EU Lawmakers Move to Ban AI Nudifiers, but Enforcement Remains Unclear

Today, the European Parliament voted on rules that would prohibit AI systems designed to create nonconsensual intimate images, one of the most widely supported measures in a broader package aimed at simplifying the bloc’s Artificial Intelligence Act.

The vote follows a provisional agreement reached on May 7 on legislation known as the "AI omnibus," which includes a new prohibition on so-called "nudifiers" — AI systems that generate explicit images of real people without their consent. Yet while lawmakers have repeatedly described the measure as a ban, many national authorities still lack the legal powers needed to enforce it.

The agreement requires companies to implement safeguards against the creation of nonconsensual sexual deepfakes and could remove offending systems from the EU market by the end of the year. “This is not a strict prohibition,” said Sadia Berdaï, head of the AI Innovation and Technology Unit at Luxembourg’s Data Protection Authority. “It’s about the intended purpose, the way you use the systems, not the technology itself.”

What the EU is trying to ban

The issue of sexualized deepfakes returned to headlines recently after AI images of Italian Prime Minister Giorgia Meloni in lingerie circulated online. The case is a reflection of the broader problem, given that 98% of AI pornographic videos online are non-consensual, and 99% target women.

“We're talking about systems designed to strip clothes from photographs of real people, not synthetically created people, but real people, overwhelmingly women and children, to humiliate them, degrade them, and objectify them. To do so at scale and industrialize that for profit,” Michael McNamara, a co-rapporteur of the AI Omnibus and a member of the European Parliament, said during the debate on Monday ahead of the vote.

The agreement prohibits AI systems intended to generate nonconsensual intimate content involving identifiable individuals. Users would also be barred from intentionally creating such content without consent.

The measure would not prohibit all AI-generated sexual content. Instead, it would allow the creation of synthetic intimate material when all depicted individuals have provided consent.

To qualify for protection, the targeted individual must be identifiable under the General Data Protection Regulation (GDPR), including through a face, name, location, online identifier or other distinguishing characteristics.

Belén Luna Sanz, a women's and digital rights advocate, said that the requirement may create challenges for victims. "It creates a significantly higher threshold for protection of victims and enforcement at the level of product safety," she said.

The proposal also excludes fictional characters and certain artistic, cartoon and medical uses. Critics say questions remain about how different cultures understand intimacy. Silvia Semenzin, a researcher focused on digital violence, pointed to examples involving AI-generated images of Muslim women without hijabs, which some may experience as a serious violation of privacy despite not being sexually explicit.

"Challenges remain regarding the definition of what constitutes 'intimate' content, a concept that varies across cultures and even between individuals," Luna Sanz said.

Who bears responsibility for consent and safeguards?

Under the agreement, consent must be freely given, specific, informed, unambiguous and explicit. Companies offering systems that generate or manipulate intimate content would be required to establish reliable mechanisms to collect and demonstrate consent while complying with the GDPR.

For Semenzin, the burden of proof remains a central concern.

"The person creating or sharing the images should have to prove they had consent and not the other way around," she said. "Victims should not be forced to prove, after the image has been created and it's already circulating, that they did not authorize it."

The agreement would also place new obligations on developers. Regulators could scrutinize companies whose systems predictably and repeatedly generate nonconsensual intimate content if they fail to implement adequate safeguards.

Luna Sanz said the approach is significant because "it puts responsibility not only on the perpetrators of such abuse, but also on the companies."

According to the text, providers would be expected to deploy safeguards including data cleaning, refusal training, prompt-design protections, output controls, runtime guardrails, content filtering, usage restrictions, abuse-detection systems, and notice-and-action mechanisms.

“Platforms will be required to implement robust safeguards, including prompt-level filters, building on existing practices in other regulated domains,” Member of the European Parliament and shadow rapporteur for the Omnibus, Sergey Lagodinsky, told Tech Policy Press.

Markéta Gregorová, another member of the European Parliament and shadow rapporteur on the Omnibus, said many providers already employ similar protections. “Most AI providers don’t want these images to be generated regardless and already have measures in place,” she said. “The cost for these providers will be minimal since they already comply with the ban.” X chatbot, Grok, still hosts and generates sexualized deepfakes of famous women.

Enforcement powers are still missing

As with other parts of the AI Act, enforcement is the real challenge, requiring coordination between national AI market surveillance authorities, the European AI Office, and the European Commission. At the moment, only eight member states have designated a market surveillance authority, and even those bodies have limited powers until national legislation is in place.

“Until national laws are voted, we are not competent to enforce the AI Act,” Berdaï said. According to Berdaï, Italy and Denmark are among the few countries that have approved national laws allowing them to enforce nudity prohibitions. In Luxembourg, regulators can act under the GDPR when personal data processing is involved, but not under the AI Act itself. “It’s just a matter of competence, and as long as the law is not voted on, we don’t have the competence, even though we are skilled,” said Berdaï.

Lithuania faces similar challenges. The country’s Communications Regulatory Authority told Tech Policy Press that “the practical enforcement arrangements are not yet fully defined at the EU level,” including how responsibilities will be divided between national market surveillance authorities and the European AI Office, and that it was still too early to know the exact procedures that will apply from December 2026.

Breaching any of the AI Act’s prohibitions can lead to fines of up to EUR 35 million or, for companies, up to 7% of worldwide annual turnover from the previous financial year, whichever is higher.

After Tuesday’s vote in Parliament, the agreement needs to be adopted by the Council, then published in the Journal of the European Union. Given that the AI Omnibus delays the high-risk provisions scheduled for August 2026, Brussels wants the file ready before that deadline. However, the ban on nudifiers is only due to start on Dec. 2.