
The Online Safety Act (‘OSA’) is the UK’s legislative framework for a new regulatory regime aimed at making the internet safer for UK users. It seeks to do this by changing and increasing the liability of in-scope online service providers to require them to take a proactive approach to managing the safety risks encountered by users. This extends to in-scope service providers that operate outside the UK. The first set of duties on in-scope service providers became enforceable in December 2024; the remaining duties will become enforceable in phases through to 2027.
The framework provided by the OSA will be supported through codes of practice and guidance issued by Ofcom and through secondary legislation. These will collectively form one of the most far-reaching and comprehensive online safety initiatives in existence globally.
Who is in scope?
The OSA applies to a wide range of online services, including social media and messaging platforms, search engines, and websites that host user-generated content. Ofcom has estimated that over 100,000 service providers may be in scope.
More specifically, the OSA applies to providers of the following types of online services that have “significant links” to the UK (‘regulated services’):
- “user-to-user services”, which are services through which content and communications that are generated, uploaded or shared by users may be encountered by another user of the service;
- “search services”, which are services that contain a search engine capable of searching multiple websites and/or databases; and
- services on which the provider, or someone on the provider’s behalf, publishes or displays regulated pornographic content.
An online service is considered to have “significant links” to the UK if: (i) it has a significant number of UK users; (ii) the UK is one of its target markets; and/or (iii) the service is capable of being accessed by UK users where there is a material risk of significant harm to such users (this third limb does not apply in the case of pornography services, which are regulated under Part 5 of the OSA).
The OSA also provides for categorisation of a small proportion of online services deemed higher risk with respect to online safety. These services, which are referred to under the OSA as “Category 1”, “Category 2A” and “Category 2B” services, will be subject to additional duties. This categorisation will be based on service functionality and number of users, according to thresholds set out in secondary legislation. Ofcom will inform the relevant service providers of their categorisation and publish and maintain a register accordingly. This is seemingly a similar concept to that of the “Very Large Online Platforms (‘VLOPs’)” under the EU’s Digital Services Act.
See our article on the scope of the OSA for more detail here.
What are the duties on online service providers under the OSA?
The duties under the OSA are wide-ranging and broadly cover:
- risk assessments (including with respect to illegal content and risks of harm to children);
- protecting children (such as use of proportionate systems and processes to prevent children from encountering certain types of harmful content);
- safeguarding all users (including use of proportionate systems and processes to minimise the duration for which certain illegal content is present on the service);
- user empowerment (such as provision of proportionate design features to allow adult users to reduce the likelihood of encountering certain types of harmful content); and
- transparency and accountability (including illegal content reporting systems and complaints procedures).
There is a base level of duties applicable to all regulated service providers, and additional duties applicable to providers of Category 1, 2A and 2B services, as well as regulated services likely to be accessed by children. The duties take effect at a systems and processes level: they apply to the way a service is designed, operated and used, as well as content present on the service. This includes user support measures, the design of features and algorithms, risk management processes, and staff policies and practices. With respect to online content, the duties mainly concern content that is illegal, content which is lawful but “harmful to children”, and fraudulent advertising.
What is Ofcom’s role?
Ofcom is primarily tasked with producing codes of practice for the OSA, which should provide regulated service providers with recommended steps that are effective to achieve compliance, as well as guidance on aspects such as risk assessments, age assurance, and identification of illegal content. Ofcom is also given investigatory and enforcement powers under the OSA, with penalties issuable of up to the higher of £18 million or 10% of global turnover and, in the most serious cases, the power to issue service cessation orders. See our article on Ofcom’s powers in more detail here.
What is the current status of the OSA?
The OSA received royal assent in October 2023. However, its provisions take effect on a gradual basis, following publication of Ofcom’s codes of practice and guidance, and the passage of the codes through Parliament.
Ofcom published its first Code of Practice, centred on illegal harms, in December 2024. Subject to the Code passing through the Parliamentary process, regulated service providers will have until 17 March 2025 to implement the measures set out in the Code or use other effective measures to protect users from illegal content and activity. This follows an obligation to carry out an illegal harms risk assessment, which must be completed by 16 March.
The first child safety obligations under the OSA have also started to take effect, following a statement issued by Ofcom on 16 January 2025. As of 17 January 2025, services that publish their own pornographic content (regulated under Part 5 of the OSA) are required to take steps immediately to implement highly effectively age assurance. All other regulated services that allow pornography must implement highly effective age assurance by July 2025 at the latest. Ofcom has published guidance on highly effective age assurance specific to Part 5.
As a further consequence of Ofcom’s recent statement, user-to-user and search service providers have until 16 April 2025 to carry out a children’s access assessment to ascertain whether their service is likely to be accessed by children. Ofcom has also issued guidance on children’s access assessments to facilitate this. The first version of the corresponding code of practice on protection of children is expected to be published by Ofcom in April 2025.
Ofcom has also conducted several public consultations to inform its other codes of practice, including recently on fees and penalties under the OSA and Ofcom’s powers and how it plans to exercise these. These consultations collectively received significant engagement and the published outcomes ran into thousands of pages.
In addition, Ofcom has submitted evidence to the government on the categorisation thresholds for Category 1, Category 2A and Category 2B services. Once these thresholds are confirmed by the government and the corresponding secondary legislation is laid in Parliament, Ofcom will engage with relevant stakeholders it considers to meet the thresholds, and will publish a register of the categorised services.
See Ofcom’s implementation roadmap for more details.
Last updated: 22 January 2025