On 26 October 2023, the UK adopted the Online Safety Act 2023, which introduces new obligations for online platforms to improve user safety online by ensuring content that is illegal and harmful is monitored and removed. We previously compared the Act in its draft form with the EU Digital Services Act here and will be updating the table soon.


The Act affects user-to-user services and search engines.  A ‘user-to-user service’ is an internet service by means of which content is generated directly on the service by a user of the service and may be encountered by another user of the service. A ‘search service’ is an internet service that is, or includes, a search engine capable of searching multiple websites.

Certain ‘user-to-user services’ and ‘search services’ are exempt.  For example:

  • services that are only provided for corporate internal business purposes, or
  • user-to-user services that involve limited functionality (e.g. only emails or SMS can be generated).

The Act will cover service providers outside the UK if:

  • services that are only provided for corporate internal business purposes, or
  • user-to-user services that involve limited functionality (e.g. only emails or SMS can be generated).
  • the service has a significant number of UK users, or
  • UK users form the sole or primary target market for the service; or
  • the service may be used in the UK by individuals and there is a material risk of significant harm to individuals in the UK.

Service providers within the scope of the Act will be designated under one (or more) of the following three categories if they meet specific thresholds in terms of number of users:

  • Category 1: High-risk user-to-user services;
  • Category 2A: Search services or a combined user-to-user and search service; and
  • Category 2B: User-to-user services not meeting the Category 1 threshold.

Obligations under the Act

The extent of the obligations under the Act will depend on which of the above categories they fall into, with Category 1 service providers being subject to the most onerous obligations.  However, providers of any regulated user-to-user services and search services must comply with these core obligations:

  • Conduct illegal content risk assessments and take down any illegal or harmful content;
  •  Set up policies, terms of use, and complaints procedures allowing users to report illegal or harmful content; and
  • Conduct a children’s access assessment and prevent any content harmful to children.

Category 1 service providers must keep records of compliance with their obligations, publish them, enable functionality within the services to empower users to control the content they are exposed to, and, if children are likely to access their services, comply with specific child safety duties.

Penalties & Ofcom enforcement powers

Ofcom can impose a penalty of the greater of £18 million or 10% of global annual turnover, amongst other powers, including:

  • Powers to compel a service provider to give information;
  • Requirement to name a responsible senior manager;
  • Powers of entry, inspection and audit;
  • Powers to issue warning notices;
  • The requirement to take corrective steps; and
  • Powers to make service restriction orders.

In addition, the Act establishes a criminal liability regime, creating new offences such as the false communications offence, which protects individuals from communications where the sender intends to cause harm by sending knowingly false information.  The Act also empowers Ofcom to bring criminal sanctions against senior managers in specific circumstances, for example, for failing to comply with Ofcom’s information requests or failing to comply with a child’s online safety duty.

Implementation Timelines

The Act will be implemented via secondary legislation and relevant Ofcom guidance published in stages according to the Ofcom plans below.

  • Nov 2023 – Consultation on illegal content
  • Dec 2023 – Consultation on child safety, pornography, and protecting women and girls
  • Spring 2024 – advice to the Secretary of State on categorization
  • End of 2024 – publishing a register of categorized services
  • Early to mid-2025 – codes of practice on fraudulent advertising and transparency notices