UK Online Safety Act Compliance: What You Must Do Now

Introduction: Where the Online Safety Act Stands in 2026

The UK Online Safety Act has moved from legislative ambition to live enforcement. Ofcom is now actively scrutinising platforms, issuing compliance notices, and — in the most serious cases — pursuing fines and criminal referrals. For any business providing an online service accessible to UK users, the question is no longer whether to comply, but whether your current compliance posture is robust enough to withstand regulatory inspection.

The Act's reach is international. It applies to services with links to the UK whether the provider is headquartered in London, Dublin, Delaware, or anywhere else. Ofcom has made clear it will pursue non-UK operators where there is evidence of harm to UK users.

TL;DR – The phased compliance deadlines have now passed. If you have not yet completed your illegal content risk assessment, your children's access assessment, and — where applicable — your children's risk assessment, you are already exposed to enforcement action. Complete them immediately. The Act applies to any online service accessible in the UK, and Ofcom is no longer waiting.

Why the Online Safety Act Demands Attention Right Now

When the Act received Royal Assent in October 2023, many platforms took a wait-and-see approach. That window has closed. Ofcom's enforcement programme is operational: the Illegal Harms Codes of Practice came into force in March 2025, the Protection of Children Codes followed in July 2025, and Ofcom has since begun its first wave of formal compliance reviews targeting both large platforms and mid-tier services that assumed they were below the regulatory radar.

The regulator has been explicit that size is not a shield. Smaller platforms carrying high-risk content categories — particularly those involving children, financial fraud, or intimate image abuse — are being prioritised alongside the major players. Reputational damage, service restrictions, and personal liability for senior managers are all live consequences, not theoretical ones.

Who the Online Safety Act Applies To

The Act covers businesses both inside and outside the UK that provide services accessible to UK users. The level of obligation scales with the service type and the risks it poses, but very few interactive online services are entirely out of scope.

The regulations apply across a broad spectrum of online services:

User-to-user services

User-to-user services allow people to generate and share content that other users can see. They include:

  • social media platforms
  • video-sharing services
  • private messaging apps
  • online marketplaces
  • dating apps
  • review platforms
  • file- and audio-sharing services
  • discussion forums and community boards
  • information-sharing platforms
  • online gaming environments

Search services

A search service enables users to search more than one website or database for information or content. There are two main types:

  • General search services allow users to search content from across the web.
  • Vertical search services allow users to search for specific products or services offered by different providers — such as flights, financial products, or insurance.

Video-sharing platforms

Video-sharing platforms (VSPs) allow users to upload and share video content. Most VSPs — including large social platforms with video functionality — are now subject to the full suite of online safety duties. Some platforms established in the UK were already bound by earlier VSP regulations; they now operate under the consolidated Online Safety Act framework.

Services that meet the legal criteria for UK-regulated VSP status must notify Ofcom, which maintains a list of notified platforms.

Services with pornographic content

This category covers online services where the provider publishes or displays pornographic content, as well as services that allow users to upload and share such content. These services face the most immediate and stringent age assurance requirements under the Act.

Compliance Deadlines: Where Things Stand in 2026

All three major compliance phases have now passed. If your organisation has not acted on each milestone, you are in arrears and should treat remediation as urgent.

| Date | Milestone | Status / Action required |
|---|---|---|
| March 2025 | Illegal Harms Codes of Practice came into force | Illegal content risk assessment — must be complete; Children's access assessment — must be complete; Pornographic content services — highly effective age assurance must be in place |
| April 2025 | First version of the Protection of Children Codes of Practice published | Children's risk assessment — must be complete |
| July 2025 | Protection of Children Codes of Practice came into force | Specific services required to disclose risk assessments to Ofcom — deadline passed |
| 2026 onwards | Active enforcement and compliance reviews | Ofcom conducting formal reviews; platforms must demonstrate ongoing compliance and up-to-date risk assessments |

Ofcom has confirmed it will treat the failure to complete risk assessments as a standalone compliance breach — separate from any harm that may have actually occurred on a platform. Incomplete documentation is itself an enforcement trigger.

Understanding the Core Requirements of the Online Safety Act

How the Act Categorises Harmful Content

The Act identifies and categorises harmful content into 17 kinds of priority illegal content and a broader category of other illegal content, including non-priority offences. Platforms must actively work to prevent, detect, and remove material falling under these definitions — not simply respond to it after the fact.

The 17 Priority Illegal Content Categories

  1. Terrorism: Content promoting, inciting, or glorifying terrorist activities.
  2. Harassment, stalking, threats, and abuse: Material involving targeted harassment, stalking, credible threats, or sustained abuse.
  3. Coercive and controlling behaviour: Content depicting or encouraging coercive control in intimate or family relationships.
  4. Hate offences: Material inciting hatred against individuals or groups based on protected characteristics.
  5. Intimate image abuse: The non-consensual sharing of private sexual images — now also addressed by the Criminal Justice Act 2024, which created new specific offences including the taking of such images without consent.
  6. Extreme pornography: Content depicting extreme sexual acts that are illegal under UK law.
  7. Child sexual exploitation and abuse (CSEA): Material involving the sexual exploitation or abuse of children, including AI-generated imagery which Ofcom has explicitly confirmed falls within scope.
  8. Sexual exploitation of adults: Content depicting or facilitating the sexual exploitation of adults.
  9. Unlawful immigration: Material facilitating or promoting illegal entry or stay.
  10. Human trafficking: Content related to the illegal trade of people for exploitation or commercial gain.
  11. Fraud and financial offences: Material promoting or facilitating fraudulent financial activity, including investment scams and authorised push payment fraud.
  12. Proceeds of crime: Content concerning the handling or laundering of illegally obtained money.
  13. Assisting or encouraging suicide or self-harm: Material that encourages or provides means for self-harm or suicide, a category Ofcom has flagged as particularly acute for platforms used by young people.
  14. Drugs and psychoactive substances: Content promoting the sale or use of controlled drugs and novel psychoactive substances.
  15. Weapons offences: Material promoting the illegal acquisition, possession, or use of knives, firearms, or other weapons.
  16. Foreign interference: Content involving foreign state or non-state actors interfering in UK democratic processes or public discourse.
  17. Animal welfare: Material depicting or promoting cruelty to animals.

It is worth noting that Ofcom's enforcement guidance published in late 2025 specifically highlighted fraud, CSEA, and suicide and self-harm content as areas where it found the most significant gaps in platform compliance during its initial review cycle. If your service has any exposure to these categories, they warrant priority attention.

Non-Priority Illegal Content

Beyond the 17 priority categories, all service providers must assess whether other forms of illegal content are likely to appear on their platform. Ofcom's Register of Risks identifies a range of non-priority illegal content, but the obligation extends further: if you have evidence or reasonable grounds to believe a particular type of illegal harm — even one not listed — is likely to occur on your service, it must be included in your risk assessment. The threshold is evidence-based, not exhaustive-list-based.

Your Risk Assessment Obligations

What a Compliant Risk Assessment Looks Like

A risk assessment under the Act is not a tick-box exercise. Ofcom expects documented, evidence-based analysis that demonstrates genuine engagement with the specific risks your service presents. A generic template submitted without service-specific evidence is unlikely to satisfy a compliance review.

Ofcom's Four-Step Methodology

  1. Identify risks: Map the specific ways in which illegal or harmful content could emerge on your platform, given its features, user base, and content types.
  2. Evaluate severity: Assess the likelihood and potential impact of each risk, considering both the probability of occurrence and the harm to users — particularly children and other vulnerable groups.
  3. Mitigate risks: Implement proportionate, documented safeguards. Ofcom's Codes of Practice set out recommended measures; departing from them requires you to demonstrate that your alternative approach is equally effective.
  4. Review and update: Risk assessments are living documents. They must be updated following significant platform changes, new regulatory guidance, or emerging threats identified through your own moderation data.

What Evidence to Use

Robust assessments draw on incident and moderation logs, user complaint data, law enforcement referrals, industry threat intelligence, and — where relevant — independent expert analysis. Platforms that have conducted user research on how their service is actually used by children tend to produce more credible assessments. Document everything: Ofcom may request your underlying evidence, not just your conclusions.

When to Conduct a Fresh Assessment

A new or substantially revised assessment is required whenever you make significant changes to your service's features or algorithms, when Ofcom publishes updated guidance or codes, or when your own data suggests a material shift in the risk landscape. Annual reviews are a minimum baseline; higher-risk services should review more frequently.

Your Legal Obligations in Practice

Conducting a Compliance Audit

A compliance audit maps your current policies, technical measures, and governance arrangements against the requirements of the Act and Ofcom's Codes of Practice. It should cover risk assessment documentation, content moderation workflows, reporting mechanisms, age assurance systems, transparency reporting, and staff training records. Gaps identified in an audit are far less costly to address proactively than during an Ofcom investigation.

Proactive Prevention vs. Reactive Moderation

The Act explicitly requires proactive measures for priority illegal content — waiting for users to report harmful material is not sufficient. For the highest-risk categories, platforms must deploy systems capable of detecting content before it reaches other users. The standard Ofcom applies is proportionality: larger platforms with greater resources face higher expectations, but no regulated service is excused from having some proactive capability.

Detecting, Removing, and Reporting Illegal Content

Platforms must have technically effective systems for identifying prohibited content, clear timelines for removal, and established channels for reporting to Ofcom and, where appropriate, law enforcement. The National Crime Agency and Internet Watch Foundation remain key referral bodies for CSEA content specifically. Platforms should have documented escalation procedures that staff can follow without ambiguity.

Age Assurance: The Raised Bar

Age verification requirements have become one of the most actively enforced areas of the Act. Ofcom's guidance makes clear that "highly effective age assurance" means more than a self-declaration checkbox. Technical measures — such as age estimation technology, credit card verification, or third-party identity checks — are expected for services likely to be accessed by children. Pornographic content services that have not implemented such measures by now are in direct breach. For other services, the children's access assessment determines whether age assurance is required and at what level.

Transparency Reporting

Platforms above certain thresholds must publish annual transparency reports covering their approach to illegal content, moderation volumes, appeals data, and age assurance measures. Ofcom has published a transparency reporting framework, and reports that fail to address its key metrics are treated as inadequate. Smaller services below the threshold are still expected to be able to produce compliance documentation on request.

User Safety Measures

Building Compliance Into Your Operations

Effective compliance is an operational discipline, not a one-off project. Automated content detection, human moderation, clear community standards, and accessible user reporting tools all need to work together. Ofcom has noted that platforms relying exclusively on automated moderation — without human review for edge cases and appeals — are likely to fall short of the standard required.

Staff Training

Everyone involved in content decisions, user safety, product development, and legal affairs needs a working understanding of the Act's requirements. Training should cover the priority illegal content categories, escalation procedures, how to handle user reports, and what triggers a mandatory referral to external authorities. Records of training completion should be maintained as part of your compliance documentation.

Algorithmic Accountability

AI-driven recommendation and moderation systems are under specific scrutiny. Ofcom expects platforms to be able to explain how their algorithms affect the distribution of potentially harmful content, and to demonstrate that automated systems are regularly audited for bias and effectiveness. As generative AI tools become more widely used to create content, platforms also need to consider how their moderation systems handle AI-generated material — including synthetic CSEA imagery, which is explicitly in scope.

Content Governance and Appeals

Community guidelines must be clear, consistently enforced, and accompanied by a meaningful appeals process. Users who have content removed or accounts actioned must have a route to challenge those decisions. Ofcom has indicated that platforms with no functional