UK Online Safety Act

Below we summarise the UK's ground-breaking Online Safety Act, its key provisions and its practical implications for digital service providers.

What is the Online Safety Act?

The UK Online Safety Act (OSA) represents one of the most comprehensive attempts globally to regulate online platforms and improve digital safety for users, particularly children.

The OSA is regulated by Ofcom, the UK's existing communications regulator, with enforcement powers including penalties of up to £18 million or 10% of global turnover (whichever is higher). The OSA has been implemented in phases throughout 2025, with key obligations now in force.

How will the Online Safety Act apply?

The application of the OSA depends on the type of service provided and the level of risk associated with that service. The approach is fundamentally risk-based, with higher-risk services subject to more extensive obligations.

Scope of application

The Online Safety Act regulates three main categories of services:

1. User-to-User Services: Internet services where user-generated content (whether uploaded or generated directly on the service) can be encountered by other users of the service.
2. Search Services: Traditional search engines that index and provide access to online content.
3. Providers of Online Pornographic Content: Services that provide pornographic content online.

Risk-based categorisation

Services deemed particularly high-risk due to their functionality or large user base will be designated as:

• Category 1 Services: the highest-risk platforms with the most extensive obligations
• Category 2A Services: high-risk services with significant user bases
• Category 2B Services: services with specific risk factors requiring enhanced duties

Exemptions

Certain services are exempt from OSA obligations, including:

• Email and instant messaging services
• Services with only limited user-generated content functionality (e.g., platforms only allowing reviews or 'below the fold' comments)

Extraterritoriality

The Online Safety Act has significant extraterritorial reach, designed to protect UK users regardless of where the service provider is located. The Act applies to any provider of a user-to-user or search service that "has links" to the UK, meaning:
the service has a "significant number" of UK users; or
UK users form one of the target markets for the service.

International businesses must therefore assess whether their services fall within the OSA's scope and consider whether to implement UK-specific compliance measures or adopt OSA standards globally.

What actions should you take now?

Key takeaways

The Online Safety Act represents a paradigm shift in digital regulation, imposing unprecedented duties on online service providers. Whilst the phased implementation provides time for preparation, the breadth and complexity of the obligations require immediate attention and strategic planning.
Success will depend on understanding the risk-based approach, implementing robust systems and processes, and maintaining ongoing compliance as the regulatory landscape evolves. Early preparation and proactive engagement with the regulatory framework will be essential for avoiding significant penalties and protecting both users and business interests.

The OSA's extraterritorial reach means that global platforms cannot ignore these obligations, regardless of their primary jurisdiction. The OSA sets a new international standard for online safety that is likely to influence digital regulation worldwide.

How can we help?

• Assess and advise whether organisations are caught by the scope of the OSA and if so what steps should be taken to comply with the requirements imposed.
• Assist in scoping and undertaking necessary risk assessment
• Advise on whether changes can be made to allow organisations to fall outside the scope of the OSA, or to rely upon applicable exemptions where the services which bring them in scope are not part of their core business.