Ofcom Initiates First Investigation into Individual Service Provider Under Online Safety Act

Ofcom has opened its first formal investigation into an online service provider under the Online Safety Act (OSA). The regulator is looking into whether the operator of an online forum has failed to meet its legal duties under the new law. Specifically, Ofcom is examining whether the provider has:

• Put proper safety measures in place to protect UK users from illegal content and activity;
• Carried out and kept a record of a suitable risk assessment for illegal harms; and
• Responded fully and properly to a legally binding request for information from Ofcom.

Ofcom has decided not to publicly disclose the name of the provider or the forum involved, given the sensitive nature of the case.

Legal Context: Provider Duties Under the OSA

Under the OSA, all user-to-user and search services in scope were required to conduct an illegal content risk assessment by 16 March 2025. This assessment was designed to evaluate the risks of UK users encountering illegal content, including “priority illegal content” as defined by the OSA.

In addition, providers of regulated user-to-user services to must also:

• Implement proportionate measures to mitigate and manage:
  • the risk of their service being used for the commission or facilitation of a priority offence; and
  • the risks of harm to individuals using their platform.
• establish and maintain proportionate systems and processes to:
  • prevent users from encountering priority illegal content;
  • minimise the time that any priority illegal content remains on the platform, and ensure swift removal once identified.
• include provisions in the platform’s terms of service to protect users from illegal content. These terms must be clear, easily accessible, and consistently applied.

At the same time, duties to use systems and processes to ensure users can easily report illegal content and make relevant complaints also came into effect on 17 March 2025.

Ofcom has published codes of practice and guidance to help services understand how to comply with these obligations. In addition, providers are required to respond promptly and accurately to any statutory requests for information from Ofcom.

Ofcom’s enforcement approach

In this case, Ofcom has stated that it made several attempts to engage with the provider and issued a legally binding request for the provider’s illegal harms risk assessment, which should have been completed. However, after receiving only a limited and unsatisfactory response, Ofcom has chosen to escalate the issue by launching a formal investigation.

Ofcom will now gather and evaluate evidence to determine whether a legal breach has occurred. If Ofcom identifies non-compliance, it has the authority to impose fines of up to £18 million or 10% of the provider’s qualifying worldwide revenue, whichever is higher. In cases of severe non-compliance, particularly where there is significant risk of harm to UK users, Ofcom may seek a court order to compel third parties to take action that disrupts the provider’s operations. This could involve requiring third parties – such as payment providers, advertising services, or Internet Service Providers (ISPs) – to withdraw their services from, or block access to, the provider’s regulated service in the UK.

How can we help?

For further guidance or support with complying with the OSA, book a free consultation with us.