Ofcom announces updated timelines for Online Safety Act implementation

Ofcom has published an updated timetable outlining its plans for the implementation of the Online Safety Act (‘OSA’), with new duties on online services due to kick in from March 2025. 

Who does the OSA apply to?

The OSA captures two key categories of services: (i) user-to-user services (‘U2U’), being services where a user can encounter the content of another user; and (ii) search services. Companies operating such services will, if the service has links with the UK and is not exempt, be subject to new proactive duties. This includes conducting a risk assessment of each service they operate to determine which measures should be implemented to mitigate their users’ exposure to illegal content and their sites being used to commit crime. See here for a previous blog with more background on the OSA. 

What key dates are coming up?

If you provide an in-scope service, it is important to keep track of the various deadlines and guidance publication dates that are coming up. These include:

• Risk assessments. Ofcom will publish finalised guidance detailing how companies should assess the risk of illegal content being present on, or criminal offences being committed via, their services, in December 2024. If your service is in scope as a U2U or search service, you should complete your risk assessment by mid-March 2025. 
   
• Illegal harms duties. Ofcom expects to publish its ‘Illegal Harms’ codes of practice in March 2025. These codes will set out the measures Ofcom recommends services follow to tackle illegal content and criminal activity online. The size and risk profile of a service will determine exactly which of the measures apply. If your service is in scope and you fail to comply with the applicable measures, or fail to use other effective measures to protect users, you could be enforced against by Ofcom from this date. 
   
• Children’s access assessment. In-scope U2U and search services must be assessed in terms of whether children are likely to access them and in what numbers. Importantly, such services can only conclude that children cannot access a service if they deploy effective age gating techniques. If a significant number of children use a service, or the service is likely to attract significant numbers of child users, additional duties will apply to protect those users from certain ‘harmful’ content. Ofcom expects to publish final guidance on this assessment in January 2025. If your service is in scope, you must complete an access assessment by April 2025.
   
• Children’s risk assessment. If you conclude, following an access assessment, that your in-scope service is likely to be accessed by children, you are then required to conduct an additional assessment to assess the risks of harm to your child users. Ofcom plans to publish finalised guidance on these assessments in April 2025, and your risk assessment must be completed by July 2025. 
   
• Child safety duties. Ofcom expects to publish its final codes of practice concerning the protection of children in July 2025. If your in-scope service is likely to be accessed by children, you should adhere to the applicable measures recommended by Ofcom in the codes (which will be informed by the outcome of your risk assessment) from that date.

What steps can services take now?

There are at least three initial steps you can take towards compliance with the OSA if you provide an online service. 

1) Check if the service is in scope. If you provide an online service, you should ideally have already assessed whether it is caught by the OSA. If not, consider whether your online service, or any part of it, allows users to encounter one another’s content, or to search more than one website or database. If so, identify whether such services have the requisite link with the UK: do you target your services into the UK, have a significant number of UK users, or expose UK users via your service to a material risk of harm? If so, do you benefit from an applicable exemption?

While headlines may focus on compliance by the likes of Meta, X and Tiktok, the OSA does not only apply to social media – Ofcom’s own assessment estimated that over 100,000 online services could be in scope. Online forums, file-sharing sites, marketplaces, messaging apps, gaming platforms, and dating apps are all potentially caught. As such, if your online presence contains user interaction in some form, you should be considering if the OSA applies.

2) Start your illegal content risk assessment. While Ofcom is yet to finalise its guidance, if you are in scope, you should not delay in starting to prepare an illegal harms risk assessment, including gathering relevant evidence. Based on what Ofcom has published to date, in-scope providers will need to assess the risk level of their service by reference to at least 15 types of illegal harm and consider Ofcom’s lists of ‘risk factors’. As these assessments are likely to require significant effort, if in scope you should ideally be taking initial steps now using the draft guidance that is available. 

3) Familiarise yourself with Ofcom’s proposed measures. The OSA deems services to be compliant if they adopt the relevant measures from Ofcom’s codes of practice. Based on Ofcom’s draft codes, compliance may involve creating new policies and guidelines, making use of recommended technologies (such as keyword detection and hash matching), or ensuring a site or app has certain functionality (e.g., muting, blocking or disabling comments) or default settings. Online services will benefit from considering as early as possible which measures may apply, and the possible lead time required to implement them. 

While Ofcom guidance is yet to be finalised, given the relatively tight timeframes before the OSA comes into force, if you operate an in-scope online service, now is the time to start taking these steps. You will, of course, then need to monitor Ofcom’s ongoing work in this area in order to complete your risk assessment and we are helping clients monitor this evolving area.