UK Online Safety Act – Countdown to December 2024 as Ofcom announces new deadlines and enforcement priorities
Written By
Associate
UK
I am an Associate in our London Privacy & Data Protection team with strong expertise in Online Safety.
Partner
UK
I am a partner working on data and online safety compliance from our London office. I work with a wide variety of organisations, particularly in the media, sports and life sciences sectors. I also advise extensively on children's and employee privacy matters.
Related
Practices
Sectors
Trending Topics
Regions
Countries
Today Ofcom, the UK’s online safety regulator, has released an important update on deadlines for the UK Online Safety Act (“OSA”) regime becoming applicable and enforceable on businesses in scope. It has also set out details of its areas of initial enforcement focus for the first time.
Shifted deadlines – but less than six months to go before the first (illegal harms) duties will apply
The OSA applies to almost all online services with UK users that allow or empower user to user interactions, or include search engine functionality across multiple sites. Although it received Royal Assent in 2023, the applicability of the OSA’s substantive duties has been contingent on Ofcom finalising various codes of practice and guidance setting out the measures Ofcom believes are required to comply with the law.
Ofcom’s update has now confirmed the following key timings, based on when it is likely to finalise the corresponding codes/guidance:
| Compliance step | Applicable to |
Deadline |
| Illegal harms risk assessments | All U2U/search services Some U2U/search services |
Start in December 2024 Complete in March 2025 Ofcom will require some services to provide a copy by 31 March 2025 |
| Child access assessments | All U2U/search services (to determine whether the child-related duties will be relevant or not) | Start in January 2025 Complete by April 2025 |
| Comply with illegal content safety duties | All U2U/search services* | Around March 2025 |
| Child risk assessments | Services likely to be accessed by children (following child access assessment) Some of the above services |
Start in April 2025 Complete in July 2025 Ofcom will require some services to provide a copy by 31 March 2025 |
| Comply with child safety duties | Services likely to be accessed by children* | Around July 2025 |
| Respond to transparency notices | Categorised services | From summer 2025 |
| Comply with other categorised duties | Categorised services | TBD but will not be until 2026 |
*These duties won’t come into force for UK-established video-sharing platforms (VSPs) until later, likely Q3 2025, due to the need for the existing VSP regulation to be repealed before the OSA applies to the handful of relevant organisations.
Although Ofcom has said that timings might change as Ofcom continues its work, businesses should now operate on the basis of the above – there is now very little time before the first of these deadlines comes into effect.
A first insight into Ofcom’s enforcement priorities – risk assessment and design changes in the initial firing line
Ofcom’s statement also sets out the following eight enforcement priorities for the first three years, and says Ofcom is “ready to launch immediate enforcement action” once duties are applicable. In-scope services should therefore particularly pay attention to these areas.
- Services prioritise user safety, tackling risks to users, and naming senior accountable people (i.e. – risk assessments and governance structures)
- Children are protected from harmful content and activity, including pornography (including via “tough” age checks and re-jigged recommender systems)
- Offenders can’t share child sexual abuse content and children don’t face unsafe contact
- Illegal content – including hate and terror – is taken down quickly
- Women and girls face less gendered harm and abuse online (including appropriate reporting channels)
- Online fraud is reduced (including through detection, deterrence and prevention measures)
- Users – especially children – are empowered to have control over their online experience
- More transparency in how platforms keep users safe, and what Ofcom is doing to deliver positive change (for categorised services, this will include transparency reporting by the end of 2025)
It is clear that Ofcom sees risk assessments – the first initial obligations falling on all impacted organisations – as the first key enforcement priority for 2025. However, Ofcom categorises five of these eight priorities as being design changes. There is therefore plenty for affected business to do, as well as assess.
Ofcom tells us: “We expect our early enforcement action to focus on ensuring services are adequately assessing risk and putting in place the measures that will be most impactful in protecting users, especially children, from serious harms such as those relating to CSAM, pornography and fraud.”
Some of the measures this statement alludes to include those which may be especially challenging and time-consuming to implement in practice, particularly highly effective age assurance and certain proactive monitoring tools as set out in the draft illegal harms codes for CSEA and fraud materials.
Potentially more proactive automated moderation measures to come
On these automated content moderation tools, Ofcom has said that it expects to consult in spring 2025 on how further automated tools can be used to proactively detect illegal/harmful content going beyond the measures it has already consulted on, so it is possible Ofcom will strengthen its codes with further automated content moderation measures after this date.
Fees – consultation coming, but fee regime not expected until 2026/2027 financial year
Earlier in the year, Ofcom sought input from various organisations – those most likely to be caught by the fee regime – on how they would assess the relevant qualifying revenue to charge fees. Ofcom will consult later this month on the assessment of qualifying revenue and the relevant threshold, as well as any relevant exemptions. The regime itself is not expected until later, with Ofcom aiming for the 2026/2027 financial year.
What now? Do you know if you’re caught?
Businesses should already have determined whether they are in scope of the OSA – if this has not yet been done, then identifying application of the law must be the initial priority. A non-exhaustive list of functionality that could bring unsuspecting businesses in scope include:
- forums – including for business users
- chat rooms or ancillary chat functionality
- marketplaces allowing user sales or listings
- certain review functionality
- file-sharing
- certain direct messaging services
Next steps – prepare and begin to risk assess
As we await the final Illegal Harms guidance to be published, it is clear that organisations will need to be preparing the evidence and information needed for their risk assessment. This involves identifying the relevant “risk profiles” that apply to your OSA-caught services, and identifying what measures you need to put in place based on an assessment of the risk of certain illegal harms, especially one of the 15 priority illegal harms, occurring on your services. Part of this process is identifying what evidence your business holds – or will need to start gathering – to demonstrate that you have correctly identified your residual risk.
Ofcom does promise to offer certain tools to SMEs caught by the OSA – but it does not commit to a timeframe for when these will become available.
For help understanding whether the OSA applies to your business and how to comply with the above requirements, contact a member of our Online Safety group below. For other helpful resources, see our Online Safety page here.
