UK’s Online Safety Act: What Service Providers Need to Know

Additionally, for services that are likely to be accessed by children, any content that is harmful to children. Whilst it may seem that search engines, dating, gaming and social media platforms are the primary targets, the OSA has wider reach and application than commonly perceived. Numerous online service providers, including websites or applications available over the internet that host and index user-generated content, must pay close attention to this legislation and its approaching deadlines.

Who should read this?

This briefing is essential for a wide range of online service providers, many of which for the first time will become responsible for proactively assessing and mitigating against risks of harm presented by illegal and harmful content.

Providers regulated under the OSA are broadly broken down into 3 categories:

1. user-to-user (“U2U”) service providers, i.e. online services that allow users to interact with each other by generating, uploading or sharing content, such as images, videos, messages or comments, with other users of that online service (for example, social media apps, photo or video sharing services, chat services such as dating apps, online gaming services). 
2. search engine service providers, i.e. online services which are, or include, a search engine. A search engine is a feature which enables users to search more than one website and/or database; and
3. internet services on which regulated provider pornographic content (“RPPC”) is published/displayed.

Social media platforms, search engines, messaging services, gaming and dating apps, as well as pornography and file-sharing sites will all fall within scope. But the scope is deliberately broad, to ensure a diverse array of digital environments/platforms are captured – enhancing online safety for as wide a range of online users as possible. Ofcom has provided an interactive tool to assist organisations understand whether they may be within the scope of the OSA – see here.

• The rules apply to different sizes of organisations from large and well-resourced companies to very small ‘micro-businesses’. They also apply to individuals who run an online service.
• The OSA has extra-territorial affect and applies to providers that:
• provide services to a significant number of users in the UK;
• target the UK market; or
• (in case of U2U services and search services) are capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by the user-generated content or search content on that service.

Why you should care?

The OSA, supported by an expanding body of Codes of Practice and guidance published by Ofcom (available here), imposes significant legal responsibilities on providers to protect users, especially children, from harmful content. It requires online service companies to assess and mitigate risks related to illegal content like terrorism, hate speech, fraud, and child sexual abuse.

The legislation establishes varying levels of requirements dependent on the nature of the service provided. It employs different categories and scales to make the obligations vary proportionate to the associated risks. Larger, higher-risk platforms are subject to more rigorous obligations compared to smaller service providers. For instance, high-risk providers are required to implement advanced methods such as automated tools, including hash-matching and URL detection, to swiftly identify and remove specific content, such as child sexual abuse material (CSAM), from their platforms.

The OSA also lists over 130 priority offences that organisations must assess and mitigate against. Providers need to stay vigilant and proactive in implementing safety measures to protect their users from illegal and harmful content. Understanding what Ofcom now expects from each type of online service provider is integral for ensuring compliance with the legislation and mitigating the risk of penalties.  

“Illegal Content”

• Whilst the OSA covers any kind of illegal content that can appear online, it includes a list of specific offences that warrant particular attention:
• terrorism
• child sexual exploitation and abuse (“CSEA”) offences,
• hate
• harassment, stalking, threats and abuse
• controlling or coercive behaviour
• intimate image abuse
• extreme pornography
• sexual exploitation of adults
• human trafficking
• unlawful immigration
• fraud and financial offences
• proceeds of crime
• drugs and psychoactive substances
• firearms, knives and other weapons
• encouraging or assisting suicide
• foreign interference
• animal cruelty

Penalties

As costly as implementation of all the requirements might seem, there are significant penalties for failing to comply. These include fines of up to 10% of the company's qualifying group worldwide revenue or £18 million, whichever is greater. Companies may also be compelled to take corrective actions.

Ofcom can also issue statutory information requests proactively and failure to respond accurately and promptly can lead to enforcement actions. These measures are designed to ensure that online service providers take their responsibilities seriously and remain accountable.

While individuals cannot directly enforce duties under the OSA, there is potential for a future civil right of action and for claims of damages/distress to arise due to user harm.

In its recent guidance, Ofcom has clearly stated it is ‘ready to take enforcement action if providers do not act promptly to address the risks on their services’ which underscores their commitment to ensuring compliance and protecting users.

Key compliance actions?

Below we have set out some of the immediate key considerations and actions for organisations embarking on compliance projects for the OSA in 2025:

1. Assess Applicability: Determine if the OSA applies to your services. It covers services with a significant number of UK users or those targeting the UK market, including social media, video-sharing platforms, online forums, and messaging services.
2. Timeline and Compliance Roadmap: Ofcom has provided a helpful table summarizing the key milestones and compliance deadlines for organizations, broken down by service type or specific code or rule category – see OSA Timeline.
3. Regular Risk Assessments: Conduct regular illegal content risk assessments to identify and mitigate potential harms to users.
4. Compliance with Ofcom’s Codes of Practice: Familiarise yourself and follow the codes of practice set out by Ofcom, which will provide detailed steps to fulfil safety duties. Aligning with these codes will be the best way to evidence compliance.
5. Implement Safety Measures: You should consider the design of your platforms to reduce the potential for them being used as a space for criminal activity. Develop and implement systems to reduce risks of illegal activity and harmful content. This includes developing processes for taking down illegal content promptly and preventing children from accessing harmful or age-inappropriate content.
6. Transparency and Control: Be transparent about the types of content allowed on your platform and explain your approach in your terms of service (or publicly available statement). Also provide users with tools to control the content they see - for example, consider additional tools to help users reduce the likelihood that they will encounter certain types of content (e.g. eating disorders, racist or misogynistic content).
7. Reporting Mechanisms: Establish clear and accessible ways for users to report harmful content or issues they encounter.
8. User Rights: Ensure that safety measures remain balanced and respect users’ broader rights and freedoms, balancing safety with freedom of expression.
9. Documentation and Reporting: Maintain documentation of your actions and safety measures adopted and be prepared to report on compliance to Ofcom.

Key dates and next steps

Subject to the published Codes of Practice completing the Parliamentary process, enforcement will commence from 17 March 2025. However, in-scope providers are already expected to be carrying out their illegal harms risk assessments and identifying appropriate safety measures. With non-compliance potentially resulting in substantial penalties and Ofcom’s recent rhetoric around enforcement action, it is crucial for organisations to engage now and start implementing compliance plans.

From the key milestones and tiered implementation of the OSA’s provisions, the most pressing deadlines include:

If you need assistance assessing whether your services fall under the scope of the OSA or would like help planning and documenting preventative processes/measures against illegal content or harms, please reach out to our team.