AI Regulation Tracker / Enforcement and litigation
Amsterdam Court Orders X and xAI to Stop Grok Generating Non-Consensual and Abuse Images for Dutch Users
In preliminary-relief proceedings, the Amsterdam District Court ordered X and xAI to stop Grok generating and distributing non-consensual AI "undress" images and child-sexual-abuse material for people resident in the Netherlands, under a penalty of up to EUR 10 million. It is an interim order, not a final judgment, and it rests on the GDPR and Dutch civil law.
On March 26, 2026, the preliminary-relief judge of the Amsterdam District Court issued an order against three X and xAI entities: X.AI LLC, X Corp and X Internet Unlimited Company. The court prohibited them from generating and distributing, through Grok and Grok inside X, non-consensual AI "undress" images and child-sexual-abuse material. The prohibition applies to images of people who live in the Netherlands. The court set a penalty of EUR 100,000 for each day the defendants fail to comply, up to a ceiling of EUR 10 million.
The case was brought by Stichting Offlimits, a Dutch foundation that works against online abuse imagery. The hearing took place on March 12, 2026, and the ruling followed two weeks later. In the court's own summary, the preliminary-relief judge prohibits Grok and X from generating and distributing such images, and the prohibition covers images of persons resident in the Netherlands.
What the court actually ordered
The order is specific and it is limited. The court did not shut down Grok, and it did not rule on whether X and xAI are ultimately liable for anything. What it did was issue an interim command: for people who live in the Netherlands, stop the two categories of image at issue, and pay a penalty for every day you do not.
The two categories are non-consensual AI "undress" or "nudify" output, meaning synthetic images that depict a real person without clothing when the person never consented, and child-sexual-abuse material. The court treated both as unlawful and ordered them stopped through the Grok feature and through Grok as it operates inside the X platform.
The penalty structure is the part US readers should register. A dwangsom, or incremental penalty payment, of EUR 100,000 per day is not a headline number invented for effect. It is a standard Dutch mechanism to force compliance with a court order, and here it is capped at EUR 10 million. The number exists to make ignoring the order expensive rather than to punish past conduct.
The legal basis, and why it reaches a US company
The court grounded the order in two things. The first is the AVG, which is the Dutch name for the General Data Protection Regulation, the GDPR. The second is article 6:162 of the Dutch Civil Code, the general provision on unlawful acts, which is the Dutch equivalent of a tort claim for wrongful conduct.
Using the GDPR here is the detail that matters for people outside the Netherlands. A synthetic image that depicts an identifiable real person is personal data about that person, and generating it can be processing of that data. When the people depicted live in the EU, the GDPR can apply to that processing regardless of where the company doing it is incorporated. That is how a set of US-registered entities ended up subject to an order from a court in Amsterdam. The regulation follows the data subject, not the company's home address.
The foundation and Dutch coverage described the order as a world-first against an AI "undress" function. Whether or not it holds that title, it is a concrete instance of an EU national court taking a generative-AI feature run by a US company and telling it to stop a specific output for EU residents, with money attached.
What this is, and what it is not
I want to be precise, because interim orders get over-read in both directions.
This is preliminary relief. A kort geding is a fast-track procedure for urgent situations, and the judge decides on a provisional basis without the full evidentiary record of a normal case. The order is enforceable now, but it is not the last word. It is not a final judgment on the merits, it does not settle liability, and a later proceeding on the full merits could reach a different or a more detailed result. Treat it as a binding stop order, not as a closed case.
It is also narrow in scope. The prohibition runs to the named X and xAI entities, it concerns two specific categories of image, and it protects people resident in the Netherlands. It is not a general ruling about generative AI, about Grok's other functions, or about AI companies at large. Reading it as anything broader than its terms is a mistake.
What it is, is a live example of EU data-protection law being applied by a court, in a hurry, to a US AI feature, with a real penalty for non-compliance. That combination is what gives it weight beyond the parties.
What this means for US finance and compliance leaders
A Dutch court is not your regulator, but the exposure pattern here travels. If your company builds or deploys a generative-AI feature and it is available to users in the EEA, an EU national court can apply the GDPR to what that feature does with data about EU residents, and it can attach a coercive daily penalty to an order to stop. The company's US incorporation does not put it out of reach.
For compliance and finance functions, that turns into a small number of concrete questions. Where does our AI product operate, and does it reach EU users. What does it do with data about identifiable people. Can it produce output that a European court would treat as unlawful processing or as clearly harmful, and what controls sit in front of that. And if an order like this landed on us, what would a EUR 100,000-per-day penalty do to the numbers while we scrambled to comply. None of that is a filing requirement. It is the kind of cross-border legal exposure that belongs in a risk register rather than a footnote.
The broader read is that EU enforcement against AI harms is not only coming through the AI Act and the data-protection authorities. It is also coming through ordinary courts, applying existing law, at speed, at the request of civil-society claimants. That is a wider surface than a lot of US compliance planning currently accounts for.
What to do now
Read the order for what it says, not for the headline. It is an interim, preliminary-relief prohibition against specific X and xAI entities for two categories of image affecting Dutch residents, not a final ruling and not a general judgment about AI. Map whether your own AI products reach EU users and what personal data they process, because that is the exposure this case turns on. Confirm you have controls that prevent your systems from generating clearly unlawful output, and that you can document them. And if you carry AI product risk on the balance sheet, price in the reality that an EU court can order a stop and back it with a daily penalty, and take that scenario to qualified EU counsel rather than reasoning from a US-only frame.
Questions professionals are asking
Is this a final court ruling against X and xAI?
No. It is a preliminary-relief order, known in the Netherlands as a kort geding. That is a fast-track, provisional decision for urgent situations. The order is binding and enforceable now, but it is not a final judgment on the merits, and it does not settle overall liability.
What exactly did the Amsterdam court order?
It ordered X.AI LLC, X Corp and X Internet Unlimited Company to stop Grok generating and distributing non-consensual AI "undress" images and child-sexual-abuse material for people who live in the Netherlands, under a penalty of EUR 100,000 per day, capped at EUR 10 million.
Why does a Dutch court have reach over US companies?
The court applied the GDPR, which can govern the processing of personal data about people in the EU regardless of where the company is incorporated, together with the unlawful-act provision of the Dutch Civil Code. Because the people depicted live in the Netherlands, the court treated the conduct as within its reach.
Does this affect US CPAs or US operations directly?
Not directly. A Dutch court order does not bind US filings or US operations. Its value for US finance and compliance leaders is as a cross-border exposure signal: an EU national court can apply the GDPR to a US AI feature reaching EU users and enforce it with a daily penalty.
Who brought the case?
The Dutch foundation Stichting Offlimits, which works against online abuse imagery, brought the proceedings. That is itself notable, because it shows civil-society claimants using ordinary courts and existing law to move quickly against AI harms, alongside formal regulators.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any court order, standard, or requirement applies to your situation with qualified counsel in the relevant jurisdiction.