Key takeaways
The Online Safety Act 2023 is the UK's primary legislation for making online services safer. It places legal duties on social media platforms, search engines and other online services to protect users from harmful content.
Ofcom is the UK's online safety regulator. Under the Act, Ofcom sets the codes of practice that platforms must follow, conducts investigations and can impose fines of up to 10% of global annual turnover for non-compliance.
The Act creates a tiered system: all regulated services must follow basic safety duties; larger platforms face additional requirements; and the largest platforms designated as having 'category 1' status face the most stringent obligations.
For users, the Act gives rights to report harmful content, opt out of recommendation algorithms, and use tools to reduce exposure to certain content types. It also requires platforms to enforce their own terms of service consistently.
Ofcom fined a pornography website in June 2026 for failing to implement age verification under the Act -- the first enforcement action of its kind.
Reviewed: June 2026Key facts
|
What the Online Safety Act requires
The Online Safety Act 2023 received Royal Assent in October 2023. It places a duty of care on companies that operate user-to-user services (where users share content with each other) and search engines accessible to UK users. The duties require these companies to have systems and processes in place to identify and mitigate the risks of harm to users from illegal content and, for services used by children, from legal but harmful content.
The Act is not primarily about removing specific pieces of content -- it is about requiring platforms to have effective systems to manage harmful content at scale. Ofcom's role is to set codes of practice that explain how platforms can meet their duties, and to enforce compliance.
What Ofcom does under the Act
Ofcom is the UK's designated online safety regulator. Its responsibilities under the Act include: publishing codes of practice and risk assessment frameworks that platforms must follow, conducting investigations into platforms that may be in breach, taking enforcement action including issuing fines, and publishing transparency reports on platforms' compliance.
Ofcom can impose fines of up to 10% of a company's global annual turnover for serious or repeated breaches. For the largest global platforms, this represents potential fines running into billions of pounds. Ofcom can also apply to court for service restriction orders that could block non-compliant platforms from being accessible in the UK.
Age verification requirements
The Online Safety Act requires that services hosting pornographic content implement robust age verification to ensure children cannot access it. Ofcom issued guidance on what constitutes adequate age verification. In June 2026, Ofcom took its first enforcement action under this requirement -- fining a pornography website for failing to have effective age checks in place.
Age verification methods accepted by Ofcom include credit card verification (which implies the holder is an adult), mobile phone network age checks, photo ID verification services, and other technically robust methods. Self-declaration of age (clicking 'I am 18+') does not meet the requirement.
Protections for children
Services likely to be accessed by children face enhanced duties under the Act. These include: conducting children's risk assessments, applying age-appropriate design standards, restricting the use of harmful features (such as certain recommendation algorithms) for younger users, and ensuring children cannot access adult-only content.
Ofcom announced in June 2026 that the government is introducing social media restrictions for under-16s. Ofcom is responsible for implementing and enforcing these restrictions. The specific mechanisms -- age assurance requirements for social media platforms -- are being set out by Ofcom as part of its codes of practice under the Act.
What the Act means for users
Users of regulated platforms have rights under the Act including: the right to report harmful content and have it acted upon within defined timescales, the ability to opt out of recommendation algorithms, and access to tools to control their experience. Platforms must enforce their own terms of service consistently and cannot apply terms in an arbitrary or discriminatory way.
What is not covered
The Online Safety Act focuses on user-generated content platforms and search engines. It does not directly regulate private messaging services to the same extent (end-to-end encrypted messaging has specific provisions), news publishers, email services or business-to-consumer communications. Government bodies and public bodies are also excluded.
Related guides
Disclaimer: This guide is for informational purposes only. Kael Tripton Ltd is not regulated by the FCA and does not provide financial advice. Telecoms information is sourced from Ofcom, the UK communications regulator. Always verify current information at ofcom.org.uk.
Frequently asked questions
What is the Online Safety Act?
The Online Safety Act 2023 is UK legislation that places a legal duty of care on social media platforms, search engines and other online services to protect users from harmful content. It received Royal Assent in October 2023. Ofcom is the regulator responsible for implementing and enforcing the Act.
What can Ofcom do to enforce the Online Safety Act?
Ofcom can issue fines of up to 10% of a company's global annual turnover for serious or repeated breaches. It can also apply to court for service restriction orders that could block non-compliant platforms from being accessible in the UK. Ofcom also publishes transparency data on platform compliance.
Does the Online Safety Act apply to all websites?
No. The Act applies primarily to user-to-user services (platforms where users share content with each other) and search engines that are accessible to UK users. News publishers, email services and business-to-consumer communications services are generally outside scope. The specific obligations vary by the type and size of service.
What are age verification requirements under the Online Safety Act?
Services hosting pornographic content must implement robust age verification to prevent children from accessing it. Acceptable methods include credit card verification, mobile network age checks and photo ID verification. Clicking 'I am 18' does not meet the requirement. Ofcom issued its first fine for non-compliance with age verification in June 2026.
What rights do users have under the Online Safety Act?
Users have the right to report harmful content and have it acted upon, the ability to opt out of recommendation algorithms, and access to safety tools to control their experience. Platforms must enforce their own terms of service consistently and cannot apply them arbitrarily.
Does the Online Safety Act cover children?
Yes, with enhanced requirements. Services likely to be accessed by children face additional duties including children's risk assessments, age-appropriate design standards, restrictions on harmful features for younger users, and prevention of access to adult content. Ofcom is implementing social media age restrictions for under-16s under the Act.
Does the Online Safety Act apply to WhatsApp and Signal?
End-to-end encrypted messaging services have specific provisions under the Act. Ofcom has powers to require messaging platforms to use accredited technology to identify child sexual abuse material in encrypted messages, though these powers are subject to significant debate and ongoing development. The Act does not require platforms to break end-to-end encryption for general content moderation.
When did the Online Safety Act come into force?
The Online Safety Act received Royal Assent on 26 October 2023. Different provisions have come into force at different dates, with Ofcom issuing codes of practice progressively through 2024 and 2025. Enforcement action (including the June 2026 age verification fine) marks the active enforcement phase of the Act.
