3 February 2026 – An international framework to support consistent, trustworthy age assurance information security practices worldwide has been published by BSI, amidst growing focus on young people’s exposure to harmful content online.
BSI’s research has found that almost half (47%) of UK adolescents wish they were growing up in a world without the internet, while 50% say a social media curfew would improve their lives. At the same time, 42% had pretended to be a different age to access online content, highlighting the importance of reliable age assurance – the process for determining age of online users.
Despite this, fragmented approaches and ongoing concerns around privacy, security, bias and user acceptability have acted as barriers to effective age assurance. OECD research found just two in 50 online services aimed at children systematically assure age at account creation[1].
Information security, cybersecurity and privacy protection — Age assurance systems — Framework (BS ISO/IEC 27566-1), which is available now for use by those running online platforms and content services, aims to provide a clear, internationally agreed framework and core characteristics for age assurance systems. Initiated and developed with significant input from UK experts, it is intended to support organizations and policymakers in making age-related eligibility decisions without mandating full identity verification in all cases, thereby fostering public trust by not taking unnecessary data. This approach can also benefit firms by reducing complexity and enable privacy by default through data minimisation and selective disclosure.
Last week, the UK Government announced it would consult on a potential social media ban for under-16s, following the Australian example and the introduction of the Online Safety Act. These moves reflect rising expectations for protections that are effective, proportionate and respectful of individual rights. Internationally, regulators are converging around similar principles through initiatives like the EU Digital Services Act and the EU Digital Identity Wallet.
BSI’s research found that two-thirds of young Britons were spending more than two hours on social media daily, with parents left in the dark by their children’s online activities. 42% admitting to lying to adults about what they do online, over a quarter (27%) had pretended to be a different person online, and 40% had set up fake or decoy accounts.
The findings point to a strong need for robust privacy safeguards, clearer protections, and more trustworthy approaches to age-related access online. BS ISO/IEC 27566-1 responds directly to issues that have eroded market confidence in age assurance thus far, including unclear processes, weak controls and disproportionate data use. It describes characteristics that support functionality, performance, privacy protection, security safeguards and user acceptability, across both digital and physical contexts.
Rather than mandating specific technologies or a single approach, the standard sets out the characteristics of robust age assurance systems and defines what good looks like, across effectiveness, privacy, security and acceptability. It is intended to support organizations in designing and assessing age assurance systems, enable policymakers to set outcome-focused requirements without forcing identity verification, and promote clearer expectations for individuals around privacy, transparency and usability, helping to build trust and acceptability.
Laura Bishop, Digital Sector Lead Artificial Intelligence & Cyber Security, BSI said: “Safeguarding the online well-being of adolescents and children is paramount, and we are seeing evidence of worrying behaviours. At the same time, the digital world is here to stay and we need to focus on fostering human-centric design of platforms, then empowering children and parents through education to navigate them safely.
“Age assurance is a vital tool in the armoury of creating an online world in which children can thrive safely and securely, while still building the skills and digital literacy they will need throughout their lives. BS ISO/IEC 27566-1 can act as a starting point in our journey towards a safe online world, by providing a practical framework establishing clear characteristics for trustworthy systems.”
BS ISO/IEC 27566-1 is relevant to policy makers and regulators; organizations providing age-restricted goods, content or services; age assurance and technology providers; and online platforms and content services. It is the first in a planned series. ISO/IEC 27566-2[2] and ISO/IEC 27566-3[3], currently in development, will build on this foundation and further support consistent, trustworthy age assurance globally.
The UK played a pivotal role in its development, with UK expert leadership in the editorial process and coordinated input via BSI’s national committee on age assurance (IST/33/5/5) into ISO/IEC JTC 1/SC 27 Working Group 5 on Privacy Technologies and Identity Management. This collaborative effort brought together expertise from regulators, industry, civil society and assurance communities, supporting international alignment and practical adoption.
For further information on the standard, visit BS ISO/IEC 27566-1:2025
