EU Age Verification App Hacked in 2 Minutes: What It Means for the EUDI Wallet
April 28, 2026

An opinion piece by Gataca on the European Commission's reference age verification implementation, why it matters for EUDI Wallet adoption, and where the public and private roles should have been drawn.
Key takeaways
- On 15 April 2026, the European Commission released the source code of an "EU Age Verification App", a white-label reference implementation, not a finished consumer product.
- The same day, security researcher Paul Moore bypassed PIN and biometric controls in under two minutes by editing a plain-text configuration file.
- The premise of the project (privacy-preserving, wallet-based age verification) is correct and supports EUDI Wallet adoption.
- The delivery — an open-source codebase contracted out to consultancies, shipped without the security maturity it required — fell short of what a launch of this profile demanded.
- A compliant private market for age verification with digital identity wallets already exists in Europe today. Gataca's view is that the Commission's most valuable contribution is clear, evenly-enforced regulation, not a parallel public implementation.
What happened
On 15 April 2026, European Commission President Ursula von der Leyen unveiled what was widely communicated as the "EU Age Verification App."
In practice, what was released was open-source code, a white-label reference implementation pushed to a public GitHub repository, rather than a production-ready, hardened, end-user product.
The distinction matters. Within days, security consultant Paul Moore picked up that publicly available code and demonstrated a bypass in under two minutes.
By editing a plain-text XML configuration file, he was able to reset the user PIN, disable biometric authentication via a single boolean flag, and retain access to stored credentials. An Italian researcher subsequently reproduced his findings and documented five additional vulnerabilities. Multiple outlets have since reported that the project's own GitHub repository flagged the build as unfit for production before the Commission held its press conference.
The Commission has clarified that the released version is a demo, and that the code will continue to evolve.
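To make the failure mode concrete, here is an added example (not code from the EU app or from Gataca) in Python: a wallet unlock that trusts a plain-text XML file for its PIN and biometric flag, beside a hardened version in which the file holds no PIN, the flag is bound to a keystore secret by an HMAC, and the credential-store key is derived from the PIN. The XML schema and the keystore secret are assumptions; a real implementation would encrypt the store under the derived key, which the verifier check below stands in for.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed samples (hypothetical schema) of a plain-text config holding the PIN
# and a boolean biometric flag, and the same file after a local edit.
ORIGINAL_XML = '<wallet><pin>4821</pin><biometric enabled="true"/></wallet>'
EDITED_XML = '<wallet><pin>0000</pin><biometric enabled="false"/></wallet>'

# Stand-in for a device-keystore secret that never reaches the filesystem (assumption).
KEYSTORE_SECRET = b"hardware-backed-key-placeholder"


def vulnerable_unlock(xml_text, entered_pin, biometric_passed):
    """Policy and PIN live in the file: whoever can edit the file sets the policy."""
    root = ET.fromstring(xml_text)
    if root.find("biometric").get("enabled") == "true" and not biometric_passed:
        return None
    return "credentials" if entered_pin == root.findtext("pin") else None


def _tag(value):
    return hmac.new(KEYSTORE_SECRET, value.encode(), hashlib.sha256).hexdigest()


def sealed_policy(biometric_required):
    """Hardened file: no PIN, and the flag carries an HMAC under the keystore secret."""
    value = "true" if biometric_required else "false"
    return f'<wallet><biometric enabled="{value}" tag="{_tag(value)}"/></wallet>'


def pin_key(pin):
    """Credential-store key derived from the PIN; nothing recoverable is written to disk."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), KEYSTORE_SECRET, 100_000)


def make_store(pin, credentials):
    key = pin_key(pin)
    return {"verifier": hmac.new(key, b"verify", hashlib.sha256).digest(), "data": credentials}


def hardened_unlock(policy_xml, store, entered_pin, biometric_passed):
    node = ET.fromstring(policy_xml).find("biometric")
    value, tag = node.get("enabled", ""), node.get("tag", "")
    if not hmac.compare_digest(_tag(value), tag):
        return None  # the file was edited after sealing: refuse to proceed
    if value == "true" and not biometric_passed:
        return None
    key = pin_key(entered_pin)
    # A wrong PIN yields a wrong key, so the store cannot be opened: nothing to "retain".
    check = hmac.new(key, b"verify", hashlib.sha256).digest()
    return store["data"] if hmac.compare_digest(check, store["verifier"]) else None
```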
What is the EU Age Verification App?
The EU Age Verification App is the European Commission's reference implementation of wallet-based proof of age.
The idea is straightforward: instead of handing your passport, name, address and document number to every adult website, social network or online gambling platform required to check your age under the Digital Services Act (DSA), you prove a single fact — "I am over 18" — from a credential stored in a digital wallet, without sharing additional personal data.

Key facts:
- Released: 15 April 2026 as an open-source reference implementation.
- Pilot Member States: France, Denmark, Greece, Italy, Spain, Cyprus and Ireland.
- Public availability: expected by summer 2026.
- Architecture: selective disclosure, verifiable credentials, wallet-held keys.
- Interoperability: designed to align with the upcoming European Digital Identity (EUDI) Wallet.
This is the direction Europe should be moving in, and at Gataca we have been building privacy-first age verification on this model for years. We want this initiative to succeed and that is precisely why the issues with this rollout matter.
Why the idea is right and why it matters for the EUDI Wallet
The premise of the Commission's app — that you should be able to prove you're over 18 without exposing your name, birthdate, address, document number and selfie to a third party — is the right premise. It is the only premise that respects child safety and user privacy at the same time.
The Commission's investment in this use case is also good news for the EUDI Wallet itself.
The real challenge for the EUDI Wallet has never been the technology. It is adoption. A wallet sitting dormant on a smartphone is useless: you need verifiers with a reason to integrate, and users with a reason to keep it on their phone.
Age verification delivers both:
- For verifiers: a clean compliance path under the DSA and national rules.
- For users: a simple, low-friction way to access services without oversharing.
Most digital ecosystems start with one strong use case and grow from there. Age verification could be exactly that starting point for European digital identity.
By legitimising the wallet-based model, the Commission is signalling to relying parties (adult content sites, social networks, online gambling, dating, gaming) that wallets are the way forward, which can meaningfully accelerate adoption.
That is why we believe the idea behind the EU Age Verification App is right. The challenge lies in how it has been delivered.
What went wrong
Why "open source contracted out" is not the same as "secure"
Open source can be incredibly secure, but only after years of adversarial pressure, dedicated maintainers, professional security audits, bug bounty programs, and the feedback loop of real-world exploitation.
The vulnerabilities Moore found are not subtle. They are not obscure side-channel attacks. They are the kind of issues a competent penetration test would surface in an afternoon.
By most accounts the project carried a price tag of around €4M of European public funds, which makes a security and deployment outcome of this kind a particularly disappointing one.
The deeper issue is incentives. Consulting firms are paid to deliver code; they are not paid to operate it for a decade, to absorb the reputational hit when a flaw goes viral, or to hold the bag when a Member State re-skins the codebase and a teenager bypasses it on YouTube.
Private companies whose entire business is digital identity have the opposite incentive structure: their revenue, their certifications, their reputation and their next contract all depend on getting security and privacy right, every day.
The market the Commission's approach overlooked
This would be less concerning if European age verification were starting from scratch. It is not.
A market of digital identity and age verification providers — including Gataca — has spent years building solutions that are independently audited, penetration-tested, privacy-by-design, and aligned with eIDAS 2.0 and EUDI Wallet specifications.
These solutions are already in production: under AGCOM's framework for adult content in Italy, in Germany's age-verification regime, and across social media and gaming platforms.
A government-built reference implementation arrives in that market not as a complement, but as an alternative, and when that alternative ships with the kinds of issues described above, it sets the entire category back.
The timing
Even setting security aside, the timing is hard to reconcile. The Commission released this code only months before Member States' own deadlines to deliver their EUDI Wallets, which by design are perfectly capable of performing age verification, alongside many other use cases.
Why duplicate the effort? Why pour budget, political attention and public credibility into a parallel, single-purpose artefact that risks being obsolete the moment the wallets it is meant to integrate with go live?
Our take: where the European Commission can have the most impact
The European Commission is at its strongest when it regulates markets and helps them thrive sustainably, rather than executing what the market is already responsible for delivering, particularly when a compliant market already exists.
In our view, the current rollout has had three unintended consequences:
- It has put pressure on trust in the EUDI Wallet before it has even rolled out. Headlines that say "EU age verification app hacked" are read by many citizens as "EU digital wallet hacked." The technical distinction is lost in public perception.
- It has crowded out compliant private solutions with a free, government-endorsed alternative that then exhibited serious security issues, leaving Member States and platforms more hesitant to adopt anything, including audited solutions that already work.
- It has handed unnecessary ammunition to critics of government-built identity, when the underlying European digital identity project deserves a much stronger first impression.
We strongly support the Commission's intent. Our suggestion is that public funds and political capital are likely to have more impact when directed toward setting clear rules and enforcing them consistently across the board while letting the market do what it does best: build, harden, audit and operate the production-grade products that citizens actually use.
The two roles are complementary, and they are most effective when each side stays in its lane.
What "good" looks like and how Gataca can help
At Gataca, we’ve built privacy-first age verification that’s already live with relying parties across Europe, proving that a seamless experience and strong compliance can go hand in hand.
Our approach is simple:
- Facial Age Estimation: Users take a quick selfie. Our AI estimates age and confirms liveness in seconds—no ID uploads, no stored images, no personal data retained.
- Gataca App (ID Wallet): Users complete a one-time ID verification to receive a reusable proof of age in their digital wallet. From there, they can share it in one click to access your service or any platform that accepts digital ID wallets.
Crucially, this model aligns with the Digital Services Act and anticipates the rollout of the European Digital Identity Wallet, expected by the end of 2026.
If you’re navigating DSA compliance and want to do it without compromising user experience, let’s talk.
FAQ
- What was actually released on 15 April 2026? A reference, white-label open-source implementation of an age verification wallet — code, not a finished consumer app — published to a public GitHub repository.
- Was the EU Age Verification App really hacked? A demonstrator version of the app was bypassed by editing a local plain-text configuration file. Security researcher Paul Moore demonstrated PIN reset and biometric bypass in under two minutes; an Italian researcher reproduced the findings and identified additional vulnerabilities.
- Is the EU Age Verification App the same as the EUDI Wallet? No. The age verification app is a single-purpose reference implementation. The EUDI Wallet is the broader European Digital Identity Wallet, expected from Member States and capable of age verification among many other use cases.
- Does this mean the EUDI Wallet is insecure? No. The two are technically related but distinct. However, the public perception risk is real: incidents like this can be read by citizens as a generalised failure of European digital identity, which is precisely what makes the rollout so consequential.

Esther Saurí
Digital Marketing Specialist