EU Tightens AI Act: Bans AI-Generated Sexual Content and Strengthens Privacy Rules

EU Lays Down the Law: Stricter AI Rules on the Way

The Council of Europe launched proposed amendments to the AI Act on Monday, March 16, that go further than the original regulations. The key changes:

1. Ban on Nudification Tools

AI tools that generate or manipulate images to depict people nude without consent — so-called nudification apps — will be directly prohibited under the AI Act. This is an extension of the existing ban on "deepfake sexual content" and responds to a wave of abuse cases, particularly against women and minors.

2. Stricter Rules for Sensitive Personal Data

Processing special categories of personal data with AI systems — health, biometrics, ethnicity, religion — will face enhanced requirements for risk assessment, documentation, and human oversight.

3. Connection to GDPR

The amendment proposals clarify the interaction between the AI Act and GDPR. Companies using AI to process personal data will need to handle two regulatory frameworks in parallel — with stricter requirements than if they were applied separately.

What Happens Now?

The proposals have been sent to the European Parliament and Commission for consideration. Given that enforcement of the AI Act is already postponed until 2027, it's likely these additions will be adopted and incorporated into the final regulations.

---

My take:

For CISOs and DPOs: this is a clear signal that EU regulation of AI doesn't end with the AI Act base text. The regulatory framework is growing. Companies processing biometric data, HR data, or health data with AI systems should already now identify and document these use cases. Compliance here is not a one-time project — it's a living framework. Start with an AI data processing protocol linked to GDPR Article 35 (DPIA) and build from there.