Ofcom's approach to implementing the Online Safety Act

Ofcom has provided an update on our progress since the Online Safety Act became law.

The Act makes companies that operate a wide range of online services legally responsible for keeping people, especially children, safe online. These companies have new duties to protect UK users by assessing risks of harm, and taking steps to address them. All in-scope services with a significant number of UK users, or targeting the UK market, are covered by the new rules, regardless of where they are based.

We have moved swiftly to begin implementing the Act launching our consultation on illegal harms online in November 2023, followed in December 2023 by draft guidance for online pornography services on how they should use highly effective age assurance so that children are not normally able to encounter pornographic material. In May 2024, we published proposals for how services should approach their new duties relating to content that is harmful to children.

From December 2024, services will need to act to comply with their duties

Ofcom will be publishing Codes of Practice and guidance on how in scope companies can comply with their duties. If you provide an online service, there are actions you must take when duties come into force. This page explains the important milestones.

Phase one: illegal harms

We will publish our Illegal Harms statement in December 2024. This will include the first edition of the Illegal Harms Codes of Practice and the illegal content risk assessment guidance. At this time all providers of services in scope of the Act must complete their assessments by mid-March 2025. Once the Codes of Practice have passed through Parliament, service providers will need to take the steps laid down in the Codes or use other effective measures to protect users and Ofcom can enforce against non-compliance. We expect that the illegal harms safety duties will become enforceable around March 2025.

Alongside our Illegal Harms statement in December 2024, we will also publish our final enforcement guidance, and final record keeping and review guidance. We also plan to launch a further consultation which builds on the foundations established in the first Codes in spring 2025.

Phase two: child safety, pornography and the protection of women and girls

In January 2025 we will issue our final age assurance guidance for publishers of pornographic content. We expect these duties relevant to part 5 providers to become enforceable around the same time and we will start to monitor compliance.

We will publish our final children’s access assessments guidance in January 2025. Service providers will then have three months to complete the children’s access assessment process. Services likely to be accessed by children must then carry out a children’s risk assessment within three months of us publishing our Protection of Children Codes and risk assessment guidance in April 2025. Those services should prepare to complete their children’s risk assessments by July 2025. We expect that the child protection safety duties will become enforceable around July 2025.

In February 2025, we will publish our draft guidance on protecting women and girls, containing advice on content and activity which disproportionately affects women and girls, and on assessing and reducing the risk of harm to them.

Phase three: categorisation and additional duties for categorised services

A small proportion of regulated services will be designated Category 1, 2A or 2B services if they meet certain thresholds set out in secondary legislation to be made by Government. Our final stage of implementation focuses on additional requirements that fall only on these categorised services.

These categorised services will be required to comply with a range of additional requirements, depending which category they are in, largely focused on bringing an enhanced level of safety, transparency, and accountability to the online world. 

The next stage is for Government to confirm the thresholds for categorisation in secondary legislation, which we expect to take place by the end of 2024. We have reprioritised our work on the duties on categorised services to ensure we deliver most quickly in the areas that we expect to be particularly beneficial in protecting users once the thresholds are confirmed. We expect to:

• publish the register of categorised services in summer 2025,
• issue draft transparency notices within a few weeks of publication of the register, and to issue final transparency notices soon after,
• publish draft proposals regarding the additional duties on categorised services no later than early 2026.

Progress update on implementing the Online Safety Act  

Ofcom's approach to implementing the Online Safety Act (PDF, 565 KB)

Dull Ofcom o roi’r Ddeddf Diogelwch Ar-lein ar waith (PDF, 540 KB)