AGCOM tightens regulations on video platforms: introduction of age verification systems

On April 18, 2025, the Italian Communications Authority (AGCOM) adopted Resolution No. 96/25/CONS, marking a significant step forward in the protection of minors online, in implementation of Law No. 159 of November 13, 2023, better known as the “Caivano Decree”. 

The measure establishes the technical and operational procedures necessary to ensure reliable age verification for users accessing content deemed potentially inappropriate for minors, distributed via video-sharing platforms or certain websites accessible from Italy—particularly pornographic sites. Obligated entities will have six months from the date of publication to comply with the provisions of the resolution.

Let us now examine in detail the main changes introduced.

The age verification system introduced by the new resolution is structured in two distinct but complementary phases. The first phase involves user identification, which must be carried out using certified digital identity systems, such as SPID or the Electronic Identity Card (CIE). The second phase consists of user authentication for each session, in order to ensure that access to regulated content is granted only to adult and previously identified users.

​​​

However, such a regulatory framework inevitably involves significant processing of personal data, especially concerning identifying and documentary information, which — if improperly managed — could pose serious risks to the rights and freedoms of individuals. To mitigate these risks and ensure a high standard of data protection, the resolution requires the involvement of certified third parties, acting as trusted intermediaries between the user and the platform, independently and separately performing the age verification functions. This mechanism ensures that the verifier is unable to know the identity of the platform the user intends to access, and the platform does not receive any identifying data about the user. 

In this context, the certified third-party intermediary, although operating within a complex system that enables the platform to function properly, does not act as a processor but rather as an autonomous data controller pursuant to Article 4(7) of Regulation (EU) 2016/679 (GDPR). It is the intermediary who determines the purposes and means of the data processing carried out during the age verification procedure, being directly responsible for GDPR compliance, while the “target” platform receives and processes no personal data whatsoever. This technical and organizational framework fully aligns with the data minimization principle under Article 5 of the GDPR, avoiding unnecessary processing and strengthening user control over their personal data.

In defining the regulatory framework for age verification systems, AGCOM has adopted a technologically neutral approach, avoiding the prescription of specific technical solutions, but instead establishing a series of binding principles that all systems must comply with. These include the principle of proportionality—meaning an appropriate balance between the tools used for age verification and the impact on users’ fundamental rights—data protection, cybersecurity, accuracy and effectiveness in age determination, as well as accessibility, inclusivity, and user-friendliness.

​

These requirements are complemented by the obligation to ensure non-discrimination, user training and information, and the availability of effective complaint management mechanisms. Furthermore, systems implemented must progressively align with the guidelines to be adopted by the European Commission, allowing for amendments and updates to the resolution to ensure coherent alignment with EU law and technological developments in the sector.

It should be noted, however, that the resolution focuses exclusively on age verification systems, without directly addressing the issue of parental control. Consequently, the obligation to comply with the regulation primarily concerns the operators of video-sharing platforms and websites that distribute pornographic content in Italy, who must implement effective age verification systems to ensure secure and restricted access to adult content.

A regulatory approach that considers parental control as an integral part of online minor protection would be more comprehensive and effective, ensuring not only the restriction of access to inappropriate content but also the active and informed protection of younger generations in the vast digital landscape.

In light of AGCOM Resolution No. 96/25/CONS, obligated entities — namely video-sharing platforms and websites that distribute pornographic content accessible from Italy — must adopt, within six months of the resolution’s publication, a series of concrete measures aimed at full compliance with the new regulatory provisions. It should be noted that failure to comply within the established deadlines will result in the initiation of sanctioning procedures by AGCOM. According to Article 1, paragraph 31, of Law No. 249/1997, as referenced by the Caivano Decree, entities that fail to comply with the Authority’s orders or warnings may be subject to substantial financial penalties.

Therefore, to comply with the regulatory requirements, the recipients of the Resolution must: