Online harms: a structural problem
While social media can offer connection and self-expression, it can also expose youth to serious harm. Platforms built around attention-based business models collect and monetize personal data while using algorithmic feeds to maximize engagement. Endless streams of dopamine-producing content keeps users hooked online for hours on end, potentially exposing them to harmful and illegal material. The consequences of this consumption range from poor mental health to reduced cognitive function.
Are existing protections enough?
The EU has responded with a number of platform governance and personal data protection regulations. “The General Data Protection Regulation (GDPR), the Audiovisual Media Services Directive (AVMSD), the Digital Services Act (DSA), and the Artificial Intelligence Act (AI Act) all contain provisions that specifically address children’s vulnerabilities,” according to Interface’s 2025 report, “Mind the Gap: Age Assurance and the Limits of Enforcement under EU Law” by Jessica Galissaire.
Why is it, then, that online harms persist? The problem doesn’t lie in the lack of regulation, the authors write, but instead in the lack of effective enforcement and implementation.
The authors highlight age assurance—understood as “the set of technical and procedural mechanisms used to determine the age or age range of a user”—as one important aspect of enforcement. These tools are used to enforce legal obligations that keep minors safe from exposure to harmful content, targeted advertising, and data processing.
Yet age assurance is often overlooked, undermining the effectiveness of the EU’s regulations. The authors found that among the most popular platforms used by youth in the EU (Discord, Fortnite, Instagram, Roblox, Snapchat, TikTok, Twitch, and YouTube), all relied “on self-declaration mechanisms for age checks.” In practice, these can be easily bypassed, removing any obligation for platforms to treat them differently than other users.
Some countries favour complete bans, prohibiting children under a certain age from holding a social media account, even with parental consent. Others prefer tiered models, combining complete bans for younger children with parental consent allowances for older teens.
The EU’s fragmented regulatory landscape
Meanwhile, mounting political pressure has led many member states to pursue their own online harm legislation.
But these have been highly fragmented. According to Interface's 2026 report “Social Media Age Gating in the EU” by Jessica Galissaire and Salma Gomez, twenty-three of twenty-seven member states were at least considering national legislation in May, yet no coherent model has emerged. Most countries are still at the discussion phase. Italy, Poland, Portugal, and Spain have introduced draft laws. France is furthest along, with each legislative chamber having passed a different version of the same bill. The European Commission was notified of the Senate’s version.
Even more still, approaches themselves vary widely. Some countries favour complete bans, prohibiting children under a certain age from holding a social media account, even with parental consent. Others prefer tiered models, combining complete bans for younger children with parental consent allowances for older teens.
Even approaches within individual countries differ. At the time of the report’s writing, Italy currently had four competing legislative proposals from different parties.
Another key takeaway from the 2026 report is that the phrase “social media ban” is misleading. For one, “bans” wouldn’t apply to platforms themselves but rather underage users. For another, it conveys the idea that these national initiatives target a homogenous category of “social media services” when in fact there is no EU-wide definition of what that entails. Some countries drew their definitions from the Digital Markets Act. Others have written their own. Portugal's draft law extends its scope well beyond social media to include online betting and gaming apps. What most definitions have in common, the authors say, is a focus on platform features, including user profiles, algorithmic feeds, content sharing, and the ability to interact with strangers.
The Commission steps in
To avoid fragmentation of the EU’s single market, the European Commission is pushing toward a common framework. At an EU summit in April, Commission President Ursula von der Leyen announced a special expert panel on online child safety, tasked with advising on the case for and against restricting minors' access to social media platforms.
“Without pre-empting the panel's findings, I believe we must consider a social media delay,” she said, adding that “depending on the results, we could come with a legal proposal this summer.”
The Commission has also released an age verification application for deployment across the EU, which would allow users to confirm their age via passport or ID card when accessing online platforms. Adoption is not mandatory, but the Commission has formally recommended that Member States use it.
Estonia rejects age restrictions
Estonia is one of the few Member States to reject age restrictions as a solution to online harms. Its position is rooted in its context as a digital society. Citizens access civic institutions and services through digital technology. While social media isn’t necessarily one of those tools, citizens are taught to view digital technologies as a normal part of everyday life. Bans from these platforms therefore contradict the ethos of Estonia’s e-governance and deny youth the opportunity to develop the digital literacy they will need to navigate online spaces safely and responsibly.
“A purely age-based technical access restriction fails to address the core issues surrounding youth safety online,” said Pakosta. “Such hurdles can easily be bypassed by using a parent's or friend's account, another device, or a VPN.”
(Liisa-Ly Pakosta)
Instead, the Minister of Justice and Digital Affairs Liisa-Ly Pakosta told Eesti Elu that “Estonia bases its minimum age for social media use on the GDPR, which permits the processing of children's data from the age of thirteen. We believe additional barriers would impose a disproportionate restriction on children's access to the information society.”
Estonia also questions whether purely age-based technical restrictions would work in practice. “A purely age-based technical access restriction fails to address the core issues surrounding youth safety online,” said Pakosta. “Such hurdles can easily be bypassed by using a parent's or friend's account, another device, or a VPN.”
The Commission's age verification app has done little to shift Estonia's position. “Our skepticism is further deepened by recent reports that cybersecurity experts have found multiple security flaws and technical shortcomings in the Commission's app,” Pakosta said. “From a state perspective, such vulnerabilities are a red flag and further reduce the already unlikely prospect of Estonia adopting a similar solution for its citizens, as ensuring privacy and data protection must remain an absolute priority.”
Instead, Estonia’s preferred solution has been to improve enforcement where relevant regulation already exists.
“The DSA already mandates that social media platforms ensure a safe environment for children, requiring private accounts, safe algorithms, and the prevention of addictive features and manipulative business practices,” said Pakosta. “The focus should remain on platforms’ own responsibility and effective risk‑mitigation measures, rather than narrowly on age‑verification requirements that could restrict users’ rights to access social media and other online services,” she added.
“The European Union already has the legislative tools to address these risks, and the priority should be to enforce them more efficiently,” she added.
~~~
