A new report from the Digital Intimacy Coalition (DIC) alleges that three of the largest adult content platforms operating in the European Union—Pornhub, Stripchat, and XVideos—are failing to meet their legal obligations under the Digital Services Act (DSA) concerning risk assessments. The report, completed in April 2026 and announced on July 6, highlights what the civil society organization describes as significant shortcomings in how these platforms, classified as Very Large Online Platforms (VLOPs) by the European Commission, evaluate and mitigate risks, particularly regarding user safety and content moderation.
The European Commission has designated these platforms as VLOPs, a classification typically applied to web platforms with over 45 million users across the 27 EU member states. This designation subjects them to heightened scrutiny and more stringent online safety standards under the DSA. Despite some platforms, such as Stripchat, arguing they have fewer than 45 million EU users, the Commission’s enforcement arm has classified them as VLOPs. However, the EU executive later stated that Stripchat would no longer be designated as a VLOP after providing user numbers below the threshold, with this decision taking effect in four months. The DSA grants the European Commission broad authority to classify major social networks and adult entertainment platforms as VLOPs.
The DIC's study, described as "the first in-depth independent analysis of the legally mandated risk assessments," examined these platforms through a "sex-positive lens." This approach considers both gender-based violence and the over-moderation of consensual content as equally serious violations of fundamental rights. The coalition claims its analysis identified that none of the platforms acknowledge sexual autonomy as a fundamental right, and their risk assessment methodologies were not documented or reproducible. Carlotta Rigotti, head of DIC's Risk Assessment Analysis Taskforce, stated that these assessments "read like reputation management," noting that "severity ratings are unsubstantiated, AI-generated content is ignored entirely, and not one platform grapples with the real tension at the heart of this industry: how to protect against gender-based violence without erasing the right to sexual autonomy."
What are the Core Technical and Methodological Flaws in Risk Assessments?
The Digital Intimacy Coalition's analysis points to several structural weaknesses common across the three platforms' risk assessment practices. A primary concern is the opacity and non-reproducibility of their methodologies. This lack of transparency makes it difficult for external bodies, including regulators and the public, to understand how risks are identified, evaluated, and addressed. For platform operators, this suggests a potential absence of robust, auditable frameworks for continuous improvement and compliance, which could lead to inconsistent application of safety measures and difficulty in demonstrating adherence to regulatory requirements.
Furthermore, the report notes that platforms employ a narrow definition of gender-based violence, primarily focusing on the policing of non-consensual image sharing. This limited scope potentially overlooks other forms of harm and harassment that can occur on large-scale user-generated content platforms. The DIC also found that these risk assessments are "shaped by reputational concerns rather than user safety," implying that the focus is more on public image management than on genuine, comprehensive protection for users. This approach can lead to mitigation measures that are either lacking or whose effectiveness claims are unsubstantiated, posing significant challenges for platform engineers tasked with implementing and validating safety features.
Ana Ornelas, DIC's advocacy officer, highlighted critical omissions from the assessments, stating, "What is missing from these assessments is just as telling as what is in them." She pointed out the absence of data on moderator welfare, disclosure of civil society partnerships, and engagement with platform architecture or recommender systems. The latter is particularly significant for technology and engineering teams, as recommender systems play a crucial role in content discovery and user experience, and their design can inadvertently amplify or mitigate risks. The DSA explicitly requires engagement with platform architecture and recommender systems in risk assessments, indicating a gap in compliance that could have profound implications for content delivery algorithms and user interaction design.
How Do These Findings Relate to Broader DSA Enforcement?
The Digital Intimacy Coalition's report on risk assessment deficiencies aligns with broader enforcement actions initiated by the European Commission under the Digital Services Act. In May 2025, the Commission opened formal proceedings against Pornhub, Stripchat, XNXX, and XVideos for suspected breaches of the DSA, specifically concerning the protection of minors. These proceedings were initiated based on preliminary findings that these platforms did not implement "appropriate and proportionate measures to ensure a high level of privacy, safety and security for minors," particularly regarding age verification tools.
The Commission's investigation also noted a lack of "risk assessment and mitigation measures of any negative effects on the rights of the child, the mental and physical well-being of users, and to prevent minors from accessing adult content, notably via appropriate age verification tools." This directly corroborates the DIC's findings regarding inadequate risk assessments and the platforms' limited scope in addressing user safety. The EU executive has emphasized that protecting young users online is a key enforcement priority under the DSA, having launched similar probes into other large online platforms like Meta's Facebook and Instagram, as well as Temu, X, and TikTok.
The challenge of implementing effective age verification technology is a significant point of contention. XVideos, registered to Czech company WGCZ Holding, has stated that "implementing site-level age verification would immediately destroy our platform," claiming that 90 percent of users would migrate to search engines, social media, or other adult content platforms. XVideos advocates for device-level parental controls as the "only solution," arguing that such tools "pose zero risk to privacy" and could have largely solved the problem if energy had been devoted to promoting and refining them. This highlights a fundamental disagreement between platforms and regulators on the technical feasibility and impact of site-level age assurance, a debate that has significant implications for the development and deployment of privacy-preserving age verification technologies.
What are the Implications for Platform Operators and Future Compliance?
The DIC's report and the ongoing European Commission investigations signal a critical juncture for adult industry platform operators regarding their technological and operational approaches to compliance. The allegations of "opaque" and "non-reproducible" risk assessment methodologies suggest that current internal processes may lack the rigor and transparency required by the DSA. For engineering and product teams, this means a need to develop more robust, documented, and auditable systems for identifying, evaluating, and reporting potential harms. This includes not only technical vulnerabilities but also the societal impacts of content moderation policies and algorithmic recommendations.
The criticism that platforms are ignoring AI-generated content in their risk assessments is particularly pertinent for the adult industry, given the rapid advancements in AI and VTuber/avatar technology. As synthetic media becomes more prevalent, platforms must integrate sophisticated detection and moderation capabilities to address potential misuse, deepfakes, and the ethical implications of AI-generated content. The call for data on moderator welfare and engagement with platform architecture and recommender systems also points to a need for more holistic safety-by-design principles, where user safety and well-being are considered from the initial stages of system development rather than as an afterthought.
While the European Commission has not yet wrapped up any of its probes, the potential for "hefty fines and operational changes for non-compliance" looms large. Aylo, the owner of Pornhub, has indicated that its next risk assessment, completed in April, will be published later in July and "covers many of the areas addressed in the analysis." This suggests an ongoing effort by some platforms to adapt their compliance strategies. However, the fundamental tension between protecting against gender-based violence and preserving sexual autonomy, as highlighted by the DIC, presents a complex challenge for platform operators. Navigating these regulatory and ethical demands will require significant investment in advanced technology, transparent methodologies, and a deeper engagement with civil society and regulatory bodies to build systems that are both compliant and genuinely user-centric.

