Getting ready to regulate the OSA – Ofcom sets out three-year plan

Ofcom now has extensive powers and duties under the Online Safety Act (OSA) following Royal Assent on 26 October 2023.  It will be responsible for a wide-ranging guidance and enforcement regime. Much of the detail around compliance will be set out by Ofcom in codes of practice which will be subject to a consultation process before finalisation. While Ofcom has had plenty of time to prepare given the lengthy passage of the Online Safety Bill through Parliament, it has not been able to begin the full range of consultations prior to enactment and, in many cases, it will only be able to act following publication of secondary legislation. 

Those likely to be caught by the OSA have been watching closely to glean information about Ofcom's approach to regulating the OSA and its timeline. Ofcom published a 'Roadmap to regulation' in July 2022 which was subsequently updated in June 2023, owing to delays in finalising the legislation.  Following Royal Assent, a further updated version (the October 23 Roadmap) was published although Ofcom notes that it is not a comprehensive guide to everything it plans to produce over the first three years of the OSA regime.

Ofcom's revised timetable

Under the October 23 Roadmap, Ofcom's plans for producing guidance and codes of practice to regulate the OSA are as follows:

Phase one: illegal harms duties

On 9 November 2023, Ofcom will publish a consultation on guidance and Codes for illegal harms including:

• draft codes of practice on illegal harms duties
• a register of risks relating to illegal content, and risk profiles of service characteristics that Ofcom's assessment has found to be associated with heightened risk of harm
• draft guidance to services on how to conduct their own risk assessments
• illegal content judgements guidance
• draft guidance on record keeping and review, and
• enforcement guidance.

Following the consultation, Ofcom will consider stakeholder responses and publish a statement setting out its decisions together with final versions of the services risk assessment guidance, codes of practice and related guidance. Following publication of its statement (expected around one year after the consultation begins), in-scope services will have three months to carry out their illegal content risk assessments.  At this point, Ofcom will also submit its codes of practice on illegal harms to the Secretary of State for approval which is likely to take place towards the end of 2024 or in early 2025.  Following a 40 day approval period (and assuming they are approved), the Codes will come into force 21 days later.

As illegal harms safety duties become enforceable, Ofcom can begin investigations and enforcement relating to them.  This is expected around the end of 2024.

In 2024, Ofcom will also consult on elements of the framework that will underpin its powers to require services to use or develop accredited technology to deal with CSEA/terrorism content.  These consultations will cover Ofcom's advice to the Secretary of State on minimum standards of accuracy for accredited technologies, and guidance as to how it will use its powers.

Phase two: child safety, pornography and protecting women and girls

In December 2023, Ofcom will consult on draft guidance for services hosting pornographic content, on the use of age assurance to prevent children from normally being able to access such content.

In Spring 2024, Ofcom will publish proposals for guidance and codes of practice relating to obligations on user-to-user and search services relating to child safety including:

• draft guidance for services on carrying out children's access assessments
• Ofcom's analysis of the causes and impacts of harms to children
• draft guidance on carrying out children's risk assessments
• draft codes of practice setting out recommended measures to protect children online.

Final guidance on chlidren's access statements is anticipated in early 2025. Regulated services will have three months to carry out children's access assessments following publication.  If they determine their services are likely to be accessed by children, they will then need to carry out children's risk assessments.  Ofcom plans to publish its final statement on child safety duties in Spring 2025, allowing services to complete their children's access statements before the requirement to carry out children's risk assessments comes into force three months later.

Also in Spring 2025, Ofcom will submit the children's codes of practice to the Secretary of State and by this time, it plans to have published its draft guidance on protecting women and girls.

Phase three: additional duties for categorised services – including transparency reporting, user empowerment, fraudulent advertising and user rights

Ofcom has to advise the government on service categorisation thresholds and produce a register of categorised services for regulated services designated as Category 1, 2A and 2B. Ofcom will advise the government on the thresholds to enable it to make secondary legislation on categorisation. This advice will be informed by the responses to a call for evidence which Ofcom published on 11 July 2023 (see below). Ofcom aims to send its advice in Spring 2024 together with draft guidance on transparency reporting. It will then publish the register of services as soon as possible after the government publishes the relevant secondary legislation. Assuming this is achieved by Summer 2024, Ofcom anticipates publishing a register of categorised services by the end of 2024.

Ofcom then plans to publish further proposals regarding duties on categorised services including a draft code of practice on fraudulent advertising in early 2025.  Depending on the timing of relevant secondary legislation, it will begin issuing transparency notices in mid 2025.  During this period it will consult on final codes and guidance to be published around the end of 2025.

Repeal of the video-sharing platform (VSP) regulation

The Secretary of State will set out in secondary legislation the date on which the VSP regulation will be repealed (with at least six months' notice).  Secondary legislation will also specify the timing for VSP providers to conduct risk assessments and child access assessments with at least 3 months' notice. 

Fees

The online safety regime will be funded by fees payable to Ofcom by providers of regulated services whose qualifying worldwide revenue meets or exceeds specified thresholds.  Ofcom will consult on this regime which will be largely implemented by secondary legislation following Parliamentary scrutiny.  Ofcom is working with DSIT to implement the regime by the 2026/27 financial year.  We expect the fees to be payable only by the larger in-scope service providers.

What else has Ofcom produced so far?

Back In July 2022, Ofcom issued a call for evidence to help it understand the range of approaches and techniques platforms can employ to help them meet their proposed duties under the OSA.

In March 2023, Ofcom set out its planned approach to risk assessments under the Online Safety Bill.  See our article on risk assessments for more.

In July 2023, Ofcom issued a call for evidence on the research it needs to carry out to prepare its advice to government on categorising regulated services under the OSA. It sought input from industry on how companies measure user numbers on the relevant user-to-user services. As Ofcom stated, this information is crucial given that user numbers will determine category 1 and 2B thresholds and are also included in calculation of 2A thresholds. The call closed on 12 September 2023.

What does this mean for you?

Ofcom has repeatedly stressed that it will focus on a pragmatic approach and work in close cooperation with other members of the Digital Regulatory Cooperation Forum (the ICO, the FCA and the CMA), as well as with other countries. It has also set up an Online Safety Group to help deliver its obligations under the OSA.  The October 23 Roadmap sets out Ofcom's expectation that the online safety regime will deliver the following key outcomes:

• stronger governance with safety represented at all levels of the organisation, particularly in the biggest services
• design and operation of services with safety in mind, particularly improvements in and wider deployment of measures to address areas of greatest potential risk, especially to children
• user choice and the ability to adjust the content they see and interact with online
• transparency to drive trust.

As much of the OSA relies on codes of practice and guidance in terms of how it is to be implemented and what is required to ensure compliance, certainty is still some way off. Ofcom has clearly already been hard at work as it now plans to publish its first codes of practice on illegal harms duties shortly after the OSA's commencement rather than within 100 days of enactment as it had originally planned. However, as the October 23 Roadmap makes clear, it will be an at least three-year process before the full framework is operational.

This timetable could be pushed back where Ofcom is dependent on secondary legislation being published. As Ofcom notes in the October 23 Roadmap, with a general election coming up, it seems quite possible that there will be delays which may, in the event of a Labour victory, even substantially change what compliance looks like.

Ofcom estimates that around 100,000 online services could be subject to the OSA and those in scope will be relieved to hear that while it aims to be proactive about supervision, it is also focusing on being proportionate in its approach and targeted in its activities.