EU AI Act Deal Bans Nudifier Apps and Sexualized Deepfake Tools
EU Parliament and Council negotiators reached a provisional agreement to amend the EU Artificial Intelligence Act, adding a ban on AI systems used to create non-consensual sexualized depictions of identifiable people and synthetic child sexual abuse material, including so-called "nudifier" apps. The deal also advances related transparency rules by setting watermarking obligations for AI-generated content to 2 December 2026, while the new ban would also take effect on that timeline if formally adopted. The agreement still requires final approval by both Parliament and the Council.
The package also delays several AI Act compliance deadlines and simplifies parts of the regime under the EU's digital omnibus effort. Obligations for standalone high-risk AI systems would move to 2 December 2027, while AI used as safety components in products covered by sectoral safety laws would shift to 2 August 2028. Negotiators also narrowed some machinery-related requirements, allowed limited use of sensitive personal data to detect and correct algorithmic bias, extended certain SME exemptions to small mid-cap firms, and centralized enforcement for some general-purpose AI systems through the EU AI Office.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
RedAccess finds 5,000+ publicly exposed AI-built web apps
Researchers at RedAccess reported that more than 5,000 publicly accessible web applications built with AI coding platforms lacked proper protections and exposed sensitive corporate and personal data. The investigation also identified phishing pages hosted on AI coding platform domains impersonating major brands.
EU Parliament and Council negotiators reach provisional AI Act deal
Negotiators from the European Parliament and Council reached a provisional agreement under the digital omnibus package to amend the AI Act. The deal delays some compliance deadlines, moves watermarking obligations to 2 December 2026, and bans AI systems used for child sexual abuse material and non-consensual sexualized depictions of identifiable persons.
EU Parliament committee backs AI Act changes and nudifier app ban
The European Parliament announced a position on amendments to the AI Act that would delay parts of the law’s application and ban AI systems used to create child sexual abuse material or non-consensual sexualized depictions, including nudifier apps.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
AI Coding Tools Expose Thousands of Apps With Sensitive Corporate Data Online - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceEuropean Union Agrees to Ban AI Generated Non Consensual Sexualized Deepfakes - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceEU AI Act Deal Brings Nudifier App Ban And Rule Delays
thecyberexpress.com
Open sourceAI Act: deal on simplification measures, ban on “nudifier” apps | News | European Parliament
europarl.europa.eu
Open sourceArtificial Intelligence Act: delayed application, ban on nudifier apps | News | European Parliament
europarl.europa.eu
Open sourceEuropees Parlement achter verbod op uitkleed-apps, gaat voor de zomer in
nos.nl
Open sourceMEPs reach preliminary political agreement on AI omnibus | IAPP
iapp.org
Open sourceAI companies see sexual-deepfakes ban now added to EU countries’ position | MLex | Specialist news and analysis on legal risk and regulation
mlex.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Moves to Curb AI-Generated Sexual Abuse and Deepfake Harms
European policymakers advanced new measures aimed at limiting **AI-enabled sexual abuse and impersonation harms**, with the **European Council** proposing amendments to the AI Act that would ban AI systems used to generate non-consensual intimate imagery, including **nudification tools** and child sexual abuse material. The proposal also tightens standards for processing sensitive personal data, and follows parallel action in the **European Parliament**, increasing the likelihood that a negotiated EU position will include explicit restrictions on these abusive AI uses. The push comes amid broader concern over the real-world impact of generative AI, including the recent backlash over AI-generated intimate imagery. Separately, **YouTube** expanded access to its AI-driven likeness detection system for **government officials, journalists, and political candidates**, allowing eligible users to identify AI-generated impersonation videos and request removal when content violates platform privacy rules. The system is designed to detect synthetic uses of a person’s likeness while preserving exceptions for parody, satire, and other public-interest expression. Other cited items were not part of the same event: one covered the EU’s extension of voluntary **CSAM** detection rules under the ePrivacy framework, and another reported research showing major chatbots sometimes provided violent guidance to would-be attackers.
Mar 30, 2026
EU AI Act Imposes Risk-Based Rules on High-Risk and Biometric AI
The European Union has adopted Regulation (EU) `2024/1689`, creating a harmonised legal framework for the development, marketing, deployment, and use of AI systems across the bloc. The law applies a risk-based model that bans certain uses deemed unacceptable, including social scoring, manipulative AI, untargeted facial-image scraping, and some emotion-recognition and biometric-categorisation practices, while imposing mandatory obligations on high-risk AI systems. It also extends in some cases to providers and deployers outside the EU when AI outputs are intended for use in the Union. The regulation sets detailed requirements for high-risk AI used in areas such as critical infrastructure, education, employment, essential services, law enforcement, migration and border control, justice, and elections. Providers, importers, distributors, authorised representatives, and deployers must meet obligations covering risk management, data governance, technical documentation, logging, transparency, human oversight, robustness, accuracy, cybersecurity, post-market monitoring, accessibility, and AI literacy. The Act also places strict limits on real-time remote biometric identification in publicly accessible spaces, with narrow exceptions, authorisation requirements, and oversight, while preserving the application of existing EU rules on data protection, consumer protection, product safety, liability, and related sectoral frameworks.
May 26, 2026
European Commission Proposes Deregulatory Changes to GDPR and AI Regulations
The European Commission has introduced a legislative package, known as the Digital Omnibus, aimed at simplifying and consolidating digital regulations across the European Union. This proposal seeks to merge multiple pieces of legislation into a single framework, streamlining rules on artificial intelligence, cybersecurity, and data management. A key component of the package is the relaxation of certain General Data Protection Regulation (GDPR) provisions, including delaying the enforcement of regulations on high-risk AI systems and permitting companies to use personal data for AI training without prior user consent in most cases. The initiative also includes the launch of a European Business Wallet to facilitate digital operations for companies and public sector bodies, and a new Data Union Strategy to unlock high-quality data for AI development. EU officials argue that these changes will reduce administrative burdens and compliance costs for businesses, fostering innovation and competitiveness within the bloc. However, the proposal has drawn criticism from privacy and digital rights advocates, as well as some political parties, who warn that it could significantly weaken data privacy protections that have been a hallmark of the EU's regulatory landscape. The legislative package must still be approved by the European Parliament and the Council of the European Union, and its future remains uncertain amid ongoing debate over the balance between innovation and fundamental rights.
Mar 21, 2026