Online Safety Act penalties and enforcement powers

Ofcom enforcement powers under the Online Safety Act

Enforcement escalation ladder under the Online Safety Act 2023, from information notices to business disruption measures.

Ofcom has a graduated enforcement toolkit under the Online Safety Act 2023. Enforcement actions escalate from information-gathering through to business disruption measures that can restrict access to non-compliant services in the UK.

Information notices (s.103): Ofcom can require services to provide information about compliance, users, and safety measures
Skilled persons reports (s.112): Ofcom can require a service to commission an independent report from a skilled person on compliance
Provisional notice of contravention (s.121): Formal notice that Ofcom considers a service is failing to comply with duties
Confirmation decision (s.122): Confirms contravention and can require specific steps, impose penalties, or both
Penalty notices: Up to 10% of qualifying worldwide revenue or £18 million, whichever is greater
Business disruption measures (ss.130-138): Court orders requiring payment providers, advertisers, or ISPs to withdraw services from non-compliant providers
Technology notices (s.121): Ofcom can require services to use accredited technology to identify and remove specific types of illegal content
Interim service restriction orders: Court can restrict a service before a final determination where there is an imminent risk of serious harm

Enforcement guidance published: 16 December 2024 (took effect immediately)
Penalty qualifying period: Calendar year two years before the charging year
Penalty calculation basis: All circumstances considered to ensure proportionality — 10% QWR is the maximum, not automatic
ISP blocking power: Ofcom can apply to court for an order requiring ISPs to block access to a non-compliant service

Ofcom Online Safety Enforcement Guidance

Maximum financial penalty

Up to 10% of qualifying worldwide revenue, or GBP 18 million (whichever is greater)

Daily default penalty

Up to 5% of qualifying worldwide revenue per day for ongoing non-compliance

Business disruption measures

Ofcom can apply to court for access restriction orders blocking UK access to non-compliant services

Information notice penalties

Failure to respond to an Ofcom information notice is a separate offence with its own penalty

Criminal liability trigger

Section 110 — senior managers face personal criminal liability for failure to comply with information notices

Criminal penalty (individuals)

Up to 2 years' imprisonment and/or an unlimited fine for senior managers convicted under s.110

Senior manager criminal liability under the Online Safety Act

Section 110 personal criminal liability for senior managers who fail to prevent information offences.

Section 110 of the Online Safety Act 2023 creates personal criminal liability for senior managers of regulated services. A senior manager commits an offence if the service provider commits an information offence under section 109 and the senior manager failed to take all reasonable steps to prevent it.

Prosecution is by the Crown Prosecution Service (CPS), not Ofcom. This is separate from the corporate penalties Ofcom can impose directly.

Relevant section: Online Safety Act 2023, section 110
Triggering offences: Failure to comply with information notice (s.109(1)), destroying or altering information (s.109(4)), providing false information (s.109(5)), encrypting information to prevent Ofcom access (s.109(6))
Liability test: Senior manager failed to take all reasonable steps to prevent the offence
Maximum sentence (indictment): Imprisonment for up to 2 years and/or an unlimited fine
Maximum sentence (summary, England and Wales): Imprisonment up to the general limit in a magistrates' court and/or a fine
Maximum sentence (summary, Scotland): Imprisonment up to 12 months and/or a fine up to the statutory maximum
Maximum sentence (summary, Northern Ireland): Imprisonment up to 6 months and/or a fine up to the statutory maximum
Who prosecutes: Crown Prosecution Service (CPS), not Ofcom

Defence 1: Short tenure: Senior manager held the role for such a short time that they could not reasonably have been expected to take steps
Defence 2: No knowledge: Senior manager had no knowledge of being named as a senior manager in the response to the information notice
Who is a senior manager: Individual named as a senior manager in a response to an Ofcom information notice (as required by the notice)

Enforcement escalation

Ofcom follows a graduated enforcement approach. The typical escalation sequence is:

Provisional notice of contravention — formal notification of suspected breach
Confirmation decision — Ofcom confirms the breach after considering representations
Enforcement notice — requires the service to take specific steps by a deadline
Penalty notice — financial penalty for confirmed non-compliance
Business disruption measures — court-ordered access restrictions for the most serious cases

Online Safety Act Platform Categorisation Thresholds

Category 1, 2A, and 2B platform thresholds for UK user-generated content platforms under the Online Safety Act 2023.

The Online Safety Act 2023 categorises user-generated content (UGC) platforms by size and functionality, with different regulatory duties for each category. Ofcom determines platform categories based on UK user numbers and platform features.

Category 1 (Option A): 34 million UK users + content recommender system
Category 1 (Option B): 7 million UK users + recommender + sharing functionality
Category 2A (Search engines): 7 million UK users (non-vertical search engines)
Category 2B (Messaging): 3 million UK users + direct messaging functionality
Fee threshold (Qualifying Worldwide Revenue): £250 million qualifying worldwide revenue
Fee exemption: UK revenue less than £10 million
Maximum penalty: 10% of global turnover OR £18 million (whichever is greater)

What Platform Categories Mean

Category 1 platforms have the highest duties, including removal of legal but harmful content for adults, transparent complaints procedures, and enhanced protections for journalists and democratic content.

Category 2A (Search) platforms must prevent illegal content appearing in search results and implement child safety measures.

Category 2B (Messaging) services must take measures to prevent illegal content being shared via private messaging.

All UGC platforms (regardless of category) must conduct illegal content risk assessments and implement safety measures to remove illegal content.

Official enforcement guidance

Ofcom: Online Safety Enforcement Guidance (December 2024) (opens in a new tab) ofcom.org.uk
Online Safety Act 2023 — Part 7: Enforcement (opens in a new tab) legislation.gov.uk
Ofcom: Online Safety regulatory documents and guidance (opens in a new tab) ofcom.org.uk

Online Safety Act penalties and enforcement powers

Online Safety Act compliance checklist

Register with Ofcom for Online Safety Act compliance

Understanding the Online Safety Act

Conduct an illegal content risk assessment

Tech Sector Compliance Overview

Enforcement escalation

Official enforcement guidance

Related guides in Digital & Technology

Online Safety Act compliance checklist

Register with Ofcom for Online Safety Act compliance

Understanding the Online Safety Act

Conduct an illegal content risk assessment

Tech Sector Compliance Overview

Enforcement escalation

Official enforcement guidance