From March 17, online platforms are expected to have risk assessments in place to understand how likely it is for its users to encounter illegal content on their service.
Over 100,00 services are estimated to be in scope under the Online Safety Act (OSA), whether they are user-to-user services or search engines. There is no requirement for service providers to have a physical presence in the UK to be in scope, only if they “have links to the UK”, so it is likely that most service providers that offer online services to UK customers must comply with the duties under the OSA.
In addition to the priority illegal content that service providers must conduct a risk assessment for, there are also over 40 recommended measures that Ofcom expects service providers to implement over the course of the next few months and to ‘comply or explain’ if they are not implemented.
Under the microscope
Ofcom is likely to take a pragmatic approach and prioritize larger sites as well as those at a higher risk of presenting illegal harms. However, Ofcom has made it clear that everyone under the OSA must comply with their duties or else they could pay fines of up to £18m ($23m) or 10% of global turnover, whichever is higher
Suzanne Cater, Enforcement Director at Ofcom, has made it clear that “platforms must now act quickly to come into compliance with their legal duties … make no mistake, any provider who fails to introduce the necessary protections can expect to face the full force of our enforcement action.”
Ofcom has also opened an enforcement programme to review measures taken to prevent image-based child sexual abuse material from being published or disseminated. Given Ofcom has identified smaller file-sharing and file-storage providers, and written to them in relation to their OSA duties, this shows that everyone under the OSA will likely be reviewed and be under the microscope in terms of compliance with the OSA.
Risk assessments
There are a number of upcoming deadlines for risk assessments that service providers should be mindful of. Upon completing the risk assessments, Ofcom has indicated there will be a ‘forbearance period’ of up to six months to implement the recommended measures and enforcement will be taken pragmatically.
- March 16, 2025: Platforms should have completed their illegal harms risk assessments and implement recommended measures by September 2025.
- April 16, 2025: Platforms to complete their children’s access risk assessment.
- July 2025: Platforms must complete children’s risk assessments and implement appropriate safety measures by February 2026. All services that provide adult content must also implement highly effective age assurance.
On the horizon
Further guidance is expected from Ofcom later this year as it seeks to implement the next phases of the OSA, this includes the protection of children, women and girls, and guidance for categorized services which is likely to include transparency reports much like the EU’s Digital Services Act.
The consultation on the draft guidance for how to protect women and girls online is also open to set out what measures can be taken by service providers. The consultation closes May 23, 2025.
Next steps
In the immediate short term, service providers should focus on completing the relevant risk assessments and begin implementing the recommended measures to the specifications outlined by Ofcom.
Ofcom has made it clear that although it will take a pragmatic approach with enforcement, everyone is expected to comply with their legal duties under the OSA and everyone will be reviewed one way or another. Therefore, it is vital that service providers make sure they comply with the OSA as soon as possible because Ofcom will be turning up the heat on enforcement.
As Deputy Managing Partner of Katten’s London affiliate, Terry Green is a trusted advisor to international banks, social media platforms, investment funds, large hotel groups, family offices and luxury retailers. Larry Wong is a trainee solicitor in the Social Media Group at Katten.
