eSafety Codes Reach AI Nudify and Deepfake Tools | TLY

AI Regulation Tracker  /  Online safety code

Australia's eSafety codes make AI nudify tools block children or face civil penalties

The eSafety Commissioner has begun enforcing Australia's Age-Restricted Material Codes against generative-AI "nudify" services, using formal directions that give a provider 14 days to add child-access controls or face reported civil penalties and search-engine delisting.

Australia's eSafety codes make AI nudify tools block children or face civil penalties regulation briefing
The Leveraged Years AI Regulation Tracker

Australia's eSafety Commissioner has moved from writing rules to enforcing them. The regulator has issued a formal Direction to Comply to a widely used generative-AI "nudify" service, the first enforcement action of its kind under the Age-Restricted Material Codes, the registered industry codes that came into effect on March 9, 2026. The direction requires the service to put controls in place that stop children reaching a tool that lets users upload images of real people and generate sexually explicit deepfake content.

What the codes require

The Age-Restricted Material Codes sit under Australia's Online Safety Act. According to eSafety, the codes were registered in September 2025 and took effect on March 9, 2026. They apply across several categories of provider, including app distribution platforms, equipment providers, social media services, relevant electronic services, and designated internet services. The core duty is preventive. Regulated providers must deploy systems that stop children from accessing or being exposed to age-restricted material, a category that eSafety describes as including pornography, high-impact violence, and content promoting self-harm, suicide, or disordered eating. Generative-AI image tools that can produce sexual deepfakes fall within that reach when they are accessible to Australian users.

The enforcement mechanism

The Direction to Comply is the first step in what eSafety calls a graduated enforcement process. As reported, a service that receives a direction has 14 days to implement the required protections. If it does not, eSafety has said it may pursue further action, including civil penalties reported up to AU$49.5 million and delisting notices sent to search engine providers that help users reach the service. The penalty figure reflects the maximum court-imposed amount available for a corporation under the relevant provisions, calculated in penalty units, rather than a fine already levied. eSafety has framed the current action as targeting systemic non-compliance, not a single incident.

What it does not do

The direction does not, on its own, shut a service down or impose a fine. It sets a compliance deadline and preserves eSafety's ability to escalate. A provider that meets the requirements within the window avoids the penalty track. The codes also do not ban generative-AI image tools outright. They require that such tools, when reachable by Australian users, carry effective controls that keep children out. The distinction matters for operators. The obligation is to build and evidence age-assurance and access systems, not merely to remove offending outputs after they surface.

What age assurance looks like in practice

The codes turn on stopping children from reaching age-restricted material, so the compliance question becomes how a provider knows who is on the other side of the screen. eSafety has framed age assurance broadly, covering methods a service can use to establish that a user is an adult before granting access. For a generative-AI image tool, that shifts the burden to the entry point of the service, not the output. A tool that generates sexual deepfakes on demand cannot rely on after-the-fact takedowns to meet the duty, because the harm the codes target is a child gaining access at all. Trust-and-safety teams should expect to document which age-assurance method they use, how it is applied, and how it holds up when a user tries to bypass it.

Why the pressure is producing results

eSafety has reported that several "nudifying" services stopped operating in Australia as regulatory pressure increased, and it has taken action against more than one major service. That pattern suggests the codes are changing provider behavior before penalty proceedings conclude. Part of the leverage comes from the delisting mechanism. A service that is hard to find through search is harder to monetize, so the threat of notices to search engines reaches providers that might otherwise ignore a foreign regulator. For trust-and-safety leads, the operational signal is that access control and age assurance are now the front line, and that visible enforcement is being paired with public naming of the conduct at issue.

The cross-border angle for US readers

The codes bind conduct in Australia, but their practical reach extends to any provider whose service is accessible to Australian users, including US-based generative-AI companies with no local office. A US operator that offers an image tool globally can receive a direction and face the delisting and penalty mechanisms if the service is reachable in Australia. That makes the Australian regime a live compliance question for US trust-and-safety and legal teams, and a preview of how age-assurance duties for AI image tools may be framed in other markets.

Frequently Asked Questions

What changed under Australia's Age-Restricted Material Codes?

The codes, registered industry codes under the Online Safety Act, came into effect on March 9, 2026, and eSafety has begun enforcing them against generative-AI "nudify" services. Regulated providers must now deploy systems that stop children from accessing age-restricted material, including sexual deepfake content, rather than acting only after harm is reported.

Who is affected by these codes?

The codes reach app distribution platforms, equipment providers, social media services, relevant electronic services, and designated internet services, including generative-AI image and "nudify" tools accessible to Australian users. Trust-and-safety teams, content-moderation leads, app stores, and search engines that index these services are all in scope.

What penalties and enforcement steps can eSafety use?

eSafety issues a Direction to Comply as the first step in a graduated process. As reported, the provider then has 14 days to act. If it does not, eSafety has said it may seek civil penalties reported up to AU$49.5 million and send delisting notices to search engines. These figures are described by eSafety as the maximum available, not amounts already imposed.

Does this apply to a US-based AI image company with no office in Australia?

It can. The codes focus on whether a service is accessible to Australian users, so a US provider offering a generative-AI image tool globally can receive a direction and face the delisting and penalty mechanisms even without a local presence.

What should a provider do first?

Confirm whether the service falls within the code categories, then review its age-assurance and access controls against the codes' requirements before any direction is issued, since a direction as reported leaves only 14 days to comply.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.