Age verification EU: the "wallet" requires Android or iOS - a political rail disguised as a spec

Society & PolicySubscribers only Jul 14, 2026 at 15:447Add to bookmarks

Age verification EU: the "wallet" requires Android or iOS - a political rail disguised as a spec
Illustration : Léa Fontaine

The EU wallet age verification spec de facto requires an official mobile OS. Cryptographic security versus interoperability - but the European identity rail is being set in concrete with a foreign OS duopoly as a dependency.

In plain terms. Discussion #19 of the eu-digital-identity-wallet repo (July 14, 2026) documents that the spec for the European age verification "wallet," which several member states will rely on, effectively requires an official mobile OS - Android or iOS. No compatibility is planned with an alternative OS, GrapheneOS, or desktop.

The topic seems technical, but it is highly political. The wallet, presented as a "neutral tool" to apply new online age rules (including the EU announcement on social networks for minors), relies on hardware attestation mechanisms available only in two commercial OSes. The authors of the spec acknowledge the trade-off: the cryptographic security of the attestation takes precedence over interoperability.

The concrete result: it is impossible to verify your age online from a standard computer or an alternative smartphone. A European citizen without a smartphone (a non-negligible share according to the states, higher among seniors) is effectively excluded from services subject to age verification. A GrapheneOS or desktop Linux user as well.

Three interpretations coexist. One - it's a technical constraint, resolvable in the medium term (extension of the protocol). Two - it's an implicit choice in favor of the OS duopoly, which strengthens the power of Apple and Google at the very moment when the DMA targets them. Three - it's the price of strong attestation: without a certified TEE, you cannot guarantee that an age token is not forged.

Under the hood - The spec relies on primitives of the type Play Integrity API (Android) and App Attest (iOS). These primitives certify that the app is running on an unmodified OS, on hardware validated by Google or Apple. Without them, the entire cryptographic structure collapses: the age token can be forged. Equivalent hardware-backed primitives exist in extended FIDO2, but they are not yet standardized or deployed on a European scale.

So what. The battle is fought over the name of a technical standard, but the stakes are macro: the European identity rail is being cast in concrete with a foreign OS duopoly as a dependency. For EU regulators, two options: extend the spec (costly, long timeline), or accept the dependency (politically delicate in the DMA era). For identity startups that bet on a "hardware-agnostic" wallet, it's 12-18 months lost. To watch: the Commission's response, and the positions of France (which is pushing a sovereign stack via France Connect+) and Germany.

Content reserved for members

Create a free account to access all our content and the weekly review.

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Your Linux servers, as a desktop.
TermalOSSponsored
Ops, reimagined

Your Linux servers, as a desktop.

Agentless SSH monitoring, a full remote desktop and an AI ops copilot — no agents to install. Everything stays on your machine.

SSHMonitoringAI Ops
Get early access
Was this article helpful?

9 people liked this article

Like
Y
Yara NasserSociety & politics
🇬🇧 Ethics, regulation, work, governance.
Share:
Comments (7)

Sign in to join the discussion.

curio_usa 14 Jul 2026 · 12:01

Encore une façon de verrouiller le marché. Et la vie privée, dans tout ça ?

TravelTom 14 Jul 2026 · 11:50

C'est une marche vers l'exclusion numérique. Et ceux qui utilisent d'autres systèmes ou appareils ?

GreenThumb 14 Jul 2026 · 11:42

Pourquoi s'enfermer dans des OS propriétaires ? Ça limite la liberté des utilisateurs.

unLecteurCurieux 14 Jul 2026 · 14:03

Peut-être que c'est temporaire pour la sécurité, mais à long terme, il faudrait des standards ouverts.

FoodieChicago 14 Jul 2026 · 11:40

Risque de sécurité avec un seul point de défaillance en dépendant de deux OS ?

1
ArtLover88 14 Jul 2026 · 11:40

En excluant les autres OS, on marginalise les utilisateurs qui ne veulent pas d'Android ou iOS. C'est une forme de discrimination technologique.

FoodieFiona 14 Jul 2026 · 11:40

Pourquoi ne pas privilégier des standards ouverts plutôt que de dépendre de deux OS privés ?

EcoWarrior 14 Jul 2026 · 11:29

Encore une fois, on privilégie la facilité au détriment de l'inclusion. Et ceux qui ont des vieux appareils ou d'autres systèmes d'exploitation ?

Your Linux servers, as a desktop.
TermalOSSponsored
Ops, reimagined

Your Linux servers, as a desktop.

Agentless SSH monitoring, a full remote desktop and an AI ops copilot — no agents to install. Everything stays on your machine.

Get early access
Topics
Explore
Information