identify certain elements which will indicate that an online platform is “accessible to minors”, including:

1. the provider already processes personal data of those minors which reveals their age for other purposes;
2. the online platform is known to appeal to minors;
3. the online platform offers similar services to those used by minors;
4. the online platform is promoted to minors; or
5. the online platform provider has conducted or commissioned research that identifies minors as users.

Accordingly, the Guidelines reflect the broad approach taken under the DSA (and other EU laws such as the GDPR and EU competition law), to focus any regulatory assessment on how the platform operates in fact, rather than merely assessing its intended use. If an online platform is not intended for use by minors, it will need to be able to demonstrate it has effective measures in place to avoid minors gaining access, otherwise it will be expected to comply with the obligations of Article 28.

Requirement to conduct risk reviews

Perhaps one of the most notable developments under the Guidelines is the expectation that online platforms accessible to minors should complete a risk review of its own service (and each time a significant change is made to its service) to determine the extent to which minors use the platform and, as relevant, the measures it has implemented to protect minors on its service. It is proposed that this assessment should include an examination of:

1. the likelihood of minors accessing its service;
2. the risks to privacy, safety and security of minors posed by the service by reference to the online platform’s features such as design, marketing and uses[1];
3. measures already taken by the provider regarding these risks;
4. any additional measures identified in the review as appropriate and proportionate; and
5. the potential positive and negative effects on children’s rights from any measures such as restrictions on children’s rights to freedom of expression and information.

While the Commission hints at potentially issuing further materials to support providers in carrying out risk reviews, an existing child rights impact assessment tool used by the Dutch Ministry of the Interior and Kingdom Relations is identified as a helpful resource.

The Guidelines note that, for the providers of VLOPS and VLOSES this “protection of minors” risk assessment, should form part of the general assessment of systemic risks which is already required under Article 34 of DSA. 

While VLOPS and VLOSES will have stood up teams to carry out DSA risk assessments, many non-VLOP/VLOSE online platforms will now have to put in place new processes and procedures for regularly assessing the risks to minors in using its service. Given the ease with which many online platforms will fall within scope of being “accessible to minors”, this obligation is likely to impact a significant proportion of the industry.    

Age assurance methods

A central focus of the draft Guidelines is a discussion on age assurance measures. The Guidelines provide some further detail on what appropriate age assurance measures might look like under Article 28(1) DSA. However, they do not take a prescriptive approach in respect of what technical measures must be implemented. They instead discuss a number of potential measures which can be used in conjunction with one another, depending on the circumstances, and focus instead on the overall efficacy of the measures used.

The Guidelines draw a distinction between “age verification” and “age estimation” measures. “Age verification” measures are those which rely on physical identifiers or verified documentation to determine the age of a user with sufficient certainty. “Age estimation” measures are those which allow a provider to make an informed estimation that a user is likely to be of a certain age, to fall within a certain age range, or to be over or under a certain age, generally based on behavioural indicators.

The Guidelines provide guidance in respect of the circumstances in which different types of measure may be most appropriate.

• Age verification is considered appropriate where:
  • access to certain products or services is subject to a legally imposed minimum age i.e. sale of alcohol, pornographic content, gambling;
  • the terms and conditions of the service require users to be adults; and/or
  • the risk review determines that the service is high risk.
     
• Age estimation is considered appropriate where:
  • the terms and conditions require a user to be above a required minimum age that is lower than 18 to access the service; and/or
  • the risk review determines that the service is medium risk i.e. not high enough to require age verification but not low enough to have no age assurance methods.

The draft Guidelines provide that more than one method should be available to verify a user’s age and users should be provided with a redress mechanism to complain about incorrect age assessments.

The following should also be considered before any age assurance measure is implemented:

• the accuracy and reliability of the measure;
• how easy it will be for minors to circumvent the measure;
• whether the age assurance method is intrusive and if another method would be less intrusive (and as effective); and
• whether the chosen method is non-discriminatory and accessible to all minors.

Applying those considerations, the draft Guidelines explain that self-declaration would not be a sufficient age assurance measure. This is an unsurprising regulatory view and mirrors Coimisiún na Meán’s position on age assurance, as set out in Sections 10.6(f) and 12.10 of its Online Safety Code.  

Interestingly, the Guidelines emphasise that the ultimate goal of age assurance measures is to ensure a high level of privacy, safety and security for minors on a service and they recognise that such objectives could be achieved by alternative means, including by the implementation of other protective measures discussed in the Guidelines (e.g. content moderation measures, default settings etc.). Accordingly, it seems that what will be appropriate in a given case will be highly dependent on the particular circumstances and nature of the relevant platform.

The Guidelines also recognise that online platforms might have only some content, sections or functions on their platform that carry a risk for minors and accordingly it may be appropriate to implement age assurance measures focused on just those parts of the service.

The stance adopted by the Guidelines regarding age assurance is broadly aligned with the evolving approach within the industry. Online platforms are increasingly utilising a variety of age assurance methods and tools to prevent underage users from accessing their services. This includes exploring the use of biometric identifiers, machine learning, and/or linking access to already verified items like credit cards or IDs. Outsourcing age verification to a third party which specialises in age assurance is also an increasingly popular practice.

The Guidelines also reference the European Data Protection Board (EDPB) statement on Age Assurance, but unfortunately they do not examine in detail the concerns raised by the EDPB that certain age assurance measures, while effective, may also necessitate the excessive collection of personal data from minors. Striking the right balance between implementing robust age assurance mechanisms and appropriately minimising the amount of personal data collected is a consistent  challenge for service providers, so additional guidance from the Guidelines on how to navigate this issue would have been particularly valuable.

EU Digital Wallet

The draft Guidelines are principles-based, which helpfully leaves the door open for new age assurance measures to be identified in the future to enable compliance with Article 28(1) DSA.

In that regard, the draft Guidelines reference the EU Digital Wallet as a method of digital identification in the EU. Once issued, the EU Digital Identity Wallet is scheduled to be available by the end of 2026 and may be used by online platform providers for device-based age verification.

In the interim, the Commission has proposed  an EU age verification app which will confirm whether users are 18 and can be presented to online platform providers to confirm the user is not a minor. The Commission published the technical specifications on the age verification app on the open-source developer platform Github in April 2025.

Account settings

Another particularly significant element of the Guidelines is the section addressing account settings and in particular default settings. An overarching principle of the Guidelines is “privacy-, safety-, and security-by-design”, meaning platforms accessible to minors should integrate the highest standards of privacy, safety and security into the design and operation of their services. As an extension of this requirement, the draft Guidelines expect default settings on minors’ accounts to be configured in a manner that promotes privacy and security, while also discouraging excessive usage and harmful behaviour.

The Guidelines set out a list of account settings which should be implemented as default on a minor’s account, many of which could have a significant practical impact on the operation of online platforms. For example:

• Limiting Interactions: accounts of minors should only allow interaction such as likes, tags, comments, direct messages or reposts by accounts they have previously accepted as “friends” or contacts. This categorisation requires regular review. Furthermore only accounts that the minor has previously accepted as contacts should be allowed to see their content and posts.
• Limiting Screenshots: no account, except the minor’s, should be able to download or take screenshots of content uploaded or shared by the minor to the platform.
• Restriction of Functions: geolocation, microphone and camera, contact synchronisation as well as all optional tracking features should be turned off by default. The default autoplay of videos and hosting live streams should also be turned off.
• Limitation of Notifications: push notifications should be turned off by default and should always be off during core sleep hours, adapting the core sleep hours to the age of the minor. When push notifications are actively enabled by the user, they should only notify the user about interactions arising from the user’s direct contacts and content from accounts that the user actively follows or engages with.
• Excessive Use Measures: features that may contribute to excessive use, such as the number of “likes” or “reactions”, communication “streaks”, the “... is typing” function, ephemeral content, and “read receipts,” should be turned off by default.
• Body Image Measures: filters that can have detrimental effects on body image, self-esteem and mental health should be turned off by default.

The Guidelines also expect regular tests and updates of default settings to ensure they remain effective against emerging online risks and trends.

Online interface design

The Guidelines highlight the importance of providers ensuring that its online interface design does not encourage overuse or compulsive behaviour. Features such as indefinite scroll, automatic triggering of video content, artificial content and virtual rewards for repeated actions on the platform are viewed as encouraging negative behaviour in minors. There is a focus on increasing awareness for minors on their time spent on online platforms and to create “real frictions” so minors are dissuaded from spending more time on the platform.

Recommender systems

The draft Guidelines outline that recommender systems may pose and exacerbate risks to minors’ privacy, safety and security online by amplifying content that can have a negative impact. The Guidelines require that recommender systems should generally operate in a way to prevent minors’ repeated exposure to harmful content, but should also give minors the autonomy to completely “reset” their recommended feeds and opt for a recommender system not based on profiling.

Some of the suggestions made in the Guidelines for recommender systems include the following:

• Recommender systems should not only be used as a tool to optimise or maximise minors’ time spent on platforms.
• Keeping in mind their age group, recommender systems should promote minors’ access to information that is relevant and adequate for them.
• Recommender systems should not rely on the ongoing collection of behavioural data that captures all or most of the minor’s activities on the platform (such as watch time and click through rates) and should not collect any behavioural data which captures off-platform activities.
• Explicit user-provided signals (such as direct feedback) should be prioritised in recommended content over implicit engagement-based signals (where preferences are inferred based from the minor’s use of the service).
• Recommender systems should prevent exposure to certain harmful content (such as unrealistic beauty standards, content that glorifies or trivialises mental health issues, discriminatory content, illegal content, violent content and content encouraging dangerous activities).
• Minors’ search results and suggested contacts should prioritise verified accounts, contacts connected to the minors’ network and contacts within the minors’ age range.
• Search features and text autocomplete on the search bar should not recommend harmful content.

Other child protection measures

Beyond the measures outlined above, the draft Guidelines also outline a number of  measures that may be adopted by online platform providers to comply with Article 28(1) DSA (depending on the service) such as:

• Commercial Practices: The Guidelines recognise that minors are particularly vulnerable to persuasive commercial practices such as influencer marketing and AI-enhanced nudging. Measures such as a responsible marketing and advertising policy, visible and child-friendly commercial declarations on content, and transparency around advertising and economic transactions are all recommended in the Guidelines.
• Moderation: The draft Guidelines suggest that moderation measures should clearly define what constitutes harmful content and behaviour and ensure that this does not unduly restrict minors’ rights to freedom of expression and information. Interestingly, there is a focus on preventative moderation such as technical solutions to prevent AI generated content that is harmful to minors and preventing cross-platform dissemination.
• Reporting: The importance of ensuring that report mechanisms are accessible to minors is highlighted in the draft Guidelines. For example, the Guidelines recommend framing reporting prompts so that children can easily understand them, giving minors an option to provide feedback that they do not want to see similar content using simple phrases, avoiding complex reporting categories, and allowing minors to issue free-text reports. Significantly, the Guidelines also recommend prioritising the review of complaints from minors, and reviewing such reports, feedback, and complaints to identify and address any themes relevant to minors’ privacy, safety, and/or security.
• User support measures: The Guidelines note that providers should tailor its user support measures to make it easier for minors to navigate its service and seek support when needed. Those support tools should be child-friendly, accessible and directly connect minors to national support lines using visible links (such as Safer Internet Centres and INHOPE networks). Where providers use AI features as part of its user support measures, it should be clear to minors that they are interacting with an AI system and that these systems can “hallucinate”.
• Guardian tools: The draft Guidelines considers guardian tools as complementary to the safety by design and default measures that may be implemented by providers to address Article 28(1). In that regard, guardian tools should not replace or be the sole measure used to protect minors. There is not much substantive discussion as to what appropriate guardian tools may entail, but the Guidelines do note that such tools may include features such as managing screen time or setting spending limits for a minor, managing account settings or seeing the accounts that the minor communicates with.
• Monitoring and evaluation: The Guidelines consider regular monitoring and evaluation of the effectiveness of any Article 28(1) measures as essential to ensure that they remain effective. As part of that review, providers should consult with minors, guardians and stakeholders from a range of cultural and linguistic backgrounds and consider their feedback. 
• Transparency: The draft Guidelines recognises the importance of tailoring measures adopted to address Article 28(1) for a minor audience. For example, information on how recommender systems or content warnings work should be child friendly and engaging.
• Governance: Good platform governance is recognised in the Guidelines as an effective means for platforms to ensure the protection of minors is prioritised and managed on its service. The draft Guidelines suggest having dedicated, well resourced and trained teams responsible for Article 28(1) compliance, with direct access to senior management. The Guidelines also note that providers should have processes to systematically gather data about the harms and risks to minors on its platform and report this to senior management. The Guidelines also encourage open exchanges with other providers, DSCs and other relevant stakeholders on good practices and technical solutions to protect minors.

Commentary

The publication of the draft Guidelines will be welcomed as it ends the wait for some further clarity on the interpretation of Article 28(1) DSA. The adoption of a principles-based approach is particularly sensible, given the broad range of services covered by the DSA. This flexibility is essential to avoid an overly prescriptive framework, ensuring that compliance measures can be tailored to the specific nature of each service, and ensuring that online platforms can use their own deep expertise of their services to design the most effective means of achieving the objectives of Article 28(1) DSA.

However, it is difficult to avoid the conclusion that the Guidelines will introduce a significant layer of additional regulatory expectations (or, in effect, quasi-obligations) for non-VLOPS and non-VLOSES which are accessible to minors. Further, these types of quasi-obligations are analogous to the types of obligations that the EU legislature had specifically reserved for application to VLOPS and VLOSES. For example, the risk review is analogous to the Article 34 DSA risk assessment (as the Guidelines implicitly acknowledge), and the governance obligations are analogous to the Article 41 DSA independent compliance function obligations). That said, the Guidelines make clear that proportionality will be a core principle in applying Article 28(1) DSA, and it may be that providers can design less burdensome measures which are nonetheless acceptable to regulators as they prioritise the best interests of minors, and effectively safeguard their privacy, safety, and security.  

Finally, it is noteworthy that there are some cross-overs between the Guidelines and Coimisiún na Meán’s Online Safety Code (which applies to video-sharing platform services whose providers are established in Ireland). For instance, there appears to be a degree of alignment in respect of age assurance measures, the need to restrict who can see a minor’s content and who can contact a minor, and the availability of controls for parents/guardians.

What’s next?

The Guidelines are open for feedback until 10 June 2025, with the final Guidelines due to be published in summer 2025.

If you would like any further information on the Commission’s Article 28(1) DSA Guidelines, please contact Dr Stephen King, Partner, Eoghan O’Keeffe, Knowledge Consultant, Jade Van Standen, Solicitor, or your usual contact on A&L Goodbody’s Technology team.

Date published: 22 May 2025 

[1] When considering what risks are posed to minors, online platform providers should consider the following types of risk: content, conduct, contact, consumer and cross-cutting risks (referred to in the draft Guidelines as “5C typology of risks”).