The European Parliamentary Research Service (EPRS) has called virtual private networks (VPNs) “a loophole in the legislation that needs closing,” warning that surging VPN adoption is undermining age verification frameworks across Europe and the United States, weeks after a researcher publicly bypassed the EU’s own age-checking app in under two minutes.

The EPRS briefing, published this week, tracked VPN download spikes following age verification enforcement in the UK and several U.S. states.

Virtual private networks #VPN are increasingly used to bypass online age verification.

Protecting children online is a priority, with new rules being implemented requiring a minimum age for access to some services

Read👉 https://t.co/XKK8ACwgtf#DSA @EP_Justice @FZarzalejos pic.twitter.com/kqzqTVGkRI

— European Parliamentary Research Service (@EP_EPRS) May 6, 2026

One developer reported an 1,800% increase in downloads in the first month after the UK’s Online Safety Act took effect in July 2025. Proton VPN recorded a 1,400% spike in new sign-ups during the same period.

EU Executive Vice-President Henna Virkkunen said at an April 29 press conference that VPN circumvention would need to be addressed. “Of course, it’s an important part of the next steps also to look at that it shouldn’t be circumvented,” Virkkunen said.

The EPRS paper arrived less than a month after security consultant Paul Moore demonstrated on April 15 that the EU’s official age verification app stored facial images as unencrypted files. Moore found that biometric authentication could be bypassed by toggling a single true/false value in a configuration file and reproduced a full bypass in under two minutes. French researcher Baptiste Robert independently confirmed the findings.

Hacking the #EU #AgeVerification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.

1. It shouldn’t be encrypted at all – that’s a really poor design.
2. It’s not… https://t.co/z39qBdclC2 pic.twitter.com/FGRvWtWzaZ

— Paul Moore – Security Consultant (@Paul_Reviews) April 16, 2026

Utah’s Senate Bill 73 (SB 73), the Online Age Verification Amendments, took effect May 6, making Utah the first U.S. state to hold websites liable for VPN users accessing adult content. Digital rights group Fight for the Future called the law “impossible by design” to enforce. However, enforcement of the specific VPN-related provisions is paused until September 3, 2026, following a lawsuit from Aylo, AVN reported.

On May 5, 19 organizations including Mozilla, the Electronic Frontier Foundation (EFF), Proton, and the Tor Project urged UK ministers to reject age-verification proposals for VPNs. “Restricting the use of privacy-preserving technologies undermines efforts to empower users to navigate the web safely and to develop digital literacy,” Mozilla said.