Online Safety Act: duties for online services

Is your service in scope?

The Act regulates two types of service:

User-to-user services - platforms where users can share content with other users:

• Social media platforms
• Video sharing services
• Forums and message boards
• Dating apps
• Gaming platforms with chat or community features
• Online marketplaces with user reviews or comments
• Messaging services (where content can reach multiple recipients)

Search services - services enabling users to search multiple websites or databases:

• General search engines
• Specialist search engines (not limited to one website)

Out of scope:

• One-to-one email services
• Internal business communication tools
• Services with no UK users or UK links
• News publisher websites (regulated separately)

Overview of your duties

The Act imposes duties based on service type and size. All regulated services have baseline duties, with additional obligations for larger platforms and those accessible by children.

Service categories

Ofcom categorises regulated services based on UK user numbers and platform functionality. Your category determines which additional duties apply beyond baseline requirements.

Category 1 (largest user-to-user services)

These platforms have the highest duties. Ofcom determines Category 1 status using two alternative tests:

• Option A: 34 million UK users AND a content recommender algorithm
• Option B: 7 million UK users AND a recommender system AND content sharing functionality

Category 1 platforms must address legal but harmful content for adults, protect journalistic and democratic content, give users content filtering tools, and publish transparency reports.

Category 2A (search services)

Search engines with 7 million or more UK users (excluding vertical search limited to specific websites). Must prevent illegal content appearing in search results and implement child safety measures.

Category 2B (user-to-user with messaging)

Services with 3 million or more UK users that include private messaging functionality. Must take measures against illegal content shared via private messages.

All other regulated services

Services below category thresholds still have baseline duties covering illegal content risk assessment, content removal, terms of service, and complaints procedures.

Key duties in detail

Illegal content duty

All regulated services must take steps to prevent users encountering priority illegal content. This covers 130+ offences listed in Schedule 7 of the Act, including:

• Child sexual exploitation and abuse material (CSEA)
• Terrorism content
• Hate crimes
• Fraud and financial crime
• Drugs and weapons offences
• Revenge pornography and intimate image abuse
• Harassment and stalking
• Immigration crime facilitation

You must conduct a risk assessment, implement safety measures proportionate to your risks, and remove illegal content swiftly when you become aware of it.

Children's safety duty

If children can access your service, you must protect them from content that is harmful to children, even if that content is legal for adults. This includes:

• Pornographic content
• Content promoting self-harm, suicide, or eating disorders
• Content promoting violence
• Bullying content
• Content that is harmful for children to see

You must conduct a children's access assessment to determine if children are likely to access your service. If yes, you must implement age assurance measures and apply additional protections.

Implementation deadlines

The Online Safety Act introduces duties in stages. Missing these deadlines puts you at risk of enforcement action.

What the deadlines mean for you

By 16 March 2025: Complete your illegal content risk assessment. This is a written document identifying how your service could be used to commit or facilitate illegal activity. You must be able to show this to Ofcom if asked.

From 17 March 2025: Ofcom can enforce illegal content duties. Your safety measures must be operational - content moderation systems, reporting mechanisms, and removal processes.

By 16 April 2025: Complete your children's access assessment to determine if children are likely to access your service.

From 25 July 2025: Children's safety duties become enforceable. Age assurance and child-specific protections must be in place.

Steps to compliance

Enforcement and penalties

Ofcom has substantial enforcement powers under the Online Safety Act:

• Information notices: Ofcom can require you to provide information about your service, users, and safety measures
• Provisional and confirmation notices: Formal warnings requiring you to take specific action to comply
• Fines: Up to 10% of qualifying worldwide revenue or £18 million, whichever is greater
• Business disruption measures: Court orders to restrict payment services or advertising, or require ISPs to block access to non-compliant services
• Senior manager liability: Criminal offences for failing to comply with information notices or obstructing Ofcom investigations

Ofcom prioritises the most serious harms - particularly child sexual exploitation, terrorism, and fraud. However, all in-scope services must meet baseline compliance requirements.