Age verification in France: What ARCOM and the SREN law require in 2026
Key Takeaways (TL;DR)
- French age verification is governed by the SREN Law (May 2024) + ARCOM’s October 2024 technical reference, anchored in Article 1 of Law n° 2020-936.
- Any platform with adult content reachable from France must verify age every session, before any content loads.
- Since April 11, 2025, at least one accepted method must satisfy double anonymity — site never sees the user’s identity, provider never sees the site visited.
- Card-based-only solutions no longer qualify on their own.
- Penalties: up to €150,000 or 2% of worldwide turnover, whichever is higher.
- ARCOM can order ISPs and DNS resolvers to block non-compliant sites within 48 hours, upheld by the Conseil d’État.
- ARCOM issued formal notices to five EU-established sites on August 1, 2025.
- The EU age verification app (April 15, 2026) brings the same model EU-wide via Zero-Knowledge Proofs. France is a frontrunner pilot member.
On August 1, 2025, ARCOM issued formal notices to five pornographic sites established in the European Union, accessible to French users, after finding no age verification measures in place. The notices arrived under the SREN Law, the regulation France passed in May 2024 to close the gap between requiring age verification and proving it. French age verification regulations have hardened faster than most platforms expected, and the operational definition of the word “verify” has tightened with them. If your service can be reached by a French user and exposes age-restricted content, you are now operating under one of the most prescriptive online age verification regimes in the EU. Here is what the law requires, what enforcement looks like, and where compliance is heading next.
What does French age verification law require?
French age verification law is anchored in Article 1 of Law n° 2020-936 and was strengthened by the SREN Law (Law n° 2024-449) of May 21, 2024. Together they require that any platform hosting pornographic content and accessible from France must verify the age of every user, every session, before any adult content loads. ARCOM, the French audiovisual and digital communication regulator, is the authority named to oversee compliance. On October 11, 2024, it published the final technical reference that defines what an acceptable age verification system must do.
The reference imposes four operational requirements. Verification must happen at session level, not at first registration. The platform must not display pornographic content on its home page before the user is verified. The verification must be secured against credential sharing and resistant to deepfake-assisted attacks. And at least one available method must satisfy a privacy principle called double anonymity, the central technical idea of the French regime. After an initial transition window, only solutions meeting these four conditions count as compliant.
What does ARCOM’s double-anonymity standard actually require?
ARCOM’s double-anonymity standard requires that the platform never sees who the user is, and the verification provider never sees what platform the user is visiting. The site receives a yes-or-no signal that the user is over 18. The provider issuing that signal handles the identity data on a separate system that has no contact with the site. Neither side can re-identify the user against the platform they accessed.
The failure mode regulators flag most often is single-system age checking. A platform that relies on card-based verification, or that runs identity capture on the same infrastructure that holds the user’s adult-content session, fails the test even if the capture itself is accurate. The two flows must be operated by legally and technically independent providers. Since April 11, 2025, double anonymity has been mandatory. Card-based-only solutions, allowed under the three-month transition window described in the Bird & Bird summary of the standard, no longer qualify on their own.
Practical compliance usually pairs two methods. A document-based check (passport or national ID) plus a biometric age estimation, with each method delivered by a separate provider, is the structure most major sites have moved to. The platform calls the orchestration layer, the orchestration layer calls each provider, and the platform receives only the over-18 signal at the end of the chain.
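A platform can test the two halves of the double-anonymity property against captured traffic from its own integration. The Python sketch below is an added example, not code from ARCOM's reference or from any provider: it flags provider-bound requests that name the site and platform-bound results that carry more than the over-18 signal. The hostnames, field names, and allow-list are assumptions chosen for illustration, and the captures are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Assumed names for this sketch; map them to your own integration.
SITE_HEADERS = {"referer", "origin"}             # headers that name the calling site
IDENTITY_KEYS = {"name", "given_name", "family_name", "birthdate",
                 "email", "document_number", "face_image"}
ALLOWED_SITE_KEYS = {"over_18", "nonce", "exp"}  # all the platform should ever receive

def walk(obj, prefix=""):
    """Yield (dotted_path, key) for every key in nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            yield path, k
            yield from walk(v, path)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{prefix}[{i}]")

def audit_provider_request(url, headers, site_hosts):
    """Return findings where a provider-bound request reveals the site visited."""
    findings = [f"header:{h}" for h in headers if h.lower() in SITE_HEADERS]
    for key, value in parse_qsl(urlsplit(url).query):
        if any(host in value.lower() for host in site_hosts):
            findings.append(f"query:{key}")
    return sorted(findings)

def audit_site_payload(body):
    """Return findings where the platform-bound result carries more than the signal."""
    findings = []
    for path, key in walk(json.loads(body)):
        if key.lower() in IDENTITY_KEYS:
            findings.append(f"identity:{path}")
        elif path == key and key not in ALLOWED_SITE_KEYS:
            findings.append(f"unexpected:{path}")
    return sorted(findings)

# Constructed captures: one leaky integration, one clean one.
SITE = ["adult-site.example"]
LEAKY_REQ = ("https://provider.example/verify?return_url=https%3A%2F%2Fadult-site.example%2Fcb",
             {"Referer": "https://adult-site.example/", "Accept": "*/*"})
CLEAN_REQ = ("https://provider.example/verify?nonce=4f1c9a", {"Accept": "*/*"})
LEAKY_BODY = '{"over_18": true, "profile": {"birthdate": "1990-01-01"}}'
CLEAN_BODY = '{"over_18": true, "nonce": "4f1c9a", "exp": 1767225600}'

if __name__ == "__main__":
    print(audit_provider_request(*LEAKY_REQ, SITE), audit_site_payload(LEAKY_BODY))
    print(audit_provider_request(*CLEAN_REQ, SITE), audit_site_payload(CLEAN_BODY))
```

An empty findings list on both sides shows only that these particular leaks are absent from the captures; it does not establish the legal and technical independence of the provider.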
What happens if you fail to comply?
Non-compliance with the French age verification regime carries financial, operational, and reputational consequences. ARCOM may impose a fine of up to €150,000 or 2% of the platform’s worldwide turnover (excluding VAT) for the previous financial year, whichever is higher. For a mid-sized digital platform, the percentage cap is the larger of the two figures, and the global revenue base means non-EU operators are not exempt.
The operational consequence is faster. ARCOM may order internet service providers and DNS resolvers to block the addresses of non-compliant sites within 48 hours, with no further court process required. On February 26, 2025, a ministerial order designated five EU-established sites as in scope under the SREN Law, and on August 1, 2025, ARCOM issued formal notices to those sites for failing to implement age verification. The Conseil d’État, France’s highest administrative court, upheld the order when it was challenged.

The reputational consequence is the one most platforms underestimate. Once ARCOM publishes a formal notice, the platform’s exposure to French users runs on a 48-hour clock to either comply or be made unreachable. Several large platforms that resisted the regime ended up self-blocking France rather than carry the public enforcement record.
How does the EU age verification app change the picture?
On April 15, 2026, the European Commission announced that the EU Age Verification Solution, a privacy-preserving mini-wallet built on the same technical specifications as the European Digital Identity Wallet under eIDAS 2.0, is ready for pilot rollout. France is one of seven frontrunner member states, alongside Denmark, Greece, Italy, Spain, Cyprus, and Ireland, integrating the app into their national EUDI Wallets.
The model relies on Zero-Knowledge Proof cryptography. A user proves they are over 18, 15, or 13 without disclosing name, date of birth, or document image. The check runs on the device, the platform receives a cryptographic yes-or-no signal, and no identifying data leaves the phone. Functionally, the architecture is the same as ARCOM’s double-anonymity standard, lifted to the EU level and run from a citizen-held wallet rather than a third-party provider.
The practical implication for a France-facing platform is twofold. The EU app is being designed to satisfy ARCOM’s standard, so platforms that accept it inherit French compliance through a single integration. And as EUDI Wallet issuance becomes mandatory across the EU by the end of 2026, the same wallet flow will extend to age-gating obligations under the Digital Services Act and emerging frameworks in other member states. The platforms that build to accept wallet credentials now will be ahead of the next regulatory cycle.
How Shufti helps platforms meet ARCOM age verification rules
A France-facing platform discovering it falls within the SREN Law’s scope usually finds the same gap. The age verification stack it has, built around card-based gating or a single-vendor capture flow, does not satisfy ARCOM’s double-anonymity test. The structural problem is that most age verification was assembled from components that share a back-end, which by design cannot prove independence between site and provider.
Shufti’s age verification combines document-based age confirmation and biometric age estimation, delivered through a technical layer separate from the site itself, so the over-18 signal arrives at the platform without identity data attached. The biometric layer runs on Shufti’s owned liveness engine, which holds iBeta Level 3 conformance under ISO/IEC 30107-3, the highest published independent standard against deepfake and presentation attacks. That ownership matters in a regime that names deepfake resistance as an explicit verification requirement.
Frequently Asked Questions
What are the age verification laws in France?
French age verification law combines Article 1 of Law n° 2020-936 with the SREN Law (Law n° 2024-449) of May 2024 and ARCOM's October 2024 technical reference. Together they require session-level age checks on platforms hosting pornographic content accessible to French users.
Is age verification mandatory for adult websites in France?
Yes. Any site hosting pornographic content and accessible from France must verify the user's age on every session before any adult content loads. The requirement applies to sites established outside the EU as well as inside, and ARCOM can order ISP blocking within 48 hours for non-compliance.
What does ARCOM require for age verification?
ARCOM requires that age verification happens at session level, that the home page displays no pornographic content before verification, that the system resists credential sharing and deepfake attacks, and that at least one available method satisfies the double-anonymity principle.
How do French age verification rules compare to GDPR?
French age verification rules extend the GDPR data-minimization principle into a specific architecture called double anonymity. GDPR requires processing only necessary data. ARCOM goes further by requiring that the verifying provider and the receiving platform never share identity data with each other.
What solutions comply with French age verification law?
Compliant solutions pair two independent age-proof methods, usually a document check and a biometric age estimation, delivered by a provider legally and technically separate from the site. Card-based-only solutions, valid during the 2025 transition window, no longer qualify on their own under the standard.
What are the age verification requirements for websites operating in France?
Websites operating in France that host age-restricted content must verify the user's age before each session, run that check through an independent provider, secure the flow against deepfake attacks, and offer at least one method that meets ARCOM's double-anonymity standard.
How does France enforce age verification for adult content platforms?
ARCOM issues formal notices to non-compliant platforms, and after a short remediation window, can fine them or order internet service providers and DNS resolvers to block them within 48 hours. The Conseil d'État has upheld this enforcement authority on appeal.
Which age verification solutions comply with French ARCOM regulations?
Solutions that combine document-based age confirmation and biometric age estimation, are delivered by a provider technically and legally independent from the website, and prove no identity data flows back to the platform meet ARCOM's technical reference. The EU Age Verification App qualifies once issued.
What is the penalty for non-compliance with age verification laws in France?
ARCOM may impose a fine of up to €150,000 or 2% of worldwide turnover (excluding VAT) for the previous financial year, whichever is higher. ARCOM may also order ISPs and DNS providers to block the non-compliant site within 48 hours of the formal notice.
