European Tech Regulation

The Online Safety Act

The UK’s Online Safety Act (OSA) imposes extensive new obligations on certain types of online service providers to protect users against illegal and harmful content.

Affected businesses

The OSA imposes obligations on providers of the following types of online services:

  • ‘User-to-user’ (U2U) services (e.g., social media platforms, messaging services, marketplaces, etc.)
  • Search services (e.g., search engines)

Services that publish or display certain pornographic content

The OSA will apply where the service provided has ‘links with the UK’ – this is defined widely.

U2U services and search services that meet certain thresholds will be categorised accordingly and subject to additional heightened duties, such as transparency reporting. Whilst the thresholds have NOT yet been set, it is anticipated that they will target services with high numbers of UK users and/or high-risk functionalities (as set out below).

*Based on Ofcom’s preliminary analysis using the data collated as part of its research and advice.

Key impacts

The OSA imposes ‘duties of care’ on in-scope online service providers. The nature of these duties varies depending on the type (i.e., U2U, search, etc.) and category of service (i.e., its reach and functionality), but can be broadly broken down into obligations requiring changes to technology, policies, processes and governance.

Key obligations include (amongst others):

  • Illegal content risk assessments – U2U and search services must determine the risk of users encountering illegal content.
  • Protection from illegal content – U2U and search services must take proportionate measures to mitigate risks identified in their risk assessments (e.g., prevent users from encountering certain illegal content).
  • Protection of children – U2U and search services ‘likely to be accessed by children’ must take proportionate measures to prevent and protect children from encountering content harmful to children (e.g., by using age verification measures).
  • User empowerment – Certain categorised services must provide users with the ability to control what content is visible to them.

The proportionality of measures to be taken in relation to any of the duties will correspond to the size of – and risks assessed by – the relevant service. All detailed guidance relating to the duties will be contained in Codes of Practice to be issued by Ofcom, the UK’s communications regulator.

Enforcement

The OSA provides Ofcom with wide-ranging and powerful enforcement tools, including:

  • Fines – which may be up to 18 million pounds or 10% of worldwide revenue, whichever is higher.
  • Business disruption measures – orders prohibiting ancillary services from being provided to noncompliant services, or preventing access to the service.
  • Powers to interview, require information, entry and inspection – including without a warrant in certain circumstances (but with seven days’ notice).
  • Takedown notices for terrorism or child sexual exploitation and abuse (CSEA) content – requiring services to identify and swiftly remove terrorism-related and/or child sexual exploitation and abuse-related content.
  • Criminal prosecution of senior managers under certain circumstances – e.g., if they fail to comply with an Ofcom information notice.

Key timings

Although the OSA officially became law on 26 October 2023, Ofcom will now take a three-year phased approach to implementation and enforcement.

The precise timeline will depend on the outcomes of Ofcom’s ongoing consultations and government approvals. However, based on Ofcom’s October 2023 road map:

By the end of 2024: Ofcom expects its codes on illegal harms to come into force, from which point relevant services must comply with the illegal content duties under the OSA, including conducting the illegal harms risk assessment within three months. Ofcom also expects secondary legislation to be passed setting out the categorisation thresholds, along with publication of a register comprising all categorised services.

By the end of 2025: Ofcom expects its respective codes on the protection of children and categorised services to be finalised. The children codes are expected to come into force by the end of 2025 with the categorised codes to follow at the start of 2026, from which point relevant services must comply with the protection of children duties and the categorised services duties under the OSA, as appropriate.

Group contacts

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.