
Following the enactment of the Online Safety Act (“OSA”) in October 2023, Ofcom has prepared a multi-stage plan for its implementation. Under this legislation, online service providers are subject to a number of new obligations, and Ofcom has a duty to ensure compliance with these requirements.
1. Who do these new obligations apply to?
As defined by article 3 of the OSA, this legislation and the obligations resulting from it apply to two types of online service providers:
• Regulated user-to-user services
This encompasses internet service providers through which content may be generated, uploaded or shared by a user of the service, and then encountered by other users directly through the platform. Some examples of such platforms include Instagram or Wikipedia.
• Search services
These are internet services that are, or include, a search engine. Some examples of such platforms include Google or Amazon.
2. What are the new requirements?
• Illegal harms
Under this Code, by mid-March 2025 all providers of services within the scope of the OSA must take action to assess the risks of illegal content appearing on their services.
Their assessment must be suitable and sufficient enough to identify all the risks they face. From 31 March 2025, Ofcom will expect all relevant specific services to disclose their risk assessments to them.
• Protection of Children
In particular, under the age assurance guidance, providers of pornographic content will have a duty to ensure, by the use of age verification or estimation (or both), that children are not normally able to encounter this content. The age verification must be “highly effective”, and in particular, “self-declaration of age” will no longer be adequate. Service providers will need to comply with Ofcom’s “non-exhaustive” list of “highly effective” age assurances – some examples of these assurances include open banking, photo identification, and credit card checks.
By 16 April 2025, providers will need to carry out a Children’s Access Assessment, to assess whether the service is likely to be accessed by children. If the service deems that this is likely, then they need to carry out a children’s risk assessment by July 2025. Ofcom then expects relevant services to disclose their risk assessment to them from 31 July 2025.
• Protecting women and girls
In February 2025, Ofcom is due to publish draft guidance on protecting women and girls, containing advice on content and activity which disproportionately affects them.
Once codes of practice have passed through parliament, service providers will need to take the steps laid down in the Codes or use other effective measures to protect these service users.
• Transparency duties
A small proportion of regulated services that meet certain thresholds, set out in secondary legislation to be adopted by the government, will have additional requirements to comply with.
In particular this will involve transparency reporting, which will include providing “hard evidence” about the effectiveness of safety measures. It is anticipated these reports will be mandated around the end of 2025.
3. What powers does Ofcom have to ensure compliance?
Ofcom expects online service providers to comply and has stated that it will launch immediate enforcement action if companies do not act promptly to address the risks posed by their services. It has powers to issue formal and enforceable requests for information, and has stated its intent to do so as soon as it is able.
Furthermore, under the OSA, where compliance failures are identified by Ofcom, it can impose fines of up to £18m or 10% of the service provider’s qualifying worldwide revenue (whichever is greater). In the most serious cases of non-compliance, Ofcom can seek a court order imposing business disruption measures, which may require third parties (such as providers of payment or advertising services) to withdraw or limit access to the services in the UK.
Service providers may also commit a criminal offence if they fail to comply with an information notice or if they fail, without reasonable excuse, to take compliance action which is specified in an Ofcom decision finding that the service is in breach of certain duties relating to child sexual exploitation and abuse and child safety. In such cases, directors and other senior managers of the provider may also be criminally liable for the failures.
ABOUT THE AUTHOR
Alice Trotter is an Associate in our Criminal Litigation team.