Executive Vice-President Henna Virkkunen, in a written answer on 19 June 2026, defended the EU age verification app against privacy and security concerns raised by MEPs, stating that the reported flaws concerned an early development version and have been addressed, while stressing that the app's final deployment must comply with GDPR and cybersecurity standards.
The answer responds to a parliamentary question submitted on 22 April 2026 by MEPs Marieke Ehlers, Mieke Andriese, and Sebastian Kruis (all PfE), who cited independent code reviews claiming the app's PIN could be bypassed in under two minutes, biometric protections disabled, and unencrypted facial images stored without deletion. Virkkunen clarified that the findings related to a pre-release version that experts could examine before any citizen use, and that a hardening update was released on 17 April 2026 addressing the specific issues. She emphasised that the described behaviours require physical access to a device modified to remove built-in security protections, which a standard unmodified phone prevents. On biometric data, she stated that the app relies on local device processing, biometric material is used only to confirm the user is the genuine holder of an authentic identity document, and it is never transmitted. The individual solutions published will need to comply with the General Data Protection Regulation (GDPR), supervised by national data protection authorities. Virkkunen noted that the Commission's statement on technical readiness referred to the publicly available EU age verification blueprint, and that further integration work by an app publisher is required, including translation, branding, app-store submission, and operational hardening. The Commission Recommendation of 29 April 2026 calls on Member States to ensure compliance with all relevant cybersecurity standards. The EU Age Verification Scheme will set criteria for issuers of proof-of-age attestations and for age verification solutions, and will publish a list of providers meeting required privacy and security standards.