Key takeaways
The Online Safety Act 2023 requires all regulated online services to take specific steps to protect users from illegal content. These 'illegal harms duties' apply to every user-to-user service and search engine accessible to UK users, regardless of size or where the company is headquartered.
Ofcom published illegal harms codes of practice under the Act, setting out the specific measures platforms must implement. There are 17 categories of priority illegal content, including terrorism, child sexual abuse material, hate crimes, fraud and content facilitating serious violence.
The illegal harms duties require platforms to: risk assess for illegal content, implement proportionate safety measures, and have effective systems to report illegal content to law enforcement. Following Ofcom's codes creates a presumption of legal compliance.
Ofcom's enforcement powers are significant: fines up to 10% of global annual turnover, and for the most serious cases, court-ordered service restriction orders blocking a platform for UK users. In June 2026, Ofcom published guidance on stopping illegal content going viral during civil unrest following the Belfast riots.
The illegal harms duties apply to the systems and processes platforms use to manage illegal content -- not to individual pieces of content. Ofcom regulates systemic failure, not individual posts.
Reviewed: June 2026Key facts
|
What the illegal harms duties require
The illegal harms duties are one of the two main sets of obligations in the Online Safety Act 2023 (the other being children's safety). They apply to any service that allows users to generate, share or interact with content -- what the Act calls a 'user-to-user service' -- and to search engines. The duties apply regardless of where the company is based: if UK users can access the service, the service is in scope.
Platforms must take a risk-based approach. They must assess the risk that their service could be used to facilitate or disseminate each category of illegal content, and then implement proportionate safety measures to address those risks. A small forum with limited features faces different requirements from a major social media platform -- the key is proportionality to risk.
The 17 priority illegal harms
Ofcom's illegal harms codes focus on 17 categories of priority illegal content:
| Category | What it covers |
|---|---|
| Terrorism | Content that promotes, facilitates or glorifies terrorist activity |
| Child sexual abuse material (CSAM) | Any sexual content involving children -- highest priority category |
| Hate crimes | Content inciting hatred based on protected characteristics |
| Harassment and stalking | Persistent unwanted contact, threatening behaviour |
| Controlling behaviour | Content facilitating coercive control in relationships |
| Extreme pornography | Content depicting extreme sexual violence |
| Content facilitating serious violence | Instructions, incitement for attacks causing serious harm |
| Drugs and weapons | Content facilitating illegal sale or use of controlled drugs and prohibited weapons |
| Fraud | Content facilitating financial fraud and scams |
| Suicide and self-harm facilitation | Content providing methods or encouragement for self-harm |
| Intimate image abuse | Non-consensual sharing of intimate images ('revenge porn') |
| Foreign interference | State-sponsored disinformation operations |
| Animal cruelty | Content depicting illegal cruelty to animals |
| People smuggling | Content facilitating illegal entry to the UK |
| Modern slavery | Content facilitating trafficking or exploitation |
| Unlawful immigration | Content facilitating unlawful entry, visa fraud |
| Illegal financial services | Unregulated financial promotions, investment fraud |
What Ofcom does when illegal content goes viral
In June 2026, civil unrest following events in Belfast presented a specific challenge for online platforms: illegal incitement content spreading rapidly across social media. Ofcom published guidance on 9 June 2026 on how platforms should respond to such events, and sent an open letter on 10 June 2026 to UK online service providers setting out its expectations.
Ofcom's guidance addressed the specific challenge of speed: in a crisis, illegal content can reach millions of users before it is identified and removed. Platforms' systems must be capable of rapid escalation and response during high-risk periods. Ofcom made clear that pre-existing crisis response plans, rapid content review escalation, and proactive monitoring during known risk periods are all expected elements of a compliant system.
Transparency reporting requirements
Larger platforms -- designated as Category 1 services -- must publish annual transparency reports setting out data on their content moderation practices, the volume of illegal content identified and removed, and their performance against Ofcom's safety requirements. These reports are public documents and form part of the evidence base that Ofcom uses to monitor systemic compliance.
Transparency reports must include: the number of pieces of illegal content reported, removed or restricted; the accuracy of automated detection systems; appeal rates and outcomes; and information about the platform's risk assessment and safety measures. Ofcom can use transparency report data to identify platforms where systemic issues may exist.
Related guides
Disclaimer: This guide is for informational purposes only. Kael Tripton Ltd is not regulated by the FCA. Data sourced from Ofcom, legislation.gov.uk, GOV.UK and CMA. Verify current information at ofcom.org.uk.
Frequently asked questions
What are the illegal harms duties under the Online Safety Act?
The illegal harms duties require all user-to-user platforms and search engines accessible to UK users to: risk assess for 17 categories of priority illegal content, implement proportionate safety systems, and have processes to report illegal content to law enforcement. The duties focus on systemic platform failures, not individual pieces of content.
What are the 17 priority illegal harm categories?
The 17 categories include: terrorism, child sexual abuse material (CSAM), hate crimes, harassment and stalking, controlling behaviour, extreme pornography, content facilitating serious violence, drugs and weapons, fraud, suicide and self-harm facilitation, intimate image abuse, foreign interference, animal cruelty, people smuggling, modern slavery, unlawful immigration and illegal financial services.
Does the Online Safety Act apply to small platforms?
Yes. The illegal harms duties apply to all regulated user-to-user services and search engines accessible to UK users, regardless of size. However, the required measures are proportionate to risk -- a small forum faces different requirements from a major social media platform. Very small platforms may have lighter obligations than Category 1 services (the largest platforms).
What did Ofcom do about illegal content during the Belfast civil unrest?
On 9 June 2026, Ofcom published guidance on how platforms should stop illegal content going viral during civil unrest. On 10 June 2026, Ofcom sent an open letter to UK online service providers setting out expectations for rapid crisis response, pre-existing crisis plans, escalation protocols and proactive monitoring during high-risk periods.
How does Ofcom enforce the illegal harms duties?
Ofcom can investigate platforms that fail to implement required safety systems. Fines can be up to 10% of global annual turnover or 18 million pounds, whichever is higher. For persistent non-compliance, Ofcom can apply to court for a service restriction order blocking the platform for UK users. Ofcom focuses on systemic failures -- whether a platform's processes and systems meet the required standard -- rather than individual pieces of content.
What is a Category 1 service under the Online Safety Act?
Category 1 services are the largest and most high-risk user-to-user platforms -- those designated by Ofcom based on user numbers and high-risk features. Category 1 services face the most extensive transparency reporting requirements and certain additional duties. Designation as Category 1 is based on Ofcom's assessment of the platform's scale and risk profile.
Can I report illegal content to Ofcom?
Ofcom does not handle individual reports of illegal content. For illegal content on specific platforms, use the platform's own reporting tools. For terrorism content, you can also report to the Counter Terrorism Internet Referral Unit (CTIRU). For child sexual abuse material, report to the Internet Watch Foundation (IWF). Ofcom's role is to ensure platforms have effective reporting systems, not to process individual reports.
What does Ofcom's codes of practice mean for platforms?
Ofcom's illegal harms codes of practice set out specific measures that platforms should implement to comply with their legal duties. Following the codes creates a presumption of legal compliance -- if a platform is investigated for a breach, demonstrating that it followed the relevant code measure is a strong defence. Platforms can deviate from the codes but must demonstrate equivalent compliance through other means.
