This article is practically relevant for online service providers established in an EU Member State that find themselves confronted with national regulatory media or digital rules of another Member State (such as youth-protection or platform laws). In decision dated 16 June 2026 (C-188/24 and C-190/24), the Court of Justice of the European Union (“CJEU“) clarified three points: the country-of-origin principle protects such providers also from the application of criminal law rules of other EU Member States. At the same time, regulatory rules that require an individual decision of the regulator remain applicable. Lastly, non-compliance with the Audiovisual Media Services Directive, increases the risk the exception of the country-of-origin principle being applicable. Providers offering services from another EU Member State and facing particularly intrusive national regulation should check whether it applies to them at all.
1. Background: what the case was about
The case concerned two French rules aimed at operators of pornographic websites.
- The criminal rule. Under French criminal law, it is a criminal offence to offer pornographic content in a way that allows minors to see it. In simplified terms: “anyone who distributes pornography so that children can access it commits an offence”. This applies even where the user clicks to confirm that they are an adult, as this form of age-gating is considered insufficient.
- The ARCOM rule. A second rule gives the French media regulator, ARCOM, a concrete tool to regulate: where the authority finds that a specific site gives minors access to pornography in violation of the criminal law, it can require that site to install an age check. If the site does not comply, it can be blocked.
The claimants were two operators established in the Czech Republic. Their argument: we are subject to Czech law — France cannot impose its rules on us. They relied on the country-of-origin principle of the e-Commerce Directive: an online service is, in principle, regulated by the EU country in which it is established; other EU Member States may not impose their regulations on such providers.
2. What did the CJEU decide?
2.1 New: the country-of-origin principle also covers criminal law rules
The CJEU clarified that the country-of-origin principle also covers criminal-law rules — at least where they govern the conduct of online services. Whether this was so had long been unsettled and contested.
The Court’s reasoning rests on a simple observation about how the Directive is built. It nowhere lists what the principle covers; instead, it sets out a closed list of areas expressly carved out of it — such as taxation, gambling, copyright or e-money. The lawmakers would not have taken the effort to carve those areas out if they had been outside the principle anyway. The very existence of an exceptions list therefore shows that, by default, everything falls within the principle — and that the list marks the only exits. Criminal law is not on that list. A State therefore cannot escape the country-of-origin principle simply by writing a behavioral rule into its criminal code.
Thus, a Member State cannot remove a rule of conduct for online services from the country-of-origin principle simply by placing it in its criminal code. What matters is whether the rule governs the conduct of the service — not which statute book it sits in.
2.2 Confirmed: blanket laws never qualify for the exception to the country-of-origin principle
The country-of-origin principle has an exception: under certain conditions a Member State may intervene — expressly including protecting minors, among other things. But the exception requires a measure “taken against a given service” — that is, an individual measure.
Here the CJEU followed and confirmed its existing line (C-376/22; C-662/22 and C-667/22): a law is never an individual measure. By its nature it governs many cases at once and applies without distinction to all providers of a category. Such general rules therefore never qualify for the exception — not even when they serve youth protection. That is precisely why the general French criminal rule could not be invoked against the Czech operators: because it applies to all providers without distinction. Hence, the CJEU ruled, that the French criminal rule is inapplicable due to a violation of the country-of-origin principle.
2.3 New development: laws built on an individual-order model are permissible
The decision’s practically most significant new development is that it identifies the type of national rule that remains permissible.
France had two separate rules. The first — the criminal rule — is a blanket prohibition and, as shown, does not work against EU-foreign providers. The second — the ARCOM rule (summarized in simple form above) — is structured entirely differently: it does not prohibit anything across the board. Instead, it lets the authority act in the individual case against a specific, named service and require that site to install an age check. That is an individual measure — and therefore one that can fall within the exception of the country-of-origin principle.
The decisive point is therefore not whether a Member State may enforce youth protection, but how: the restriction must not already follow from the law itself, but must arise only from a targeted order against an individual provider.
Two examples make the distinction concrete:
- Impermissible rules: A rule stating: “You may not distribute content XYZ, or you face a fine or criminal penalty”. Such a rule imposes a behavioral duty directly and applies to all providers alike. In the words of the courts, the rule itself “constitutes a restriction” and “applies without distinction to all providers”. It is therefore abstract-general — and not covered by the exception.
- Permissible rules: A rule stating: “If a provider breaches a requirement, the regulator may issue an order against that specific provider”. Here the restriction arises only through the targeted order against an individual service — and can therefore be justified.
2.4 New: No unwritten exception to the country-of-origin principle
Those defending the French rules made a further argument. Because the strict reading of the country-of-origin principle increasingly leaves national rules inapplicable to providers established elsewhere in the EU, they contended that the fundamental rights at stake — human dignity (Article 1 of the EU Charter) and the child’s right to protection (Article 24) — should justify a kind of unwritten exception to the country-of-origin principle, allowing even abstract-general laws, i.e. measures that apply to an entire category of services where this is needed to protect minors effectively.
However, the CJEU declined to recognize any such unwritten exception. The country-of-origin principle stands, and the only gateway for national intervention remains the written exception in the e-Commerce Directive (Article 3(4)). Abstract general measures in the form of laws therefore remain excluded — even where children’s fundamental rights are at stake.
The fundamental rights do not drop out of the picture, however. Rather than create a new exception, the Court takes them into account within the existing written exception — in particular within its proportionality requirement (see 2.5 next).
2.5 The further requirements set by the E-Commerce Directive – And what the CJEU ruled on them
The e-Commerce Directive itself sets out further requirements to the exemption of the country-of-origin principle, in addition to the individual-measure requirement explained above: the measure must
- (i) be necessary to protect a recognized objective (here, the protection of minors and human dignity as part of public policy),
- (ii) address a service that genuinely endangers that objective (a serious and grave risk), and
- (iii) must be proportionate.
Procedurally, before acting the authority must also
- (i) ask the provider’s home Member State to act itself and
- (ii) notify both the Commission and the home Member State (subject to exceptions for urgency and for genuine criminal proceedings).
The CJEU made further comments in particular on the proportionality requirement:
- First, this is where the CJEU takes into account the fundamental rights: human dignity (Article 1 of the Charter) and the child’s right to protection (Article 24) are weighed as part of the proportionality assessment.
- Second, the CJEU used the Audiovisual Media Services Directive (“AVMSD”) as the yardstick. The pornographic sites qualify as video-sharing platforms, which the AVMSD already requires to protect minors — and it expressly names age-verification systems as an appropriate measure for the most harmful content such as pornography. On that basis, a national age-verification requirement is proportionate where the provider has not itself taken the appropriate measures under the AVMSD. As the operators here relied on mere self-declaration (“I am 18”), the requirement of the French measure to impose a stricter form of age-gating was proportionate. In effect, the destination State’s measure operates as a backstop that applies where the provider has not already complied with its AVMSD obligations.
As regards the procedural conditions, the CJEU did not itself decide whether these were met but left this question to the referring court — the French Conseil d’État — to verify.
3. Further context: the CJEU confirms recent German case law
The decision confirms, almost point for point, what German courts had held in recent months:
- First, the Düsseldorf and Neustadt Administrative Courts had treated content prohibitions as inapplicable to providers established elsewhere in the EU — on the ground that the prohibition already follows from the rule itself. There, too, the rule at issue tied the distribution of pornography to youth-protection measures (permitted only where it is ensured that only adults obtain access).
- Second, those courts had also pointed out that such rules could be designed to be permissible — namely as an individual measure. That is exactly what the CJEU now says.
We covered the background to the German proceedings here. EU Commission and Courts Consider National Digital Laws Inapplicable.
4. Outlook and practical implications
4.1 Many national rules are likely no longer to apply
Under the current case law, it can be assumed that a very large share of the national regulatory media or digital rules of most EU Member States no longer applies to providers established in another EU Member State. Providers facing particularly intrusive national regulation should specifically check whether it applies to them at all.
4.2 Important limitation: only EU/EEA-established providers
This protection only helps providers established in another EU or EEA Member State. Providers established outside the EU (for example, in the US) cannot rely on the country-of-origin principle. However, third-country providers that qualify as an online platform under the DSA may, in certain cases, be able to rely on the precedence of the DSA — provided the national rule concerns youth protection (see 4.6 below).
4.3 Member States will adapt their legislative technique
Individual Member States are likely to adjust their legislative technique in the coming years — moving towards the individual-order model accepted by the CJEU, in order to continue enforcing youth protection and other media and digital rules against EU-foreign providers. Still, this will significantly limit the practical application of national regulatory laws, given that these are only enforceable to services established in another EU member state if they are tight to a regulatory enforcement measure.
4.5 Non-compliance with the AVMSD increases the risk of the exemption being applicable
The flip side of the Court’s proportionality reasoning is a practical risk for online services falling under the AVMSD. Because a national measure is proportionate precisely where the provider has not taken the appropriate AVMSD measures, the more a provider falls short of the AVMSD’s youth-protection requirements, the more readily a national measure against it will be regarded as proportionate — one of the key conditions of the exception.
The AVMSD foresees various youth protection rules for audiovisual media services (e.g. video-on-demand) and video-sharing platforms, of which non-compliance with could increase the risk of failing the proportionality test of the country-of-origin principle:
- Age verification for content that may impair minors’ development (Article 28b(3)(f); Article 6a(1));
- The strictest access controls for the most harmful content, which the AVMSD expressly extends to pornography and gratuitous violence (Article 28b(3); Article 6a(1));
- Parental control systems under the end-user’s control (Article 28b(3)(h));
- Content rating and clear information for viewers about potentially harmful content (Article 28b(3)(g); Article 6a(3));
- Reporting and flagging mechanisms for harmful content, with feedback on the action taken and complaint-handling procedures (Article 28b(3)(d), (e), (i));
- Media-literacy tools and awareness measures (Article 28b(3)(j)).
The same logic reaches beyond the protection of minors: the AVMSD also requires measures against incitement to violence or hatred and against terrorist content (Articles 6 and 28b(1)(b), (c)) — areas that map onto the further public-policy and public-security objectives for which the same exception can be invoked.
However, this exposure has limits. German courts have recently held that age-verification duties aimed at content that merely “impairs” the development of minors — as opposed to the most “harmful” content — do not necessarily meet the exemption’s requirement that the measure address a “serious and grave risk” to the protection of minors. In the case at hand, the court was not persuaded that the development-impairing content crossed that threshold, while expressly leaving open whether such content might do so in individual cases (Administrative Court Düsseldorf, 4 April 2023, case no. 27 K 3906/20; not yet final, appeal admitted). By way of illustration, the same reasoning would cast doubt on age-verification duties for 16+/18+ entertainment films (for instance on video-on-demand services): unlike pornography, such films — although rated 16+/18+ — would typically not pose a serious and grave risk to minors. For the most harmful content such as pornography, by contrast, the same court confirmed that the threshold was met and upheld the age-verification requirement. This line of argument might provide a valuable defense against age gating requirements on “normal” entertainment content that are imposed by EU Member States on video-sharing platforms or video-on-demand services established in another Member State.
4.6 What the decision did not address: the DSA question
The decision does not address the currently much-debated parallel question of whether the DSA takes precedence of national youth protection laws. That question is whether the DSA displaces national youth-protection law to the extent that this law applies to online platforms. The background is that youth protection is already regulated in the DSA (Articles 28 and 35 DSA); it is therefore argued in particular by the EU Commission and recently German courts that this area has been fully harmonized at EU level, with the result that national rules are no longer permitted.
Applying the reasoning of the Düsseldorf Administrative Court’s recent decision, there are good grounds to assume that even a rule built on the ARCOM model would be inapplicable, at least because of the priority of the DSA. The European Commission has taken the same view in its statements on the German youth-protection rules. The CJEU did not have to decide this point, because the questions referred concerned the e-Commerce Directive rather than the DSA.
Closely connected is a further question: the DSA expressly allows each Member State to define for itself what counts as “illegal content”. But if the corresponding national content rules may not be applied to EU-established providers because of the country-of-origin principle, that legislative decision would run partly empty. How the two relate is subject to an ongoing debate. In Germany, the Düsseldorf Administrative Court recently held that a rule which does not prohibit pornography outright, but instead makes access conditional on the implementation of age-verification measures, is precisely not a rule governing “illegal content” within the meaning of the DSA. Hence, the court ruled that the DSA takes precedence over such a rule which is therefore rendered inapplicable.
