11/08/2024 | News release | Distributed by Public on 11/08/2024 09:46
If your business provides online services in the UK which involve any user-to-user interaction, it is likely that the OSA will regulate that activity. The new regime affords significant enforcement powers to Ofcom, including fines of up to £18 million or 10% of global revenue, and potential business disruption or criminal penalties for serious breaches.
On 17 October 2024, Ofcom published an important update on the UK's new online safety regime under the OSA, detailing revised timelines.
In this update, we cover:
The OSA received Royal Assent on 26 October 2023 and now applies to most online services with certain UK links (e.g. targeting UK users), regardless of the provider's location or size. There are duties under the Act which apply to search services, but it is the duties imposed on user-to-user services (as the name suggests, services that allow users to post content online or to interact with each other) which have caused the most concern. A wide range of businesses clearly fall within this category, such as consumer file or video sharing sites, forums, chat facilities, dating services and online instant messaging services.
The key initial duties relate to conducting certain risk assessments and also children's access assessments (on whether the service is likely to be accessed by children, even if in-scope services are not targeted at children). User-to-user services must already include specific provisions in their terms, covering users' rights to claim for breach of contract in certain circumstances, and in future (when the relevant Ofcom Code takes effect) terms must also cover matters such as how individuals are to be protected from illegal content and how complaints are to be handled.
Those who operate other types of websites, apps or online services may also fall within the user-to-user service category, even where these services are not at the core of their regular trade or business. An example would be a business which decides to add a shoutbox/chat widget facility to its website or app, which inadvertently allows a user to make publicly visible remarks about another user or another user's comment. This is the sort of service that could easily be caught; in contrast, most below-the-line review facilities on a trader's website will generally not be within scope.
Furthermore, services that are designated as "categorised services" based on certain thresholds will be subject to additional duties, depending on the category assigned: 1, 2A or 2B. The designations will determine which businesses will face much stricter requirements, including transparency reports and stronger content controls. However, many of the most popular services are yet to be designated and the final categorisation thresholds remain unknown. Back in March 2024, Ofcom provided its advice to the Secretary of State on which/how services should be categorised, but secondary legislation is necessary to set out the thresholds.
Another issue is that the Act applies to services even if the companies providing them are outside the UK, provided they have links to the UK. Where a service has a significant number of UK users, focuses on UK users as a target market or is capable of being accessed by UK users and there is a material risk of significant harm to such users, the service will be territorially in-scope.
Is everything crystal clear now that the Act is on the statute books? Not quite. Despite being passed over a year ago, many of the duties are still lacking in detail due to the phased implementation of the key duties. However, as Ofcom finalises the remaining codes of practice and guidance documents, further clarification will follow.
A key date for diaries is December 2024. This is the month from which your business, if affected, will need to start taking steps to comply with the new duties in relation to each affected service.
We set out below the main expected milestones, timeline, Ofcom action and what you need to do to ensure that your affected service(s) will be compliant with the OSA.
Milestone | Timeline | Event | Action |
Fees | October 2024 | Ofcom has recently published: consultation on calculation of fees (how to determine qualifying worldwide revenue (QWR), any exemptions, approach to calculating fees); advice to the Secretary of State on QWR threshold; related draft statutory instruments (see link above) | Respond if desired. |
Phase One - Illegal harms | December 2024 to March 2025 | Ofcom to publish (December 2024) illegal harms codes of practice with guidance on conducting risk assessments. | Illegal harms safety duties and illegal risk assessment duties will become enforceable around March 2025 i.e. three months after Ofcom publication, so the illegal content risk assessment for each in-scope service should be completed by then. Specific services must disclose risk assessments to Ofcom from 31 March 2025. |
| December 2024 | Ofcom to publish (December 2024): enforcement guidance; record-keeping and review guidance. Categorised services: government secondary legislation on categorisation thresholds expected to be laid "by the end of 2024". | |
Phase Two - Child safety, age assurance, protection of women and girls | January 2025 to July 2025 | Ofcom to publish: children's access assessment guidance; age assurance guidance for pornographic content providers (January 2025); draft guidance for online harms that disproportionately affect women and girls (February 2025); protection of children codes of practice with risk assessment guidance (April 2025). Ofcom's advice to the Secretary of State on OSA fees is also expected in April 2025. | Children's access assessments must be completed by April 2025 i.e. three months after guidance publication. Respond to the consultation if desired. From July 2025, in-scope service providers must comply with children safety/protection duties and risk assessment duties for services likely to be accessed by children. Complete risk assessments by July 2025 i.e. three months after publication. Specific services must disclose assessments to Ofcom from 31 July 2025. |
Phase Three - Categorised services, additional duties | Spring 2025 to early 2026 | Ofcom to publish: final guidance on transparency reporting by categorised services (early 2025); register of categorised services (summer 2025, within four to five months after secondary legislation on thresholds is passed); media literacy statement (summer 2025, May to June); draft consultation on additional measures to strengthen the first codes of practice on illegal harms and protection of children (spring, April to June 2025); consultation on additional duties on categorised services ("no later than early 2026", "first quarter of 2026") | Ofcom will, within "a few weeks" of publishing register, send draft transparency notices to categorised services, and final notices "soon after", so categorised services must be ready to respond to the drafts and submit to Ofcom the required transparency reports in line with the reporting guidance from around the end of 2025. Categorised services should consider responding to Ofcom's consultation and will need to comply with additional duties on categorised services once in force. |
Fees | Around April 2026 | Fees regime to be implemented. | If liable to pay a fee, notify Ofcom accordingly and pay the fee. |
The above timeline gives an indication of anticipated key dates, but note that timings according to Ofcom's webpage and PDF differ, and actual timings will depend on various factors including Parliament passing the relevant secondary legislation within the anticipated timeframes.
Ofcom's helpful diagram is below:
© Crown Copyright 2024, from Implementing the Online Safety Act: progress update, October 2024 - Timetable for implementing the Act.
With just a few months before the first set of duties comes into effect, Ofcom has outlined its eight key priorities. The focus remains on tackling illegal harms and protecting children, which is to be achieved by ensuring that those businesses which provide regulated services conduct risk assessments and implement strong safety measures. Please see Ofcom's diagram below.
© Crown Copyright 2024, from Implementing the Online Safety Act: progress update, October 2024 - Ofcom's focus for the next three years.
In more detail, Ofcom has stated that its focus for the next three years is as follows:
What sort of challenges might your business face in meeting the demands of the OSA? How significant will these be, given the scale of the changes required, both technical and organisational (e.g. terms updates)? If, for example, your business needs to implement age verification and proactive monitoring tools, this is going to require substantial technological investment and ongoing maintenance. There will be some financial assistance to ease the burden - Ofcom indicates that measures will be put in place - but this will only be the case for small and medium-sized enterprises. The majority will have to bear the full brunt of the significant costs involved.
In summary, the revised timeline is a welcome update by Ofcom. Despite some aspects being later than originally expected, much work is still required - not just from Ofcom, but also from the multitude of affected businesses which must ensure they are compliant by the relevant deadlines.
With thanks to Katja Obed for preparing this article.