Skip to content

Scope

Are you on the OSA hook?

Summary

or skip to full article

The OSA applies to three main types of online service: (i) user-to-user, i.e. services that allow users to interact with each other, like social media sites, gaming sites and online market places; (ii) search engines; and (iii) pornography services.

In-scope services will only have to meet the duties under the OSA if they are considered to be “regulated”. A service is “regulated” if it has “links to the UK” and is not exempt. The UK links test is met if a service has a “significant number of UK users”, the UK forms part of the service’s “target” market or the service is capable of being used in the UK and there are reasonable grounds to believe that the content on the service presents a “material risk of significant harm” to UK users.

Ofcom has produced draft guidance and codes of practice on the safety measures each type of service provider should take, and more are expected over the next year or two. The applicable measures will vary depending on the size of the service and also how “risky” the service is perceived to be.

Finally, providers may be subject to additional obligations on the basis that they have been designated as providing category 1, 2A or 2B services. These are services which meet certain thresholds to be set out in secondary legislation by the Secretary of State - the thresholds are expected to be finalised in 2025.

Get an indication on whether your organisation is in-scope of the Online Safety Act by exploring the flowcharts below:

User-to-user services
Click to expand

Search services
Click to expand

Are you on the OSA hook?

Download PDF

With the first substantive provisions of the OSA (addressing illegal harms) now in force as of December 2024 (see our previous blog post), organisations should ensure that they have clearly established whether or not they are in scope of this new legislation. This article is aimed at helping service providers navigate this complex process.

Which service providers are in scope?

Each provider will need to consider if its internet service falls within the scope of the regime, and then consider which parts of its online offering will be subject to regulation under the Act. Some providers will have a single service subject to regulation, and others may operate several relevant services…In some situations, only a discrete or peripheral part of a service will be in scope of the regime." - Ofcom

The OSA applies to providers of three main types of online service: (i) user-to-user (‘U2U’); (ii) search engines; and (iii) pornography services.

U2U
In its overview of regulated services, as part of Ofcom’s recent statement on illegal harms, Ofcom explains that a U2U service is an internet service that allows user-generated content (‘UGC’), whether generated directly on the service, uploaded to or shared on the service, to be encountered by another user. In effect, this means that a U2U service is one where users can engage with each other’s posts or other content. Ofcom has listed a range of services that it considers to be U2U services including (among others) social media sites, video and messaging services (including chatrooms), online marketplaces, gaming and dating sites.

Search services
A search service is a service or functionality within a service that enables a person to search websites or databases. Such services can include both horizontal search services i.e., a general search engine that scans the entire web for results and displays them, and vertical search services that help users to find specific products or services (e.g., airline comparison websites for flights). A website which incorporates a search engine for the purposes of searching that site only will not be a search service for the purposes of the OSA.

Pornography services
Providers of pornographic content are in scope of specific duties set out in Part 5 of the OSA. However, to the extent that pornography services enable users to share their own content, they will be subject to the broader provisions of the OSA, which apply to U2U services. Content will be considered pornographic for the purposes of the OSA where it is reasonable to assume that the content was produced for the purpose of sexual arousal. Pornographic content can include e.g., images, audio and video, but excludes content that consists only of text, or text accompanied by emojis or non-pornographic GIFs. See our article on Part 5 for more information.

Size and risk

Ofcom is developing guidance on the measures that providers of each of these service types should take. The applicable measures will vary depending on the size of the service and also how “risky” the service is perceived to be. Ofcom intends to divide the size of services into large services i.e., those with an average user base of approximately 7 million per month, and smaller services i.e., everything else. Risk levels are divided into three categories: (i) low risk; (ii) specific risk i.e., a particular type of harm has been identified as being likely to affect users when they use the service; and (iii) multi-risk i.e., a service faces significant risks from at least two different types of harm.

Jurisdictional Scope: Is a service provider “regulated”?

Once a provider has established whether its organisation provides one of the above types of in-scope services, it is important to consider if the provider is a “regulated” service provider, and accordingly, is required to meet duties under the OSA. A service is “regulated” if it has “links to the UK” and is not exempt - see below.

What does “links to the UK” mean?

A provider has “links to the UK” irrespective of where it is based, if any of the following apply:

  1. The service has a significant number of UK users: “significant number” is not defined in the OSA for the purposes of the UK links test. Ofcom expects service providers instead to be able to explain their judgment of whether or not they consider themselves to have a significant number of UK users. This is particularly the case for providers that conclude they do not have a significant number of UK users. Ofcom is not concerned with the methodology used to calculate the number of UK users, but confirms that providers do not need to include their employees as “users” of the service, and also that a user must actually have engaged with the service to be counted. Importantly, the OSA is only concerned with the number of “UK users” of the service, so where the user is an individual, they count as a user only where they are in the UK. Similarly, where the user is an entity, it counts only where it has been formed or incorporated in the UK.
  2. UK users form a “target market” for the service: Again, the legislation provides no direct explanation of a “target market”, albeit Ofcom has stated that the test will likely be met if a service is designed for UK users, is marketed toward UK users or generates revenue from UK users.
  3. The service is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by the content generated on it: Ofcom has provided limited guidance on how this condition should be interpreted, but it may well be interpreted broadly given that it is designed to capture services that are not captured by (1) or (2) above. Providers of non-U2U pornography services should note that this third condition does not apply when determining whether their service is in scope of the OSA.
Can a service provider rely on an exemption?

Certain types of U2U services are exempt and therefore not within scope of the OSA:

  1. services offering email, SMS or MMS only;
  2. services offering one-to-one live aural communications only;
  3. services limited to enabling or sharing comments or reviews on provider content (e.g., comments sections of newspaper articles); or
  4. a combination of any of the above.

Interestingly, a service provider cannot benefit from exemption (3) above where a user can substantively comment on the comment of another user, though it would be able to allow users to apply "likes" or emoji-type reactions only and stay within the exemption.

Other exemptions apply to both U2U and search services:

  1. internal business services e.g., business intranets and content management systems;
  2. services provided by public bodies, including foreign governments; and
  3. services provided by persons providing education or childcare.

The exemptions for non-U2U pornography services are set out in a separate part of the OSA, and largely mirror those set out for U2U and search services. Additional exemptions for such services include certain on-demand pornography services.

Additional obligations

If a provider is in scope of the OSA and cannot benefit from an exemption, it should also confirm whether it may be subject to additional obligations on the basis that it has been designated as providing category 1, 2A or 2B services. These are services which meet certain thresholds to be set out in secondary legislation by the Secretary of State. Ofcom has published its recommendations to the Secretary of State on this issue as follows:

  • Category 1 should apply to services that either: (i) use a recommender system and have more than 34 million UK users on the U2U part of the service (around 50% of the UK population) or (ii) allow users to reshare UGC, use a content recommender system and have more than 7 million UK users on the U2U part of the service (around 10% of the UK population).
  • Category 2A should apply to horizontal search services with more than 7 million UK users.
  • Category 2B should apply to services which allow users to send direct messages and have more than 3 million UK users on the U2U part of the services.

The thresholds have now been laid before Parliament in secondary legislation, which is expected to pass shortly.

How will the scope of the OSA evolve with technology?

Ofcom has recognised that the OSA and in particular its provisions on scope may need to evolve as technology changes. For example, in relation to AI, Ofcom has confirmed that generative AI content could be UGC, that a “user” may include a GenAI enabled bot and that a GenAI model could constitute a “search service”. Ofcom has indicated that its expectations will have “flex” according to technological innovations and that it may adapt its enforcement approach to cope with change.

Last updated: 22 January 2025

Authors