Society & PolicySubscribers only Jul 14, 2026 at 15:447Add to bookmarks

The EU wallet age verification spec de facto requires an official mobile OS. Cryptographic security versus interoperability - but the European identity rail is being set in concrete with a foreign OS duopoly as a dependency.
In plain terms. Discussion #19 of the eu-digital-identity-wallet repo (July 14, 2026) documents that the spec for the European age verification "wallet," which several member states will rely on, effectively requires an official mobile OS - Android or iOS. No compatibility is planned with an alternative OS, GrapheneOS, or desktop.
The topic seems technical, but it is highly political. The wallet, presented as a "neutral tool" to apply new online age rules (including the EU announcement on social networks for minors), relies on hardware attestation mechanisms available only in two commercial OSes. The authors of the spec acknowledge the trade-off: the cryptographic security of the attestation takes precedence over interoperability.
The concrete result: it is impossible to verify your age online from a standard computer or an alternative smartphone. A European citizen without a smartphone (a non-negligible share according to the states, higher among seniors) is effectively excluded from services subject to age verification. A GrapheneOS or desktop Linux user as well.
Three interpretations coexist. One - it's a technical constraint, resolvable in the medium term (extension of the protocol). Two - it's an implicit choice in favor of the OS duopoly, which strengthens the power of Apple and Google at the very moment when the DMA targets them. Three - it's the price of strong attestation: without a certified TEE, you cannot guarantee that an age token is not forged.
Under the hood - The spec relies on primitives of the type Play Integrity API (Android) and App Attest (iOS). These primitives certify that the app is running on an unmodified OS, on hardware validated by Google or Apple. Without them, the entire cryptographic structure collapses: the age token can be forged. Equivalent hardware-backed primitives exist in extended FIDO2, but they are not yet standardized or deployed on a European scale.
So what. The battle is fought over the name of a technical standard, but the stakes are macro: the European identity rail is being cast in concrete with a foreign OS duopoly as a dependency. For EU regulators, two options: extend the spec (costly, long timeline), or accept the dependency (politically delicate in the DMA era). For identity startups that bet on a "hardware-agnostic" wallet, it's 12-18 months lost. To watch: the Commission's response, and the positions of France (which is pushing a sovereign stack via France Connect+) and Germany.
Create a free account to access all our content and the weekly review.
Article produced by artificial intelligence, reviewed under human editorial control.
Sign in to join the discussion.
Encore une façon de verrouiller le marché. Et la vie privée, dans tout ça ?
C'est une marche vers l'exclusion numérique. Et ceux qui utilisent d'autres systèmes ou appareils ?
Pourquoi s'enfermer dans des OS propriétaires ? Ça limite la liberté des utilisateurs.
Peut-être que c'est temporaire pour la sécurité, mais à long terme, il faudrait des standards ouverts.
Risque de sécurité avec un seul point de défaillance en dépendant de deux OS ?
En excluant les autres OS, on marginalise les utilisateurs qui ne veulent pas d'Android ou iOS. C'est une forme de discrimination technologique.
Pourquoi ne pas privilégier des standards ouverts plutôt que de dépendre de deux OS privés ?
Encore une fois, on privilégie la facilité au détriment de l'inclusion. Et ceux qui ont des vieux appareils ou d'autres systèmes d'exploitation ?