Though passed in 2023, the UK’s Online Safety Act (OSA) only really began to take meaningful effect in 2025, as Ofcom published guidance which caused providers’ duties to crystallise. In this two-part series, our first article recaps the key stories from the first proper year of the OSA – before our second article provides a whistlestop tour of what to expect in 2026.
After an extended gestation period, the OSA finally took substantive effect in 2025. As explained in our post from over a year ago, 2025 was the year when all providers of user-to-user, search or pornographic services had to act. In simplified terms, this meant conducting the various risk assessments mandated under the OSA and putting in place the requisite safety measures.
Baptism by risk assessment
A simple task? Well, no, not exactly. Even to assess the risk of illegal content and activity, a provider was required to assess 17 categories of illegal content designated a priority under the OSA, plus a further bucket of so-called non-priority illegal harms, for each service it offered. This ranged from assessing the risk of terrorist content appearing on the service, to considering whether the service could be used to facilitate proceeds of crime offences.
These requirements applied to all providers in the scope of the OSA, regardless of scale and size. Given the compliance burden and the risks of failing to meet the OSA’s requirements, understandably, some providers – like the London Fixed Gear and Single-Speed forum for cyclists and a forum dedicated to hamsters – chose to shut down rather than try to comply.
The deadline to conduct the illegal content risk assessments was 16 March 2025. Services that were likely to be accessed by under-18s then had to prepare their risk assessment of content harmful to children by 24 July 2025.
Ofcom later reported that it had gathered and reviewed 72 illegal content risk assessments and 32 children’s risk assessments, amounting to over 10,000 pages of analysis. These were produced by many of the highest reach services. Ofcom found that, though many had prepared comprehensive and well-written records, there were “notable issues” for some providers to fix. In December 2025, Ofcom also made a host of recommendations for all providers to consider when they next refresh their assessments.
Inevitably, some providers either did not do their risk assessments or did not provide them to Ofcom…
Enforcement kicks off
…which led to Ofcom’s first enforcement action under the OSA.
As our article in July 2025 explained, Ofcom’s early enforcement work focused on “low-hanging fruit”: those platforms that Ofcom suspected of doing nothing (or next to nothing) to comply with the OSA. This included services that Ofcom suspected had not completed an illegal content risk assessment, that had failed to implement highly-effective age assurance (HEAA) or which had simply failed to respond to an Ofcom information notice.
Relative to the size of the fines Ofcom has the power to impose (the greater of £18 million and 10% of qualifying worldwide revenue), most of the financial penalties issued in 2025 were relatively small, with fines in the tens of thousands of pounds against Itai Tech Ltd (for failing to implement HEAA and respond to an information notice), 4chan (for failing to implement HEAA, respond to an information notice, and complete an illegal content risk assessment) and the provider of Im.ge (for failing to respond to information notices). However, in December 2025 Ofcom upped the ante and fined AVS Group Ltd £1,000,000 for failure to implement HEAA and £50,000 for failure to respond to an information notice. In all cases other than Itai Tech Ltd, Ofcom also imposed a daily rate penalty for continued non-compliance.
Ofcom ended 2025 having opened investigations into 92 online services, with Melanie Dawes indicating enforcement against household names is coming in 2026: “You will see some action from us on some of the big household names over the coming months. You’ll see us move against the bigger platforms when it comes to enforcement as well”.
Questioning global reach
In the meantime, however, not every provider accepted that Ofcom had jurisdiction under the OSA.
After ignoring Ofcom’s correspondence for months, 4chan reportedly responded to the regulator’s Confirmation Decision thanking them for “several dozen pages of, in America, legally void correspondence. It will make excellent bedding for my pet hamster” (the OSA finally providing some benefits to hamsters after being responsible for its owners’ forum being closed down).
The platform has now launched legal action in Washington, USA, claiming that, as its state of incorporation (Delaware) claimed independence from Britain in 1776, Ofcom have no jurisdiction in respect of it. 4chan therefore sought (i) a permanent injunction prohibiting Ofcom from enforcing the OSA in the US; and (ii) a declaration that its demands are unenforceable under US law.
In Ofcom’s riposte, it characterises 4chan’s case as an attempt to argue that the “American Revolution prevents the UK from regulating U.S.-based internet services, even when the services furnish illegal content to hundreds of thousands of UK users”. Ofcom added that “Some court, in some future case, may have to resolve complex cross-border regulatory issues under the Online Safety Act. But this is not that case.”
Even if it is not, the reach of the OSA means that it will continue to affect companies situated far outside of the UK’s physical borders. Some platforms, including numerous file-sharing platforms and Itai Tech Ltd, took themselves out of the scope of the OSA entirely by implementing geo-blocking to make their services unavailable to UK users. Though this can be effective in taking providers outside of the OSA, Ofcom has made it clear, in comments relating to an ongoing investigation of a suicide forum, that such measures will not prevent enforcement where they are “ineffective and/or not consistently maintained”.
Inevitably, geo-blocks are not a panacea either. As has been widely reported, UK users can still access geo-blocked websites by using virtual private networks (VPNs). These saw a spike in usage during July 2025 – coinciding with the introduction of HEAA for user-to-user sites which included content that is harmful to children, notably for platforms allowing pornography. Ofcom have asserted that this VPN usage has since fallen back to pre-July 2025 levels – but the challenge VPNs pose to implementing UK-specific internet regulation remains.
Categorisation challenges
On its original timetable, Ofcom had hoped to publish its register of categorised services in Summer 2025. These are some of the most widely-used services that will be subject to additional obligations under the OSA. However, this timing fell by the wayside following Wikimedia’s judicial review of the categorisation regulations under the OSA.
Wikimedia, the organisation that operates Wikipedia, argued that the regulations would lead to it being deemed “Category 1” and therefore subject to duties that would fundamentally change the way it operates. For instance, Category 1 services have to give users the option to interact only with content from “verified” users. Wikipedia argued that this was incompatible with how the service operates and would have severe impacts on its ability to operate. Wikipedia argued that this meant that the regulations had been made unlawfully for several reasons.
The Court did not overturn the categorisation regulations but was clearly concerned by how the duties on categorised services could affect freedom of expression and other human rights. The Court therefore left open the possibility of Wikimedia bringing further legal action if Ofcom ultimately designates Wikimedia as a Category 1 service.
The judgment has clearly given Ofcom much to chew on, in particular regarding how to interpret the categorisation regulations in such a way as to mitigate the risk of further challenge down the line. Ofcom has “adjusted” its plans on timings for the categorisation register significantly, and is planning to consult with providers of potential categorised services in the first half of 2026, with finalisation of the register expected in July 2026.
Public debate
Consistent with the level of public scrutiny the OSA received prior to it being fully-fledged, public debate on the regime raged on in 2025 both at home and abroad.
UK public inquiries have proved an unlikely forum for Ofcom to be publicly questioned in relation to the effectiveness of the UK’s online safety regime, both on the Covid-19 pandemic’s impact on children’s lives online (in Module 8 of the Covid-19 Inquiry) and on online radicalisation (in the Southport Inquiry). Both inquiries are yet to release their reports, including any recommendations for changes for the future.
Meanwhile overseas, the OSA became a prime target for US lawmakers targeting “Europe’s Threat to American Speech and Innovation”, with Nigel Farage speaking to the US House Judiciary Committee in September 2025 about the OSA.
Not all doom and gloom
Significant progress in online safety has been made over the course of 2025.
Ofcom’s report “Online Safety in 2025” captures the practical, real-world changes in several areas towards a safer online experience: from the introduction of age checks and other online safety measures like user support and reporting tools on a range of widely used services, to the withdrawal of dangerous services from the UK, and the increased use of ‘hash-matching’ technologies by a variety of services to identify and remove CSAM.
However, Ofcom is all too aware that “service providers must now go further” and expects them in 2026 “to shift from taking initial compliance steps to delivering meaningful, measurable improvements for their users”.
What’s next?
So, the first proper year of the OSA is over, but what’s next? Look out for our next article which will explore what you can expect in 2026 (spoiler alert: the work for Ofcom and in scope services has only just begun…).



