Ofcom's approach to implementing the Online Safety Act

Consultation on new priority offences on serious self-harm and cyber flashing

In December 2025, the government created two new priority offences under the Act: encouraging or assisting serious self-harm, and cyberflashing. Both were previously non-priority offences under the Act. This means we need to update our regulatory documents and guidance to reflect this change. 

We are proposing updates across the Illegal Harms regulatory documents to reflect the change in the law. These are:

• Risk Assessment Guidance
• Risk Profiles
• Register of Risks
• Codes of Practice
• Illegal Content Judgements Guidance and
• Record Keeping and Review Guidance.

The consultation closed on 24 April 2026 and all information can be found here. Responses are being reviewed and we expect to publish the statement in June 2026.

Certain services formally notified (RFI) by Ofcom for their illegal content and children’s risk assessment records 

Under the Online Safety Act, online service providers must assess the risks associated with illegal content on their service and relevant services must assess the risks of content harmful to children on their service.

We recommend providers review these risk assessments at least annually and we will be requiring certain providers to submit their records to us for review.

In 2025, we requested and received 104 risk assessment records under our risk assessment enforcement programmes. A report outlining our findings from Year 1 can be accessed here.

In 2026, providers notified by Ofcom will need to provide records for their services to us between 1 May - 31 July 2026. 

You can read about our request to services in this news update.

Duty to report child sexual abuse (CSEA) content to the National Crime Agency (NCA) 

The Online Safety Act requires that all regulated service providers must report all detected and unreported CSEA content present on their services to the NCA. If a service is based outside the UK, the requirement is to report CSEA content that is UK-linked. The duty applies to all regulated user-to-user and search services; however, this is not being commenced for search services until a later date. This webpage details the duty to report child sexual exploitation and abuse (CSEA) content: know the rules and how to comply.

The duty came into force on 7 April 2026 for user-to-user services, following the regulations relating to the reporting of CSEA to the NCA being laid by the UK Government on 12 March 2026. Providers of online user-to-user services should register with the NCA’s Child Sexual Exploitation & Abuse Industry Reporting Portal to enable you to submit reports. 

Fees regime 

The deadline for submission of Qualifying Worldwide Revenue (QWR) Returns by fee-liable providers in respect of the 2026/27 charging year has now passed, and Ofcom is in the process of verifying returns submitted. All Fees related information and detailed timetables can be found here. If a provider thinks it should have notified Ofcom in respect of the 2026/27 charging year but has not - it should reach out to the OS Fees team (osfeesregime@ofcom.org.uk) to discuss this. 

Key dates:

• June to September 2026: Notification window for 2027/28 charging year will open for new fee liable providers.
• September 2026: Ofcom expects to publish the 2026/27 tariff and issue invoices for the 2026/27 charging year.
• September 2026 to March 2027: Providers pay invoices for 2026/27 charging year (with possibility of payment in instalments for those liable to pay more than £75,000).

Technology Notices

Under section 121 of the Act, Ofcom can require providers of user-to-user or search services to use accredited technology to identify and prevent users encountering terrorism and/or child sexual exploitation and abuse (CSEA) content on their service.

In December 2024, we consulted on two parts of the framework that underpin the Technology Notice powers: our proposals for what the minimum standards of accuracy for accredited technologies could be, to inform our advice to Government; and our draft guidance about how we propose to exercise our technology notice function.

We published our final advice to the Secretary of State and our final guidance to providers in May 2026 (Statement: Technology Notices). The Secretary of State must then approve and publish minimum standards of accuracy. Ofcom (or a third-party appointed by Ofcom) must subsequently establish a process to accredit technologies that meet these standards. Once technologies are accredited, where necessary and proportionate, Ofcom can use the Technology Notice functions.

Ofcom finalises additional safety measures on perceptual hash matching for intimate image abuse

Last year, we consulted on a range of additional online protections designed to push tech platforms to go further in tackling illegal content online. As part of these measures, we proposed a new requirement for sites and apps to use a proactive technology – known as “hash matching” – to detect intimate images that are shared without consent, such as explicit deepfakes.

Given the urgent need for better online protections for women and girls – who are disproportionately affected by non-consensual intimate image abuse - we have decided to accelerate our timeline as published in February 2026 (Ofcom fast-tracks decision on measures to block illegal intimate images).

We will now announce, in May, our final decision on our proposals that tech firms should expand their use of proactive technology to prevent illegal intimate images from reaching users. Subject to the parliamentary process, and given the summer parliamentary recess, we expect any new Codes of Practice measures to come into effect in the early Autumn. 

Ofcom finalises additional safety measures on crisis response

Last year, we consulted on a range of additional online protections designed to push tech platforms to go further in tackling illegal content and content harmful to children online. As part of these measures, we proposed to recommend that some platforms -based on their service type, size and risk profiles - have a crisis response protocol in place, to ensure they can act promptly and effectively to address the risk of an increase of such content online during a crisis. We also proposed to recommend that some platforms have a direct communication channel available during a crisis, in order for law enforcement agencies to communicate relevant information with them efficiently. 

Given the speed at which online harms can escalate during times of crises, and the serious risks this can pose to public safety, we have decided to accelerate our work on this measure. 

We will now announce, in June, our final decision on our proposal on crisis response. 

Subject to the parliamentary process, and given the summer parliamentary recess, we expect any new Codes of Practice measures to come into effect in the early Autumn. 

Media literacy statement of recommendations

In September 2025, we published our consultation on draft recommendations for how online platforms should promote media literacy. It set out our expectations for how regulated services should give people the right skills, understanding and tools to take control of their online experience, gain digital confidence, and critically engage with the content they see. 

We will publish our final statement of recommendations in June 2026. 

Categorisation and consultation on additional duties on categorised services

The Government’s secondary legislation setting the thresholds that will determine which services are categorised under the Act was subject to legal challenge, which concluded in August 2025. We have considered the implications of the judgment and have adjusted our plans for the categorisation register and the consultation on the additional duties that will apply to categorised services accordingly. We are carrying out a representations process during spring 2026 which will give the services that we believe meet the threshold conditions an opportunity to comment on our provisional decisions before we finalise the register. 

Subject to the outcome of this process, we plan to publish the categorisation register and consult on the additional duties that apply to categorised services around July 2026 and this will be open until the end of September.

This consultation process will cover duties relating to fraudulent advertising, terms of service, user empowerment, identity verification, news publisher content, journalistic content, and content of democratic importance. We will publish our final policy statements as soon as possible, by mid-2027 at the latest. Where we can, we will bring forward final statements ahead of the main package to maintain pace. We are already planning on publishing our final statement on the terms of service guidance in early 2027.  

Subject to publication of the register of categorised services around July 2026, providers of category 1 and 2a services will also need to provide up-to-date risk assessment records to Ofcom by October 2026. Category 1 and 2a services will also need to publish summaries of their risk assessment findings by November 2026. Further detail on meeting these duties is available here, for illegal content risk assessments, and here, for children's risk assessments.

Age assurance statutory report

As required by the Act, we will publish a report by the end of July 2026 assessing how services have used age assurance and how effective it has been for the purpose of complying with their duties under the Act. We published a Call for Evidence in November 2025 asking for input on this topic.  

Additional safety measures to improve our codes

In June 2025 we launched a consultation on a targeted set of additional safety measures designed to make online services safer, building on our Illegal Harms and Protection of Children Codes. These include measures to prevent illegal content going viral, tackling harms at the source, and adding more protections for children in relation to livestreams. The consultation is now closed and we are currently considering consultation responses.

We will publish our statement by autumn 2026 and will provide an update with more specific detail on timings once we have reviewed all the responses. 

Content harmful to children statutory report

As required under the Act, we will review and report on the incidence and severity of content harmful to children and publish our findings in October 2026. This will include advice as to whether we consider that changes to primary priority content and priority content are appropriate.  

The Online Information Advisory Committee will publish its first statutory report no later than 1 November 2026. The Committee also intends to publish information about individual projects it carries out.  

App stores statutory report

As required under the Act, we will publish a report on the use of app stores by children by January 2027. This will assess the role app stores play in children encountering harmful content and evaluate the use and effectiveness of age assurance by app store providers. 

This will support the Secretary of State in determining whether app stores should be brought into scope of the Act. We published a Call for Evidence in November 2025 asking for input on this topic.

Transparency regime (Categorised services)

We issued final guidance on transparency reporting in July 2025. 

All categorised services will be required to publish their first transparency reports in 2027. An update on the timeline for transparency reporting will be provided after publication of the register for categorised services.

Researcher Access  

In July 2025, we published a report examining how independent researchers could gain better access to information from regulated online services to support work on online safety matters. In parallel to our work, the UK Parliament enacted the Data (Use and Access) Act 2025 that allows the UK Government to create, if it chooses to do so, a new framework to support this enhanced access. We are ready to support this work and will provide further updates in due course.