By Francesco Cappelletti – Cybersecurity researcher at VUB and Senior Fellow at ELF

Italy has just produced the most Italian solution to a problem nobody managed to demonstrate: in the name of “protecting minors”, lawmakers crafted a system so clumsy that half the country believed it required logging into pornography websites with SPID — the same digital identity that citizens must use for every essential service, despite the State’s legendary inability to keep them running. The political signal was unmistakable: your most intimate choices must now bow before a bureaucratic altar.

Then came the fine print. Article 13-bis of the so-called Decreto Caivano obliges any platform distributing pornographic content in Italy to verify users’ age, and AGCOM’s Delibera 96/25/CONS sets out the methods and deadlines. Six months for compliance if you operate in Italy; far longer if you’re abroad. And although this is a national law, the government justifies the framework by pointing to EU legal bases — in particular Article 8 of the GDPR on children’s data, the European Strategy for a Better Internet for Kids (BIK+), and the emerging standards linked to the EU Digital Identity Wallet pilot — none of which mandate Italy’s specific architecture but are invoked as political cover.

A liberal society treats adults as adults. Demanding quasi-official paperwork before two consenting adults may appear on your screen is not liberalism — it is administrative cosplay, authoritarianism performed in a queue. The message could not be more patronising: Italians cannot be trusted with their own autonomy unless the State peers through the keyhole first.

And the irony is exquisite. The very politicians who wail about “privacy” whenever Brussels requests financial transparency are now engineering the world’s most delicate metadata hotspot: a national architecture linking identity tools, age-verification tokens, and access to sexual content. One breach — and considering the latest reports from the Italian Cybersecurity Agency, it is not if but when — and millions may find themselves greeted by the classic extortion email: “Caro Marco, sappiamo che ti piacciono i video con…” (Dear Marco, we know you like videos with…)

Sextortion has worked precisely this way for a decade; the only novelty is that the State is now underwriting the risk.

To make matters worse, the scheme inserts a new mandatory intermediary between citizens and what they read or watch. These so-called “age-verification providers” issue cryptographic passes certifying that the user is over 18. On paper, they should see almost nothing, store less, and be audited thoroughly. In practice, we are creating yet another class of operators capable of being hacked, pressured, or quietly repurposed — all while handling some of the most sensitive metadata a person can generate. The official documents promise minimisation; they do not offer the architecture, audits, or penalties that make minimisation real.

Then arrives the plot twist. Direct SPID or CIE login to pornography websites will not exist. AGCOM — keen to avoid the political inferno it accidentally lit — clarified that access will instead rely on a separate, privacy-preserving mechanism: a digital proof of age stored on the user’s device. This token may be generated by an app currently being tested by the European Commission and AGCOM, or eventually by the IT Wallet or the government’s IO app. The porn site sees only a “yes/no” on adulthood; it never receives your identity. 

At least, that is the theory. Reality has a different rhythm. No final technical standard exists. No certified providers exist. No public audit framework exists. Italy has legislated an infrastructure before building the foundations — a Renaissance fresco painted on wet cardboard.

And what does this masterpiece of overreach achieve? Almost nothing. AGCOM has identified 45–48 major platforms — Pornhub, Xvideos, OnlyFans, and their competitors — that must comply if they wish to remain accessible in Italy. Domestic operators must adapt quickly; foreign platforms, however, have until early 2026 to align with EU procedures. 

Meanwhile, a €3 VPN cheerfully dissolves the entire edifice in seconds. So, the only groups actually burdened are Italian businesses, Italian users, and Italian systems — the three entities least able to shoulder additional risk without consequence.

To complete the farce: we are told this aligns Italy with Europe. This is not an isolated Italian measure. Several other EU countries, including France and the UK, have implemented mandatory age verification for adult content. The key difference is that the EU is now developing a single, privacy-focused ‘mini wallet’ standard to replace these varying national systems. Yet some other EU member states tried similar systems; in many cases regulators or courts blocked them on the grounds that access control must be proportionate, technically sound, and genuinely privacy-preserving. Italy skipped the analysis and announced the solution. This is not policymaking; it is theatre with a loading screen.

And of course, the perimeter quietly expands. The same mechanism is designed to apply not only to pornography, but also to gambling platforms, online alcohol and tobacco retailers, and any other service “reserved for adults”. The database may be decentralised, but the ambition is unmistakably centralising. 

Real protection for minors requires digital literacy, functioning parental controls, and serious action against exploitation networks. Instead, we imposed an ID checkpoint at the bedroom door, and congratulated ourselves for having “done something”.

This is the Italian reflex in pure form: when confronted with a technological challenge, never empower people — always build another system. The State that cannot keep its tax portal upright now expects us to trust an untested, unregulated, un-audited age-verification network handling intimate traffic patterns of millions. Auguri.

The theory insists there will be no central registry. Every communiqué claims “double anonymity”, tokens without identity, and strict separation between verifiers and content providers. Yet every layer — the app, the logs, the providers, the exceptions for other adult-only services — is another hinge on which privacy could quietly fold inward. Italy has no shortage of systems designed to be privacy-preserving in principle and disastrously leaky in practice.

Liberals have warned for decades: the greatest threat to privacy is always the State. And here is the demonstration, in neon. A law that burdens adults, weakens cybersecurity, adds friction to life online, and does little for children beyond generating headlines.

Now consider also the obligations under the Digital Services Act (DSA). The DSA — in force since 2022 for online platforms — requires platforms to adopt “appropriate and proportionate measures” to protect minors, including robust age-verification or age-assurance where adult content may be accessible. 

In theory, the national legislation could plug into the DSA’s risk-mitigation framework. But in practice, Italy’s law lays out a national architecture which remains unbuilt, untested, and un-audited. That means compliance with DSA standards may remain aspirational — while actual age verification will rely on unproven intermediaries, raising the very systemic risks (metadata exposure, centralisation, security vulnerabilities) that a robust DSA-based implementation should mitigate.

No, the “SPID-Game” will not happen. As long as VPNs exist, they will remain the cheapest, simplest tool for exercising one’s right to privacy without asking permission. The government may keep its fantasy of a national moral ledger. Adults do not need a permission slip to be adults, and children will not be protected by turning parents into logged deviants.

In the end, this law protects only the illusion that politicians are “doing something”, while delivering every hacker’s dream scenario: a sprawling, untested, politically sensitive network of age-verification systems, built in haste and defended with hope.

Welcome to Italy, 2025. Bring a VPN and a sense of humour. You’ll need both.
