Coming to the close of 2025, we have already observed significant shifts across industry during the early stages of the UK’s online safety regulatory regime. While there have been encouraging areas of progress, looking ahead to 2026 we want to see providers of online services delivering meaningful, measurable improvements for users online.
We have reflected on this progress, and our strategic priorities for 2026, in our first summary report on the technology sector’s response to the UK’s new online safety rules.
One of these priorities is providing a safer life for women and girls' online. On 25 November we published new guidance, which sets out nine areas for technology firms to improve women and girls’ online safety by taking responsibility, designing their services to prevent harm and supporting their users.
Looking ahead, we have published an update to our timelines for the key deliverables on our regulatory roadmap – outlining the timings for future codes, guidance, consultations, and statutory reports as we continue implementing the Act.
We continue to support regulated service providers through our accessible guidance and interactive digital tools. As part of this we have now created a digital library, so all current regulatory documents and guidance are in one place, and we launched new guidance for the gaming industry and file-storage and file-sharing services.
What's in this bulletin
Taking action on online safety
Online Safety in 2025 Report
On 4 December we published our first summary report on the technology sector’s response to the UK’s new online safety rules. Its purpose is to shine a light on how the tech industry is acting to keep UK people safe online and reduce their experience of harm. The report draws upon insights from across our work, including analysis of illegal harms risk assessments and our user focused research.
As we look ahead to 2026, we’ve set out the key priorities for industry. These build on the priorities and progress made this year, and you can explore the full detail in our Online Safety in 2025 report.
Making sure that age checks are effective
The top 100 most popular pornography providers, and other major services that allow pornography, must ensure they are using highly effective age assurance in line with our guidance, making it even harder for children to access harmful content. We will take further enforcement action where our evidence suggests this is not the case.
Stronger child protections
The services most used by children (including Facebook, Instagram, TikTok, YouTube, Roblox and Snap) must provide us with comprehensive information about the practical steps they are taking to protect children. They must prioritise risks associated with personalised feeds and improve their content moderation and recommender systems where needed, in line with our Codes.
Preventing child sexual abuse and grooming
We will expand our focus on services that present a high risk of child sexual abuse material (CSAM) beyond file-sharing and assess major services’ measures to protect children from potentially risky contact by adults. Subject to the outcome of our current consultation on additional safety measures, these services should adopt automated technologies to detect new CSAM material, where these are accurate and effective.
More effective removal of terror and illegal hate content
Major service providers must ensure their content moderation processes work effectively, taking account of our Codes.
Safer experiences for women and girls
Service providers should carefully consider and implement our guidance to prevent harm to women and girls and support users, including meeting their duty to tackle non-consensual intimate image sharing. We will report in the first half of 2027 on their progress.
Clearer risk oversight
Providers must send their risk assessments to us, on request, between 1 May-31 July 2026, taking account of the areas for improvement highlighted in our report on this year’s assessments, including confirming to us the named individual inside their business who is responsible for those assessments. We expect the relevant categorised services to have published summaries of their risk assessments by October 2026. We will also monitor whether providers are adequately assessing risks before they make significant changes to their products, such as introducing relevant AI functionalities.
Risk assessment standards and improvements
Alongside the Online Safety in 2025 Report, we have also published our analysis of risk assessment records from the first year of the duties being in force. In 2025, we requested and received 104 risk assessment records under our risk assessment enforcement programmes. Our analysis of the records revealed notable issues in the way providers conducted risk assessments and kept records.
The five areas of improvement we highlight are:
- Assess all kinds of illegal and harmful content
- Improve analysis of features, functionalities and other characteristics
- Demonstrate confidence in controls
- Base decisions on relevant evidence
- Implement appropriate risk governance
We will be providing supervised service providers with bespoke feedback on where their risk assessment records have fallen short and, in 2026, will request for relevant providers to send us their illegal content and children’s risk assessment records between 1 May and 31 July. We will take enforcement action where necessary improvements have not been made.
Small but risky services update
Alongside our work with the largest and most-used online platforms, Ofcom’s Small but Risky Services Taskforce was established in 2024 to tackle the distinct challenges posed by online platforms with small userbases but high potential for harm. These services, typically used by around 1% or less of the UK population as active monthly users, often feature high-risk functionalities or foster harm-endorsing cultures.
The taskforce works to ensure compliance with the Online Safety Act, focusing on platforms hosting priority harm content such as CSAM, hate and terror content, suicide, self-harm, eating disorder forums, and violence against women and girls.
This year, the taskforce has concentrated on several high-risk areas, including file-sharing and file-storage services which pose particular risks of CSAM. Through targeted engagement, we have secured improvements and protections across dozens of platforms and seen several geo-block the UK or close down entirely. The improvement in safety standards secured will make it much harder for CSAM to be shared on these services. This approach complements Ofcom’s broader compliance and enforcement efforts, securing online safety improvements faster across a wider range of services.
Enforcement progress
We have continued our enforcement work where providers of online services are failing to meet their duties under the Online Safety Act, focusing our efforts where we consider the risk to UK users to be greatest. Since our last bulletin, we have made progress in a number of areas, including issuing formal compliance decisions and penalties, closing investigations where providers have taken steps to leave the UK market and successfully concluding compliance remediation periods.
Penalties
- Illegal content: On 13 October, Ofcom issued a £20,000 fine to 4chan for its failure to respond to two statutory information requests, with an additional fine of £100 per day for up to 60 days if it does not provide the required information.
- Pornographic content: Ofcom issued a fine of £50,000 to Itai Tech Ltd on 19 November for its failure to implement highly effective age assurance on its nudification website by the 25 July deadline, and a further £5,000 for its failure to respond to a statutory information request.
- Pornographic content: On 4 December, Ofcom issued a £1,000,000 fine to provider AVS Group Ltd for failure to implement highly affective age assurance measures on its services, AVS Group Ltd must now implement highly effective age assurance within 72 hours of today’s decision or face a daily penalty of £1,000 per day. We have also fined AVS Group £50,000 for failing to respond to our information request and will impose a daily penalty on the company of £300 per day until it responds or for 60 days, whichever is sooner.
Concluded enforcement activities
- Pornographic content: On 19 November, Ofcom closed its investigation into Trendio Ltd for failure to introduce age assurance checks on 11 of its websites. Trendio Ltd engaged constructively with our investigation and provided information indicating it had taken steps in good faith towards compliance by the deadline. Trendio Ltd remains subject to obligations under the Act.
- CSAM on file-sharing platforms: Investigations into the providers of Krakenfiles, Nippyshare, Nippyspace, and Nippydrive were closed on 13 October due to the providers making these services unavailable to UK users following our engagement.
- CSAM on file-sharing platforms: Providers DStorage (provider of 1Fichier) and Wojtek (provider of Gofile) engaged constructively with Ofcom, revising their illegal content risk assessments and implementing appropriate perceptual hash matching solutions due to our informal enforcement work.
New enforcement action
- Pornographic content: We have opened investigations into a further 10 providers of pornographic content, bringing the total number of investigations opened in this sector to 18, covering 83 sites. This enforcement programme concerns the duty to protect children from encountering pornographic content. These companies were prioritised based on the risk of harm posed by the services and their user numbers, including significant increases since the 25 July 2025 deadline.
What you need to know and do
Obligations for regulated services
Industry fees
The Online Safety Act 2023 requires that Ofcom’s operating costs for the online safety regime are recovered through fees imposed on certain providers of regulated services. Providers whose “qualifying worldwide revenue” is above the £250m threshold set by the Secretary of State for Science, Innovation and Technology have a duty to pay these fees. Specifically, providers of regulated services will, in respect of a charging year, need to:
- Notify Ofcom in certain circumstances.
- Pay online safety fees to Ofcom if their QWR in the qualifying period meets or exceeds the QWR threshold and they are not exempt
Subject to the Parliamentary process, these Regulations will come into effect on 11 December 2025. Once in force, there will be a four-month notification window for relevant platforms to submit their revenue data to Ofcom for the 2026/27 charging year.
You can visit the OS fees page, which collates our fees publications and provides resources to register for the fees portal. Further updates relating to relevant fees guidance and consultation documents can be found below.
Guidance
Strengthening protections for women and girls online
After consulting in February 2025, we published our guidance for improving women and girls’ online safety on 25 November 2025. This guidance sets out how platforms can take action against harmful content and activity that affects women and girls, in recognition of the unique risks they face online. Currently:
- 98% of intimate images reported to the Revenge Porn Helpline were of women.
- 99% of deepfake intimate image abuse depicts women.
- Every case reported to the National Stalking Helpline includes online contact or monitoring.
- 77% of women are not comfortable expressing political opinions online because they fear being targeted with abuse.
- Nearly 70% of boys aged 11-14 have been exposed to online content that promotes misogyny and other harmful views.
Ofcom has written to sites and apps outlining the urgent need for industry-wide action, setting an expectation for all tech firms to take immediate action in line with the guidance.
We will publish an assessment of how providers are keeping women and girls safer on their services in May 2027, around 18 months after the guidance is issued.
We have also launched a new Women and Girls’ Online Safety hub to bring together practical resources for service providers. It also links to Ofcom’s research on online hate and abuse, and signposts to specialist support organisations for those affected by these harms.
Update: Data Preservation Notices and Information Powers Guidance
On 15 December, we will publish our statement on Data Preservation Notices and updated Online Safety Information Powers Guidance following our consultation earlier in the year. These updates relate to our powers under section 101 of the Online Safety Act in relation to Data Preservation Notices and Coroner Information Notices.
Final Online Safety fees guidance on QWR and Notification Processes Released
Following our consultations that ran earlier this year for online safety fees QWR and Notification Guidance, we have released a combined statement on Guidance on Qualifying Worldwide Revenue and Notification guidance. This statement outlines our final guidance to support providers in calculating their QWR figure, how to navigate the notifications process and what evidence is required for returns.
Upcoming information requests
In our January 2025 bulletin, we outlined our powers to request information from organisations under the Online Safety Act and what our approach would be. Recipients of these requests must respond fully, accurately, and by the deadlines we set. Our requests will be proportionate and have a clearly stated purpose, and we will aim to give reasonable notice of our requests to help with planning. The table below sets out a forward look at some of our current planned requests (although some timings and scope may change). We will be in contact with organisations individually where these requests are relevant.
| Planned date | Topic of information request | Service providers affected |
|---|---|---|
| November - December 2025 |
|
Selected service providers to be notified by Ofcom |
| November 2025 - January 2026 | Information to support Ofcom’s statutory report on the use of app stores by children | |
| January 2026 | Information to support Ofcom’s consultations on additional duties for categorised services. | |
| January - March 2026 | Information to support monitoring and impact programme relating to recommender systems on sites popular with children |
Please note that Ofcom may also use its information gathering powers under the Act to make additional requests, such as in response to compliance concerns, or under section 101 of the Act to support a coroner’s investigation into the death of a child.
Consultations
Consultation on draft guidance for categorised services concerning disclosure of information about a deceased child’s use of their platform – December 2025
On 15 December, we will publish a consultation on our draft guidance for categorised services concerning the disclosure of information to bereaved parents about their child’s use of the platform. This is part of the additional duties that apply to categorised services. We expect these duties to come into force in late 2026 when we finalise the guidance.
Consultation on Statement of Charging Principles - Online Safety Fees – November 2025
On 21 November 2025, we published our fourth and final consultation to implement the online safety fees regime. This consultation sets out our draft Statement of Charging Principles (SoCP), which details the principles we propose to apply when determining the fees payable by providers of regulated services, and includes details on how providers will be invoiced and can make payments. We encourage you to respond to this consultation no later than 5pm on 9 January 2026. We will publish our final SoCP in Q1 2026.
Resources and support
You can find our resources and support materials on our guide for services.
Supporting online video games services to comply
We’ve published a new resource for providers of online video games services. This includes guidance on how the Online Safety Act applies to gaming services, the risks that games may present to users, particularly children, and what providers of online games need to do to comply.
New digital library for online safety regulatory documents
We've created an online safety regulatory documents and guidance page that brings together all current regulatory documents, guidance and previous versions in one place. This new digital library makes it easier to access the information you need to help comply with the Online Safety Act.
Research, statistics and data hub
We maintain a central hub that brings together Ofcom’s latest research, statistics and data on online safety. This includes insights from user research, risk assessments and evidence on illegal and harmful content. Services can use this resource to better understand the online safety landscape and inform their compliance strategies under the Online Safety Act.
What’s coming up from Ofcom
Updated regulatory roadmap
Ofcom has published an update on our timelines for implementing the remaining phases of the Online Safety Act. This covers when we will deliver the further codes, guidance, statutory reports, and advice to Secretary of State that are required under the Act.
In this update, we confirm revised timings for publishing the register of categorised services and our consultation on the additional duties for those services. We now plan to publish these in July 2026 (subject to the outcome of the representations process we will be carrying out before finalising the categorisation register).
Over the next 12 months, Ofcom will continue to produce key regulatory documents at pace, including our final guidance on super-complaints (February 2026), and our additional safety measures statement (Autumn 2026). We are also committing to publishing two statutory reports on the effectiveness of age assurance (July 2026) and children’s use of app stores (January 2027).