Given the focus on large social media and video sharing platforms when it comes to discussing online safety, operators of small, community-run forums might be forgiven for thinking their services would not be caught by the Online Safety Act (OSA). They would, however, be sorely mistaken. With over 100,000 online services predicted to be in scope of the OSA, it is clear that its reach goes well beyond just big tech platforms.
While larger and higher-risk online platforms will be subject to more obligations under the OSA, there is no general exemption for small platforms such as niche, volunteer-run forums. If a service falls within scope of the OSA, its provider will be required to comply, regardless of the service’s size and composition.
Does the OSA apply to my forum?
The OSA applies to providers of three types of online service: (i) user-to-user (U2U); (ii) search engines; and (iii) pornography services. The scope of the OSA is intentionally broad and Ofcom has specifically called out discussion forums and chat rooms as falling within the wide definition of U2U service (essentially an online service that allows users to engage with each other’s posts, comments or other content).
If a forum only comprises a minor part of a much larger online offering that is otherwise not in scope of the OSA, the forum itself will still be in scope. For example, a provider of a fashion retail website that also operates a customer forum, where users can share and comment on each other’s outfit choices, will still be in scope of the OSA for the forum part of its service (though the primary service offered by the website is not in scope).
Notably, there also needs to be a ‘UK link’ for the OSA to apply to a forum, i.e.: (i) it has a significant number of UK users; (ii) UK users form a target market for the forum; and/or (iii) it is capable of being used by UK individuals and there is a material risk of content on the service presenting significant harm to those individuals. If your forum meets at least one of these ‘UK link’ criteria, then it will be in scope of the OSA. For more information on when the OSA applies, see our scope explainer article.
My forum is in scope of the OSA – what do I need to do to comply?
Illegal content risk assessment
All in-scope services, regardless of size or type, will need to complete an illegal content risk assessment. The outcome of this assessment will inform the safety measures that a service then needs to implement to comply with the OSA.
The illegal content risk assessment involves: (i) identifying the types of illegal content that may be present on the forum (including by reference to 17 types of “priority illegal content” identified by Ofcom); (ii) assessing the risk of users encountering that illegal content on the forum; and (iii) identifying and implementing mitigating measures to address these risks. Ofcom has published guidance on how to carry out an illegal content risk assessment, and we break this down in our illegal harms explainer article.
Note that Ofcom has identified discussion forums as an at-risk service type, since illegal content can be shared and discussed in a public (and therefore prominent and easily accessible) setting. Other risk factors include if the forum allows sharing of images or videos, commenting on content, or permits users to create profiles or post anonymously.
Even if a forum is assessed as being low or negligible risk for all types of illegal harm, there are still a number of foundational protections that its providers will need to put in place to demonstrate compliance with the OSA. Ofcom’s Illegal Harms Codes of Practice list 14 basic measures that it recommends all in-scope U2U service providers put in place, which include having terms and conditions that are easy to access and understand; a user complaints process for when illegal content is discovered on the service; the ability to review and take down content; and a specific individual appointed to be responsible for OSA compliance. In practice, this may not be too onerous for very small forums, which have a limited amount of content that is all subject to human review.
The deadline for completing an illegal content risk assessment and implementing resulting safety measures is 16 March 2025.
Children’s access assessment
All in-scope services must also conduct a children’s access assessment (CAA) to assess if their service, or part of their service, is likely to be accessed by children. Providers of forums will therefore need to consider: (i) if it is possible for children to access the forum and, if so, (ii) whether there are significant numbers of children using the forum or the forum is likely to attract significant numbers of children. A provider can only conclude that children are not able to access the forum (part (i)) if it has implemented highly effective age assurance to keep under 18s off it. For further guidance on carrying out CAAs, see our protection of children explainer article. The deadline for completing a CAA is 16 April 2025.
If a provider concludes in its CAA that children are likely to access its forum, it will also need to conduct a children’s risk assessment (CRA) within three months of Ofcom finalising the Protection of Children Codes (expected end of April 2025; therefore the deadline to complete CRAs will likely be July 2025). This assessment will look at the risk of different types of content that could be harmful to children being present on the forum and will be conducted on a similar basis to the illegal content risk assessment.
What are the risks of non-compliance?
Ofcom has wide enforcement powers under the OSA, including the right to enter, inspect and audit business premises and to impose fines of up to £18 million or 10% of qualifying worldwide revenue (whichever is higher). See our enforcement explainer article for more information on Ofcom’s enforcement powers.
Ofcom has stated that it will take a risk-based approach to enforcement, with enforcement measures being “targeted” and “proportionate”. Consequently, its focus is likely to be on the largest organisations with the biggest reach and those that present the highest level of risk to users. Small and/or low-risk services, such as niche community forums, are unlikely to be subject to Ofcom’s most severe enforcement powers. However, that is not to say that providers of smaller services should take their compliance obligations lightly. Ofcom has been clear that it will not hesitate to take action against organisations that have not taken steps to comply with the OSA (noting that it will likely show more leniency to organisations that have made efforts to comply, even if such efforts are not completely successful).
Final word
Ofcom has been clear that there is no “one size fits all” approach to complying with the OSA and that its guidance and recommended compliance measures are designed to be risk-based and proportionate. Accordingly, Ofcom’s expectations for smaller services, such as small forums, will be different to those for larger services. That said, there are no specific exemptions for small services. With compliance deadlines looming and more coming in the summer, the time to act is now for operators of forums, no matter how small, niche or low-risk they may be.