The Evolution of Age Assurance Standards: PAS 1296 to IEEE 2089.1 to ISO/IEC 27566-1

The Evolution Timeline

PAS 1296:2018 — Awareness, Principles, and Early Certification

PAS 1296 was published in 2018 by the British Standards Institution (BSI) and the Digital Policy Alliance as a Publicly Available Specification. Its goal was to provide organizations with voluntary guidance on how age assurance could be established in practice.

The framework was deliberately principle-based rather than prescriptive, setting out broad expectations around effectiveness, proportionality, accountability, and inclusivity. What it did not provide, however, were measurable performance metrics that would allow for consistent technical testing.

ACCS nevertheless turned PAS 1296 into a practical assurance scheme. Providers could be audited through documented policies, governance evidence, and system testing, which made PAS 1296 auditable in practice and gave buyers and regulators the first independent assurance of compliance, and the first independent trust mark for age assurance, in the UK. Regulators such as the ICO recognised its value. PAS 1296 gave real credibility to the concept of “age assurance” and positioned it as a serious discipline, but its voluntary and advisory nature limited its value for regulators and large-scale procurement. It was an important starting point, but not the end state.

IEEE 2089.1:2024 — Structured, Measurable, and International

The next stage came with IEEE 2089.1, approved in 2024 as the IEEE Standard for Online Age Verification. Unlike PAS, IEEE 2089.1 was developed as a full process standard with global applicability. ACCS enables immediate IEEE certification, providing measurable audits for tech-focused providers – ideal for US innovators and early adopters.

It establishes a framework for the design, specification, evaluation, and deployment of online age verification and estimation systems. It is structured around seven phases:

  1. Determination – deciding if age assurance is required.
  2. Selection – choosing the appropriate method(s).
  3. Assurance – verifying or estimating age.
  4. Categorization – classifying the level of confidence achieved.
  5. Interoperability – exchanging results between providers.
  6. Privacy – embedding privacy-by-design.
  7. Data Security – protecting and securing all age assurance data.

The standard requires organizations to demonstrate conformance with mandatory tasks and outcomes, providing a basis for auditability. Annexes define quantitative metrics such as:

  • Accuracy thresholds (e.g., proportion of age estimates within ±1 year).
  • False acceptance/rejection rates.
  • Liveness detection requirements.
  • Fairness and outcome error parity across protected groups.

IEEE 2089.1 also embeds principles from the UN Convention on the Rights of the Child and the 5Rights Foundation, requiring proportionality, inclusivity, accessibility, and the primacy of the child’s best interests.

IEEE 2089.1 gives the market a structured, measurable, and internationally applicable standard, allowing real comparability and accountability across different technologies. While it established conformance and audit processes, it did not create a globally harmonized certification scheme recognised by regulators.

ISO/IEC 27566-1:2025 — Global Certification Framework

ISO/IEC 27566-1, by ISO/IEC JTC1 SC27, represents the culmination of this evolution: the first full international certification standard for age assurance. It integrates the principles of PAS and the structured metrics of IEEE into a single framework, while adding global harmonization and regulator recognition. Certification requires organizations to evidence compliance across five pillars:

  • Functionality – clarity on the scope and method of age assurance.
  • Privacy – privacy-by-design/default, data minimization, disposal.
  • Security – threat modeling, replay and injection attack resistance, adversarial testing.
  • Accessibility – WCAG compliance, inclusivity, multi-language support.
  • Performance – effectiveness indicators, accuracy, fairness, classification integrity.

Unique Features of ISO/IEC 27566-1

Auditable Practice Statements

Providers must publish and maintain formal documentation of their methods.

Audit Logs

Systems must generate traceable logs of checks and decisions to support accountability.

External Certification

Independent, accredited certification bodies like ACCS perform audits, leading to a globally recognized certification mark.

Regulatory Alignment

Directly supports compliance with frameworks like the UK Online Safety Act, EU DSA/eIDAS, and Australia’s eSafety trials.

Cross-Jurisdiction Recognition

Provides a single certification language trusted across regions, removing the need for multiple overlapping audits.

Flexible Pairing

Complements IEEE’s metrics; ACCS offers combined audits (e.g., IEEE tests validate ISO performance pillar) for efficient, layered compliance without redundancy.

Market Impact

For the first time, regulators, platforms, and procurement teams can rely on a single, harmonized certification framework. ISO/IEC 27566-1 is positioned to become the global “gold standard” for age assurance, bridging the gaps of PAS and IEEE, while giving the market a trusted, regulator-backed benchmark.

Who Can Apply?

ISO/IEC 27566-1 applies broadly across the roles within the age assurance ecosystem, including:

Age Assurance Providers

These include age verification, age estimation, and age inference service providers (e.g., ID document verification, credit reference checks, biometric face analysis tools, email, social media AV inference systems).

Intermediaries

These include aggregators, attribute/exchange gateways, consent managers (e.g., brokers connecting multiple age check providers to relying parties).

Relying Parties

Organisations needing their own configurations, integrations, or handling of age assurance beyond the age assurance service provider’s result (e.g., online platforms, e-commerce, gambling, adult content, gaming, social media — anyone enforcing age restrictions).

Hybrid Services

Multi-role providers offering layered approaches such as performing both age-assurance and user-management or acting as an intermediary layer between them (e.g. platforms that verify a user’s age and deliver a verified response or trust token to relying parties).

Choosing the Right Standard – ACCS’s Segmented Approach

In a maturing market, IEEE and ISO aren’t rivals – they’re complementary layers.
ACCS, as the only certifier bridging both, helps you choose based on your attributes, needs, and position:

IEEE 2089.1

Best for US-Focused Tech Innovators and Startups

Typical profile: North American companies working heavily with AI or biometrics, often early-stage or R&D-driven (e.g., gaming or EdTech startups).

What they need: Fast and affordable technical validation, usually at component level, with the flexibility to keep improving their technology; audits usually range from around £7K to £16K. An IEEE certification mark and dual listings on the ACCS and ICAP registries are also provided.

Why it fits: Provides quick certification with measurable results at component level such as accuracy and error-rate metrics, aligning well with US laws like COPPA and innovation-hub expectations.
A good first step if you want a proof-of-concept certification before expanding internationally with ISO later on.

ISO/IEC 27566-1

Best for EU, UK, and Australia Regulated Enterprises

Typical profile: Larger, multinational platforms and high-risk relying parties such as social networks, gambling operators, or major content platforms handling cross-border data.

What they need: Recognised, global-level certification for procurement and regulatory compliance — audits typically range from £12K to £30K+.

Why it fits: Offers a complete, privacy- and security-focused framework aligned with the DSA (EU) and the UK Online Safety Act.
Ideal for companies preparing for Australia’s eSafety deadline (Dec 2025) or operating in regulated age-assurance markets in the UK and EU region.

Both Standards Combined (Dual Certification)

Best for Global Scale-Ups

Typical profile: Mid-maturity providers offering reusable or multi-layered systems, such as fintech or identity-verification vendors.

What they need: A layered approach that avoids duplicate effort while maximising assurance coverage.

Why it fits: IEEE delivers the technical performance validation, while ISO adds global credibility and governance assurance. Combined audits through ACCS can save roughly 20–30% overall.
ACCS uses a unified model where about 40–60% of your IEEE audit evidence carries over into ISO, giving full value and efficiency across both certifications.

Side-by-Side Comparison

Why ISO/IEC 27566-1 Matters

Global Harmonisation: For the first time, ISO creates a single internationally recognised baseline, replacing fragmented national schemes and proprietary frameworks.

Privacy at the Core: Unlike PAS and IEEE, ISO requires privacy-by-design/default – covering minimization, lawful processing, secure disposal, and transparency.

Security Redefined: Providers must prove resistance to spoofing, replay, injection attacks, and adversarial testing, going beyond surface performance.

Depth of Audit: Certification demands evidence of practice statements, audit logs, governance controls, and lifecycle management, not just metrics.

Accessibility & Fairness: Inclusivity is baked in, requiring WCAG compliance, multi-language access, and bias/fairness testing across demographics.

Complementary to IEEE: Use IEEE’s metrics for ISO’s performance pillar – ACCS bundles for seamless, non-redundant certification.

Practical Implications

From Guidance to Certification
The journey has shifted – PAS gave principles, IEEE gave metrics (ideal for tech segments), but ISO makes certification global and regulator-recognised (for enterprise segments).

Holistic Maturity Required
Vendors must now evidence governance, audit trails, inclusivity, security resilience, and privacy, not just system accuracy.

Market Access Lever
Tailor to segments – IEEE for US innovation, ISO for AU/EU compliance. ISO certification is likely to become a prerequisite for regulators, procurement teams, and platforms seeking trusted providers.

First-Mover Advantage
Early adopters will stand out as certified leaders, signalling readiness and trust to regulators, platforms, and parents.

Hybrid Options
For scale-ups, combine IEEE + ISO via ACCS for 70% shared audits – maximizes value without shortchanging technical validation.

Next steps

If you’re a provider (AV, AE, or intermediary)

  • Map your service against the five ISO pillars (Functionality, Privacy, Security, Accessibility, Performance).
  • Gather and document policies, audit logs, and practice statements.
  • Assess where IEEE technical metrics you already meet fall short of ISO’s certification demands; consider combo for layered assurance.

If you’re a relying party (platform, retailer, or operator)

  • Understand that your integration choices (configurations, fallback methods, data handling) can bring you in-scope.
  • Use ISO certification to show regulators and buyers that you apply age assurance responsibly and transparently.

If you’re a regulator or platform buyer

  • Treat ISO/IEC 27566-1 as the benchmark for procurement and compliance.
  • Use IEEE for technical evaluation where needed, ISO for global assurance.
Age Check Certification Scheme