
US Age Verification vs. eIDAS 2.0: Two Roads to Identity Assurance

10 min read. By Arbiter Team

The US and the EU are working on the same problem: how can an online service confirm a fact about a user, like age or residency, without becoming a permanent vault for that user's identity documents?

Both sides agree the status quo is broken. They disagree, almost entirely, on the fix.

If you came to this blog through the state age verification posts, this is the bridge. One regime is a state-by-state patchwork that grew up around adult content and is now creeping into social media. The other is a federal-level overhaul of digital identity across 27 member states. They share a vocabulary. They do not share a worldview.

The US road: a patchwork built on retention

US age verification did not start with a policy paper. It started with Louisiana.

Louisiana Act 440 took effect in January 2023 and forced adult content sites to verify users with a digitized ID card or a commercial database check. Texas followed with HB 18, which the Supreme Court upheld in Free Speech Coalition v. Paxton. Utah pushed further with SB 287, extending verification into social media. Then Mississippi, Virginia, Arkansas, Montana, North Carolina, and Florida.

The state laws are not coordinated. They are copied. Most of them lift the Louisiana template with small variations: a different penalty figure, a different list of covered services, a different retention window. A few states get creative. California AB 2273 skipped hard age gates entirely and required age estimation plus privacy-by-default settings for anyone who might be a minor.

What unifies the US approach is the verification mechanism. Government ID upload. Third-party verification services. Penalties measured per violation, sometimes per user, with caps that imply billions in theoretical liability for any large platform. And the part that should bother anyone reading this: explicit data retention obligations. Some statutes call for keeping verification records for years.

We covered the full state breakdown in State Age Verification Laws: 2025 Compliance Overview, and Pornhub's response to it in Why Major Platforms Blocked States Over Age Verification Laws. The compliance map is wider than most US-only platforms realize.

The EU road: a federal regulation built on selective disclosure

The EU went in a different direction. Instead of asking platforms to collect more identity data more carefully, it asked: what if the user holds the data, and the platform never sees it?

Regulation (EU) 2024/1183 entered into force on 20 May 2024 and amends the original eIDAS regulation. It is colloquially called eIDAS 2.0. The headline outcome is the European Digital Identity Wallet, or EUDI Wallet, a member-state-issued credential container that lives on a citizen's device.

A user with a wallet does not hand over a driver's license. They generate a cryptographic proof of a specific fact, like "this person is over 18" or "this person is a resident of Spain," and the relying party verifies that proof. The underlying birthdate, document number, or address never leaves the wallet. This is selective disclosure, and it is in the regulation as a legal requirement, not a marketing line.

The EU Commission Architecture Reference Framework specifies the protocols: OpenID4VP for presentation, OpenID4VCI for issuance, SD-JWT VC and ISO/IEC 18013-5 mdoc as the credential formats. The EU also funded four large-scale pilots (POTENTIAL, EWC, NOBID, DC4EU) to test wallet behavior in real workflows across member states.
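As an added example (not Arbiter's code and not an ARF reference implementation), here is the selective-disclosure mechanism from the two paragraphs above in the SD-JWT style: the issuer signs only salted digests, the wallet forwards a single disclosure, and the relying party learns that one attribute and nothing else. The issuer signature is stood in by an HMAC with a constructed key, and the issuer URL and claim names are constructed; a real SD-JWT VC carries a JWS signature whose key the relying party resolves from a trust list.

```python
import base64, hashlib, hmac, json, secrets
# Constructed demo key standing in for the issuer's JWS key (real SD-JWT VC: asymmetric JWS, key from a trust list).
ISSUER_KEY = b"constructed-demo-issuer-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name: str, value) -> str:
    # SD-JWT disclosure = base64url(JSON [salt, name, value]); the salt defeats brute-forcing a hidden value.
    return b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())

def digest(disclosure: str) -> str:
    # The signed payload binds each disclosure by the SHA-256 of its ASCII string.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict):
    """Issuer: sign a payload holding only digests; the wallet gets payload + all disclosures."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": body, "tag": hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()}, disclosures

def verify(signed: dict, presented: list) -> dict:
    """Relying party: check the signature, accept only disclosures whose digest is in `_sd`, return them."""
    expected = hmac.new(ISSUER_KEY, signed["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("issuer signature invalid")
    allowed = set(json.loads(signed["payload"])["_sd"])
    revealed = {}
    for d in presented:
        if digest(d) not in allowed:
            raise ValueError("disclosure is not bound to the signed credential")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value  # withheld claims (birthdate, name) are unrecoverable from digests
    return revealed

def age_check_demo() -> dict:
    # Wallet holds name, birthdate and an over-18 flag but presents only the flag's disclosure.
    signed, wallet = issue({"given_name": "Ana", "birthdate": "1990-04-02", "age_over_18": True})
    return verify(signed, [wallet["age_over_18"]])

def forged_disclosure_rejected() -> bool:
    # A self-asserted over-18 disclosure the issuer never signed must be refused.
    signed, _ = issue({"age_over_18": False})
    try:
        verify(signed, [make_disclosure("age_over_18", True)])
    except ValueError:
        return True
    return False
```

The relying party ends up holding a signed payload of digests and one boolean, which is all it can retain; the birthdate never crosses the wire.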

Acceptance is not optional for everyone. The regulation creates obligations for selected relying parties in specific sectors, including very large online platforms under the Digital Services Act, banking and financial services, telecommunications, energy, transport, postal services, healthcare, and education. If you are in one of those sectors and have EU users, eIDAS 2.0 is going to land on you. More detail is on the EU Commission's digital strategy landing page.

Side by side

| Dimension | US (state laws) | EU (eIDAS 2.0) |
| --- | --- | --- |
| Source of the rule | State legislatures, ~15+ states with their own statute | One regulation (EU) 2024/1183, directly applicable across 27 member states |
| Geographic scope | State by state, with geolocation and IP heuristics | Pan-EU, with cross-border interoperability built in |
| Verification mechanism | Government ID upload, commercial database checks, age estimation | User-held wallet generating cryptographic proofs |
| Data collected by the platform | Driver's license, passport, selfie, birthdate, address | A proof of a specific attribute; underlying data stays in the wallet |
| Retention by the platform | Often required for multi-year periods to demonstrate compliance | Data minimization is a legal requirement; nothing to retain beyond the verification outcome |
| Enforcement | State AGs, civil penalties per violation, private right of action in some statutes | National supervisory bodies under the regulation, coordinated at EU level |
| Privacy posture | Retroactively bolted on, often in tension with state privacy laws | Privacy by design as the regulatory starting point |
| Cross-border behavior | Each state asserts jurisdiction; VPNs and geolocation create gray areas | Wallet works across all 27 member states under the same trust framework |

What each side got right

The US states moved first on a real harm. Minors were accessing adult content with no friction. The legislatures that passed these laws did not wait for an elegant solution to arrive, and the political signal was loud enough that platforms changed behavior, even if the chosen behavior was to block entire states. The Supreme Court ruling in Paxton, whatever you think of it, ended years of ambiguity about whether such laws could survive constitutional challenge.

The EU is right about the architecture. Selective disclosure is not science fiction. The cryptography is settled, the protocols are public, the credential formats are standardized, and the wallets are being issued. Building privacy minimization into the legal definition of acceptable verification, rather than treating it as a vendor's marketing claim, is the part US lawmakers have not figured out how to do.

What each side got wrong

The US patchwork built retention honeypots. We made the case at length in Data Breach Exposure in Traditional KYC Workflows, and the math has not changed since. Every platform forced to retain a database of government IDs for years is a future incident report. The vagueness in most statutes about what counts as "reasonable" verification ensures the rules will be clarified by lawsuits rather than guidance. And the geolocation requirements assume an internet that does not actually exist.

The EU's problem is timing. Member states are working toward the wallet rollout, but a regulation only changes behavior when implementations are in users' pockets. There is real risk that acceptance obligations land before adoption is meaningful. Platforms in scope have to integrate ahead of a population that may not yet have a wallet to present. That is not a reason to skip the work, but it does mean the EU regime will go through an awkward middle period where the legal duty exists and the user-side rails are still filling in.

What a US platform should watch in the EU

If you are a US company and you have EU users in any of the sectors with acceptance obligations, eIDAS 2.0 will reach you regardless of where you are headquartered. The pattern is similar to GDPR. Establishment is not the trigger; targeting EU users is.

The concrete things to watch: which member states publish wallet implementations first, what their acceptance timelines look like, and what trust list infrastructure you need to integrate with. If you operate a regulated finance product or a healthcare workflow with EU patients, this is closer to a 2027 problem than a someday problem. The deadline context is the December 2026 wallet issuance window, with private-sector acceptance obligations following.

What an EU operator should know about the US patchwork

Coming from a regulation-first culture, the US looks chaotic, because it is. Three things matter most for an EU operator with US exposure.

First, you cannot reuse your EUDI Wallet integration to satisfy US state age laws. The US statutes do not recognize wallet-based selective disclosure as a compliance path. You will need a separate verification mechanism for US users, today, even if you have an elegant wallet flow for EU users.

Second, US age verification is no longer scoped to adult content. Utah and other states have moved into social media, and California's age-appropriate design code applies to any service likely to be accessed by minors. If you launch a US consumer product, you should assume some form of age verification or age estimation will become part of your roadmap.

Third, enforcement is uneven and unpredictable. State attorneys general decide what to pursue. Class action plaintiffs decide what is worth filing. Pre-emption from a future federal law could rearrange the map. Plan for the rules to keep moving.

Convergence, or not

So will the US move toward something more EUDI-like?

Not in the next year or two. The political vocabulary in the US around identity wallets is still tangled up with mobile driver's license programs at the state level, and there is no federal vehicle that looks like the EU's regulation. The closest pieces of federal legislation, KOSA and COPPA 2.0, do not mandate a privacy-preserving verification architecture. They mandate verification and leave the architecture open.

Here is the prediction. US states will keep passing age verification laws on the current template until something embarrassing happens. A breach at a large verification vendor. A class action that connects a specific harm to a specific retained dataset. A First Amendment ruling more skeptical than Paxton. When that happens, the public conversation will shift to the question the EU has already answered: can you verify without retaining? At that point, the building blocks of eIDAS 2.0 (selective disclosure, user-held credentials, cryptographic proofs) will sit in a public specification, with working implementations across 27 countries. The US will not adopt them by treaty. It will adopt them because the alternative will have failed loudly enough.

The honest read: the US regime is doing real work on a real problem and paying for it in privacy. The EU has the right architecture and is racing the clock on rollout. A platform that has to live in both worlds should not wait for either side to converge. Build verification flows now that assume privacy-preserving rails are the destination, even where US law currently tolerates the older approach.


How Arbiter fits

Arbiter is a relying-party API for EUDI Wallet acceptance in regulated health and finance. We focus on the EU side of this picture: selective disclosure, multiple credential formats, trust list synchronization, and the OpenID4VP profiles that the EU Commission's Architecture Reference Framework calls for. If you have an EU footprint in a sector with acceptance obligations, that is the conversation we are built for.

Request a briefing to scope your wallet acceptance work.


Disclaimer: General information, not legal advice. Engage qualified counsel for your specific compliance scope in either jurisdiction.
