On 14 July 2025, the European Commission published its final guidelines on the protection of minors under the Digital Services Act (“DSA”) (the “Guidelines”). The Guidelines are intended to provide guidance to providers of online platforms that are “accessible to minors” on meeting their obligations to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service” (DSA, Art. 28(1)).

The European Commission published a draft version of the guidelines for consultation on 13 May 2025 (“Draft Guidelines”) (see our blog post here). The final Guidelines include some amendments to the Draft Guidelines on the basis of the feedback received during consultation, clarifying and building out further the recommended measures.

Although the Guidelines are non-binding, the Commission has made clear that it intends to use the Guidelines as a “significant and meaningful” benchmark when assessing in-scope providers’ compliance with Article 28(1) DSA.

The Guidelines form part of a broader trend in the EU and UK as regulators seek to strengthen online protection measures for children. As discussed in our most recent blog post on the OSA, Ofcom, the UK online safety regulator, recently announced that it is requiring certain in-scope providers to submit their children’s risk assessments under the Online Safety Act by 7 August 2025, and opened a consultation on new proposals aimed at strengthening existing online protection measures for children.

Risk Review

The Guidelines recognise that, due to the different nature of platforms, and the contexts in which they operate, in-scope providers will need to consider different measures to determine which are best suited to their circumstances to comply with Article 28(1) DSA. The Guidelines refer to this as a “risk review.”

The Guidelines include minimum factors that providers must identify and take into account when conducting their risk review. They also clarify that when conducting a risk review, providers should give “primary consideration” to the best interests of the child, and should seek the participation of children, their guardians, and representatives of other potentially impacted groups, taking their views into account. As part of their risk review, providers should also consider the most up-to-date scientific and academic research, and leverage other relevant assessments they perform.

The Guidelines also state that providers should carry out the risk review periodically, and at least annually, or whenever they make significant changes to their service’s design.

For designated very large online platforms and search engines specifically, the Guidelines state that the risk review “can” be carried out as part of their general assessment of systemic risks under Article 34 DSA, although they are not obliged to do this.

EU Age Verification Solution

The Commission also released a prototype of its age verification app, opening a pilot phase during which the software solution will be tested and further customized in collaboration with Member States, online platforms and end users. The blueprint on age verification enables users to prove that they are over 18 when accessing restricted adult content, without disclosing any other personal information. The technical specifications and the open-source blueprint are freely available and available to providers to use to align the age verification solutions they use with the recommendations set out in the Guidelines.

Other Reports on Stakeholders’ Consultations

At the same time as publishing the Guidelines, the Commission published the results of three consultations it had with various stakeholders in developing them—namely, summary reports of the public consultation (the “Public Consultation Report”) and call for evidence (the “Call for Evidence Report”) on the Guidelines, and a report on the process and outcome of focus groups organised with children and young people on the Guidelines (“Focus Groups Report”):

  • The Public Consultation Report is the result of the public consultation, which ran from 13 May to 15 June 2025, on the Draft Guidelines, and provides an overview of the respondents’ feedback on general and specific parts of the Draft Guidelines.
  • The Call for Evidence Report summarises feedback from the call for evidence, which ran from 31 July to 30 September 2024, to gather feedback on the proposed scope and approach of the Guidelines and good practices and recommendations to mitigate online risks for minors.
  • The Focus Groups Report summarises the outcome of several focus groups, ran by the European Schoolnet on behalf of the Commission and supported by the European network of Safer Internet Centres. The focus groups took place at both the European and national level, involving over 150 young people, during which they were asked to identify gaps in the Draft Guidelines, areas for improvement, and any unintended negative consequences.

***

The Covington team is working with a range of clients on DSA and OSA compliance. Please reach out to a member of the team if you need assistance.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Read more about Dan CooperEmail
Show more Show less
Photo of Shona O'Donovan Shona O'Donovan

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy, intermediary liability and online content issues under EU, UK, and Irish law.

Shóna provides…

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy, intermediary liability and online content issues under EU, UK, and Irish law.

Shóna provides strategic advice to companies on complying with data protection, e-privacy and online content laws, as well as defending organizations in cross-border, contentious investigations and regulatory enforcement before EU and UK regulators. In this context, she has represented clients in responding to regulatory requests relating to their compliance with the GDPR, the ePrivacy Directive, the Digital Services Act, the Audiovisual Media Services Directive and the Online Safety Act 2023. She also regularly advises clients on how these laws intersect with one another.

In her current role, Shóna gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna co-leads Covington’s pro bono work with the Schools Consent Project, and regularly delivers workshops on sexual consent in schools across London. She also regularly provides pro bono advice to non-profits on complying with data protection laws.

Read more about Shona O'DonovanEmail
Show more Show less
Photo of Madelaine Harrington Madelaine Harrington

Madelaine Harrington is an associate in the technology and media group. Her practice covers a wide range of regulatory and policy matters at the cross-section of privacy, content moderation, artificial intelligence, and free expression. Madelaine has deep experience with regulatory investigations, and has…

Madelaine Harrington is an associate in the technology and media group. Her practice covers a wide range of regulatory and policy matters at the cross-section of privacy, content moderation, artificial intelligence, and free expression. Madelaine has deep experience with regulatory investigations, and has counseled multi-national companies on complex cross-jurisdictional fact-gathering exercises and responses to alleged non-compliance. She routinely counsels clients on compliance within the EU regulatory framework, including the General Data Protection Regulation (GDPR), among other EU laws and legislative proposals.

Madelaine’s representative matters include:

coordinating responses to investigations into the handling of personal information under the GDPR,
counseling major technology companies on the use of artificial intelligence, specifically facial recognition technology in public spaces,
advising a major technology company on the legality of hacking defense tactics,
advising a content company on compliance obligations under the DSA, including rules regarding recommender systems.

Madelaine’s work has previously involved representing U.S.-based clients on a wide range of First Amendment issues, including defamation lawsuits, access to courts, and FOIA. She maintains an active pro-bono practice representing journalists with various news-gathering needs.

Read more about Madelaine HarringtonEmail
Show more Show less
Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.

Read more about Laura SomainiEmail
Show more Show less