Executive Vice-President Henna Virkkunen, in a written answer on 29 June 2026, defended the EU's age verification application against criticism that it was launched with security vulnerabilities, stating that issues raised by independent experts have been corrected and that the system is designed to protect user anonymity and data. The answer addresses concerns from MEPs Dick Erixon, Charlie Weimers, and Beatrice Timgren (all ECR), who questioned the app's technical readiness after media reports claimed it could be hacked or bypassed within two minutes of its launch on 15 April 2026.
Virkkunen acknowledged that some of the issues raised were well founded and said the development consortium released an updated version shortly after the initial launch, with further improvements to follow. She emphasised that the 15 April release was an early reference implementation made public for scrutiny before full deployment. The answer contains concrete commitments: age verification solutions will be assessed and approved under Commission Recommendation (EU) 2026/1035, with rules established via the age verification attestation of attributes scheme based on Article 8 of Implementing Regulation (EU) 2025/1569, the Age Verification Blueprint, eIDAS Regulation, NIS2 Directive, Cyber Resilience Act, and GDPR.
On data protection, Virkkunen stated that the system uses zero-knowledge proofs, allowing users to prove their age without sharing identity or personal details. Platforms receive only a cryptographic confirmation, ensuring unlinkability and no centralised data storage. Strict compliance is enforced through contractual obligations on implementers, including mandatory data protection impact assessments. The policy orientation is toward robust security and privacy by design, with institutional follow-up expected as the Commission finalises the assessment scheme and approves compliant solutions. The answer signals that the Commission is committed to addressing vulnerabilities transparently while maintaining the app's core goal of protecting children online without compromising user anonymity.