Online Safety Act illegal harms Codes of Practice now enforceable

On 17 March the illegal harms Codes of Practice under the UK's Online Safety Act became enforceable, but many feel the OSA does not go far enough and are pushing for further change.

Illegal harms safety duties commence under OSA

User-to-user and search services caught by the UK's Online Safety Act 2023 (OSA) were required to have completed their first illegal content risk assessments by 16 March 2025 and, as of 17 March 2025, services must comply with illegal harms safety duties which are now enforceable. This means that providers need to take the safety measures set out in the Codes or use other effective measures to protect users from illegal content and activity. If services take alternative measures, the onus will be on them to demonstrate these are sufficient to achieve compliance, so, for the vast majority of in-scope services, the Codes of Practice and related regulatory documents and guidance will be the easiest route to compliance. Ofcom is "ready to take enforcement action if providers do not act promptly to address the risk on their services".

Categorisation threshold regulations made

A number of the safety duties under the OSA apply only to services which reach certain thresholds relating to user numbers. Those that do are referred to as categorised services in the OSA. The thresholds were not stated on the face of the OSA but left to be agreed by the Secretary of State following Ofcom recommendations.

The Online Safety Act 2023 (Category 1, Category 2A and Category 2B) Threshold Conditions Regulations 2025 (Regulations), were made on 26 February 2025 and came into force on 27 February 2025. They set out the thresholds for when user-to-user (U2U) and search services become categorised services subject to additional requirements under the OSA as follows: 

Category 1

A U2U service where, in respect of the U2U part of that service it: 

• has an average number of monthly active UK users of over 34 million and uses a content recommender system, or

• has an average number of monthly active UK users over 7 million, uses a content recommender system and provides a functionality allowing users to forward or share regulated user-generated content on the service with other users of the service.

Category 2A

A search engine of a regulated search service or a combined service where it has an average number of monthly active UK users that exceeds 7 million and: 

• is not a search engine which only enables a user to search selected websites or databases in relation to a specific topic, theme or genre of search content, and 

• is facilitated by means of an arrangement between the provider of a regulated search service or combined service with one or more entities which relies on an application programming interface or other technical means to present search results to users.

Category 2B

A regulated U2U service where in respect to the U2U part of that service it:

• has an average number of monthly active UK users exceeding 3 million, and 

• provides a functionality for users to send direct messages to other users of the same service which is designed so that messages cannot be encountered by any other users of that service unless further action is taken by the user who sent or who received the message. 

Content recommender system

A content recommender system is a system that uses algorithms to determine the way in which user-generated content is encountered by other users. 

Average number of monthly active users

The average number of monthly active users is calculated as the mean number of active UK users per month for the previous six-month period.

Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2025

These Regulations were made on 19 March 2025 and come into force on 3 November 2025. They set out the procedures which regulated user-to-user service providers must adhere to when reporting CSEA content to the National Crime Agency as required under s66 OSA. They cover how reports and records should be made and what information should be retained, including in relation to personal data. The Appendix sets out the information which must be included in the report.

Online Safety Act 2023 (Commencement No 5) Regulations 2025

These Regulations, also made on 19 March 2025, bring a number of sections of the OSA into force on 3 November 2025, in so far as they relate to user-to-user services only (not to search services). The relevant provisions being brought in are:

• section 66(1) and (2) (requirement to report CSEA content to the NCA)

• section 66(7) to (10)

• section 69 (offence in relation to CSEA reporting)

• section 100(6)(a)(iii) (power to require information) in respect of section 66(1), (2) and (7) to (10)

• section 104(13)(a)(xii) (reports by skilled persons) in respect of section 66(1), (2) and (7) to (10)

• section 120(2)(a) (admissibility of statements)

• sections 199 to 203, 204(2) to (4) and 205 (information offences: supplementary and general) in respect of section 69

• paragraph 12 of Schedule 8 (transparency reports).

Ofcom enforcement programme on CSAM

On 17 March 2025, Ofcom announced it had opened an enforcement programme to assess measures being taken by providers of file-sharing and file-storage services that present particular risks of harm to UK users from image-based CSAM to ensure users do not encounter, and offenders are not able to disseminate, such content on their services. Ofcom has written to these types of provider and will shortly send them formal requests for information to establish whether they are in scope of the OSA, assess the measures they have or will put in place, and request records of their illegal content risk assessments.

Other online safety initiatives

The debate continues about whether or not the OSA goes far enough, particularly in relation to protecting children online. The Protection of Children (Digital Safety and Data Protection) Bill, also known as the 'Safer phones Bill' is a Private Members' Bill brought by Josh MacAlistair. It originally proposed banning mobile phones in schools among other things, and was re-published on 5 March 2025. It has been significantly watered down in order to gain government backing.

The original Bill proposed:

• a ban on phones in schools 

• raising the age of digital consent from 13 to 16 

• strengthening Ofcom's powers to protect children from apps and services which are additive by design 

• potentially regulating the design, supply, marketing and use of mobiles by under-16s.

The Bill now proposes: 

• guidance on the use of smartphones and social media by children within twelve months 

• a government plan for research into the impact of use of social media on children within 12 months 

• the government to say within a year whether it will raise the age of digital consent to 16.

The messaging from the government on the relative merits of the OSA and what else may be required to make the online environment safe without adversely impacting free speech has been slightly mixed. On the one hand, Secretary of State Peter Kyle has criticised the OSA as uneven, on the other, he has said it introduces some "very good powers". However, in the political background, online safety remains an extremely hot topic as the Private Members' Bill illustrates. Recently, the TV series 'Adolescence' has revitalised the debate, not least round banning phone in schools and raising the age of digital consent. Further away geographically at least, there is also the issue of the Trump administration's views on non-US legislation which impacts US-based businesses – some of which will be well within the OSA's scope.

Nothing in the political debate should detract from businesses complying in full with the OSA's requirements as Ofcom will certainly be scrutinising compliance and preparing to use its enforcement powers where necessary.