Undress Code: EU bans AI Systems which create nudes as US Senate clears the NO FAKES Act

Within the space of four days, two major jurisdictions have moved to regulate AI-generated non-consensual imagery with different approaches. On 14 June 2026, the European Parliament formally approved amendments to the EU AI Act through the so-called Digital Omnibus on AI package, including a new prohibition on apps and AI systems that generate or manipulate non-consensual intimate imagery. On 18 June 2026, the US Senate Judiciary Committee unanimously advanced the NO FAKES Act (S.4591), a bipartisan bill that would give every American a federal right over AI-generated replicas of their voice and likeness. Both developments trace a common origin: a wave of AI-enabled harms — most visibly the Grok scandal of December 2025, when Grok's picture-editing feature on X produced a surge of non-consensual sexualized deepfakes — that exposed gaps in existing legal frameworks.

A gap the DSA couldn’t fill

In the EU, the primary tool for regulating harmful online content is the Digital Services Act (DSA) under which governments can compel platforms to remove illegal content and conduct systemic risk assessments. Following the Grok incident, the European Commission opened investigations under both the DSA and the GDPR. But the DSA only applies to online platforms and search engines, not to standalone applications, such as AI or so-called "nudifier" apps that generates nudes from clothed photos but don't distribute them through a covered platform, leaving them largely outside the DSA’s reach. The AI Act amendments are designed to close that gap, applying directly to AI system providers and deployers regardless of where the harm occurs.

The EU approach: a new prohibited practice from December 2026

The EU amendments add two new entries to the list of prohibited AI practices AI systems that generate or manipulate realistic depictions of an identifiable person’s intimate parts, or of an identifiable person engaged in sexually explicit activities, without their freely given, specific, informed, unambiguous, and explicit consent; and AI systems that generate or manipulate child sexual abuse material (CSAM) within the meaning of Directive 2011/93/EU.

The prohibitions take effect on 2 December 2026 and apply differently depending on the role in the AI supply chain:

1. Providers are caught where generating prohibited material is the system’s intended purpose, or where such output is a reasonably foreseeable and reproducible outcome without significant technical modification and the provider has not implemented adequate technical safety measures to reliably prevent it.

   
   

2. Deployers are caught only where they use an AI system for the purpose of generating or manipulating the prohibited material, including by circumventing a provider’s safety measures, but not where the prohibited output is accidental.

The package also extends deadlines for compliance with high-risk AI system obligations under Annex III (use-based systems) by 16 months, from 2 August 2026 to 2 December 2027, giving operators additional runway ahead of the next implementation milestone. Amendments to transparency obligations for synthetic content and the reallocation of supervisory competence to the AI Office for systems integrated into very large online platforms round out the changes.

The US approach: a federal right to your own likeness

The US continues their tradition of cleverly named laws with the Nurture Originals, Foster Art, and Keep Entertainment Safe (NO FAKES) Act, taking a very different approach. Rather than banning a category of AI output, which could be in violation of the First Amendment, the law creates an individual property right for every American, not just public figures, giving a federal right to authorise or block AI-generated replicas of their voice and visual likeness.

The bill carves out First Amendment uses including news reporting, parody, and satire, and establishes a single national notice-and-takedown framework with a counter-notice process for material removed in error.

Penalties are tiered and significant, with US $5,000 per work for an individual who creates or distributes an unauthorised replica; US $25,000 per work for a company; and US $750,000 per work for an online service that fails to comply with its notice-and-takedown obligations.

The bill passed the Senate Judiciary Committee unanimously by voice vote on 18 June — though three Republican senators raised First Amendment concerns, and the Electronic Frontier Foundation has urged Congress to reject the bill on the grounds it could sweep up parody and criticism. The EFF notes that the NO FAKES Act protects contractually transferred rights so that:

Earlier versions failed in 2024 and in April 2025. The bill has drawn backing from major record labels, Spotify, Google, OpenAI, IBM, and YouTube, and aligns with the White House’s National Policy Framework for Artificial Intelligence released in March 2026, which called on Congress to establish a federal framework protecting individuals from the unauthorised commercial use of AI-generated digital replicas.

Different mechanisms both targeting the same outcome

The EU and US approaches reflect different legal traditions. The EU amendment is a prohibition on a class of AI system those building or deploying AI from 2 December 2026 without adequate safeguards are likely in breach Article 5 of the AI Act. The US NO FAKES Act instead leaves individuals to issue take down notices and platforms face liability. This is a supply side attack by he EU and a demand side response by the US. Other countries like the Cayman Islands and Australia have no equivalent legislation in force, though existing criminal and civil frameworks address the sharing of non-consensual intimate images. In London, the UK’s Online Safety Act 2023 makes the sharing of intimate imagery a "priority offense" (the same level of seriousness as CSAM and terrorism) and the Data (Use and Access) Act 2025 specifically creates an offense of creating deepfake nudes.

What now?

Platforms, AI developers, and content businesses operating in the EU or with EU users should act promptly to:

1. assess whether any AI systems they provide or deploy could generate or manipulate intimate imagery of identifiable individuals — including systems not primarily designed for this purpose where such output is a reasonably foreseeable outcome;

   
   

2. review technical safety measures against the December 2026 prohibition deadline, noting that the standard requires measures that reliably prevent prohibited outputs, not merely flag or review them after the fact;

   
   

3. audit supply chain agreements with AI model providers to confirm information-sharing obligations under the amended Article 25 are met, given that breaches now attract fines of up to 3% of worldwide annual turnover; and

   
   

4. for US-facing platforms and services, monitor the NO FAKES Act’s progress through the full Senate and House, and assess any take down notices and response given the the $750,000-per-work platform liability and litigious culture of the US.

With the legislative approach providing ample cloth, the scourge of online fake nudes may have a legislative cloak thrown across the ongoing harm to victims, whether this balances freedom of speech and other libertarian concerns will remain to be seen.

By Michael Bacina