The Online Safety Act Comes into Force – How Should Businesses Respond?

Ofcom has started to enforce a key part of the Online Safety Act. Digital service providers operating in the UK must now carry out risk assessments and take steps to stop children from accessing harmful or adult content on their platforms.

Companies that don’t meet Ofcom’s standards could face significant penalties (up to £18 million or 10% of global turnover), whichever is higher. In the most serious cases, senior managers or executives could be held personally responsible.

The Online Safety Act aims to protect users of online services, including children, by imposing new duties on some digital services. From 25th July 2025, it introduces significant new obligations for those service likely to be accessed by children, marking another crucial milestone in the UK’s evolving regulatory landscape.

This is just the latest phase of the online safety rollout. Businesses should already be well-advanced in their compliance work if they operate a search engine or any online service which allows users to interact with each other or encounter their content (“user-to-user” services). Those businesses should already have completed an illegal content risk assessment by March 2025 and implemented appropriate safety measures. And they should also have completed a children’s access assessment by April 2025 to determine whether children might use their platforms, triggering comprehensive children’s risk‑assessment requirements.

Any services which missed the deadlines for earlier assessments could already be at risk of enforcement action from Ofcom, and may now be automatically deemed as likely to be accessed by children, triggering the children’s risk‑assessment requirements.

Even if a business missed the deadline, they should note that the ‘child access assessments' need to be carried out annually to determine whether a user-to-user service or search service is likely to be accessed by a significant number of children.

To determine whether a service is likely to be accessed by children, the business must consider whether it’s technically possible for children to use the service – something that can only be confidently ruled out if the service uses highly effective age‑assurance tools such as facial age estimation, digital ID verification or photo‑ID matching at first use. Simply stating a minimum age in your terms of service is not enough.

If it’s technically possible for children to access the service, the business must consider other factors, like whether their commercial strategy relies on children accessing the service and whether the content or design of the service is likely to appeal to children. If any of those apply, then it is likely to be accessed by children, which means that the business must carry out a further risk assessment and implement appropriate measures.

If a business failed to carry out a children’s access assessment by the deadline of 16 April 2025, or if they concluded that the service was likely to be accessed by children, they then had to complete a further risk assessment (a children’s risk assessment) and adopt appropriate safety measures to protect children. Companies must evaluate risks of harm to children, such as violent, pornographic, self‑harm or harmful‑substance content, and implement robust safety measures appropriate to the risks. These could include effective age‑verification systems and child-friendly reporting mechanisms.

While the focus right now is on the protection of children, it’s important to note that children’s access assessments and the risk assessments must be conducted annually. Businesses also need internal processes in place to respond to ongoing platform changes that may affect their risk profile – for instance, adding new features like recommendation algorithms, group chats or user profiles. If these features increase the risk to children, they may trigger additional safety measures. If it’s important to a service not to have an age-verification barrier between users and content, then they must build compliance into their development processes, not treat it as an afterthought.

While the headline fines under the Online Safety Act may sound daunting, enforcement will focus on cases where non-compliance poses real risk, particularly to children. Business should also consider the reputational consequences of Ofcom publishing details of investigations.

Ofcom has already launched enforcement programmes to monitor whether businesses are complying with their illegal content risk assessment duties and their children’s risk assessment duties.

For businesses already investing in safeguarding, content moderation, and privacy, the shift to compliance is less about reinventing practices and more about formalising and evidencing them. This means recording assessments, documenting decision-making, updating terms of use, and ensuring teams understand their responsibilities. However, companies that are late to start will need to take a focused, cross-functional approach by involving legal, governance, and tech teams to close gaps.

Compliance should be seen as part of ethical digital practice. It strengthens user trust, aligns with broader ESG goals, and supports a safer online ecosystem. Ofcom’s guidance is detailed and designed to be practical, meaning that with good project management and clear internal communication, businesses can meet their obligations. The key is to treat this as an evolution of existing responsibilities, not an entirely new regulatory burden, and to seek advice early if there are gaps or uncertainties.