Menu
undefined undefined
My dashboard
My Content
My products (0) My insights (0) My events (0) My contacts (0)

UK Online Safety Act

A quick guide to the UK Online Safety Act

Key contacts Related insights

Below we summarise the UK's ground-breaking Online Safety Act, its key provisions and its practical implications for digital service providers.

What is the Online Safety Act?

The UK Online Safety Act (OSA) represents one of the most comprehensive attempts globally to regulate online platforms and improve digital safety for users, particularly children.

The OSA is regulated by Ofcom, the UK's existing communications regulator, with enforcement powers including penalties of up to £18 million or 10% of global turnover (whichever is higher). The OSA has been implemented in phases throughout 2025, with key obligations now in force.

How will the Online Safety Act apply?

The application of the OSA depends on the type of service provided and the level of risk associated with that service. The approach is fundamentally risk-based, with higher-risk services subject to more extensive obligations.

Scope of application

The Online Safety Act regulates three main categories of services:

  1. User-to-User Services: Internet services where user-generated content (whether uploaded or generated directly on the service) can be encountered by other users of the service.
  2. Search Services: Traditional search engines that index and provide access to online content.
  3. Providers of Online Pornographic Content: Services that provide pornographic content online.

Risk-based categorisation

Services deemed particularly high-risk due to their functionality or large user base will be designated as:

  • Category 1 Services: the highest-risk platforms with the most extensive obligations
  • Category 2A Services: high-risk services with significant user bases
  • Category 2B Services: services with specific risk factors requiring enhanced duties

Exemptions

Certain services are exempt from OSA obligations, including:

  • Email and instant messaging services
  • Services with only limited user-generated content functionality (e.g., platforms only allowing reviews or 'below the fold' comments)
Category chart for UK Online Safety Act based on risk level
Category chart for UK Online Safety Act based on risk level

Extraterritoriality

The Online Safety Act has significant extraterritorial reach, designed to protect UK users regardless of where the service provider is located. The Act applies to any provider of a user-to-user or search service that "has links" to the UK, meaning:
the service has a "significant number" of UK users; or
UK users form one of the target markets for the service.

International businesses must therefore assess whether their services fall within the OSA's scope and consider whether to implement UK-specific compliance measures or adopt OSA standards globally.

Key obligations

plus

The OSA introduces comprehensive new duties that vary depending on the nature of the service and its risk categorisation:

  • Risk assessments - Assess risks from illegal content and content harmful to children
  • Illegal content systems - Proportionate measures to protect users from illegal content
  • Reporting procedures - User-friendly reporting and complaints system
  • Terms of service - Clear, accessible and consistently implemented terms.
  • Children's access - Evaluate if children can access your service
  • Children's safety - Age-gating, verification and safety protections
  • Freedom of expression - Balance safety with fundamental rights
  • Record keeping - Maintain records of assessments and compliance measures

Additional duties for higher-risk services

plus

Designated Category 1, 2A, and 2B services will face additional obligations including:

  • Fraudulent advertising controls: Systems to prevent and remove fraudulent advertisements;
  • Transparency reporting: Regular public reporting on content moderation activities;
  • Journalistic content protection: Special duties to protect legitimate journalistic content.

Codes of practice

plus

Ofcom is publishing codes of practice that are crucial for compliance. Whilst not mandatory, providers will be treated as complying with particular duties if they implement the measures described in the relevant Code of Practice. These codes provide practical guidance on meeting OSA obligations and are expected to be regularly updated to reflect technological developments.

What actions should you take now?

Immediate compliance requirements

plus
  • Service assessment: Determine whether your services fall within the OSA's scope.
  • User analysis: Assess your UK user base and market presence.
  • Risk mapping: Identify potential illegal content and child safety risks on your platform.
  • Illegal content duties: Ensure systems are in place to address illegal content (in force since March 2025).
  • Children's access assessments: Complete assessments if not already done (required since April 2025).
  • Children's safety duties: Implement all required protections for under-18 users (in force since July 2025).
  • Age verification: Sites with pornographic content must have robust age checks in place (mandatory since July 2025).

Ongoing compliance actions

plus
  • Compliance monitoring: Continuously assess compliance with current obligations.
  • System enhancement: Upgrade content moderation and safety tools to meet current standards.
  • Policy updates: Ensure terms of service and user policies reflect current OSA requirements.

Ongoing monitoring

plus
  • Regulatory updates: Stay informed about Ofcom guidance and secondary legislation.
  • Industry best practices: Monitor how other platforms are approaching compliance.

Governance and training

plus
  • Internal stakeholder engagement: Discuss OSA implications with relevant departments (legal, product, engineering, policy).
  • Staff training: Ensure teams understand new obligations and compliance requirements.
  • Vendor management: Assess third-party service providers' OSA compliance capabilities.

Key takeaways

The Online Safety Act represents a paradigm shift in digital regulation, imposing unprecedented duties on online service providers. Whilst the phased implementation provides time for preparation, the breadth and complexity of the obligations require immediate attention and strategic planning.
Success will depend on understanding the risk-based approach, implementing robust systems and processes, and maintaining ongoing compliance as the regulatory landscape evolves. Early preparation and proactive engagement with the regulatory framework will be essential for avoiding significant penalties and protecting both users and business interests.

The OSA's extraterritorial reach means that global platforms cannot ignore these obligations, regardless of their primary jurisdiction. The OSA sets a new international standard for online safety that is likely to influence digital regulation worldwide.

How can we help?

  • Assess and advise whether organisations are caught by the scope of the OSA and if so what steps should be taken to comply with the requirements imposed.
  • Assist in scoping and undertaking necessary risk assessment
  • Advise on whether changes can be made to allow organisations to fall outside the scope of the OSA, or to rely upon applicable exemptions where the services which bring them in scope are not part of their core business.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.

Key contacts

If you have any questions, contact a member of the UK Online Safety Act team for assistance:

This website uses cookies and other similar technologies to ensure you get the best experience on our website. Please review our cookie policy and our data protection privacy notice for more information on how the data that is collected is used.