Online Safety Act Enforcement: Immediate Action Required for UK Businesses

July 2025 marks a critical turning point in the UK’s Online Safety Act (OSA) implementation. After extensive preparation, Ofcom has now commenced active enforcement of key provisions, issuing deadlines that demand immediate attention from businesses providing online services with a significant UK user base or targeting the UK market.

Ofcom’s consultation phase is over; enforcement is here. Businesses that have been preparing must now ensure their compliance measures are robust, particularly concerning children’s safety and illegal content, or face severe consequences.

What Your Business Needs to Know Now and Why Should Be Concerned:

Ofcom’s enforcement actions this week underscore several critical, immediate concerns:

• Children’s Risk Assessments Due Imminently: Formal information requests have been issued, requiring online service providers to submit their children’s risk assessment records by 7 August 2025. This is a statutory requirement, and these assessments must align with Ofcom’s Children’s Safety Codes of Practice, which came into effect on 24 April 2025. [1]
• Active Enforcement of Illegal Harms Duties: Enforcement began on 17 March 2025, with Ofcom already launching several investigations. Businesses must ensure their illegal harms risk assessments are complete and documented. [2]
•  Age Assurance for Adult Content: For services that publish or host pornographic content, the deadline for implementing “highly effective” age assurance measures is 25 July 2025. This is a critical and immediate requirement for these providers.[3]

 Consequences of Non-Compliance

The risks of non-compliance are severe and multi-faceted, extending far beyond financial penalties. Ignoring these duties could lead to significant financial, legal, and reputational repercussions, as follows:

1. Severe Financial Penalties: Ofcom can levy fines of up to £18 million or 10% of a provider’s qualifying worldwide revenue (QWR), whichever is greater. [4]
2. UK GDPR Overlap & Cumulative Risk: OSA duties often involve processing personal data (e.g., age verification, content moderation). This processing must strictly comply with UK GDPR. Breaches can incur separate fines from the ICO, up to £17.5 million or 4% of global annual turnover. A single incident could trigger parallel investigations from both Ofcom and the ICO, significantly escalating legal and financial exposure.
3. Criminal Liability for Directors: New criminal offences exist for senior managers in specific instances, notably for failure to comply with Ofcom information notices (e.g., Sections 109 & 110 of the OSA 2023). This introduces a significant personal risk. [5]
4. Business Disruption Measures: Ofcom can seek court orders to block UK access to non-compliant services or compel payment/advertising providers to withdraw services. This could effectively cut off revenue and market presence. [6]
5. Immense Reputational Damage: Beyond legal penalties, public investigations and associated media attention can severely damage brand trust and deter users and investors, often causing long-term financial and market impact.

What Businesses Should Do

For those who have been thinking about compliance, the time for ‘thinking’ is over; it’s time for decisive action. Businesses should:

1. Verify Risk Assessment Records (Urgent!): Ensure all children’s and illegal harms risk assessments are complete, comply with Ofcom’s guidance, and are thoroughly documented. Confirm these include Data Protection Impact Assessments (DPIAs) where necessary.
2. Prepare to Submit Information: Respond comprehensively and promptly to Ofcom’s statutory information requests.
3. Implement & Test Safety Measures: Confirm age verification, content moderation, and other safety mechanisms are fully operational and effective.

Looking Ahead

While July 2025 marks a pivotal enforcement phase, Ofcom’s work continues with upcoming activities including the publication of the register of categorised services, guidance on online safety for women and girls (end of 2025), and the launch of the super-complaints’ regime (consultation expected September 2025). Businesses must maintain an ongoing commitment to compliance as the regulatory framework evolves.

[1] See Ofcom Guidance on Child Safety: https://www.ofcom.org.uk/online-safety/protecting-children
[2] See Ofcom on Illegal Harms: https://www.ofcom.org.uk/online-safety/information-for-industry/illegal-harms and recent Investigations: https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/enforcing-the-online-safety-act-ofcom-opens-9-new-investigations
[3] Ofcom on Age Assurance Deadlines: https://www.ofcom.org.uk/online-safety/protecting-children/new-rules-for-a-safer-generation-of-children-online
[4] Chapter 6 of Part 7 of the Online Safety Act 2023; Ofcom’s “Online Safety Fees and Penalties” consultation: https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/consultation-online-safety-fees-and-penalties
[5] GOV.UK circular on new criminal offences: https://www.gov.uk/government/publications/online-safety-act-new-criminal-offences-circular/online-safety-act-new-criminal-offences-circular
[6] Ofcom’s “Guide for services: complying with the Online Safety Act” under “business disruption measures”: https://www.ofcom.org.uk/cymru/online-safety/information-for-industry/guide-for-services