Investigation into the provider of Nippydrive and its compliance with duties to protect its users from illegal content

Background

Part 3 of the Online Safety Act (‘the Act’) imposes ‘Illegal Content Duties’ on providers of regulated user-to-user (‘U2U’) services. These include requiring all user-to-user and search services in scope of the Act to undertake an illegal content risk assessment by 16 March 2025.

In addition, Part 3 of the Act imposes duties on providers of regulated user-to-user services to take or use proportionate measures to:

1. prevent individuals from encountering priority illegal content – including CSAM – by means of the service; and
2. effectively mitigate and manage the risk of the service being used for priority offences or harm to individuals arising on the service as identified in the most recent ‘Illegal Content Risk Assessment’;

They must also implement systems and processes designed to minimise the length of time for which any priority illegal content is present and swiftly take it down when they are made aware of its presence.

Regulated U2U service providers can comply with the Illegal Content Duties by implementing measures recommended in Ofcom’s illegal content Codes of Practice for user-to-user services issued on 24 February 2025 (the ‘Codes of Practice’), or through alternative measures.

These duties came into effect on 17 March 2025.

Enforcement programme

On 17 March 2025, Ofcom opened an enforcement programme to assess the measures being taken by providers of file-sharing and file-storage services to ensure users do not encounter, and offenders are not able to disseminate, image-based child sexual abuse material (‘CSAM’) on their services.

As part of this enforcement programme, on 1 April 2025 Ofcom sent a statutory information notice issued under section 100 of the Act (the ‘Notice’) to providers of a number of file-sharing and file-storage services that appear to present particular risks of harm to UK users from CSAM. The Notice required the recipients to provide, by no later than 1 May 2025:

• information to assess whether they are in-scope of the Act and, if so, the measures they have in place, and/or will soon have in place, to identify, assess and remove known image-based CSAM; and
• a record of their illegal content risk assessments.

The provider of Nippydrive was one of those providers. As of today, it has not responded to the Notice or provided a record of its illegal content risk assessment.

Investigation

Today, 10 June 2025, Ofcom has opened an investigation into the provider of Nippydrive into whether it has:

• complied with its duties to act in accordance with the requirements of the Notice pursuant to section 102(8) of the Act;
• complied with its duties to complete, and keep a record of, an illegal content risk assessment pursuant to sections 9 and 23 of the Act; and
• complied with the illegal content duties in respect of CSAM pursuant to section 10 of the Act by implementing measures recommended in the Codes of Practice or through alternative measures.

Ofcom’s Online Safety Enforcement Guidance sets out how Ofcom will normally approach enforcement under the Act. This includes our approach to information gathering and analysis and the procedural steps we must take to fairly determine the outcome of the investigation.

Where we identify compliance failures, we can impose fines of up to £18m or 10% of qualifying worldwide revenue (whichever is greater). In the most serious cases of non-compliance, and where appropriate given risks of harm to individuals in the UK, we can seek a court order to require third parties to take action to disrupt the business of the provider. This may require third parties (such as providers of payment or advertising services, or Internet Service Providers) to withdraw services from, or block access to, a regulated service in the UK.

We will provide an update on this investigation in due course.