Investigation into X Internet Unlimited Company and its compliance with duties to protect its users from illegal content and child users from harmful content

Background

Part 3 of the Online Safety Act (‘the Act’) imposes duties on providers of regulated user-to-user (‘U2U’) services to prevent users encountering illegal content and children encountering harmful content. The Act also requires U2U services in scope of the Act to consider the risks of harm presented by its service to its users by carrying out a:

• suitable and sufficient illegal content risk assessment; and
• suitable and sufficient children’s risk assessment (where the service is likely to be accessed by children).

The duty to carry out an illegal content risk assessment came into effect on 16 March 2025, and a children’s risk assessment on 24 July 2025.

In addition, Part 3 of the Act imposes duties on providers of regulated U2U services to, among others:

• take or use proportionate measures to prevent individuals from encountering priority illegal content – including intimate image abuse and Child Sexual Abuse Material (‘CSAM’) – by means of the service;
• effectively mitigate and manage:
  • the risk of the service being used for the commission of priority offences; and
  • the risks of harm to individuals, as identified in the most recent ‘Illegal Content Risk Assessment’;
• implement systems and processes designed to minimise the length of time for which any priority illegal content is present and swiftly take it down when they are made aware of its presence;
• use proportionate systems and processes designed to prevent children of any age from encountering, by means of the service, primary priority content – including pornographic content – that is harmful to children. This includes the use of highly effective age assurance to prevent children from encountering primary priority content; and
• effectively mitigate and manage the risks of harm to children, as identified in the most recent ‘Children’s Risk Assessment’. 

Providers are also required to allow for users to easily report illegal content and content that is harmful to children, in addition to operating complaints procedures in relation to such content. Providers are required to provide for appropriate action to be taken in response to complaints. 

The duties relating to illegal content came into effect on 17 March 2025, and the duties to protect children from harmful content came into effect on 25 July 2025.

Investigation

Ofcom has today opened an investigation into XIUC’s compliance with its duties under the Act. The investigation follows widespread reports that a Grok model on X is/was being used to generate and share content that may amount to intimate image abuse, CSAM and pornography that is accessible to children. 

Ofcom’s investigation will seek to establish whether there are reasonable grounds to believe that XIUC has failed, or is failing, to comply with its legal obligations as set out above. 

Ofcom’s Online Safety Enforcement Guidance sets out how Ofcom will normally approach enforcement under the Act. This includes our approach to information gathering and analysis and the procedural steps we must take to fairly determine the outcome of the investigation. 

Where we identify compliance failures, we can impose fines of up to £18m or 10% of qualifying worldwide revenue (whichever is greater). In the most serious cases of ongoing non-compliance, and where appropriate given the risks of harm to individuals in the UK, we can make an application to a court for ‘business disruption measures’, through which a court could impose an order, on an interim or full basis, requiring payment providers or advertisers to withdraw their services from a platform, or requiring internet service providers to block access to a site in the UK. The court may only impose such orders where appropriate and proportionate to prevent significant harm to individuals in the UK.

We will provide an update on this investigation as soon as possible.