Brussels wants to close the VPN loophole, even as it insists its official age verification app remains a mere suggestion.<\/h5>\n\n\n\n![\"Virkkunen](\"https:\/\/reclaimthenet.org\/wp-content\/uploads\/2026\/05\/S6VrFQLSq9k7-scaled.jpg\")
<\/figure>\n\n\n\nBy Cindy Harper<\/p>\n\n\n\n
Brussels has a problem with people trying to stay anonymous online and now it\u2019s eyeing the tools they use to do it.<\/p>\n\n\n\n
Henna Virkkunen, the European Commission\u2019s Executive Vice-President for Tech Sovereignty, Security, and Democracy, told reporters<\/a> that VPNs sit on the agenda as the EU pushes its age verification app toward member states.<\/p>\n\n\n\nAsked how Brussels intends to stop children from routing around age checks with a VPN, she said \u201cit\u2019s also an important part of next steps also to look at that it shouldn\u2019t be circumvented.\u201d<\/p>\n\n\n\n
VPNs are more than a tool for teenagers trying to access Instagram. They are how journalists protect sources, how dissidents talk to family, how ordinary people stop their internet provider from logging every site they visit. Treating circumvention as a problem to be solved at the network level means treating privacy tools as the obstacle, rather than the proportionate response to a system that demands ID for ordinary online activity.<\/p>\n\n\n\n
The VPN comment surfaced at a press conference about the Commission\u2019s broader regulatory squeeze.<\/p>\n\n\n\n
Brussels provisionally found that Meta likely violated the Digital Services Act<\/a> by failing to keep under-13s off Facebook and Instagram, accusing the company of \u201cfailing to diligently identify, assess and mitigate the risks of minors under 13 years old accessing their services.\u201d<\/p>\n\n\n\nBy the Commission\u2019s own count, roughly 12% of European children below the age limit log into the platforms anyway.<\/p>\n\n\n\n
Virkkunen framed the finding as enforcement of existing rules rather than a new mandate. \u201cThe DSA requires platforms to enforce their own rules: terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users, including children,\u201d she said.<\/p>\n\n\n\n
A Commission spokesperson echoed the line, telling ISMG that the DSA \u201cdoes not mandate specific mitigation measures,\u201d and pointing to alternatives like better internal review processes.<\/p>\n\n\n\n
The denial sits awkwardly next to everything else Brussels is doing. The Commission published guidelines last July recommending age verification. It is now pressing member states to \u201caccelerate the adoption of age verification tools.\u201d<\/p>\n\n\n\n
It has built a framework defining who can supply proof-of-age services. And it has shipped an official mobile app<\/a>, designed for citizens to load with passport or ID card data, intended as a template for national rollouts.<\/p>\n\n\n\nVirkkunen called the app a \u201cblueprint\u201d meant to harmonize age checks across the bloc.<\/p>\n\n\n\n
Saying you have not mandated something while assembling every piece of infrastructure required to mandate it is a particular kind of policy choreography.<\/p>\n\n\n\n
Meta, looking at the Commission\u2019s provisional finding, has to ask itself what realistic compliance looks like without deploying the very tools the Commission insists it has not required.<\/p>\n\n\n\n
The Commission\u2019s own app illustrates why these systems make security people nervous. Brussels described it last month as \u201ctechnically ready\u201d and \u201cready for deployment.\u201d<\/p>\n\n\n\n
<\/figure>\n\n\n\nBy Cindy Harper<\/p>\n\n\n\n
Brussels has a problem with people trying to stay anonymous online and now it\u2019s eyeing the tools they use to do it.<\/p>\n\n\n\n
Henna Virkkunen, the European Commission\u2019s Executive Vice-President for Tech Sovereignty, Security, and Democracy, told reporters<\/a> that VPNs sit on the agenda as the EU pushes its age verification app toward member states.<\/p>\n\n\n\n Asked how Brussels intends to stop children from routing around age checks with a VPN, she said \u201cit\u2019s also an important part of next steps also to look at that it shouldn\u2019t be circumvented.\u201d<\/p>\n\n\n\n VPNs are more than a tool for teenagers trying to access Instagram. They are how journalists protect sources, how dissidents talk to family, how ordinary people stop their internet provider from logging every site they visit. Treating circumvention as a problem to be solved at the network level means treating privacy tools as the obstacle, rather than the proportionate response to a system that demands ID for ordinary online activity.<\/p>\n\n\n\n The VPN comment surfaced at a press conference about the Commission\u2019s broader regulatory squeeze.<\/p>\n\n\n\n Brussels provisionally found that Meta likely violated the Digital Services Act<\/a> by failing to keep under-13s off Facebook and Instagram, accusing the company of \u201cfailing to diligently identify, assess and mitigate the risks of minors under 13 years old accessing their services.\u201d<\/p>\n\n\n\n By the Commission\u2019s own count, roughly 12% of European children below the age limit log into the platforms anyway.<\/p>\n\n\n\n Virkkunen framed the finding as enforcement of existing rules rather than a new mandate. \u201cThe DSA requires platforms to enforce their own rules: terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users, including children,\u201d she said.<\/p>\n\n\n\n A Commission spokesperson echoed the line, telling ISMG that the DSA \u201cdoes not mandate specific mitigation measures,\u201d and pointing to alternatives like better internal review processes.<\/p>\n\n\n\n The denial sits awkwardly next to everything else Brussels is doing. The Commission published guidelines last July recommending age verification. It is now pressing member states to \u201caccelerate the adoption of age verification tools.\u201d<\/p>\n\n\n\n It has built a framework defining who can supply proof-of-age services. And it has shipped an official mobile app<\/a>, designed for citizens to load with passport or ID card data, intended as a template for national rollouts.<\/p>\n\n\n\n Virkkunen called the app a \u201cblueprint\u201d meant to harmonize age checks across the bloc.<\/p>\n\n\n\n Saying you have not mandated something while assembling every piece of infrastructure required to mandate it is a particular kind of policy choreography.<\/p>\n\n\n\n Meta, looking at the Commission\u2019s provisional finding, has to ask itself what realistic compliance looks like without deploying the very tools the Commission insists it has not required.<\/p>\n\n\n\n The Commission\u2019s own app illustrates why these systems make security people nervous. Brussels described it last month as \u201ctechnically ready\u201d and \u201cready for deployment.\u201d<\/p>\n\n\n\n