
Scope of the Online Safety Act

Are you on the OSA hook?

Summary


The OSA applies to three main types of online service: (i) user-to-user, i.e. services that allow users to interact with each other, like social media sites, gaming sites and online market places; (ii) search engines; and (iii) pornography services.

In-scope services will only have to meet the duties under the OSA if they are considered to be “regulated”. A service is “regulated” if it has “links to the UK” and is not exempt. The UK links test is met if a service has a “significant number of UK users”, the UK forms part of the service’s “target” market or the service is capable of being used in the UK and there are reasonable grounds to believe that the content on the service presents a “material risk of significant harm” to UK users.

Ofcom has produced guidance and codes of practice on the safety measures each type of service provider should take. The applicable measures will vary depending on the size of the service and also how “risky” the service is perceived to be.

Finally, providers may be subject to additional obligations on the basis that they have been designated as providing category 1, 2A or 2B services. These are services which meet certain thresholds set out in secondary legislation made by the Secretary of State.

Get an indication on whether your organisation is in-scope of the Online Safety Act by exploring the flowcharts below:

Are you on the OSA hook?


With many substantive provisions of the OSA (addressing illegal harms) now in force, organisations should ensure that they have clearly established whether or not they are in scope of this new legislation. This article is aimed at helping service providers navigate this complex process.

Which service providers are in scope?

"Each provider will need to consider if its internet service falls within the scope of the regime, and then consider which parts of its online offering will be subject to regulation under the Act. Some providers will have a single service subject to regulation, and others may operate several relevant services… In some situations, only a discrete or peripheral part of a service will be in scope of the regime." - Ofcom

The OSA applies to providers of three main types of online service: (i) user-to-user (‘U2U’); (ii) search engines; and (iii) pornography services.

U2U
In its overview of regulated services, as part of Ofcom’s statement on illegal harms, Ofcom explains that a U2U service is an internet service that allows user-generated content (‘UGC’), whether generated directly on the service, uploaded to or shared on the service, to be encountered by another user. In effect, this means that a U2U service is one where users can engage with each other’s posts or other content. Ofcom has listed a range of services that it considers to be U2U services including (among others) social media sites, video and messaging services (including chatrooms), online marketplaces, gaming and dating sites.

Search services
A search service is a service or functionality within a service that enables a person to search websites or databases. Such services can include both horizontal search services i.e., a general search engine that scans the entire web for results and displays them, and vertical search services that help users to find specific products or services (e.g., airline comparison websites for flights). A website which incorporates a search engine for the purposes of searching that site only will not be a search service for the purposes of the OSA.

Pornography services
Providers of pornographic content are in scope of specific duties set out in Part 5 of the OSA. However, to the extent that pornography services enable users to share their own content, they will be subject to the broader provisions of the OSA, which apply to U2U services. Content will be considered pornographic for the purposes of the OSA where it is reasonable to assume that the content was produced for the purpose of sexual arousal. Pornographic content can include e.g., images, audio and video, but excludes content that consists only of text, or text accompanied by emojis or non-pornographic GIFs. See our article on Part 5 for more information.

Size and risk

Ofcom has produced guidance and codes of practice on the measures that providers of each of these service types should take. The applicable measures will vary depending on the size of the service and also how “risky” the service is perceived to be. Ofcom divides the size of services into large services i.e., those with an average user base of approximately 7 million per month, and smaller services i.e., everything else. Risk levels are divided into three categories: (i) low risk; (ii) single risk i.e., a particular single type of harm has been identified as being likely to affect users when they use the service; and (iii) multi-risk i.e., a service faces significant risks from at least two different types of harm.

Jurisdictional Scope: Is a service provider “regulated”?

Once a provider has established whether its organisation provides one of the above types of in-scope services, it is important to consider if the provider is a “regulated” service provider, and accordingly, is required to meet duties under the OSA. A service is “regulated” if it has “links to the UK” and is not exempt - see below.

What does “links to the UK” mean?

A provider has “links to the UK” irrespective of where it is based, if any of the following apply:

  1. The service has a significant number of UK users: “significant number” is not defined in the OSA for the purposes of the UK links test. Ofcom expects service providers instead to be able to explain their judgment of whether or not they consider themselves to have a significant number of UK users. This is particularly the case for providers that conclude they do not have a significant number of UK users. Ofcom is not concerned with the methodology used to calculate the number of UK users, but confirms that providers do not need to include their employees as “users” of the service, and also that a user must actually have engaged with the service to be counted. Importantly, the OSA is only concerned with the number of “UK users” of the service, so where the user is an individual, they count as a user only where they are in the UK. Similarly, where the user is an entity, it counts only where it has been formed or incorporated in the UK.
  2. UK users form a “target market” for the service: Again, the legislation provides no direct explanation of a “target market”, albeit Ofcom has stated that the test will likely be met if a service is designed for UK users, is marketed toward UK users or generates revenue from UK users.
  3. The service is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by the content generated on it: Ofcom has provided limited guidance on how this condition should be interpreted, but it may well be interpreted broadly given that it is designed to capture services that are not captured by (1) or (2) above. Providers of non-U2U pornography services should note that this third condition does not apply when determining whether their service is in scope of the OSA.

Can a service provider rely on an exemption?

Certain types of U2U services are exempt and therefore not within scope of the OSA:

  1. services offering email, SMS or MMS only;
  2. services offering one-to-one live aural communications only;
  3. services limited to enabling or sharing comments or reviews on provider content (e.g., comments sections of newspaper articles); or
  4. a combination of any of the above.

Interestingly, a service provider cannot benefit from exemption (3) above where a user can substantively comment on the comment of another user, though it would be able to allow users to apply "likes" or emoji-type reactions only and stay within the exemption.

Other exemptions apply to both U2U and search services:

  1. internal business services e.g., business intranets and content management systems;
  2. services provided by public bodies, including foreign governments; and
  3. services provided by persons providing education or childcare.

The exemptions for non-U2U pornography services are set out in a separate part of the OSA, and largely mirror those set out for U2U and search services. Additional exemptions for such services include certain on-demand pornography services.

Additional obligations

If a provider is in scope of the OSA and cannot benefit from an exemption, it should also confirm whether it may be subject to additional obligations on the basis that it has been designated as providing category 1, 2A or 2B services. These are services which meet certain thresholds set out in secondary legislation made by the Secretary of State (The Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025). These thresholds are as follows:

  • Category 1 should apply to services that either: (i) use a content recommender system and have more than 34 million UK users on the U2U part of the service (around 50% of the UK population) or (ii) allow users to reshare UGC, use a content recommender system and have more than 7 million UK users on the U2U part of the service (around 10% of the UK population).
  • Category 2A should apply to horizontal search services with more than 7 million UK users.
  • Category 2B should apply to services which allow users to send direct messages and have more than 3 million UK users on the U2U part of the services.

The secondary legislation setting out the thresholds described above was subject to legal challenge by Wikimedia in Spring / Summer of 2025. However, the challenge was dismissed by the High Court in August 2025. Following the conclusion of this legal challenge, Ofcom will now resume its next steps in categorising those services that it considers as falling within these thresholds. Ofcom has confirmed that it will carry out a representative process in early 2026 to give companies an opportunity to comment on its decision before Ofcom finalises its register of categorised services in July 2026.

How will the scope of the OSA evolve with technology?

Ofcom has recognised that the OSA, and in particular its provisions on scope, may need to evolve as technology changes. Ofcom has indicated that its expectations will have “flex” according to technological innovations and that it may adapt its enforcement approach to cope with change. For example, Ofcom has stated that, in certain contexts, AI-generated content can be UGC falling within the rules for U2U services, and certain types of generative AI services may be regulated as (or as forming a part of) a search service.

Last updated: 8 January 2026

Authors

Subhalakshmi Kumar
Associate – Data protection & privacy
Gemma Nash
Senior associate - Data protection
Mike Edgar
Senior Associate – Data protection & privacy