
The Online Safety Act: Introduction and overview

The Safety Net


The Online Safety Act (OSA) is the UK’s legislative framework for a new regulatory regime aimed at making the internet safer for UK users. It seeks to do this by changing and increasing the liability of in-scope online service providers to require them to take a proactive approach to managing the safety risks encountered by users. This extends to in-scope service providers that operate outside the UK. The first set of duties on in-scope service providers became enforceable in December 2024; the remaining duties will become enforceable in phases through to 2027.

The framework provided by the OSA will be supported through codes of practice and guidance issued by Ofcom and through secondary legislation. These will collectively form one of the most far-reaching and comprehensive online safety initiatives in existence globally.

Who is in scope?

The OSA applies to a wide range of online services, including social media and messaging platforms, search engines, and websites that host user-generated content. Ofcom has estimated that over 100,000 service providers may be in scope.  

More specifically, the OSA applies to providers of the following types of online services that have “significant links” to the UK (‘regulated services’):  

  • “user-to-user services”, which are services through which content and communications that are generated, uploaded or shared by users may be encountered by another user of the service;
  • “search services”, which are services that contain a search engine capable of searching multiple websites and/or databases; and
  • services on which the provider, or someone on the provider’s behalf, publishes or displays regulated pornographic content.

An online service is considered to have “significant links” to the UK if: (i) it has a significant number of UK users; (ii) the UK is one of its target markets; and/or (iii) the service is capable of being accessed by UK users where there is a material risk of significant harm to such users (this third limb does not apply in the case of pornography services, which are regulated under Part 5 of the OSA). 

The OSA also provides for categorisation of a small proportion of online services deemed higher risk with respect to online safety. These services, which are referred to under the OSA as “Category 1”, “Category 2A” and “Category 2B” services, will be subject to additional duties. This categorisation is based on service functionality and number of users, according to thresholds set out in secondary legislation. Ofcom informs relevant service providers of their categorisation and publishes and maintains a register accordingly. This is seemingly a similar concept to that of the “Very Large Online Platforms (‘VLOPs’)” under the EU’s Digital Services Act.

See our article on the scope of the OSA for more detail here. 

What are the duties on online service providers under the OSA?

The duties under the OSA are wide-ranging and broadly cover: 

  • risk assessments (including with respect to illegal content and risks of harm to children);  
  • protecting children (such as use of proportionate systems and processes to prevent children from encountering certain types of harmful content);  
  • safeguarding all users (including use of proportionate systems and processes to minimise the duration for which certain illegal content is present on the service);  
  • user empowerment (such as provision of proportionate design features to allow adult users to reduce the likelihood of encountering certain types of harmful content); and 
  • transparency and accountability (including illegal content reporting systems and complaints procedures). 

There is a base level of duties applicable to all regulated service providers, and additional duties applicable to providers of Category 1, 2A and 2B services, as well as regulated services likely to be accessed by children. The duties take effect at a systems and processes level: they apply to the way a service is designed, operated and used, as well as content present on the service. This includes user support measures, the design of features and algorithms, risk management processes, and staff policies and practices. The duties about online content mainly concern content that is illegal, content which is lawful but “harmful to children”, and fraudulent advertising.

What is Ofcom’s role?

Ofcom is primarily tasked with producing codes of practice for the OSA, which provide regulated service providers with recommended steps that are effective to achieve compliance, as well as guidance on aspects such as risk assessments, age assurance, and identification of illegal content. Ofcom is also given investigatory and enforcement powers under the OSA, with penalties issuable of up to the higher of £18 million or 10% of global turnover and, in the most serious cases, the power to issue service cessation orders. See our article on Ofcom’s powers in more detail here.  

What is the current status of the OSA?

The OSA received royal assent in October 2023. However, its provisions take effect on a gradual basis, following publication of Ofcom’s codes of practice and guidance, and the passage of the codes through Parliament. 

Ofcom published its illegal content risk assessment guidance and the first version of its illegal content codes of practice on 16 December 2024. User-to-user and search service providers’ obligations to comply with the OSA’s illegal content safety duties have applied since 17 March 2025. This followed their obligation to complete an illegal content risk assessment by 16 March 2025.

The first child safety obligations under the OSA started to take effect following a statement issued by Ofcom on 16 January 2025. From 17 January 2025, services that publish their own pornographic content (regulated under Part 5 of the OSA) were required to take steps immediately to implement highly effective age assurance. All other regulated services that allow pornographic content had to implement highly effective age assurance by July 2025 at the latest. Ofcom has published guidance on highly effective age assurance specific to Part 5 of the OSA.

User-to-user and search service providers also had until 16 April 2025 to carry out a children’s access assessment to ascertain whether their service is likely to be accessed by children. Ofcom has also issued guidance on children’s access assessments to facilitate this. 

Ofcom subsequently published its children's risk assessment guidance and the first version of its protection of children codes of practice on 24 April 2025. For user-to-user and search services likely to be accessed by children, the obligations for service providers to comply with the OSA’s children safety duties have applied since 25 July 2025. This followed their obligation to complete a children’s risk assessment by 24 July 2025.

Ofcom has also published other online safety regulatory documents and guidance, including on fees and penalties, enforcement and information gathering powers. Ofcom maintains a list of its online safety regulatory documents and guidance here.

The categorisation thresholds for Category 1, Category 2A and Category 2B services were set out in the Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025, which came into force in February 2025. Ofcom intends to publish its register of categorised services in July 2026, which will determine which services fall into these categories.

See Ofcom’s Important dates for Online Safety compliance for more details.  

Last updated: 6 January 2026

Authors

Kiran Sidhu
Associate – Data protection & privacy
Mike Edgar
Senior Associate – Data protection & privacy
Gemma Nash
Senior associate - Data protection