For a decade, keeping children safe online has meant asking children to be careful and parents to keep watch. A panel of experts convened by the European Commission wants to end that arrangement.
Its report, published on 13 July, makes a blunt argument. The burden of proving a service is safe should sit with providers, not the families using it. In one line, it moves child safety online from a parenting problem to a safety by design obligation on providers.
Brussels moves the burden of proof
The special panel on child safety online met three times between March and June 2026. Von der Leyen set it up. Its report is not law. The Commission will bring forward proposals after the summer. So what landed this week is direction, not regulation. Yet the direction is unambiguous.
The central recommendation is direct. Until providers show a service meets a safety by design standard, access for under-13s should be restricted. That covers social media and other digital services across the EU. For teenagers over 13, the panel suggests member states weigh further precautionary limits. Von der Leyen went further herself. A doctor by training, she said children under three should have no screen exposure, and under-13s only time-limited, supervised access.
The sharper point sits beneath the age threshold. The report argues the burden of proof belongs with providers, not regulators, parents or children. That single sentence reverses the working assumption of the past decade.
Safety by design, defined
So what does safety by design mean in practice? The panel is specific. It wants binding rules where today there are only guidelines. Those rules would require platforms to switch off or remove certain design features by default. The features named are familiar: infinite scrolling, autoplay, push notifications and personalised recommendations tuned for maximum engagement. Protective settings would be on by default. The rules would stay adaptable, so regulators can reach new harms as they emerge.
Read that list again. It is almost the exact set of features the Commission cited three days earlier. That was when it preliminarily found Meta in breach of the Digital Services Act. Safety by design, then, is not an abstraction. It is a concrete instruction to change defaults.
The same week, the same features
The timing is the story. On Friday, the Commission’s enforcement arm named infinite scroll, autoplay, personalised recommendations and push notifications. Those, it said, are the mechanics that nudge users into autopilot. On Monday, an expert panel named the same mechanics. A service must neutralise them before a child gets in. Enforcement and policy are settling on one safety by design vocabulary.
For anyone running a digital service in Europe, that convergence matters more than either item alone. A single enforcement case can look like an outlier. A regulator and an independent panel reaching for the same list in the same week is a pattern. The signal to product and governance teams is plain. Engagement-maximising defaults are moving from competitive advantage to compliance liability.
What this means for governance teams
Here is the reframe worth sitting with. A burden-of-proof reversal is not really about age gates. It is about evidence. If a provider must show a service is safe before children reach it, safety by design stops being a value you assert. It becomes a claim you have to substantiate. The question a board faces is no longer whether the product feels responsible. It is whether the organisation can show its working.
That shifts ownership inside a business. Default settings, recommender tuning and age-assurance choices stop being quiet growth-team decisions. They become governed artefacts, each with a documented rationale, a risk assessment and an owner. The firms that cope well will already treat design choices as things to record and defend, not simply ship.
Building the safety by design evidence trail
None of this needs to wait for the autumn proposals. The evidence trail that a safety by design regime will demand can start now. It means mapping each engagement feature to the risk it carries and the mitigation in place. Recording why a default sits where it does, and what would change it, belongs in the same file. Above all, a team should be able to answer one plain question in a board paper. If a regulator asked us to prove this service is safe for a child, what would we hand over?
Firms that build that file early turn a looming obligation into a standing capability. Firms that wait will assemble it under deadline. That is the expensive way.
The tensions worth watching
The report is not without friction, and honest planning should hold its contradictions in view. Age assurance is the obvious one. Proving a user is over 13 tends to mean collecting more personal data. That sits awkwardly beside the data-minimisation instincts of the GDPR. It also cuts against a fresh warning from the G7 data protection authorities. Age checks, they say, must not become a pretext for identity collection. Verifying age to protect children can widen the surveillance of everyone.
There is a scope debate too. One panel contributor argued that safety by design should apply to all users, not only children. The reasoning is that platforms otherwise have little incentive to redesign. Others flagged fragmentation, with member states layering their own limits on teenagers against a single EU line. A tension already runs between EU-level harmonisation and national moves under way.
For a governance lead, the point is not to resolve these tensions. It is to plan for a rulebook that will carry them. The broad direction is clear. The detail, and the friction, arrive after the summer.
Future Prep will keep mapping how the EU’s safety by design signals turn into obligations. The organisations that read direction early tend to meet the rule calmly. The rest meet it in a hurry.