As of 17 March 2025, platforms, sites and apps in scope of the UK's Online Safety Act 2023 (OSA) must take steps to tackle criminal content on their services, with the next set of illegal harms duties coming into force on that date. Ofcom, the online safety regulator, has reminded in-scope service providers (both user-to-user services and search engines) of their obligations, which flow from the work they were required to have done (by 16 March) to carry out 'suitable and sufficient' illegal harms risk assessments. Ofcom has published details of its illegal harms enforcement programme, which will, over the coming months, see it assess platforms' compliance with their illegal harm obligations and, where necessary, commence targeted enforcement action to achieve industry compliance.
Ongoing enforcement
Alongside enforcement action following illegal harm risk assessments, Ofcom has launched two further enforcement programmes, tackling those areas it considers to be key priorities. These programmes signal its intention, as the online safety regulator, to ensure compliance with the OSA, as well as its illegal content Codes of Practice. The areas subject to ongoing enforcement activity are:
- Age assurance measures in the adult sector: From 17 January 2025, Ofcom has been writing to all service providers that display or publish pornographic content to inform them of their obligations under the OSA and to request confirmation of the age assurance provisions they are implementing to achieve compliance. Ofcom has also perhaps signalled its intentions in this area, announcing on 27 March 2025 that it had fined OnlyFans £1 million for failure to accurately respond to requests for information about its age assurance practices. Whilst the enforcement action against OnlyFans was commenced under the previously in place video-sharing platform (VSP) regime, it provides an indication of the approach that Ofcom is likely to take under the OSA.
- Dissemination of child sexual abuse material (CSAM) by offenders: The level of harm from CSAM and the risk it poses is acute. On 17 March 2025, given the high-risk nature and susceptibility of file-sharing and file-storage platforms for the sharing and distribution of CSAM, Ofcom also announced the launch of an enforcement programme that will require providers to demonstrate how they are tackling this issue.
These enforcement programmes are aimed at assessing the safety measures being taken, or that will soon be taken, in relation to these identified risks for adult and CSAM content. It is likely that Ofcom will announce further enforcement programmes in the coming months, and in-scope platforms should be prepared to evidence their compliance to Ofcom for all the risks and duties placed on them by the OSA.
If in-scope platforms fail to engage with its enforcement programmes, Ofcom has confirmed that it will not hesitate to open investigations into individual services and, if required, use its enforcement powers. As its Enforcement Director commented: "Any provider who fails to include the necessary protections can expect to face the full force of our enforcement action". Ofcom's enforcement powers under the OSA are significant and include the ability to issue fines of up to 10% of worldwide turnover or £18 million, whichever is greater, as well as significant information gathering powers. Certain infringements of the OSA may lead to criminal liability (including for senior managers), and business disruption measures.