NCII laws now exist in every major jurisdiction, but the statutes, penalties, and reporting portals are not equivalent. A victim in Colombo and a victim in Calgary face different menus of remedies. This article is the practitioner reference for those differences: statute citations, criminal penalties, civil remedies, reporting portals, and the practical interactions with the U.S. TAKE IT DOWN Act's 48-hour rule.
For the procedural workflow you do once you have decided where to file, see our NCII takedown guide and our survivor-step-by-step. This article is the statute-level reference for the filing decision.
United States: federal + state architecture
Federal baseline
Since May 19, 2025, NCII publication — including AI-generated digital forgeries — is a federal crime under the TAKE IT DOWN Act (Pub. L. 119–12). Penalties: up to 2 years for adult-victim cases, 3 years for minors. Read the National Association of Attorneys General analysis.
The Act also imposes a 48-hour takedown obligation on covered platforms, enforceable by the FTC. The first federal conviction under the Act was issued in April 2026 (Ohio). Compliance enforcement began May 19, 2026.
State laws (50 of 50)
All 50 states plus DC have some form of NCII statute (South Carolina completed coverage in May 2025). The Cyber Civil Rights Initiative maintains a state-by-state tracker. Penalties range from misdemeanors to felonies. Many states provide a private right of action with statutory damages.
Civil remedy
The federal 17 U.S.C. § 512(c) DMCA notice-and-takedown regime runs in parallel. Almost every NCII image is also a copyrighted work, so DMCA is the workhorse for platform takedowns even though it does not carry criminal liability.
Reporting pathways (U.S.)
- Local police — criminal complaint under state NCII statute and federal TAKE IT DOWN Act.
- FBI Internet Crime Complaint Center — ic3.gov (federal criminal referral).
- FTC — reportfraud.ftc.gov (platform non-compliance with 48-hour rule).
- CCRI Crisis Helpline — 844-878-2274 (advocate referral).
- StopNCII.org — proactive hash submission.
United Kingdom
Criminal base
Section 33 of the Sexual Offences Act 2003 criminalizes disclosing private sexual photographs or films with intent to cause distress. Penalty: up to 2 years imprisonment on conviction, plus indefinite registration on the sex offenders register for some sentences.
Online Safety Act 2023
The Online Safety Act 2023 imposes proactive duties on platforms to mitigate illegal content including NCII and cyberflashing. Ofcom (the regulator) has issued codes of practice including the Protection from Sexual Harassment and Sexual Violence Codes. Platform non-compliance carries fines up to £18 million or 10% of worldwide turnover, whichever is higher.
Civil remedy
The Revenge Porn Helpline's StopNCII.org is the U.S. + UK standardization layer. UK civil remedies for misuse of private information (Campbell v MGN Ltd, 2004) provide precedent for damages claims.
Reporting pathways (UK)
- Revenge Porn Helpline — revengepornhelpline.org.uk (Mon–Fri 10am–4pm UK time).
- Local police — criminal complaint.
- StopNCII.org — proactive hash submission (UK operator).
- Ofcom — platform-side complaints (illegal content duties).
European Union
EU Directive 2024/1385
Adopted May 2024, transposition deadline June 14, 2027. The Directive on combating violence against women and domestic violence criminalizes NCII including cyber-facilitated NCII and cyberstalking across member states. Each member state must:
- Criminalize non-consensual sharing of intimate images.
- Criminalize producing/manipulating intimate images without consent (deepfakes).
- Provide effective reporting mechanisms and victim support.
- Establish national reporting portals (often within the existing national CERT or DPA).
Pre-existing member-state regimes
Germany's § 184k StGB (criminalizes "violation of intimate privacy" including NCII), France's Loi du 7 octobre 2016, Spain's Código Penal reform (LO 1/2015 adding Art. 197.7), Italy's Codice della Privacy and Art. 612-ter (added 2019), and the Netherlands' "Wet strafbaarsteller voyeurisme en seksueel geweld" all provide prosecutions and civil remedies.
DSA / Digital Services Act interplay
The Digital Services Act requires VLOPs (Very Large Online Platforms, 45M+ EU users) to operate notice-and-takedown for illegal content; NCII is enumerated. The European Commission's periodic DSA enforcement calls out repeat offenders.
Australia
Criminal base
Section 474 of the Criminal Code Act 1995 (Commonwealth) criminalizes using a carriage service to menace, harass, or offend — the principal Commonwealth tool. Many states/territories have additional NCII-specific offenses (NSW, VIC, QLD, WA).
Civil + administrative remedy
The eSafety Commissioner is the strongest single-agency takedown power in any major jurisdiction. Under Part 5 of the Online Safety Act 2021, the Commissioner can issue takedown notices with statutory force to platforms operating in Australia, including extraterritorially to hosts whose services are accessed in Australia. Non-compliance is enforceable by the Federal Court.
India
Criminal base
The Information Technology Act 2000 (§66E — violation of privacy, §67 — publication of obscene material) and §79 of the IT Act (intermediary liability) plus 2023 amendments in the Bharatiya Nyaya Sanhita (BNS) criminalize cyber-NCII. Penalty range: 2–7 years depending on offense classification.
Civil + administrative remedy
Victims can file complaints with the Cyber Crime Coordination Centre (I4C) and the local cyber cell. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 require intermediaries to remove specified illegal content within 36 hours of court order or government direction.
At-a-glance table
| Jurisdiction | Primary statute | Criminal max (adult-victim) | Civil cause of action? | Strongest reporting pathway |
|---|---|---|---|---|
| U.S. (federal) | TAKE IT DOWN Act, Pub. L. 119-12 | 2 years / fine | Via state law | ic3.gov + StopNCII.org |
| U.S. (state) | All 50 states + DC | Varies (misdemeanor to felony) | Yes (most states) | State AG + local police |
| UK | Sexual Offences Act § 33; Online Safety Act | 2 years | Misuse of private information | Revenge Porn Helpline + StopNCII |
| EU | Directive 2024/1385 (transposition 2027) | National transposition | GDPR Art. 17 + national | National CERT / DPA |
| Australia | Criminal Code § 474; Online Safety Act 2021 | 3 years (state-level varies) | Privacy Act 1988 | eSafety Commissioner (takedown notices) |
| India | IT Act § 66E, § 67; BNS 2023 | 2–7 years | Art. 21 privacy right | Cyber cell + I4C |
Practical jurisdiction-routing rules
Rule 1 — Where is the depicted person?
Most modern statutes apply extraterritorially when the victim is a resident. Start with the victim's home jurisdiction.
Rule 2 — Where is the platform hosted?
If the platform is incorporated or primarily operated in a particular jurisdiction, that jurisdiction's compliance regime governs the platform's takedown duty. For covered platforms under the TAKE IT DOWN Act, the U.S. compliance duty applies regardless of where the platform is incorporated if it serves U.S. users.
Rule 3 — Where is the evidence?
Cross-border evidence preservation (MLAT, Letters Rogatory, EU EIO Directive) is slow. Plan for it; pre-emptive MHTML + TSA + custody packet removes much of the friction.
Operate across borders?
Shield's pipeline runs single-customer cases across jurisdictions in parallel — U.S. federal/state filings, UK police reports, eSafety Commissioner notices, EU member-state filings — anchored by a single chain-of-custody record. Discuss your cross-border case →
What the 48-hour rule means for each regime
- U.S. Direct federal mandate (TAKE IT DOWN Act) effective May 19, 2026, FTC-enforced.
- UK Online Safety Act codes of practice reach the same outcome via notice-and-action duties; Ofcom enforcement.
- EU DSA Art. 16 imposes notice-and-action for illegal content including NCII; specific deadlines vary by member state.
- Australia eSafety Commissioner notices have statutory force; non-compliance is enforceable by Federal Court.
- India 36-hour deadline under §79 IT Rules for specifically-noticed illegal content; broader NCII removal relies on court orders.
Open issues to watch (2026–2027)
- EU member-state transposition of Directive 2024/1385 (deadline June 14, 2027) — early transpositions are uneven.
- DEFIANCE Act (U.S. Senate passed January 2026) — adds a federal civil private right of action for NCII and digital forgeries.
- Cross-border e-evidence under EU EIO Regulation 2023/1543 — improving mutual legal assistance between EU jurisdictions.
- Australia's age-verification + code amendments — possible extension of eSafety powers in 2026–2027.
Frequently asked questions
Which jurisdiction has the strongest NCII protections in 2026?
It depends on the metric. The U.S. has the strongest federal baseline (TAKE IT DOWN Act, criminalizing NCII publication and imposing a 48-hour platform-removal rule) plus 50 state laws; the UK has the most operationalized extraterritorial regime (Revenge Porn Helpline + Online Safety Act codes); the EU's Directive 2024/1385 will harmonize protections across 27 member states once transposed (deadline June 14, 2027); and Australia's eSafety Commissioner has the most powerful single-agency takedown power. From a victim's perspective, the strongest realistic path today is the U.S. (criminal + 48-hour FTC enforcement + DMCA) plus the platform-side StopNCII.org hash-sharing network.
I am in country X and the leak happened in country Y. Where do I report?
Generally, file in your home jurisdiction — most NCII laws apply extraterritorially when the victim resides in the jurisdiction. Practically, if the host is in country Y, you may also want to file in country Y. Cross-border enforcement is improving under the EU Directive (which forces member-state cooperation) and the TAKE IT DOWN Act (which imposes a U.S. removal duty regardless of the platform's geographic incorporation if the platform serves the U.S. audience).
Is AI-generated NCII illegal everywhere?
No. As of 2026, the U.S. federal regime (TAKE IT DOWN Act) explicitly criminalizes "digital forgeries" of identifiable individuals. The UK Online Safety Act covers AI-generated intimate imagery as "intimate image abuse." EU Directive 2024/1385 covers cyber-facilitated NCII including deepfakes. Australia's eSafety regime covers cyber-abuse material including deepfakes. India's IT Act provisions are technology-neutral in principle but Indian case law on AI NCII is still developing. Some jurisdictions still have gaps, especially in the Global South.
What is the typical criminal penalty for NCII?
Criminal penalties range from summary misdemeanors (12 months' imprisonment, low fine) to serious felonies (5–10 years). The U.S. federal TAKE IT DOWN Act caps at 2 years for adult victims and 3 years for minors. UK Sexual Offences Act § 33 caps at 2 years. EU member-state implementations vary; the Directive mandates a "minimum level" of sanctions but specifics are national. The trend across jurisdictions is toward escalation, with repeat offenders and minors drawing the highest penalties.
Do non-consensual intimate imagery laws apply to sextortion?
Yes in most modern statutes. The U.S. TAKE IT DOWN Act explicitly criminalizes threatening to publish. UK Online Safety Act covers threats to share. EU Directive 2024/1385 covers cyberstalking and sextortion as part of cyber-NCII. Where threats are involved the offender faces elevated penalties in nearly every regime.