Today marks the official entry into force of the provisions of the Online Safety Act (OSA) which relate to the identification and prevention of illegal harms.
As previewed in our article on the OSA enforcement program and in our illegal harms explainer article, 16 March 2025 was the deadline for in-scope services to complete illegal content risk assessments and to implement the measures outlined in Ofcom’s illegal content codes of practice (or other equally effective measures) to address the risks identified in these illegal content risk assessments.
To mark the date and as part of the OSA’s objective to make the UK the safest place in the world to be online, Ofcom has published a statement on, and launched an enforcement programme into, child sexual abuse material (CSAM) on file sharing and storage services.
What does this mean in practice?
From today, Ofcom will, in theory, have the ability to take enforcement action against in-scope services that have not complied with the obligations to carry out an illegal harms risk assessment and to implement appropriate mitigating measures to address risks identified within this assessment. However, the statement published on its website today indicates that Ofcom does not expect in-scope services to have fully implemented appropriate measures by today, but rather that, from today, the duties to adopt appropriate measures will come into force.
Potentially, the reason for this slight discrepancy between today’s statement and Ofcom’s previous statement on illegal harms, in terms of when measures need to be fully implemented, is that the duty to implement appropriate measures is subject to the codes of practice completing the Parliamentary process, a procedure which may not yet have come to a conclusion.
Equally, the slightly revised timeline aligns with recent statements made by Ofcom which indicate that, while large services have been asked to submit copies of their illegal content risk assessments by 31 March 2025, Ofcom is unlikely to take any formal enforcement actions for non-compliance with the illegal harms provisions until September 2025 (other than in respect of very severe cases of non-compliance).
In practice, the net result of these various statements is that:
- Illegal content risk assessments ought still to have been carried out by 16 March 2025.
- If illegal content risk assessments have not yet been carried out, in-scope service providers can take some comfort from the fact that, as reported by us here, Ofcom has already requested certain providers of higher risk services to provide copies of their illegal content risk assessments by 31 March 2025. If no such request has been received, Ofcom is unlikely to commence any formal investigation or enforcement action until September 2025 (though Ofcom may not look favourably on assessments completed after the initial deadline of 16 March).
- If illegal content risk assessments have been carried out, the focus should now be on ensuring that appropriate measures identified as part of these assessments are not only implemented over the next 6 months, but also tested, reviewed and improved in advance of September 2025 (including to take account of any updates to Ofcom’s guidance and codes of practice).
What services are most likely to receive Ofcom’s attention?
Finally, it is of particular note that both the statement and the enforcement programme published today emphasise that file-sharing and file-storage services are particularly susceptible to the sharing of image-based CSAM. Ofcom therefore intends to prioritise the tackling of image-based CSAM on high-risk services in the following ways:
- Assessing the measures taken by these services to comply with their illegal content duties.
- Taking enforcement action where such service providers have not complied with such duties or cooperated with formal information requests.
- Continuing to engage with these providers to better understand their efforts to detect CSAM and to comply with their illegal content duties.
Ofcom has also confirmed that advisory letters have been sent to a number of file sharing and storage service providers to inform them of their duties under the OSA. Service providers that potentially fall within either of these categories should be prepared to provide Ofcom with copies of their illegal content risk assessment(s) and to comply with any requests for information which may be forthcoming in September 2025.