Today Ofcom, the UK’s online safety regulator, has released an important update on deadlines for the UK Online Safety Act (“OSA”) regime becoming applicable and enforceable on businesses in scope. It has also set out details of its areas of initial enforcement focus for the first time.
The OSA applies to almost all online services with UK users that allow or empower user-to-user interactions, or include search engine functionality across multiple sites. Although it received Royal Assent in 2023, the applicability of the OSA’s substantive duties has been contingent on Ofcom finalising various codes of practice and guidance setting out the measures Ofcom believes are required to comply with the law.
Ofcom’s update has now confirmed the following key timings, based on when it is likely to finalise the corresponding codes/guidance:
Compliance step | Applicable to | Deadline |
Illegal harms risk assessments | All U2U/search services; some U2U/search services | Start in December 2024; complete in March 2025; Ofcom will require some services to provide a copy by 31 March 2025 |
Child access assessments | All U2U/search services (to determine whether the child-related duties will be relevant or not) | Start in January 2025; complete by April 2025 |
Comply with illegal content safety duties | All U2U/search services* | Around March 2025 |
Child risk assessments | Services likely to be accessed by children (following child access assessment); some of the above services | Start in April 2025; complete in July 2025; Ofcom will require some services to provide a copy by 31 March 2025 |
Comply with child safety duties | Services likely to be accessed by children* | Around July 2025 |
Respond to transparency notices | Categorised services | From summer 2025 |
Comply with other categorised duties | Categorised services | TBD but will not be until 2026 |
*These duties won’t come into force for UK-established video-sharing platforms (VSPs) until later, likely Q3 2025, due to the need for the existing VSP regulation to be repealed before the OSA applies to the handful of relevant organisations.
Although Ofcom has said that timings might change as Ofcom continues its work, businesses should now operate on the basis of the above – there is now very little time before the first of these deadlines comes into effect.
Ofcom’s statement also sets out the following eight enforcement priorities for the first three years, and says Ofcom is “ready to launch immediate enforcement action” once duties are applicable. In-scope services should therefore particularly pay attention to these areas.
It is clear that Ofcom sees risk assessments – the first obligations falling on all impacted organisations – as the first key enforcement priority for 2025. However, Ofcom categorises five of these eight priorities as being design changes. There is therefore plenty for affected businesses to do, as well as assess.
Ofcom tells us: “We expect our early enforcement action to focus on ensuring services are adequately assessing risk and putting in place the measures that will be most impactful in protecting users, especially children, from serious harms such as those relating to CSAM, pornography and fraud.”
Some of the measures this statement alludes to include those which may be especially challenging and time-consuming to implement in practice, particularly highly effective age assurance and certain proactive monitoring tools as set out in the draft illegal harms codes for CSEA and fraud materials.
On these automated content moderation tools, Ofcom has said that it expects to consult in spring 2025 on how further automated tools can be used to proactively detect illegal/harmful content going beyond the measures it has already consulted on, so it is possible Ofcom will strengthen its codes with further automated content moderation measures after this date.
Earlier in the year, Ofcom sought input from various organisations – those most likely to be caught by the fee regime – on how they would assess the relevant qualifying revenue to charge fees. Ofcom will consult later this month on the assessment of qualifying revenue and the relevant threshold, as well as any relevant exemptions. The regime itself is not expected until later, with Ofcom aiming for the 2026/2027 financial year.
Businesses should already have determined whether they are in scope of the OSA – if this has not yet been done, then identifying application of the law must be the initial priority. A non-exhaustive list of functionality that could bring unsuspecting businesses in scope includes:
While we await publication of the final Illegal Harms guidance, it is clear that organisations will need to be preparing the evidence and information needed for their risk assessment. This involves identifying the relevant “risk profiles” that apply to your OSA-caught services, and identifying what measures you need to put in place based on an assessment of the risk of certain illegal harms, especially one of the 15 priority illegal harms, occurring on your services. Part of this process is identifying what evidence your business holds – or will need to start gathering – to demonstrate that you have correctly identified your residual risk.
Ofcom does promise to offer certain tools to SMEs caught by the OSA – but it does not commit to a timeframe for when these will become available.
For help understanding whether the OSA applies to your business and how to comply with the above requirements, contact a member of our Online Safety group below. For other helpful resources, see our Online Safety page here.