British Standards Institution publishes international framework to support trustworthy age assurance online

Published on 31 March 2026

The question

What are the new standards on effective age assurance recently published by the British Standards Institution (BSI)?

The key takeaway

BS ISO/IEC 27566-1:2025 (the Standard), the UK implementation of the ISO/IEC 27566-1 Directive, sets out a practical framework and the core characteristics of a trustworthy age assurance system to enable "age-related eligibility decisions". Among other goals, it aims to support organisations that are designing or assessing age assurance systems.

The background

As concerns grow over young people's exposure to harmful content online and regulators worldwide impose stricter protections for children, age assurance (methods used to estimate or verify a user's age) has become critical. However, fragmented approaches and privacy concerns have acted as a barrier to effective implementation. As noted by BSI: "OECD research found that just two in 50 online services aimed at children systematically assure age at account creation", while BSI's research also found that 42% of UK adolescents have faked their age to access online content.

The development

Published on 31 December 2025 and developed with significant UK expert input, the Standard addresses key issues with current age-assurance methods including a lack of user trust, "unclear processes, weak controls, and disproportionate data use."

The Standard establishes characteristics for robust systems covering effectiveness, privacy protection, security safeguards, and user acceptability. By focusing on outcomes and defining what "good" looks like, rather than the technologies used, it aims to support organisations in designing systems, enable policymakers to set outcome-focused requirements, and promote clearer expectations around privacy and usability.

The Standard’s emphasis on guidance contrasts with the more direct approach taken by the European Commission, which is working with Member States to develop a harmonised model for age assurance across the EU (see the Spring 2025 edition of Snapshots which covers the EDPB's statement on age assurance technologies). For example, the Commission is currently piloting a software solution in the form of an app based on its Age Verification Blueprint. This app will enable users to prove they are above a certain age without disclosing any additional personal information. The Blueprint also sets out the required technical specifications of the software, allowing the tool to be deployed either as a stand‑alone app or integrated as an age‑verification feature within existing digital identity wallets. This shows that, unlike the BSI, the European Commission is as much focused on the technologies used for age verification as it is on the guidance which underpins compliance.

The Standard is the first in a planned series, with Parts 2 and 3 currently in development to provide technical implementation guidance and comparison approaches.

Why is this important?

As regulators across jurisdictions begin to scrutinise age assurance requirements and how providers are protecting children online, the Standard offers guidance and a best practice framework for online platforms and service providers to follow. Its emphasis on preserving privacy helps find a balance between regulatory compliance and avoiding excessive data collection, which could otherwise increase a provider's exposure to data protection breaches or reputational damage. Additionally, its flexible, outcome-focused approach aligns with regulatory and legal trends which tend to favour proportionate and risk-based measures over blanket identity verification.

Any practical tips?

Organisations should consult the Standard at an early stage when designing or reviewing age assurance measures. In line with the approach taken by the BSI and the European Commission, non‑intrusive, privacy‑preserving methods should be prioritised, and unnecessary biometric data or excessive storage should be avoided to ensure compliance with the GDPR. Clear communication about how age checks operate and what data is processed is also important in building user trust. Where personal data is involved, completing a DPIA will further strengthen compliance.

 

Spring 2026
