Platform Governance and Technology-Facilitated Gender-Based Violence: Positioning the DSA in the EU’s Legal Framework

By Magdalena Jóźwiak and Jella Ohnesorge

This post examines technology-facilitated gender-based violence (TFGBV) as a systemic phenomenon and maps the main EU legal instruments available to address it—including the AI Act, the GDPR, the Directive on combating violence against women and domestic violence, and the DSA. It argues that while the DSA’s systemic risk framework is particularly well suited to tackling the structural drivers of TFGBV, its promise has yet to be realised in practice through implementation and enforcement.


In late December 2025, users of the social media platform X gained access to Grok, the platform’s embedded generative AI tool. By simply prompting @Grok, users could create or alter an image and share it on the platform with the click of a button. Almost immediately, the platform was flooded by sexualised AI-generated content, mostly depicting women, including nonconsensual deepfakes ‘undressing’ real people and children. According to research by the Center for Countering Digital Hate, Grok was used to create an estimated three million sexualised images disseminated on X over an 11-day period, including over 20,000 depicting minors.

Although X subsequently claimed to introduce safeguards, the damage was already done. The incident triggered many regulatory responses around the world, including proceedings by the European Commission under the Digital Services Act (DSA) and a criminal investigation by the French authorities, culminating in a raid on X’s Paris offices.

However striking the Grok case might be, it brought an alarmingly common phenomenon into the mainstream. The example demonstrates how quickly technology-facilitated gender-based violence (TFGBV) can scale when platform affordances, weak safeguards, and misogynistic user cultures converge.

The growing prevalence of TFGBV has prompted increasing attention from international organisations. While much of the early work developed within the human rights framework, including through the work of UN Women, the issue has more recently become an important concern of platform regulation in the EU. Although no single EU legal instrument comprehensively regulates TFGBV, a range of legal frameworks may apply to different aspects of the phenomenon, including the DSA, the GDPR, the AI Act and the Directive on combating violence against women and domestic violence.

This post makes three points. First, it explains why TFGBV should be understood as a systemic phenomenon shaped by the dynamics of digital platforms. Second, it maps the main EU legal frameworks that may apply to TFGBV, distinguishing between prohibitory, remedial, and anticipatory approaches, and highlighting the limitations of each. Third, it examines how the DSA’s systemic risk framework responds to the systemic nature of TFGBV. We argue that its anticipatory logic is particularly promising while also highlighting important gaps in its scope, implementation and enforcement.

TFGBV as a systemic phenomenon

The UN defines TFGBV as “any act that is committed, assisted, aggravated, or amplified by the use of information communication technologies or other digital tools, that results in or is likely to result in physical, sexual, psychological, social, political, or economic harm, or other infringements of rights and freedoms”. TFGBV can take many forms, including but not limited to sextortion (blackmail by threatening to publish sexual information, photos or videos), doxxing (publishing private personal information), online sexual harassment, or cyberstalking.

Platform design plays an important role in shaping both the spread and the persistence of TFGBV. For example, the recommender systems of social media platforms often favour controversial content due to monetary incentives. They are optimised for engagement and tend to promote content that provokes outrage, because psychological triggers such as anger, fear, and moral indignation increase time spent on the platform as well as clicks, comments, and reactions. As a result, misogynistic, hateful and violence‑supporting content directed at women and gender‑diverse people may often receive disproportionate visibility.

An example of non-consensual intimate image-based abuse (NCIIA), like in the Grok case, illustrates platform dynamics very well. Sexualised images can spread quickly through the algorithmic design of platforms and be shared on other platforms. They can also be replicated and shared independently of the original post. Therefore, it is very difficult to contain an image once it is ‘out there’ by the time victims discover it and seek removal.

The consequences extend far beyond individual pieces of content. A growing body of research links online gender-based violence to serious and lasting harms, including deterioration of mental health, withdrawal from public participation, and, in some cases, offline violence. Women in public-facing roles – including journalists, politicians, academics and activists – are disproportionately targeted by online harassment, stalking and doxxing. Meanwhile, misogynistic communities associated with the so-called “manosphere” have increasingly been linked to radicalisation and violent extremism. There is also a broader cultural impact – platforms such as those distributing NCII contribute to a culture that normalises the objectification of women and erodes respect for their privacy and autonomy.

Finally, TFGBV rarely occurs in isolation. Rather, it develops across interconnected digital ecosystems. Research by the Institute for Strategic Dialogue documents extensive online networks that mobilise around misogynistic ideologies while distributing access to AI tools designed to generate sexualised and abusive imagery. Women represent the overwhelming majority of victims. Another recent study identified a dramatic increase in easily accessible deepfake models, with women accounting for 96% of those targeted.

Along with this increased accessibility of AI-generation tools, research by AI Forensics has shown how Telegram acts as coordinating infrastructure for a broader cross-platform ecosystem of abuse. Images of women are routinely scraped from platforms such as TikTok and Instagram, private or ephemeral content is redistributed from services including Instagram, WhatsApp and Snapchat, and users are encouraged to target women across these platforms through practices such as cyberharassment and cyberflashing. Reddit often serves as an entry point, directing users to dedicated Telegram communities. Together, these findings demonstrate how different online services perform complementary roles within a coordinated infrastructure of TFGBV.

These findings reinforce a common theme across the literature: TFGBV is a systemic phenomenon shaped by the interaction of platform design, networked communities, and an underlying culture of misogyny. Individual abusive acts both arise from and reinforce this broader sociotechnical system.

Mapping EU tools applicable to TFGBV

Within the EU, the issue of TFGBV can be approached via a patchwork of legal frameworks that may apply to different manifestations of the phenomenon and intervene at different stages in relation to harm. This temporal dimension is particularly important in the context of TFGBV. As harmful content is copied, recommended and redistributed across platforms, the effectiveness of legal interventions decreases rapidly over time. The timing of both moderation and regulatory intervention more broadly is therefore crucial.

Such a temporal perspective provides a useful way of understanding the existing EU legal framework. Broadly speaking, three regulatory approaches can be distinguished:

  • Prohibitory, which seek to prevent particularly harmful technologies or conduct from being marketed or deployed (for example, the AI Act prohibition of certain AI systems and criminal law).
  • Remedial, which respond once harm has already occurred (for example, notice and action mechanisms (Article 16 DSA), trusted flaggers (Article 22 DSA), out-of-court dispute settlement (Article 21 DSA), civil and administrative proceedings brought under GDPR, or criminal proceedings).
  • Anticipatory (risk-based), which require organisations to identify and mitigate foreseeable risks of harm before they materialise (most notably the DSA systemic risk framework under Articles 34 and 35).

The following sections briefly discuss each approach while highlighting its structural strengths and limitations.

Prohibitory measures

  • AI Act

From the perspective of TFGBV, one of the most significant recent developments is the amendment to the AI Act agreed on 7 May 2026. It prohibits AI systems that generate child sexual abuse material or create images, videos or audio depicting an identifiable person’s intimate parts or sexually explicit activities without their consent. Importantly, the prohibition is not limited to dedicated “nudifier” applications. By conditioning market access on the implementation of adequate technical safeguards, it also extends to general-purpose or dual-use AI systems capable of generating such material. Providers must bring their systems into compliance by 2 December 2026.

The amendment is welcome because it recognises the particular harms of AI-enabled image-based abuse. Nevertheless, some structural limitations remain. The prohibition focuses on depictions of “intimate parts” and “sexually explicit activities”, concepts that inevitably leave difficult boundary questions. Harmful synthetic imagery may be created without revealing intimate body parts, while perceptions of intimacy vary considerably across individuals and cultures. Moreover, the amendment provides little guidance as to what constitutes “adequate technical safeguards”, leaving significant uncertainty for both providers and regulators.

  • Directive on combating violence against women

The Directive, which Member States must transpose by 14 June 2027, occupies an intermediate position between prohibitory and remedial approaches. By harmonising minimum criminal offences, it seeks both to deter perpetrators and to ensure that victims have access to effective criminal remedies.

A comprehensive analysis of the Directive is beyond the scope of this post. From the perspective of platform regulation, it is important, however, that the Directive harmonises minimum criminal offences relating to four forms of TFGBV: the non-consensual sharing of intimate or manipulated material, cyberstalking, cyber harassment, and cyber incitement to violence or hatred. By requiring Member States to criminalise these offences, the Directive strengthens legal certainty for victims, making it easier for victims to rely on existing procedural mechanisms, including Article 16 DSA notices discussed below.

At the same time, as an instrument of criminal law harmonisation, its definitions are necessarily precise and therefore relatively narrow. As Rigotti and McGlynn observe, this leaves certain forms of TFGBV outside its scope. For example, Article 7(b) criminalises the nonconsensual production, manipulation or alteration of material depicting an identifiable person engaged in “sexual activities” — a distinction which may not apply to many forms of nonconsensual material which could be weaponised, constituting TFGBV.

Remedial measures

For many victims of TFGBV, remedial measures remain the primary legal avenue. While these mechanisms are indispensable, they frequently offer only partial relief. This is particularly evident in cases involving NCIIA: once an image enters the online ecosystem, it can be copied, redistributed and monetised long before legal remedies become effective.

  • Digital Services Act

Alongside its systemic risk framework, the DSA strengthens several procedural mechanisms through which victims may seek the removal of illegal content.

  • Notice and action (Article 16): Any person may notify a hosting service of content they consider illegal, triggering an obligation for the provider to process the notice in a timely, diligent and non-arbitrary manner.
  • Internal complaints (Article 20): Victims whose notices do not result in action may ask the platform to reconsider its decision through an internal complaint-handling mechanism, providing an additional layer of redress before resorting to external procedures.
  • Out-of-court dispute settlement (ODS) (Article 21): Certified out-of-court dispute settlement (ODS) bodies provide users with an accessible avenue to challenge content moderation decisions, providing an escalation path for victims should their initial efforts to remove problematic content not succeed.
  • Trusted flaggers (Article 22): The DSA also establishes trusted flaggers, whose notices receive priority treatment. Notably, the Commission’s register already includes several trusted flaggers specialising in online harassment and the NCIIA, such as HateAid or Association Point de Contact, demonstrating the potential of this solution to mobilise specialised expertise in responding to TFGBV.

Together, these mechanisms can improve victims’ access to redress. Nevertheless, they remain inherently remedial, operating only after harmful content has already been created and disseminated. Moreover, reporting by the ODS bodies and trusted flaggers shows that platforms are not always cooperative in implementing these novel mechanisms.

  • GDPR

The GDPR is another piece of the EU regulatory toolkit which victims may rely on in cases where TFGBV involves the unlawful processing of personal data. This was illustrated by the CJEU’s recent judgment in Russmedia, which concerned processing of personal data by an online marketplace for placing ads, on which an unknown third party published an advertisement falsely presenting the claimant as offering sex services, using her real photographs and telephone number without her consent. Although the platform removed the advertisement within an hour of being notified, copies had already proliferated across other websites, illustrating why notice-and-action mechanisms often fail to provide effective protection in cases of image-based abuse.

The Court, recognising the limitations of notice-and-action mechanisms, sought to introduce a more preventive logic into the GDPR. While it might have reached the right moral instinct, it did so through the wrong regulatory tool. It established that the website was a data controller and interpreted the regulation as requiring it to identify advertisements containing special-category data before publication, verify whether the advertiser had a lawful basis to publish them, and implement measures preventing their further dissemination. Yet, as Kuczerawy and Stalla-Bourdillon argue, this solution comes at a considerable cost. It effectively shifts responsibility from the moment of notification to the moment of upload and amounts to “adjudicative know-your-user obligations”. In doing so, it expands platform surveillance and adjudicative powers and thus sits uneasily with data protection’s own principles such as data minimisation. Russmedia therefore exposes a regulatory mismatch in this case. While the Court correctly recognised that TFGBV requires anticipatory governance, not every framework is equally suited to provide it.

This is precisely where the DSA’s systemic risk framework offers a different regulatory logic through its systemic risk approach in Articles 34-35. Rather than relying primarily on greater monitoring of individual users or attempting to remedy harm once it has already proliferated, it seeks to address the platform design choices, such as recommender systems, advertising systems and monetisation incentives that enable misogynistic abuse to emerge and spread at scale.

TFGBV and the DSA systemic risk approach

The DSA complements these frameworks by seeking to intervene before the dynamics of virality, algorithmic amplification and cross-platform dissemination make reactive responses ineffective. Article 34 expressly recognises negative effects related to GBV as one of the systemic risks that very large platforms must identify, assess and mitigate. Unlike the remedial mechanisms discussed above (which primarily concern specific pieces of content pertaining to individual victims), the DSA’s systemic risk framework treats TFGBV as a question of platform governance. Its object of regulation is not harmful content itself but the systems, governance structures and design choices that make such harms foreseeable and scalable.

This approach is well illustrated in the recently published Second Report of the European Board for Digital Services on the landscape of prominent and recurrent risks on VLOPSEs. Rather than treating TFGBV primarily as the result of malicious individual users, the Board explicitly links it to the operation of digital platforms themselves. For example, it discusses how engagement-driven recommender systems may amplify misogynistic content, reinforce gender stereotypes, and facilitate the spread of gender-based disinformation targeting women in public life.

Equally importantly, the report understands TFGBV as an ecosystem phenomenon rather than a series of isolated incidents. In discussing different platform dynamics related to GBV, it refers, for example, to coordinated harassment campaigns, brigading, adversarial networks and cross-platform abuse, recognising that harmful content rarely remains confined to a single service.

Similarly to its first risk landscape report published last November, the Board deliberately does not identify any best practices in terms of mitigation measures – something that will emerge gradually through Commission enforcement and evidence gathered over time. The report does identify, however, several examples of mitigation measures for the TFGBV risk category, including specialised training for content moderators, proactive detection through hash-matching technologies, and reducing the visibility of content promoting extreme misogyny or GBV.

Implementation gaps

On paper, the DSA provides for a sophisticated legal framework for challenging TFGBV as a systemic phenomenon. At the same time, implementation of this framework remains relatively superficial. Even though recital 90 DSA requires that risk assessments and mitigation measures be based on the best available evidence and scientific knowledge, which is ample in the case of TFGBV, platforms often approach this risk category perfunctorily. For example, analysis of the systemic risk reports submitted by major pornographic platforms suggests that platforms adopt an overly narrow understanding of how their services contribute to GBV and discuss the issue only at a high level, resulting in mitigation measures that are similarly generic and difficult to evaluate.

Structurally, the scope of the DSA also presents an important limitation. The systemic risk obligations apply only to designated VLOPSEs. Consequently, services that play a significant role in the TFGBV ecosystem but do not meet the DSA designation thresholds or statutory definitions of what is a “platform” remain outside this regulatory framework. This is particularly significant in relation to services such as Telegram, which does not neatly fit the platform definition, yet plays a crucial role in the TFGBV ecosystem, as documented by the AI Forensics report mentioned above. Similarly, AI systems that operate independently from designated platforms, like for example ChatGPT, equally seem to escape the designation at the moment.

Ultimately, the practical significance of the systemic risk framework will depend on the Commission’s enforcement practice. So far, enforcement relating specifically to TFGBV has been limited to the X/Grok proceedings, which reflect the Commission’s willingness to treat AI-enabled image-based abuse as a systemic risk within the broader X ecosystem. By contrast, the ongoing investigations into pornographic platforms have been framed primarily around the protection of minors, while the issue of the systemic risk of TFGBV was not picked up by the Commission, even though these platforms seem not to analyse this risk diligently.

There are nevertheless indications that this may be changing. The recently adopted EU Gender Equality Strategy 2026–2030 identifies cyber violence as one of the Commission’s enforcement priorities and explicitly commits to strengthening implementation of the DSA in this area. Among the measures announced are continued monitoring of systemic risks related to TFGBV, structured regulatory dialogue with very large platforms, and the development of DSA guidelines identifying good practices for mitigating these risks. The latter could be particularly impactful, as such guidance would set out more concrete expectations regarding platform design, governance and risk mitigation that would be difficult to ignore by the VLOPSEs.

Conclusions

The EU has already taken significant steps to address the issue of TFGBV, from criminal law harmonisation and the AI Act to the DSA’s systemic risk regime. Each of these instruments has its own strengths and limitations, and no regulatory framework can ever fully keep pace with rapidly evolving technologies and new forms of abuse. What makes the DSA distinctive is its adaptive and anticipatory logic: rather than responding only after harm has occurred, it requires platforms to continuously identify, assess and mitigate their own contribution to systemic risks related to GBV.

If implemented as envisaged, it would be a crucial element in containing the problematic rise of misogynistic culture online and resulting harmful practices, in which platforms themselves play a role. For now, however, much of that promise remains unrealised, mainly because of the limited implementation and enforcement that is only just starting to pick up pace.

Paradoxically, the Grok scandal may have done one positive thing: it brought TFGBV into the spotlight, hopefully helping to create momentum for further action. The next crucial step will be to translate the DSA’s broad obligations into concrete expectations through Commission enforcement and the forthcoming guidelines on gender-based violence announced in the EU Gender Equality Strategy. Together, they will determine whether the DSA’s systemic risk regime becomes a meaningful safeguard against TFGBV or remains an ambitious regulatory promise.