EU Fortifies AI Rules, Bans 'Nudifier' Apps in Landmark Deal

Brussels, Belgium — The European Union has reached a pivotal provisional agreement on simplifying its Artificial Intelligence (AI) Act, a legislative milestone that not only aims to streamline compliance for businesses but also introduces an explicit ban on so-called "nudifier" applications and other AI systems deemed to pose unacceptable risks. This latest accord, part of a broader digital omnibus package, reinforces the EU's global leadership in AI governance, balancing innovation with stringent ethical and safety standards. The tentative deal, struck after extensive negotiations, sets clear pathways for the implementation of the world's first comprehensive legal framework for artificial intelligence.

The Pioneering AI Act: A Risk-Based Regulatory Framework

The EU AI Act, which officially entered into force in August 2024, establishes a common regulatory and legal framework for AI across the 27-member bloc, with provisions rolling out gradually over the coming months and years. At its core, the Act employs a tiered, risk-based approach to AI systems, categorizing them into four main levels: unacceptable risk, high risk, limited risk, and minimal risk, with an additional category for general-purpose AI. Systems posing an "unacceptable risk" are outright banned, reflecting the EU's commitment to protecting fundamental rights and democratic values. The recent agreement focuses on refining certain aspects of this comprehensive regulation, including adjusting timelines and clarifying definitions to ease the burden on providers while upholding the Act's foundational principles.

Explicit Prohibitions: Safeguarding Against Harmful AI

A significant outcome of the recent negotiations is the definitive prohibition of AI systems that generate or manipulate non-consensual intimate content, widely referred to as "nudifier" apps. This ban specifically targets AI applications that create child sexual abuse material or depict the intimate parts of an identifiable person, or them engaged in sexually explicit activities, without their consent. This move directly responds to growing concerns over the proliferation of sexually explicit deepfakes, sparked by incidents involving AI chatbots like Elon Musk's xAI Grok. The prohibition extends to placing such systems on the EU market with the intent of creating such content, or doing so without reasonable safety measures to prevent it, and applies to images, video, or audio. Companies will have until December 2, 2026, to ensure their systems comply with this new restriction.

Beyond "nudifier" apps, the EU AI Act prohibits several other AI practices considered clear threats to safety, livelihoods, and fundamental rights. These include AI systems that deploy subliminal techniques to materially distort a person's behavior, exploit vulnerabilities due to age, disability, or socio-economic status, or engage in social scoring by public authorities. Also outlawed are untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases, emotion recognition in workplaces and educational institutions, and biometric categorization to infer sensitive characteristics like race or political opinions. Real-time remote biometric identification in publicly accessible spaces for law enforcement is also generally prohibited, with narrow and strictly defined exceptions for targeted searches for victims, prevention of imminent threats, or identification of suspects of serious crimes. Many of these prohibited practices began to take effect as early as February 2025.

Regulating High-Risk AI and General-Purpose Models

The bulk of the AI Act's requirements center on "high-risk" AI systems, defined as those that can pose serious risks to health, safety, or fundamental rights, even if they offer significant socio-economic benefits. These encompass AI applications in critical infrastructures (e.g., transport), medical devices, employment and worker management, education, law enforcement, and biometric identification systems. Providers of such systems face rigorous obligations, including robust risk assessment and mitigation, high-quality data sets to minimize discriminatory outcomes, comprehensive logging of activity, detailed documentation, transparent information for users, human oversight, and high levels of robustness, cybersecurity, and accuracy.

A key adjustment in the recent provisional deal involves delaying the application dates for obligations on high-risk AI systems. Rules for high-risk AI systems explicitly listed in the regulation, such as those involving biometrics or used in critical infrastructure, education, employment, and law enforcement, will now apply from December 2, 2027, rather than an earlier August 2026 date. For AI systems used as safety components and covered by existing EU sectoral safety legislation, the deadline is extended to August 2, 2028. This delay aims to provide companies with more time to ensure necessary standards and support measures are in place, particularly for technically complex adjustments.

The Act also addresses "general-purpose AI models" (GPAI), which are models capable of performing a wide range of distinct tasks and can be integrated into various downstream systems or applications. GPAI models posing "systemic risks"—such as those with high impact capabilities (e.g., trained with over 10^25 floating point operations)—will face additional stringent obligations. These include conducting model evaluations, assessing and mitigating systemic risks, reporting serious incidents, ensuring adequate cybersecurity, and providing comprehensive technical documentation and a clear copyright policy for downstream providers. Transparency requirements, such as mandatory watermarking of AI-generated content to indicate its origin, will apply from December 2, 2026.

Enforcement, Penalties, and Industry Landscape

The EU AI Act carries significant financial penalties for non-compliance, designed to be effective, proportionate, and dissuasive. Violations of prohibited AI practices, including the "nudifier" app ban, can incur administrative fines of up to €35 million or 7% of a company's total worldwide annual turnover, whichever is higher. Breaches of high-risk AI requirements can lead to fines of up to €15 million or 3% of global turnover, while providing incorrect or misleading information to authorities could result in fines up to €7.5 million or 1.5% of global turnover. Enforcement responsibilities will be shared between the EU's AI Office, particularly for general-purpose AI, and national regulatory authorities for other AI systems.

The revised agreement seeks to simplify compliance, particularly for industrial AI applications. Many AI systems covered by existing product rules, such as the Machinery Regulation, will no longer automatically be classified as high-risk under the AI Act, reducing potential overlapping regulations and administrative burdens. This aims to foster innovation within Europe and ensure that companies are not disproportionately penalized by complex dual regulatory frameworks. The Act's extraterritorial reach means it will impact any business or organization offering AI systems that affect individuals within the EU, regardless of their geographical location.

The provisional deal awaits formal adoption by both the European Parliament and the Council before it officially enters into law. This landmark legislation continues to solidify the EU's position as a global standard-setter in digital regulation, aiming to cultivate trustworthy AI development that prioritizes human safety and fundamental rights while encouraging technological advancement.