
Ofcom’s Online Safety Act multiplies companies’ penalty risk exposure

June 10, 2025

Another major regulatory penalty risk has entered the scene. The UK's Online Safety Act 2023 (OSA), enforced by the Office of Communications (Ofcom), doesn't just add a multimillion-pound risk for any business with an online presence; a single failure can also trigger enforcement by more than one regulator. On top of monitoring data privacy risk exposure, companies should be aware that Ofcom's new regime can pile additional penalties onto related breaches. For legal and tech teams already juggling fragmented digital regulations, it is important to build infrastructure and risk assessments fit for all forms of regulatory scrutiny.

The OSA received royal assent in October 2023 and is being implemented in three phases. The first phase came into force on 17 March 2025, and full implementation is expected in 2026. A new Online Information Advisory Committee, established on 28 April 2025 with a three-year term, held its first meeting on 16 May 2025. Given that child safety is a major driving force behind the Act and public pressure on the government is immense, companies should prepare for regulatory scrutiny to be intense and high profile.

Applicability

Ofcom warns that the OSA may apply to any organisation offering “an online service (a service made available over the internet)” that operates in the UK, which also covers organisations located outside of the UK. More specifically, the OSA applies to:

  • User-to-user services
  • Search services
  • Pornography providers  

Ofcom’s website provides a tool to check if the OSA applies to your business.

Enforcement, Fines and Penalties

The Ofcom rules state that:

“Companies can be fined up to £18 million or 10% of the qualifying worldwide revenue, whichever is greater. Criminal action can be taken against senior managers who fail to ensure information requests from Ofcom are fulfilled.”

Where a company is found to have breached its obligations under the OSA, the same conduct may also lead the Information Commissioner's Office to investigate a related breach of the Data Protection Act 2018 and UK GDPR concerning the processing of personal data. Such breaches may result in a separate fine of up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is greater.

Compliance with the Online Safety Act

Ofcom has stressed that proportionality will be key when it comes to enforcement of the OSA and the evaluation of companies' compliance efforts. In FRA's experience supporting penalty calculations and negotiations under various laws and regulations, many factors are weighed against the maximum penalties allowed for in the text of the law, but a core element of a good defence in most cases is a strong, well-documented compliance programme.

Complying with the OSA will require a cross-disciplinary approach to updating existing risk assessments and controls. Here we list some key areas to tackle:

1. Perform comprehensive risk assessments

  • The OSA requires illegal content risk assessments, and Ofcom has already begun requesting evidence of them. Is your company keeping its risk assessment dynamic to reflect the changing risk landscape?
  • Leverage available data for robust risk assessments and for transparency reporting to Ofcom, including user demographic data and performance metrics for automated content monitoring technology (for example, detection rates, false positives and time to action).
  • Ensure that risk assessments are formally documented, with methodologies and assumptions clearly stated.

2. Implement or enhance controls to mitigate identified risks

  • Review existing controls to identify overlaps with data privacy controls, and identify gaps that need to be closed to comply with the OSA.
  • Consider how geolocation and geofencing controls can be implemented or enhanced to provide stronger safeguards, and how their accuracy and circumvention (e.g. via VPNs) will be measured and documented.
  • Consider what a proportionate investment in advanced tools might look like for your company, e.g. AI-powered content classifiers, automated reporting systems, or real-time flagging mechanisms to enhance detection and response.

The Global Ripple Effect

The introduction of the OSA raises broader questions for other national regulators and international businesses. A key concern is how the OSA may intersect with differing legal frameworks, particularly in the US, where many major hosting platforms are based.  

The era of self-regulation of online content is ending, and regulators like Ofcom are setting a new benchmark for content moderation — one that demands transparency, defensibility, and continuous risk management. As UK enforcement expands, a wave of similar regulations is likely to follow globally. It is imperative that organisations take active measures to stay ahead of a rapidly evolving regulatory landscape.


With thanks to Erin McDonald and Florence Duault for their contributions.
