Impact of the UK's Online Safety Act on Tech Businesses
The UK's Online Safety Act (OSA), set to come into force on 25 July 2025, will usher in a new era of online safety, particularly for children. This legislation, enforced by Ofcom, the UK's media regulator, aims to address the issue of harmful content online by imposing specific requirements on tech providers regarding content moderation, age verification, and risk assessment.
Under the OSA, all providers are required to implement robust systems to detect and promptly remove illegal and criminal content, such as hate speech, child sexual abuse material, terrorist content, and other priority offences. Category 1 large platforms, those with over 34 million UK users or 7 million with content sharing, face the most stringent duties, including transparency in content moderation policies, detailed user reporting channels, and clear redress mechanisms for content removal decisions.
Platforms accessible to children have strict duties to implement age verification or assurance mechanisms to prevent underage users from accessing age-inappropriate or harmful content. Services offering user-generated pornographic content must have age verification and age assurance systems in place by July 2025. Content must also be filtered appropriately for different ages, with transparency in algorithms and a ban on exploitative design patterns like "dark patterns" that manipulate users.
The OSA imposes a statutory duty of care on digital services to assess, mitigate, and manage risks arising from content, particularly focusing on harm to children. Providers must understand their specific service’s risk level of facilitating illegal or harmful activity, including during crisis periods, and proactively reduce risks such as exposure to child sexual abuse, exploitation, illegal suicide/self-harm content, and others causing harm to women, girls, and children. These risk assessments must be ongoing and integrated into the design and operation of the service, ensuring clear governance and transparent accountability.
Ofcom enforces the OSA, with powers to require information, impose fines up to £18 million or 10% of global turnover, and issue business disruption measures if platforms fail to comply. Compliance with finalized codes of practice, particularly the Protection of Children Codes, is mandatory by July 2025. Platforms must demonstrate adherence or justify alternative safety measures.
However, smaller companies, especially SMEs and startups, have expressed concerns that the OSA may place excessive pressure on them in terms of cost and technical feasibility. Kevin Quirk, director at AI Bridge Solutions, claims that the Act presents a real challenge for these businesses. Boris Cipot, senior security engineer at Black Duck, suggests that content may be removed or prohibited due to generic rules disregarding context due to the fear of penalties, potentially disregarding different viewpoints.
Nick Henderson-Mayo, Director of Learning and Content at VinciWorks, raises concerns about the potential impact on encryption, as scanning mandates might lead to over-censorship. While the OSA may dissuade companies from launching and operating in Europe, Cipot believes that the long-term effect will be beneficial in ensuring online safety improves. Non-compliance with the OSA can result in fines of up to the greater of 10% of global annual turnover or £18m.
Tech businesses operating under the UK's OSA need to act now to conduct gap analyses, assign accountability, and build cross-functional governance to meet expectations and reduce compliance risk. This represents a fundamental shift toward proactive user safety, especially for young users.
Computing entities in the UK faced with the Online Safety Act (OSA) must prioritize education-and-self-development to navigate its stringent cybersecurity measures, as compliance failures can lead to severe penalties. For instance, providers will need to understand their service's technology risks and implement robust systems to promptly remove illegal content, particularly for children. Smaller companies, however, might find the OSA challenging due to its financial and technical demands, necessitating a re-evaluation of their strategies and investments in this area.
