diff --git a/tildes/tildes/models/comment/comment.py b/tildes/tildes/models/comment/comment.py
index 38c190d..f845101 100644
--- a/tildes/tildes/models/comment/comment.py
+++ b/tildes/tildes/models/comment/comment.py
@@ -143,6 +143,7 @@ class Comment(DatabaseModel):

 def __acl__(self) -> Sequence[Tuple[str, Any, str]]:
 """Pyramid security ACL."""
+ # pylint: disable=too-many-branches
 acl = []

 # nobody has any permissions on deleted comments
@@ -186,6 +187,8 @@ class Comment(DatabaseModel):
 # reply:
 # - removed comments can't be replied to by anyone
 # - if the topic is locked, only admins can reply
+ # - if the user has "comment.reply_slow", they can't reply to comments less
+ # than 2 hours old
 # - otherwise, logged-in users can reply
 if self.is_removed:
 acl.append((Deny, Everyone, "reply"))
@@ -194,6 +197,9 @@ class Comment(DatabaseModel):
 acl.append((Allow, "admin", "reply"))
 acl.append((Deny, Everyone, "reply"))

+ if utc_now() - self.created_time < timedelta(hours=2):
+ acl.append((Deny, "comment.reply_slow", "reply"))
+
 acl.append((Allow, Authenticated, "reply"))

 # edit:
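Review bot: The `# pylint: disable=too-many-branches` added at the top of `__acl__` silences the warning instead of reducing the branching in the method that builds the comment's permission list. Pyramid evaluates ACL entries in order and the first match wins, so the order of the appends is itself part of the access policy. Consider building each permission's entries in a small private helper and concatenating the results, so each rule can be read and tested on its own. `__acl__` continues outside the hunk, so the full branch count is not visible here.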
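Review bot: The two-hour threshold in the new reply rule is an inline literal, `timedelta(hours=2)`, and is repeated in prose in the comment block of the previous hunk, so the two can drift apart; a named module-level constant, e.g. `REPLY_SLOW_MIN_COMMENT_AGE = timedelta(hours=2)`, would keep the limit auditable in one place. The Deny entry only takes effect because it is appended before `(Allow, Authenticated, "reply")`, and a short comment such as `# must precede the Authenticated allow below` would protect that ordering from a later reshuffle. No import hunk for `utc_now` or `timedelta` appears in this diff, so presumably both are already imported in comment.py; confirm. The restriction also only holds if the reply view checks the "reply" permission on the parent comment at submit time, and that code is outside this diff.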