The UK’s Online Safety Act (OSA): what you need to do now

• By March 16, 2025, in-scope services must assess the risk of illegal harms on their services.
• From March 17, 2025, the OSA’s illegal harms safety duties become live and in-scope services will need to take the safety measures set out in Ofcom’s Illegal Content Codes or use other effective measures to protect users from illegal content and activity. 

Below are some key points for online providers to keep in mind to ensure compliance, as well a brief insight into Ofcom’s enforcement priorities for the initial implementation of the OSA regime. 

There has been no shortage of detailed guidance in this area for online providers to navigate and which we have been working through with clients. Ofcom has published an Illegal Harms Statement which included Illegal Content Codes of Practice for user-to-user services and search services providers (the Illegal Content Codes) and other key guidance, including how providers can conduct their illegal harms risk assessment and keep appropriate records and review processes.

As a reminder, the OSA has a very wide scope and applies to ‘user-to-user services’ (any service which essentially allows users to create and share content or interact with each other) and ‘search services’ (any service with a search engine across more than one website or database) with links to the UK even if based elsewhere. A service’s duties are dictated by their categorisation according to functionality and active user numbers.

Conducting the illegal harms risk assessment 

Ofcom has provided granular detail on how it expects services to complete their illegal harms risk assessment. The guidance requires services to assign a risk level to 17 types of priority illegal content which encompasses the 130 priority offences under the OSA and, also, for other illegal content (including non-priority offences). 

Ofcom’s guidance outlines the steps that services can follow to meet the risk assessment requirements including a proposed universal four-step methodology informed by industry best practice. Online providers must complete an assessment for each in-scope service they provide, ensure it is ‘suitable and sufficient’ and take appropriate steps to keep it up to date. 

Ofcom noted that it would be gathering a selection of illegal harms risk assessments from specific providers by March 31, 2025. In that context, the Ofcom has recently announced an enforcement programme to monitor compliance with the illegal content risk assessment duties and record keeping duties, noting it has requested records of the illegal content risk assessments from a number of in-scope services and that it will use this information to identify possible compliance concerns. Going forward, Category 1 services will have to submit their illegal harms risk assessments to Ofcom.

Compliance with illegal harms duties 

The Illegal Content Codes outline how online providers can comply with their (a) illegal content safety duties, (b) content reporting duties, and (c) complaints procedures duties as specified in the OSA. They contain a comprehensive set of recommended safety measures to reduce the risk of illegal harms. Online providers that implement Ofcom’s recommended measures will be considered to have complied with the relevant duties, but providers are also free to demonstrate compliance with their OSA obligations through other means – for example if they have a global approach which ensures compliance with the OSA as well as other obligations such as the DSA.

There are approximately 40 recommended safety measures under the Illegal Content Codes for user-to-user services, which have been broadly categorised into eight thematic areas as measures in relation to:

1. Governance and accountability
2. Content moderation
3. Reporting and complaints
4. Recommender systems
5. Settings, functionalities and user support
6. Terms of service
7. User access
8. User controls

Early enforcement priorities 

In addition to the publication of its Enforcement Guidance, Ofcom has outlined the following eight enforcement priorities for the initial implementation of the OSA: 

1. Stronger governance and accountability for risks to user safety.
2. Children are protected from harm online, including pornography.
3. Offenders can’t share child sexual abuse content and children don’t face unsafe contact.
4. Illegal content – including hate and terror – is taken down quickly.
5. Women and girls face less harm and abuse online.
6. Online fraud is reduced for people online.
7. All users – especially children – are empowered to have control over their online appearance.
8. More transparency in how platforms keep users safe. 

Ofcom has been clear that it is prepared to take early enforcement action against deliberate or flagrant breaches of duties under the OSA, particularly where there is a very significant risk of serious and ongoing harm to UK users. Following enforcement action, Ofcom has the power to impose possible fines of up to GBP18 million or 10% of qualifying worldwide revenues (whichever is greater). 

Providers within scope should therefore pay close attention to these key priority areas and take all relevant steps to ensure they comply with their duty to assess the risk of illegal harms by March 16, 2025 and thereafter comply with their illegal content duties and other applicable OSA obligations.