From 7 April 2026 most online services in scope of the Online Safety Act, specifically user-to-user services, will be required to report detected and unreported CSEA content to the National Crime Agency (NCA), in line with UK CSEA offences.
Services will be required to report to the NCA via its Child Sexual Exploitation & Abuse Industry Reporting Portal (CSEA-IRP), unless reporting to an equivalent body outside of the UK.
This requirement is known as the CSEA reporting duty. If you are unsure whether your service is in scope of the Online Safety Act, you can use the Regulation Checker to find out.
This quick guide will help you to understand:
- how the reporting duty applies;
- who needs to report;
- what steps you should take;
- what must be reported; and,
- where to report.
How the reporting duty applies
The Online Safety Act requires service providers to operate the service using systems and processes which ensure (so far as possible) that the provider reports all detected and unreported CSEA content present on the service to the NCA.
The new Reporting Regulations set out the practical steps services need to follow to comply. They explain in more detail what you must do in practice when submitting reports to the NCA. This includes registration with the NCA before submitting reports, report formats and timeframes, data retention requirements, and the information that must be included in a report.
Who needs to report?
The duty applies to all regulated user-to-user and search services, however the regulations coming into force on 7 April 2026 apply to user-to-user services only. Commencement for search services is expected at a later date.
A user-to-user service is an internet service that enables users to generate, share or upload content (such as messages, images, videos, comments, audio) on the service that may be encountered by other users of the service. This includes services that enable user interactions.
UK-based service providers must report all detected and unreported CSEA content to the NCA. Providers based outside the UK must report UK-linked CSEA content to the NCA.
The duty to report CSEA content applies regardless of service size or the level of CSEA risk identified on a service.
To protect online users, the regime also includes an associated criminal offence of reporting false information as part of that reporting requirement.
A user-to-user service is considered in scope of the CSEA reporting duty if it is provided from within the UK, or if it is based outside of the UK but has a large number of UK users or actively targets the UK as one of its main markets. Providers from outside of the UK are only required to report UK-linked detected and unreported CSEA content to the NCA.
What you need to do
- Review your existing content moderation and reporting processes to identify gaps.
- Ofcom recommends that you ensure your systems capture all CSEA content detected - whether identified by users, hash-matching tools, or proactive detection.
- Read the Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2026)
- If you already report to another body outside the UK, check whether all relevant CSEA content is being reported there - if not, you will need to report the gap to the NCA.
- Register for the NCA Child Sexual Exploitation & Abuse Industry Reporting Portal (CSEA-IRP) so you are ready to start sending your reports when the duty comes into effect. The portal will be available to register your organisation on 7 April 2026.
Why reporting CSEA matters and what it means for your service
When your service detects and reports CSEA content, you play an important role in helping law enforcement identify offenders, disrupt abuse networks and, most importantly, safeguard victims of child sexual exploitation and abuse.
Up to now, US-based services have been legally required to report CSEA content to the National Center for Missing & Exploited Children (NCMEC) through its CyberTipline. This obligation has not applied universally. As a result, services located outside the US have chosen to report CSEA content to NCMEC on a voluntary basis.
In the UK, without a specific duty to report CSEA until now, some services have been removing CSEA content from their service without law enforcement ever being made aware of it. This means opportunities to take action against CSEA offenders and safeguard victims of exploitation and abuse have been missed.
This reporting duty changes that. It ensures that when your service detects CSEA, that detection triggers action, not just removal.
Does reporting make a difference?
Reports submitted by services are not just logged and forgotten - they trigger real action. The example below illustrates what that can look like in practice.
Case study
The user of a social media account uploaded multiple indecent images and videos of children, alongside extreme pornographic material. The NCA received separate referrals and disseminated the intelligence at pace to a police force, due to the possibility that some of the media files were first-generation material - content not previously seen on the internet, which is considered very high risk.
The police made an arrest and safeguarded a child victim. The suspect was charged with indecent image offences and offences related to sexual assault of a child and was sentenced to 9 years’ imprisonment.
What must be reported
If your service is based in the UK, you must report all detected and unreported CSEA content present on your service to the NCA. If your service is based outside the UK, you must report UK-linked detected and unreported CSEA content to the NCA.
Detected CSEA content
“Detected” means any CSEA content that the service detects. It does not matter how the service becomes aware of it. This can include user reporting, reports from other child protection agencies, hash matching for known CSAM, or other proactive detection of CSEA content. The duty does not require services to detect CSEA content and is not dependent on any duties on services to tackle or detect CSEA.
Unreported CSEA content
“Unreported” means CSEA content that has not already been reported to an foreign agency (for example, the US Cyber Tipline operated by the National Center for Missing and Exploited Children (NCMEC)).
Services should not duplicate reporting efforts. This means you should not report the same CSEA content to both NCMEC and the NCA. Where NCMEC receives industry reports linked to the UK (i.e. relating to a UK user), existing processes mean NCMEC passes the report to the NCA to action.
What counts as CSEA content?
CSEA content means any content that amounts to one of the CSEA offences listed in Schedule 6 of the Act. These offences include child sexual abuse material (CSAM) and grooming offences. The reporting duty covers all content that constitutes a Schedule 6 offence, including known and unknown CSAM and content that amounts to grooming offences.
Providers from outside of the UK are only required to report UK-linked CSEA content to the NCA. Content is UK‑linked if the provider has evidence of a link between the content and the UK, such as where the content was published or uploaded, the nationality or location of the person committing an offence, or the location of a suspected victim.
Where to report
When the CSEA reporting duty comes into effect on 7 April 2026, in-scope regulated user-to-user services that are not already reporting to NCMEC will need to register for the NCA Industry Reporting Portal (CSEA-IRP) and submit reports in the format and timeframes set out in the regulations. The regulations explain all the information that a report must include, where available.
In the meantime, services can report CSEA to NCMEC’s CyberTipline. If the referral relates to a child in immediate danger, call 999 to report an emergency to your local UK police force or if known, the local UK police force of the child in danger.
If you already report to NCMEC (or report elsewhere)
Many services already report CSEA they identify. US-based services are required to report to NCMEC, and many services outside the US have voluntary reporting arrangements into NCMEC. The Online Safety Act allows services to report to the NCA or a “foreign agency” (a body outside the UK with functions corresponding to the NCA’s functions for receiving and disseminating CSEA reports) e.g. NCMEC.
If a service is already reporting all CSEA content under UK CSEA offences to NCMEC, it will not be “unreported” CSEA content for the new reporting duty. Services should not report the same content to the NCA, as NCMEC already refers relevant UK-linked reports to the NCA. If a service only reports some CSEA content to NCMEC, it needs to start reporting all relevant CSEA content. This includes content that may be legal in some jurisdictions but constitutes a UK offence, where it is UK‑linked
Monitoring and enforcement
As well as working closely with the NCA and other child protection agencies to understand services’ compliance with this requirement, Ofcom can also require services to provide information directly as part of carrying out our functions, including assessing compliance with the reporting duty. If in-scope providers are found not to be complying with this duty to report CSEA to NCA, Ofcom can take enforcement action, which may result in a penalty being imposed of up to 10% of qualifying worldwide revenue or £18 million (whichever is the greater), may require remedial action to be taken and may involve Ofcom applying to the court for business disruption measures. More information on Ofcom’s Online Safety Enforcement can be found in our guidance.