Investigation into the provider of Im.ge and its compliance with duties to protect its users from illegal content

Online safety Illegal and harmful content Enforcement
Published: 10 June 2025
Last updated: 12 February 2026

Open

Investigation into

The provider of Im.ge

Case opened

10 June 2025

Summary

We are investigating whether the provider of Im.ge has failed/is failing to comply with its duties under the Online Safety Act 2023 to:

  • respond to a statutory information request;
  • complete a suitable and sufficient illegal content risk assessment;
  • make and keep a record of this assessment; and
  • comply with the safety duties about illegal content which apply in relation to regulated user-to-user services.
Relevant legal provision(s)

Sections 9, 10, 23 and 102(8) of the Online Safety Act.

Provisional Decision: Risk Assessment duties 

In accordance with section 130 of the Online Safety Act 2023, we have today issued the provider of Im.ge with a provisional notice of contravention.  

Ofcom considers that there are reasonable grounds for believing the provider of the Im.ge service has contravened its duties under section 9(2) to carry out a suitable and sufficient illegal content risk assessment. Ofcom is minded to exercise its powers under section 134 of the Act which allow for Ofcom to determine the outcome of a risk assessment in certain circumstances. In this case, we are minded to include a determination in respect of the identified risk that section 10(2)(b) and (c) of the Act applies as if the Im.ge Service had carried out an illegal content risk assessment and identified that it was high risk of image-based CSAM. 

We will consider any representations provided in response to this provisional notice of contravention before we make a final decision on this matter. 

Additional information related to this investigation 

On 15 January 2026, Ofcom published a non-confidential version of the Confirmation Decision issued to the provider of the Im.ge Service, in relation to its failure to comply with two statutory information requests. The Confirmation Decision, issued to the provider of the Im.ge Service on 17 December 2025, imposed a penalty of £20,000 on the provider of the Im.ge Service in respect of both breaches.  

Ofcom’s investigation continues to examine whether there are reasonable grounds to believe that the provider of Im.ge has failed, or is failing, to comply with its duties to protect its users from illegal content. We will provide updates on these matters in due course 

Confirmation Decision: Non-confidential version 

Ofcom has today published a non-confidential version of the Confirmation Decision issued to the provider of the Im.ge Service on 17 December 2025 in relation to its failure to comply with two information notices under section 102(8)(a) of the Online Safety Act 2023 (‘the Act’). We are also publishing the first and second information requests referred to in this decision.

Confirmation Decision: Information Notice duties

In accordance with section 132 of the Online Safety Act 2023 (the Act’), we have today issued the provider of the Im.ge Service with a Confirmation Decision in relation to its failure to comply with two statutory information requests.

Ofcom has determined that the provider of the Im.ge Service has breached its duty under section 102(8)(a) of the Act to comply with a statutory request for information, on two separate occasions.

We are imposing a fixed penalty of £20,000 on the provider of the Im.ge Service in respect of both breaches. This penalty was set having regard to our Penalty Guidelines.

In addition, the Im.ge Service is now required to take immediate steps to comply with section 102(8) by providing the information requested in two statutory information requests, which included the following:

  1. a copy of the record of the Illegal Content Risk Assessment in respect of the service; and
  2. information relating to its qualifying worldwide revenue.

In the event of continuing non-compliance, a daily rate penalty of £100 per day will be imposed starting from the day after the date of the Confirmation Decision for either 60 days or until the provider of the Im.ge Service provides Ofcom with the information requested in the two statutory information requests (whichever is sooner).

A non-confidential version of the Confirmation Decision will be published shortly.

Ofcom’s investigation into the Im.ge Service’s compliance with its duties to complete, and keep a record of, a suitable and sufficient illegal content risk assessment and its compliance with the illegal content duties in respect of CSAM remain ongoing. We will provide updates on these matters in due course.

Provisional Decision: Information Notice duties

In accordance with section 130 of the Online Safety Act 2023, we have today issued the provider of Im.ge with a provisional notice of contravention.

Ofcom considers that there are reasonable grounds for believing the provider of this service has contravened its duties under section 102(8) of the Act to comply with two requests for information. We will consider any representations provided in response to this provisional notice before we make a final decision on this matter.

The additional duties under investigation

Ofcom’s investigation continues to examine concurrently whether there are reasonable grounds to believe that the provider of Im.ge has failed, or is failing, to comply with the other duties under investigation, including duties to complete and keep a record of a suitable and sufficient illegal content risk assessment and protect its users from illegal content. We will provide updates on these matters in due course.

Background

Part 3 of the Online Safety Act (‘the Act’) imposes ‘Illegal Content Duties’ on providers of regulated user-to-user (‘U2U’) services. These include requiring all user-to-user and search services in scope of the Act to undertake an illegal content risk assessment by 16 March 2025.

In addition, Part 3 of the Act imposes duties on providers of regulated user-to-user services to take or use proportionate measures to:

  1. prevent individuals from encountering priority illegal content – including CSAM – by means of the service; and
  2. effectively mitigate and manage the risk of the service being used for priority offences or harm to individuals arising on the service as identified in the most recent ‘Illegal Content Risk Assessment’;

They must also implement systems and processes designed to minimise the length of time for which any priority illegal content is present and swiftly take it down when they are made aware of its presence.

Regulated U2U service providers can comply with the Illegal Content Duties by implementing measures recommended in Ofcom’s illegal content Codes of Practice for user-to-user services issued on 24 February 2025 (the ‘Codes of Practice’), or through alternative measures.

These duties came into effect on 17 March 2025.

Enforcement programme

On 17 March 2025, Ofcom opened an enforcement programme to assess the measures being taken by providers of file-sharing and file-storage services to ensure users do not encounter, and offenders are not able to disseminate, image-based child sexual abuse material (‘CSAM’) on their services.

As part of this enforcement programme, on 1 April 2025 Ofcom sent a statutory information notice issued under section 100 of the Act (the ‘Notice’) to providers of a number of file-sharing and file-storage services that appear to present particular risks of harm to UK users from CSAM. The Notice required the recipients to provide, by no later than 1 May 2025:

  • information to assess whether they are in-scope of the Act and, if so, the measures they have in place, and/or will soon have in place, to identify, assess and remove known image-based CSAM; and
  • a record of their illegal content risk assessments.

The provider of Im.ge was one of those providers. As of today, it has not responded to the Notice or provided a record of its illegal content risk assessment.

Investigation

Today, 10 June 2025, Ofcom has opened an investigation into the provider of Im.ge into whether it has:

  • complied with its duties to act in accordance with the requirements of the Notice pursuant to section 102(8) of the Act;
  • complied with its duties to complete, and keep a record of, an illegal content risk assessment pursuant to sections 9 and 23 of the Act; and
  • complied with the illegal content duties in respect of CSAM pursuant to section 10 of the Act by implementing measures recommended in the Codes of Practice or through alternative measures.

Ofcom’s Online Safety Enforcement Guidance sets out how Ofcom will normally approach enforcement under the Act. This includes our approach to information gathering and analysis and the procedural steps we must take to fairly determine the outcome of the investigation.

Where we identify compliance failures, we can impose fines of up to £18m or 10% of qualifying worldwide revenue (whichever is greater). In the most serious cases of non-compliance, and where appropriate given risks of harm to individuals in the UK, we can seek a court order to require third parties to take action to disrupt the business of the provider. This may require third parties (such as providers of payment or advertising services, or Internet Service Providers) to withdraw services from, or block access to, a regulated service in the UK.

We will provide an update on this investigation in due course.

Contact

Enforcement team (csam.programme@ofcom.org.uk)

Case reference

CW/01300/06/25