Reddit Shows What Regulation Looks Like in Practice
On 24 June 2026, Reddit announced that it would automatically switch teen accounts in the EU to the most restrictive privacy settings – permanently locked in for 13- to 15-year-olds, set as a changeable default for 16- and 17-year-olds – and tie access to NSFW content to age verification going forward. The announcement came immediately after the European Commission’s third and final meeting of the “Special Panel on child safety online” on 16 June 2026, and coincided with ongoing DSA enforcement proceedings against several adult-content providers.
Reddit is responding to regulatory pressure coming from several directions at once. The European Commission is currently advancing youth protection in digital services not only through legislation and guidelines, but also through active enforcement. This article looks at the role the Digital Services Act (DSA) plays in this, who Article 28 DSA actually applies to, where matters are headed next, and which other rules apply alongside it.
The DSA at a Glance: A Tiered System of Obligations
The Digital Services Act (Regulation (EU) 2022/2065) has been fully applicable since 17 February 2024 and sets out the obligations of intermediary service providers in the EU. Its tiered system of obligations imposes requirements of varying scope depending on the type and size of the service – from basic transparency and reporting rules for all intermediary services, through additional obligations for hosting services and online platforms, up to the strictest requirements for very large online platforms and search engines (VLOPs/VLOSEs).
This tiering matters for correctly gauging the reach of individual provisions, such as Article 28 DSA discussed here: not every obligation applies to every service provider in the same way.
Who Does Article 28 DSA Actually Apply To?
Article 28 DSA is specifically addressed to providers of online platforms that are accessible to minors. What matters is not whether a service is expressly aimed at minors, but whether minors can access and use it at all. This covers, in particular, social networks, video and sharing platforms, and comparable services with user-generated content, such as Reddit. Under Article 19 DSA, micro and small enterprises within the meaning of EU Recommendation 2003/361/EC are exempt from the additional obligations for online platforms (Articles 19–28 DSA) and therefore also from Article 28 DSA. Purely B2B services and platforms without any meaningful accessibility to minors likewise fall outside the scope of the provision.
Nevertheless, this classification is not limited to traditional social networks. Even services that do not primarily function as social-media platforms could be covered, based on specific features typical of such platforms.
If one or more of these features are present, services that are not traditional social media platforms may also be affected. Not least, this could include online games with public chat features or marketplaces for virtual goods, messaging services with public channels or groups, AI chatbots and virtual companions with personalized interaction, learning platforms with forums or social profiles, livestreaming services with viewer chat, as well as marketplaces and classifieds portals with user-generated listings.
Whether an obligation under Article 28 DSA actually applies in a given case depends on an overall assessment. The decisive factors are, in particular, the wording of the terms and conditions as well as the actual user structure known to the provider—and not the service’s original target audience alone.
What the Guidelines Specifically Require from Providers
Article 28(1) DSA requires covered platforms to take appropriate and proportionate measures to ensure a high level of privacy, safety and security for minor users. The wording was deliberately left open and required further specification by the Commission.
That specification followed on 14 July 2025 in the form of guidelines containing a non-exhaustive list of risk-appropriate measures against grooming, harmful content, addictive design and cyberbullying. Key recommendations include:
- Accounts of minors set to private by default, to guard against unwanted contact and data access;
- Age verification for access to adult content (e.g. pornography, gambling), and age estimation where contractual minimum ages differ;
- A risk-based approach that takes account of the platform’s nature, size, purpose and user base.
For platform operators, this may mean adjusting default settings, implementing technical age verification or estimation procedures, and documenting a risk assessment of their own service functions – the kind of measures Reddit has now put in place.
Digital Age Verification Is Coming: The EU Wallet on Its Way
In practice, the guidelines are complemented by the age-verification solution developed by the Commission (the “mini wallet”), which allows users to prove their age without disclosing any further personal data. It is technically compatible with the forthcoming EU Digital Identity Wallet and has been “feature ready” since 15 April 2026, meaning Member States and market participants can now build on it. The Commission is aiming for a Union-wide rollout of both solutions by the end of 2026. For platform operators, this points toward a single, EU-wide standard for age verification that is set to replace the patchwork of approaches used by providers so far.
How Old Is Old Enough? The Current EU Debate on Fixed Age Limits
At the same time, a fixed minimum age is under discussion. In a resolution of 26 November 2025, the European Parliament called for an EU-wide age limit of 16 for social media, video platforms and AI companions that pose risks to minors, subject to parental consent, together with a general access ban for children under 13. At national level, the expert commission “Child and Youth Protection in the Digital World,” set up by Federal Minister Karin Prien in September 2025, presented a total of 56 recommendations on 24 June 2026. According to press reports, these are said to include two alternative approaches: a statutory age limit of 13 combined with effective age verification, or service- and function-specific restrictions based on risk assessment. The ministry does not plan to publish the full recommendations until mid-July 2026. Minister Prien herself has already spoken out in favor of the first alternative. Neither approach has yet been implemented into binding law, but both signal that platform operators should prepare for stricter requirements.
Youth Protection: A Regulatory Patchwork
Depending on the specific service, other rules can apply alongside Article 28 DSA, including the German Youth Protection Act (Jugendschutzgesetz, JuSchG) for carrier media and certain gaming platforms, the Interstate Treaty on the Protection of Minors in the Media (Jugendmedienschutz-Staatsvertrag, JMStV) for telemedia with content that may impair development, the Audiovisual Media Services Directive (AVMSD) for video-sharing platforms, and the Unfair Commercial Practices Directive (UCPD) for issues such as loot boxes and manipulative in-game purchases. Which of these provisions apply alongside the DSA in a given case again depends on the specific service and its content.
Finding Your Way Through the Regulatory Jungle
As the example of Reddit shows, youth protection in the digital space is evolving dynamically across several levels at once. For providers, this adds up to an increasingly complex web of DSA rules, national law and consumer-protection requirements. We would be glad to help you navigate this regulatory environment and identify the obligations that specifically apply to your service.




