UK and EU ramp up online safety enforcement: Ofcom issues first OSA fine as Commission probes child protection under DSA

Online safety matters continue to make headlines in the UK and EU, with Ofcom this week providing an update on its recent enforcement activity under the Online Safety Act (the OSA), and the European Commission (the Commission) launching investigative actions under the Digital Services Act (the DSA) concerning how major tech companies protect children online. 

Ofcom enforcement activity

Ofcom has not hesitated in exercising its regulatory powers. It has opened over 20 formal investigations since the first OSA duties came into force in March 2025, with over a dozen still active. The regulator is currently operating five ‘enforcement programmes’: (i) tackling child sexual abuse material (CSAM); (ii) protecting children from adult content via age assurance; (iii) monitoring compliance with illegal content risk assessment duties; (iv) monitoring compliance with children’s risk assessment duties; and (v) tracking age assurance on ‘small but risky’ services whose principal purpose is to host harmful content. 

Ofcom has also launched an extensive ‘monitoring and impact programme’ to comprehensively review child safety on the biggest social media platforms (such as Facebook, YouTube and TikTok).

Ofcom’s latest enforcement update gives insights into Ofcom’s regulatory approach to online safety:

1) Enforcement against non-UK companies will proceed, despite legal and political headwinds

Ofcom has confirmed its £20,000 fine against popular online forum 4chan. This first fine issued under the OSA concerns 4chan’s failure to respond to Ofcom information requests, which included a request for its illegal content risk assessment. Conducting such an assessment is a fundamental obligation in the OSA applicable to all in-scope search and user-to-user services.

Ofcom’s latest action comes despite 4chan previously responding to Ofcom’s provisional notice of contravention by filing US court proceedings aimed at preventing Ofcom enforcing the OSA against US companies. It is unclear yet what Ofcom’s next steps will be if 4chan does not comply, but the OSA includes (as yet untested) mechanisms aimed at enabling Ofcom to significantly curtail, or prevent, non-compliant services based outside the UK from continuing to operate within the UK.

2) The regulator is responding pragmatically to geo-blocking 

Ofcom has closed four investigations on the basis that the relevant sites have opted to block access by UK users rather than adhere to the regulator’s Codes of Practice. Ofcom has indicated that it will only cease investigations following the site being confirmed as unavailable to UK users for a sustained period. Ofcom has also demonstrated that it will not tolerate sites actively encouraging users to circumvent the block – it is continuing to monitor an online suicide forum that had done so.

3) Early engagement is bringing positive change (without fines) 

Ofcom’s update notes that its early enforcement activity has ‘[driven] significant improvements’ in tackling CSAM, with two file-sharing sites of significant concern having engaged constructively and implemented perceptual hash-matching technology in response. Ofcom has consequently closed these investigations.

In its September bulletin, Ofcom also remarked on the ‘sweeping change’ in the industry, with many popular UK websites and apps – including Reddit, Tinder and X – proactively implementing age-gating measures in response to the OSA’s child safety duties coming into effect. 

EU investigates protection of children online

In the EU, it is clear that child safety is also a key focus for enforcement under the DSA (for further background on the DSA, see here). Last week, the Commission announced that it has sent information requests to Snapchat, YouTube, Apple App Store and Google Play aimed at understanding the measures these companies have put in place to protect minors.

These are the first DSA-related investigatory steps taken by the Commission since the adoption of the Guidelines on the Protection of Minors in July 2025, which apply to online platforms within the DSA’s scope that are accessible to minors. They list measures aimed at protecting children from online risks and recommend the use of effective age assurance methods. 

Last week, the Commission also announced that the European Board for Digital Services’ (EBDS) Working Group for the protection of minors has agreed to take action, in co-ordination with the competent authorities in Member States, to ensure that smaller online platforms comply with the DSA. These actions will include identifying the platforms which pose the greatest risk for children and checking platforms’ compliance.

Key takeaways 

• Ofcom is taking a pragmatic approach to OSA enforcement, engaging proactively with providers to bring them into compliance, including entering into ‘compliance remediation’ processes with services rather than necessarily opening formal investigations. 

• Both Ofcom and the Commission are particularly focused on the protection of children – two of Ofcom’s enforcement programmes, and the majority of its live investigations, concern the use of age-gating, and there has been a focus on child safety in a number of recent Commission enforcement actions.

• It is also clear from Ofcom’s enforcement actions in the UK, and from the work of the EBDS in the EU, that it is not only large platform providers who need to be concerned about their compliance, especially in respect of child safety – smaller platforms that can pose significant risk are also in focus.