Ofcom rolls out implementation phases for compliance with the Online Safety Act

The question

What is Ofcom’s timeframe for implementation of the Online Safety Act (OSA) and what actions will in-scope services need to take to ensure compliance?

The key takeaway

From December 2024, in-scope services must take action to ensure compliance with their duties under the Online Safety Act 2023 (OSA). Ofcom’s timeline for implementation provides a phased approach, and online service providers must be alive to the short compliance windows following publication of Ofcom’s final codes and guidance. It is anticipated that services must comply with their illegal content safety duties from March 2025, and with their child protection safety duties from July 2025. From the moment the OSA duties come into force, failure to comply could lead to enforcement action including: fines; access restrictions to payment providers and advertisers; and a total ban of the service in the UK in the most serious cases.

The background

Under the OSA, online user-to-user and search services have several new duties to protect users from illegal content and to protect children from online harms. All in-scope services with a significant number of UK users, or targeting the UK, must ensure compliance. Since the legislation was passed, Ofcom have consulted on its various codes and guidance for illegal harms, age assurance for pornography services and children’s safety. They have also advised the Government on the thresholds for categorised services, which are subject to additional, more stringent duties aimed at enhanced levels of safety, transparency, and accountability. The regulator has now published its expected timeline for publication of the codes and guidance and corresponding compliance by in-scope services. Businesses must ensure they remain vigilant and are prepared to meet the deadlines for compliance over the coming year to avoid regulatory penalties.

The development

Ofcom’s proposed timeline (which could be subject to change) is summarised below:

Phase 1: Illegal harms

• In December 2024, Ofcom will publish its illegal harms codes of practice and accompanying illegal content risk assessment guidance.
• Services will then be required to complete their illegal harms risk assessments by mid-March 2025, at which point the illegal harms safety duties will become enforceable.

Phase 2: Child safety, pornography and the protection of women and girls

• In January 2025, Ofcom’s final age assurance guidance for publishers of pornography content will be issued. Around the same time, the duties relevant to providers of pornographic content will become enforceable and Ofcom will begin monitoring compliance.
• Also in January 2025, the final children’s access assessment guidance will be published, and services will have until April 2025 to assess whether their service is likely to be accessed by children.
• In April 2025, Ofcom will publish its children’s risk assessment guidance, and services which are likely to be accessed by children must complete their children’s risk assessment by July 2025, at which point the child protection safety duties will become enforceable.
• Ofcom will open a consultation on best practice guidance relating to the protection of women and girls online in February 2025.

Phase 3: Categorisation and additional duties for categorised services

• Ofcom expects the Government to confirm the thresholds for categorisation in secondary legislation by the end of 2024. As such, Ofcom aims to publish its register of categorised services in Summer 2025 and issue draft transparency notices within a few weeks of the register’s publication, with final transparency notices to follow soon after (more information on these notices can be found here).
• The draft proposals regarding the additional duties on categorised services are expected in early 2026.

Why is this important?

The implementation of the OSA represents a shift towards more stringent regulation of online services, with an eagle-eye on user safety, transparency, and accountability. The stakes are high as non-compliance could result in substantial financial penalties, service blocks in the UK and reputational damage. Even with their current powers pre-dating the OSA’s enforcement, Ofcom frequently issue large fines for regulatory breaches, often in the millions, providing an indication of the level of fines that could be issued under the OSA, particularly for large and well-resourced companies. Prompt and adequate compliance with Ofcom’s codes and guidance will not only protect businesses against regulatory sanctions but also bolster consumer trust in an era where online safety is increasingly under scrutiny.

Any practical tips?

To stay ahead, services should carefully consider Ofcom’s draft codes and guidance to identify any proactive steps to ensure compliance before the final guidance is issued and their duties become enforceable. Some practical considerations could include:

• pre-emptively conducting an internal audit to identify risks associated with illegal content and harm to children
• reviewing algorithmic and content monitoring processes, including the use of human versus automated moderation and considering where further investment could be beneficial
• analysing the effectiveness of age verification and assurance systems; and importantly
• reviewing and updating terms of services, privacy policies, and user agreements to align with Ofcom’s draft codes and guidance.

Services should also capitalise on the opportunity to respond to Ofcom’s various consultations which will be published over the next year, including the most recent consultation on the proposed new fees and penalties regime, which closes on 9 January 2025.

Winter 2024