Regulation

The Online Safety Act

A comprehensive law designed to protect children and adults online.

Home / Resources / Regulation / UK / The Online Safety Act

Overview of the Online Safety Act

The Online Safety Act is a new law designed to protect both children and adults online. It places a range of new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms. The Act mandates that companies implement systems and processes to reduce the risk of underage users accessing their services, prevent illegal activity and take down illegal content when it appears.

The Act became law in 2023, with the first day of implementation on 16th December 2024.

Protection for children and adults

The Act’s strongest protections focus on children. Platforms must prevent minors from accessing harmful or inappropriate content and provide clear and accessible mechanisms for parents and children to report problems online when they do arise.

For adults, the Act enhances transparency by requiring major platforms to disclose the types of content they allow, remove illegal content when it appears and provide users with greater control over what they see.

Regulatory oversight

Ofcom, the UK’s communications regulator, will oversee compliance with the Act. It will issue codes of practice detailing how providers can meet their safety obligations and enforce regulations proportionate to a platform’s risk level, size, and capacity. Platforms are also required to respect users’ rights while implementing safety measures.

Scope of the Act

The Act applies to social media platforms (widely defined as “user-to-user services”), search engines and pornographic websites. This could include:

Social media platforms
File-sharing and cloud storage services
Video-sharing websites
Online forums
Dating apps
Instant messaging services
Online video gaming

It also extends to companies based outside of the UK if they have a UK user-base, target the UK market, or pose a material risk to UK users.

Content regulations under the Act

Illegal content

Platforms must take strong measures against illegal activities, including:

Child sexual abuse material
Coercive control
Extreme violence and pornography
Fraud and scams
Inciting violence and terrorism
People smuggling and illegal immigration
Selling illegal drugs or weapons

Content harmful to children

The Act categorises harmful content into:

Primary Priority Content (must be completely inaccessible to children):

Pornography
Content promoting self-harm, eating disorders, or suicide

Priority Content (requires age-appropriate restrictions):

Bullying and abuse
Graphic violence
Dangerous challenges or stunts

Implementation timeline

The Online Safety Act became law on 26 October 2023, and work is underway to bring its protections into effect as quickly as possible. Ofcom is taking a phased approach to introducing the Act’s duties, with the government also responsible for passing secondary legislation to support the framework.

On 17 October 2024, Ofcom published an updated roadmap detailing its plans for enforcement and compliance. As part of its role, Ofcom is developing guidance and codes of practice to help online platforms meet their obligations. These codes undergo public consultation before being finalised and must be approved by Parliament before taking effect.

Key phases of implementation

Illegal content duties
The illegal content duties are now in effect, and as of 17 March 2025, Ofcom has enforcement powers under the new regime.
Service providers were required to complete their illegal content risk assessments by 16 March 2025.
The illegal harms codes of practice were approved by Parliament on 16 December 2024, alongside Ofcom’s risk assessment guidance and policy statement on protecting users from illegal harms online.

Protecting children from harmful content

On 17 January 2025, Ofcom published age assurance guidance to prevent children from accessing online pornography. Platforms that host their own pornographic content (Part 5 services) must now implement robust age verification in line with Ofcom’s guidelines.
Ofcom also released children’s access assessment guidance, requiring in-scope service providers to assess whether their services are accessible to children by 16 April 2025.
Draft codes of practice on protecting children from harmful content—such as material promoting self-harm or suicide—have been developed. Public consultation on these codes closed on 17 July 2024.
From Spring 2025, platforms will need to conduct risk assessments for harms to children, with full implementation of the child safety regime by Summer 2025.

Platforms in scope must ensure their services enforce age restrictions and offer safe, age-appropriate experiences for children.

Highly effective age assurance

Ofcom has outlined highly effective age assurance methods to ensure that children are protected from harmful and age-inappropriate content online. These methods help online platforms comply with their legal obligations under the Act by preventing underage users from accessing restricted content while respecting user privacy.

Ofcom’s guidance on highly effective age assurance and its implementation in practice is applied consistently across all parts of the online safety regime. In summary, Ofcom’s position:

States that any age-checking methods deployed by services must be technically accurate, robust, reliable and fair to be considered highly effective.
Provides a non-exhaustive list of methods that Ofcom considers capable of being highly effective, including: email-based age estimation, open banking, photo ID matching, facial age estimation, mobile network operator age checks, credit card checks and digital identity services.
Confirms that methods such as self-declaration of age and online payments that do not require a person to be 18 are not considered highly effective.
Stipulates that pornographic content must not be visible to users before or during the process of completing an age check. Additionally, services must not host or allow content that encourages or directs users to circumvent an age assurance process.
Sets expectations that sites and apps take into account the interests of all users when implementing age assurance, ensuring strong protections for children while respecting privacy rights and ensuring adults can access legal pornography.

Ofcom considers that this approach will secure the best outcomes for protecting children online during the early years of the Act being in force. While Ofcom has decided not to introduce numerical thresholds for highly effective age assurance at this stage (e.g., 99% accuracy), it acknowledges that such thresholds may complement its four criteria in the future, subject to developments in testing methodologies, industry standards, and independent validation.

Ofcom has outlined 4 key criteria to determine if an age assurance method is highly effective. The solutions implemented must be: Technically accurate, robust, reliable and fair.

Alongside traditional methods like identity document checks, Ofcom has recognised email address-based age estimation – a method pioneered by Verifymy – as highly effective.

Ofcom’s official guidance states that email-based age estimation is capable of being highly effective due to the below reasons:

“Email-based age estimation estimates the age of a user by analysing the purposes for which the user’s provided email address has been used. This could include where the email address has been used with financial institutions, utility providers and other relevant services.
Based on the evidence provided by the Age Verification Providers Association and Verifymy, we consider that this method is capable of achieving high levels of technical accuracy. There are ways to increase the robustness, for example by requiring users to verify their ownership of the email address. Where the underlying data points are based on strong digital identity verification (e.g. through banks, mortgage lenders), this is likely to indicate reliability. Finally, we consider that this method can be operated without risk of material bias, indicating fairness. We have concluded that, overall, email-based age estimation, if deployed in line with the criteria, is capable of being highly effective at determining whether or not a user is a child.
Accordingly, we have added email-based age estimation to the non-exhaustive list of age assurance methods that are capable of being highly effective.”

Verifymy also offers additional age assurance methods classed as highly effective under the Act:

Age Verification (AV)
1. Photo-identification (photo-ID) matching – This works by capturing relevant information from an uploaded photo-ID document and comparing it to an image of the user at the point of ID upload to verify that they are the same person.
2. Credit Card Authentication – In the UK, individuals must be 18 or over to obtain a credit card, therefore, credit card issuers are obliged to verify the age of applicants before providing them with a credit card. Credit-card based age checks work by asking a user to input their credit card details, after which a payment processor sends a request to check the card is valid by the issuing bank. Approval by the issuing bank can be taken as evidence that the user is over 18.
3. Mobile Phone: Each of the UK’s MNOs has agreed to a code of practice whereby they automatically apply a content restriction filter (CRF), which prevents children from accessing age-restricted websites over mobile internet on pay-as-you-go and contract SIMs. Users can remove the CRF by proving they are an adult. MNO age checks rely on checking whether the CRF on a user’s mobile phone has been removed. If the CRF has been removed, this indicates that the recorded user of the device is over 18. Confirmation of whether or not the recorded user is over 18, based on the status of the CRF, is shared with the relying party.
Age Estimation Technology
1. Facial Age Estimation – This works by analysing the features of a user’s face to estimate their age.
2. Email-based age estimation – These are solutions that estimate the age of a user by analysing the other online services where that user’s provided email address has been used. This could include where an email address has been associated with financial institutions such as mortgage lenders.

Implementation and Compliance

Mandatory age checks for certain services – Platforms that publish pornographic content must implement robust age verification measures immediately.
Ongoing monitoring and reporting – Ofcom requires companies to monitor the effectiveness of their age assurance measures and report compliance.
Penalties for non-compliance – Companies failing to implement appropriate age verification systems risk fines and enforcement action by Ofcom.

By using these highly effective age assurance methods, online platforms can better protect children while ensuring compliance with the Online Safety Act.

Enforcement measures

Ofcom has broad enforcement powers, including:

Fines of up to £18 million or 10% of global revenue, whichever is greater
Criminal action against senior managers who obstruct investigations or fail to comply with child safety duties
Cutting off non-compliant platforms from financial services and UK accessibility

Ofcom can take action against non-UK companies with significant UK user-bases to ensure that overseas platforms comply with safety regulations.

Conclusion

The Online Safety Act marks a significant shift in digital regulation. It holds platforms accountable for user safety while balancing free speech considerations. With Ofcom’s oversight, phased implementation, and strong enforcement measures, the Act aims to create a safer online environment for all users in the UK.

Verifymy can supply ‘highly effective’ age assurance, which is required by the Act to prevent minors from seeing Primary Priority Content, such as suicide, self-harm information and pornography.

We can also estimate users’ ages to protect them from other Priority Content, which includes bullying and harmful challenges. Additionally, our services include content moderation for sites to detect and remove illegal or harmful content.

Get in touch to talk to a regulatory expert and understand how to protect your business and ensure compliance.

About the author

Lina Ghazal

Lina is Head of Regulatory & Public Affairs at Verifymy, with over 10 years of experience working across media and tech, in both the public and private sectors — including at Ofcom, TF1, and Meta. Lina specialises in building impactful policy initiatives and partnerships, and has worked closely with regulators, industry leaders, and civil society across Europe, the Middle East, Africa, and the US to help shape the future of online safety.

Got a question?

How can we help?

Verifymy can assist services in excluding minors altogether and determining the age range of child users so their experience can be tailored appropriately to their age.

Age assurance methods

Verifymy’s age assurance solution for any online product, service or business, features the widest range of age verification and age estimation methods to ensure the highest pass rates possible with minimal business disruption.

Email address

An age estimation method that uses an email address to accurately determine user age while preserving privacy.

Facial age estimation

An age estimation method based on a person’s facial features captured in a short selfie video.

Government-issued ID

An age verification method that uses ID scanning to determine a user’s exact age.

Government-issued ID and face match

An age verification method that uses government-issued IDs to determine a user's age and employs face match technology to verify ID ownership.

Credit card

An age verification method using credit card authorisation to confirm age.

Name & address

An age verification method that uses customer order details to verify age during account creation or order processing.

Mobile phone number

An age verification method confirming the phone is in the possession of and authorised for use by a person aged 18+

Get in touch

Discover how we can help you solve your compliance and safeguarding challenges.