The UK’s Online Safety Act (OSA) is a landmark law that will require companies to make online services “safe by design” for all individuals, with a particularly high standard of protection required for children. The OSA was enacted in 2023, and its obligations will come into force in phases throughout 2025 and 2026. This blog post explains how the law will be brought into force, and what companies can do to prepare.

Which Services Will the OSA Apply To?

The OSA will apply to providers of i) online platforms that allow users to generate, upload, or share content with others (“user-to-user” services), and ii) search services. Online platforms and search services will fall within the scope of the OSA if they target the UK, have a significant number of users there, or otherwise present a material risk of significant harm to UK users.

Phased Implementation of the OSA’s Requirements

Ofcom has been appointed as the regulator for the purposes of the OSA. The regulator is required to publish various pieces of guidance as well as statutory codes of practice, each of which will act as a trigger to bring the legislation’s obligations into force.

Phase One: Illegal Harms Duties

The OSA will require user-to-user and search services to take measures to protect all users from illegal content and activity on their service (i.e., content or activity that may amount to a criminal offence). Ofcom has stated that it will publish its “Illegal Harms Statement” in December 2024, which will include the illegal harms codes of practice, guidance on illegal content risk assessments, and guidance on enforcement.

  • What is required?
    • Illegal content risk assessments. Once Ofcom publishes the Illegal Harms Statement, regulated services will be required to begin assessing the risks associated with their service. Ofcom will produce detailed guidance on how these assessments should be carried out, and current indications are that they will need to be completed by mid-March 2025.
    • Implement mitigation measures tailored to the risks identified. Having identified the risks associated with their service, companies will need to consider implementing measures to reduce potential harm to individuals using their service. Appropriate measures will vary for each service. The illegal harms duties are expected to come into force around March 2025.

Phase Two: Child Safety Duties and Pornography

Ofcom will publish guidance and codes for duties relating to children in two phases. The regulator has stated that its children’s access guidance will be published in January 2025, with a full “Child Safety Statement” to be published in April 2025.

  • What is required?
    • Children’s access assessments. Providers will be required to assess whether their service is currently used, or is likely to be used, by a significant number of children in the UK. Providers will only be able to conclude that it is not possible for their service to be accessed by children if they implement effective age verification or age estimation techniques. Services will have until April 2025 to complete this assessment.
    • Conduct a children’s risk assessment. Services that are likely to be accessed by children must conduct an assessment which focuses on the risk of online harms that children of different age groups could face on the service. These assessments will need to be completed by July 2025.
    • Implement mitigation measures to protect children. Services must take wide-ranging measures, including to protect children from encountering the most harmful types of content, and mitigate the risks identified in the children’s risk assessment. It is expected that these obligations will become enforceable around July 2025.

Phase Three: Duties on Categorized Services, Including Transparency

The OSA will impose additional duties on services that present particular risks to individuals, for example due to the presence of features that allow content to be amplified through the use of recommendation systems, or through direct messaging functions. The UK government has not yet confirmed the exact criteria that will be applied; however, this is expected to occur in summer 2025, with draft codes of practice for “categorized services” to follow by early 2026.

Conclusion

Compliance with the OSA will be a moving target in 2025, as Ofcom continues to define its expectations for companies. To begin their preparations, companies should look to identify the size of their UK user base, and the age ranges that these users are likely to fall into. This information will be key to assessing a company’s exposure to the OSA, and to the completion of the risk assessment process.

Ofcom has been vocal about its plans to police the OSA, stating in a recent open letter to online service providers that rather than waiting for the legislation to come into force, companies should “act now.” Ofcom will be able to impose sanctions on companies for noncompliance with their duties under the OSA, including fines up to the greater of £18,000,000 or 10 percent of worldwide revenue.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance in the UK and EU. For more information, please contact Nikolaos Theodorakis or Tom Evans.

Matthew Nuding contributed to the preparation of this blog post.