On 20 May 2026, Australia's eSafety Commissioner issued a formal Direction to Comply against an Argentina-based AI "nudify" service — an app that lets users upload a photo of a real person and generate an on-demand, sexually explicit deepfake. The provider, which eSafety says was attracting roughly 40,000 Australian visits a month as of March 2026, was given 14 days to put in place measures preventing children from reaching the service. It had not responded or committed to any safeguards. Non-compliance, eSafety warned, can draw civil penalties of up to A$49.5 million and delisting notices to search engines.
This is the first enforcement action under the Age-Restricted Material Codes (the "ARM Codes"), which commenced in March 2026 as Phase 2 of Australia's industry-code regime under the Online Safety Act 2021. For a publication that is instinctively wary of state content controls, it is worth saying plainly where this action lands: it is about as defensible as online-safety enforcement gets.
The strongest case for the regulator
Start with the steelman. On-demand nudify tools are not a marginal edge case of a broadly useful technology — their core function is producing non-consensual intimate imagery, and a large share of the resulting material depicts minors. eSafety Commissioner Julie Inman Grant said the platform's popularity and "the ease of which children can access it is deeply concerning," and that the regulator would "not hesitate to use our enforcement powers." The harms she lists — image-based sexual abuse, sexual extortion, cyberbullying, and exploitation of minors — are concrete, documented, and disproportionately fall on teenagers, often generated by their own classmates.
There is no plausible free-speech interest in a stranger generating fake nudes of a real child from a school photo. A regulator that targets exactly this use case, with a graduated process that starts with a notice and a fortnight to fix things rather than an immediate fine, is behaving the way a proportionate regulator should. The Direction to Comply is the first step in an escalating ladder, not the last.
Why this enforcement is narrow — and why that matters
The encouraging feature of the May 20 action is what it is not. It is not a blanket order against generative AI, not a demand that platforms scan or pre-clear user content, and not a takedown of lawful adult material. It is aimed at a service whose advertised purpose is synthetic sexual abuse, and the operative remedy is a children's-access gate, not a ban on the tool's existence for adults.
eSafety's own track record supports reading this as targeted rather than expansionist. Three of the most widely used nudify services withdrew from the Australian market in late 2025 after earlier eSafety pressure; according to coverage of the new action, they have since relaunched under new ownership with mandatory age-assurance measures in place. That is the outcome a well-calibrated regime should produce — not the disappearance of a technology category, but the disappearance of its unmitigated, child-accessible form.
Enforcement that changes provider behaviour without conscripting the broader internet into a surveillance role is the version of online safety the open-internet community can live with.
The part worth watching
The caution is not about this defendant; it is about the machinery. The ARM Codes turn on "age assurance" — the obligation to keep children away from class 1C and class 2 material such as pornography, including simulated and deepfake pornography. Age assurance, applied well, means a friction-light check at the door of a genuinely harmful service. Applied badly, it becomes age verification across ever more of the web, with users handing identity documents or biometric face-scans to third parties to read ordinary content.
That is the slope that should worry innovators and civil-liberties advocates alike. The same month eSafety issued this direction, the Electronic Frontier Foundation was warning that a wave of U.S. state bills are "masquerading as 'children's online safety' measures" while functioning as censorship. The Australian codes are better drafted and more narrowly targeted than those bills — but the underlying tool, mandatory age gating, is identical, and tools migrate from their best-justified use to their most expansive one.
Two design questions will determine whether the ARM Codes stay proportionate. First, scope: does "age-restricted material" stay anchored to genuinely high-impact content like nudify output, or does it creep toward general-purpose platforms and lawful adult expression? Second, privacy: does eSafety hold providers to age-assurance methods that are data-minimising and verifiable, or does compliance default to document-and-biometric collection that creates new honeypots of sensitive data?
The extraterritorial reality
There is also a hard practical limit on display. The target is an Argentine operator that has simply ignored an Australian regulator. eSafety's leverage is real but indirect — civil penalties it may struggle to collect across borders, and search-engine delisting that degrades discoverability without removing the service. That is a feature, not a bug, from a proportionality standpoint: it pushes eSafety toward remedies that shape access for Australians rather than asserting global takedown authority over foreign code.
The right verdict, then, is qualified approval. Using new powers first against an unambiguous abuse case — a non-responsive nudify operator generating synthetic child sexual material — is the regulator earning its mandate on the merits. The job for everyone who cares about an open internet is to hold eSafety to that standard as the codes mature: keep the target narrow, keep age assurance privacy-preserving, and resist the gravitational pull from "stop nudify apps reaching kids" toward "verify everyone's identity to read anything." On 20 May, the line held. The work is keeping it there.