Gataca logo

Gataca Updates

5 min read

Gataca Vouch earns ISO/IEC 27566 certification: what it means and why it matters

July 2, 2026

Getting certified is always good news. But some certifications go beyond the badge, and this is one of them.

The laws already existed. What didn't exist was an international technical standard defining exactly how to verify age correctly, privately and consistently across jurisdictions. ISO/IEC 27566 arrived in December 2025 to fill that gap. For the first time, businesses have a clear benchmark to evaluate which age verification systems actually do it right.

When that benchmark appeared, Vouch was already ready.

Building the technology years before the standard existed is what made the certification possible. In June 2026, just six months after its publication, we earned a 'Highly Effective' rating, awarded only to systems that exceed 95% effectiveness.

What is ISO/IEC 27566?

ISO/IEC 27566 is the first international technical standard for online age assurance systems. It defines what it means to verify age correctly: with privacy and security, having consistency across multiple jurisdictions.

Before its publication, the market operated in a technical vacuum. Laws said what needed to be done, verify that the user meets the minimum age requirement, but not how to do it properly. The result was a fragmented ecosystem, because every provider was implementing their own approach, every jurisdiction was interpreting requirements differently, and businesses operating across multiple markets were facing a regulatory puzzle with no clear solution.

ISO/IEC 27566 changes that. It turns the generic effectiveness, privacy, and security requirements found across different age-verification regimes into a single harmonized technical framework, giving service providers and regulators a shared understanding of what a highly effective system looks like, whether operating under EU, UK, or US state law.

The certification process evaluates privacy, security, accessibility, governance, and risk management controls in depth. The "Highly Effective" rating, the highest available, is awarded only to systems that exceed 95% effectiveness across that evaluation.

The regulatory context: why this matters now

Age verification online is not a new problem. But the regulatory pressure around it has never been this intense or this coordinated.

In the European Union, the Digital Services Act requires platforms to implement effective measures to protect minors. The eIDAS 2.0 regulation, which establishes the framework for the EUDI Wallet, reinforces the principle that identity verification, including age, must be:

  • Secure
  • Interoperable
  • Privacy-preserving.

Users should be able to verify who they are without exposing more data than necessary, and businesses must be able to prove it.

In the United Kingdom, the Online Safety Act places specific obligations on digital platforms to prevent minors from accessing inappropriate content. Ofcom (UK communications regulator) has defined four criteria that any age verification solution must meet to be considered compliant:

ISO 27566 banner.jpg

  • Technical accuracy: the system must correctly determine whether a user is a child or an adult under test lab conditions.
  • Robustness: the system must perform reliably across real deployment contexts, not just controlled environments.
  • Reliability: age assurance outputs must be reproducible and derived from trustworthy evidence.
  • Fairness: the system must avoid or minimise bias and discriminatory outcomes, particularly for AI and machine learning methods.

Vouch meets all four. The ISO/IEC 27566 certification process evaluates systems against exactly these criteria, which is why earning a "Highly Effective" rating carries weight beyond a technical audit.

In the United States, 24 states have passed or are processing legislation requiring platforms to verify user age. The regulatory map is complex and still evolving.

How Vouch works

Vouch supports three complementary age verification methods, adapted to different levels of trust and different use cases.

  1. Identity wallet verification is the highest-trust method and the most aligned with eIDAS 2.0. The user shares a reusable digital credential from their identity wallet. The platform receives only the result: eligible or not eligible. No documents, photos or personal data. The EUDI Wallet rolls out across Europe under eIDAS 2.0, and as Google and Apple expand support for Pass IDs and Mobile Driver Licenses, this method is expected to become the most widely adopted form of age verification within the next couple of years.

  2. Facial age estimation is designed for contexts where the user doesn't yet have a wallet. It uses a privacy by design model and a certified provider. The system estimates the user's age from an image without storing biometric data or personal information. If the result is inconclusive, it automatically redirects to wallet verification.

  3. Passkey re-verification allows reuse of a previous age verification through device-bound authentication. This means that users don't need to verify again every time they access a platform. Once verified, the reuse process takes a single click.

In all three cases, the platform requesting the verification only receives the eligibility result. Again, no personal data, age estimates, credential details are shared.

Beyond privacy, the real shift is for the user.

Beyond privacy, the real shift is for the user.

Highly Effective rating

Certifications like this one allow us to reinforce on two things. First, that our technology is reliable and independently validated by recognized institutions. Second, and more importantly, that rigorous privacy and a smooth user experience can coexist. On one hand, what the user sees is a single click and a reusable verification. On the other, what's running in the background is a system that has been independently audited against the strictest international criteria.

And for businesses, that translates into three concrete things: less time justifying compliance to regulators, less time evaluating whether a provider actually meets the bar, and the confidence that external audits ensure that bar is maintained over time

Media companies in regulated markets face the same equation: meeting increasingly strict age verification online requirements without penalizing their users' experience. An age verification system that slows down onboarding or creates drop-off during access has a direct cost on conversion.

One more step toward trustworthy digital identity

This certification is not the finish line. It's the validation of an approach we've been building for years: that it's possible to verify users rigorously through privacy-preserving age verification, without creating unnecessary friction and without relying on solutions that were obsolete before regulation caught up with them.

The certification process was conducted by the Age Check Certification Scheme team, who conducted a rigorous evaluation process.

To learn more about how Vouch can help your platform meet age verification requirements, contact us.

Ana Wedfry profile photo
Ana Wedfry

Marketing