A verifier that accepts a Proof-of-Age attestation because its signature is well-formed has done half the job and skipped the important half. A valid signature only proves the credential was signed by some key. It says nothing about whether that key belongs to an issuer the EU actually trusts to attest age. Closing that gap is the job of the Age Verification Trusted List, and the verifier guidance is explicit: you must validate every age attestation against it before granting access.
This is the step teams most often skip — and the one an auditor will most reliably ask about.
Trust is a list, not a signature
In the EUDI ecosystem, trust is anchored in published trusted lists: machine-readable registers of the entities authorised to play a given role. For age verification, the relevant register is the Age Verification Trusted List — the set of issuers whose Proof-of-Age attestations a conformant verifier is permitted to accept.
The validation chain your verifier must complete:
- Parse the presented
mso_mdocProof-of-Age (theeu.europa.ec.av.1attestation — see our developer guide to the namespace). - Verify the signature against the issuer's certificate.
- Anchor that certificate to the Age Verification Trusted List — confirm the issuer is actually listed.
- Only then grant access.
Skip step 3 and you will happily accept a perfectly-signed attestation from an issuer nobody authorised. That is the difference between cryptographic validity and trust, and it is the whole reason trusted lists exist. We walk the general version of this chain in How eIDAS Verification Works; this post is the age-verification-specific instance of it.
There is already a test list — in the ACC environment
You do not have to wait for production to build this. The Commission already hosts a test Age Verification Trusted List in the eIDAS Dashboard ACC (acceptance) environment. A notable detail for anyone exploring it: the reference test issuer appears under Iceland in that environment — a test placement, not a statement about Icelandic deployment. Use the ACC list to develop and exercise your trust-anchoring logic against real list structure now, ahead of the production list going live.
The eIDAS Dashboard is the same infrastructure that will host the production trusted-list endpoints. Building your validation against the ACC list means that when the production list publishes, you are changing an endpoint and a trust anchor — not architecting a capability from scratch.
The distinction that trips people up: AV list ≠ WRPAC list
This is the single most important clarification in this post. The eIDAS Dashboard will host multiple trusted lists for different roles, and conflating them leads to genuinely wrong integrations:
| List | Answers the question | Used by |
|---|---|---|
| Age Verification Trusted List | "Is this issuer authorised to attest age?" | The verifier, to trust an incoming proof |
| WRPAC provider list | "Is this relying party authorised to request attributes?" | The wallet, to trust an outgoing request |
They run in opposite directions. The AV Trusted List protects you, the verifier, from accepting proofs from rogue issuers. The WRPAC provider list protects the user's wallet from disclosing attributes to unregistered relying parties. As we documented, the WRPAC provider list is not yet published — its obligations apply from 24 December 2026. The AV test list, by contrast, is already available in ACC. Same dashboard, different lists, different timelines, different directions of trust. Treat them as one thing and you will wire your verifier to check the wrong register.
Operational realities of trusted-list validation
A few engineering points that separate a robust implementation from a brittle one:
- Cache, but refresh. Trusted lists change — issuers get added, certificates rotate. Fetch the list, cache it for performance, but refresh on a schedule and handle the case where a previously-trusted anchor disappears.
- Fail closed. If you cannot reach or validate the trusted list, the correct default for an age gate is to deny, not to wave the user through. A trust check that fails open is not a trust check.
- Distinguish "not yet published" from "empty." During this transition period an endpoint may legitimately return that a list is not published. That is a defined state, not an error to swallow — exactly as we found with the late-May 2026 EU-27 WRPAC status, where the WRPAC endpoint deliberately reports unpublished. Your code should recognise the difference between "the list says no issuers" and "there is no list yet."
- Separate test and production anchors cleanly. The ACC list (with its Iceland test issuer) must never be a trust anchor in your production verifier. Keep environment configuration explicit so a test anchor can never leak into production trust.
Why this is a competitive advantage, not just a checkbox
Most age-verification vendors today validate a signature and call it done. A verifier that correctly anchors to the EU Age Verification Trusted List is doing something materially stronger: it is enforcing the EU's governance of who may attest age, not just the cryptography of a single signature. When a regulated relying party — a gaming operator, an age-restricted marketplace, a platform under DSA Article 28 — has to demonstrate how it knows an age proof is genuine, "we anchor to the EU Age Verification Trusted List" is a far stronger answer than "the signature checked out." The same logic underpins our WooCommerce and online gaming integrations.
The bottom line
Validating against the Age Verification Trusted List is the step that converts a signed credential into a trusted one. The test list exists today in the eIDAS Dashboard ACC environment, so there is no reason to defer building it. Anchor every proof to the list, fail closed when you cannot, refresh your cache, keep test and production anchors strictly separate — and never confuse the AV issuer list with the WRPAC provider list. Get this right and your verifier is enforcing EU trust governance, not just checking math.
This post reflects the EU Age Verification trust infrastructure as of June 2026. The production Age Verification Trusted List was not yet live at time of writing; the ACC test list and its placements are for development only. Verify against the eIDAS Dashboard and current verifier guidance before relying on specifics.
Share this article
Help others learn about eIDAS verification