As we move into 2026, we continue to see action taken in response to the Online Safety Act, including more services introducing age checks across social media, dating, gaming and messaging, alongside ongoing enforcement activity where services fall short. We’ve seen further progress in the adult sector: of the top 100 dedicated pornography services, 77 now have age assurance in place and a further 7 have geoblocked UK users (as of the end of January 2026).
This quarter also marks a significant moment: for the first time we have publicly set out clear demands to the platforms children use the most, requiring them to go further to keep children safe online, demanding further action to enforce their minimum age rules with highly-effective age checks, tackle grooming, make feeds safer and test their products rigorously.
Looking ahead to the next quarter, service providers should ensure their illegal content and children’s risk assessment are up to date. Service providers should also take steps to report all detected and unreported child sexual exploitation and abuse content present on their service to the National Crime Agency (‘NCA’) when the duty comes into force on 7 April 2026.
Ofcom is consulting on updates to the illegal harms regulatory documents and guidance for new priority offences. The consultation period for the draft guidance for categorised services concerning the disclosure of information about a deceased child’s use of their platform will be closing soon. Further details on these consultations, including how to respond, can be found below.
Later this month, we will publish our final Plan of Work 2026/27, setting out our priorities and areas of work across all of our regulatory sectors for the next financial year (building on Ofcom’s Three Year Plan 2025–2028). You can view our proposed Plan of Work.
We want to hear from you
We’re collecting feedback to improve the Online Safety Industry Bulletin and understand how you use it. The form takes around 2 minutes to complete. Your responses will help us shape future editions and the resources we signpost.
What's in this bulletin
Taking action on online safety
Raised expectations for services
We have written to Facebook, Instagram, Roblox, Snapchat, TikTok and YouTube, the services children use the most, setting out four clear demands for further action, with a deadline of 30 April to report back on the steps they will take. While there are many examples of progress to be welcomed, the industry has not done enough. We will report on platforms’ responses in May and announce any next steps for regulatory action. We have been clear these platforms must implement:
- Effective minimum-age policies - using highly effective age assurance to enforce minimum age rules. Our research shows 72% of children aged 8–12 are still accessing sites and apps with a minimum age of 13.
- Failsafe grooming protections - strict controls to stop strangers contacting children they do not know, including use of highly effective age assurance to check users’ ages.
- Safer feeds for children - algorithms are children’s main pathway to harm online. We are issuing legally-binding information requests to large platforms to inform our assessment of recommender systems, and not hesitating to take enforcement action if we identify failings.
- An end to product testing on children - platforms must notify us that they have, as required by law, assessed the risk of significant updates before they are deployed.
If we are not satisfied with platforms’ responses, we will be ready to take enforcement action. You can read the full news release.
Enforcement progress
We have continued our enforcement work where providers of online services are failing to meet their duties under the Online Safety Act, focusing our efforts where we consider the risk to UK users to be greatest. Since our last bulletin, we have made progress in a number of areas, including issuing formal compliance decisions and penalties where adult services have failed to implement highly effective age assurance to protect children, closing investigations where providers have taken steps to leave the UK market, and opening a range of new investigations into a service providers’ compliance with duties to protect their users from illegal content.
- Protecting children: Ofcom has fined 8579 LLC £1.35 million for failing to put highly effective age assurance in place to prevent children from readily accessing pornographic content (with daily penalties of £1,000 until age assurance is implemented, or for 100 days, whichever is sooner), and £50,000 for failing to respond to an information request (with a daily penalty of £250 until it responds, or for 60 days, whichever is sooner).
- Protecting children: Ofcom has fined Kick Online Entertainment SA £800,000 for failing to put in place age checks to protect children from pornographic content, and £30,000 for failing to comply with statutory information request requirements (with a daily penalty of £200 until it responds, or for 60 days, whichever is sooner).
- Illegal content: Ofcom has fined the provider of Im.ge, a file-sharing service, £20,000 for failing to comply with two statutory information requests.
- Illegal content: Ofcom has issued a provisional notice of contravention to a suicide forum with setting out provisional breaches of duties in relation to its illegal content risk assessment, illegal content safety duties (related to measures to prevent individuals encountering priority illegal content, operating a service designed to minimise the length of time priority illegal content is present and swiftly take down illegal content, specify how individuals are to be protected from illegal content) and duties relating to content reporting and complaints procedures in relation to illegal content.
- Protecting children: Ofcom has published the non‑confidential version of its Confirmation Decision in relation to Itai Tech Ltd, and the investigation is now closed. In response to the investigation, Itai Tech Ltd implemented a block restricting users with UK IP addresses from accessing its service and has paid the penalty set out in the Confirmation Decision.
- Illegal content: Ofcom opened a new formal investigation into X (formerly Twitter) in January to assess compliance with duties to protect users from illegal content and harmful material, following concerns about Grok AI generating and sharing content that may amount to intimate image abuse, child sexual abuse material and pornography that is accessible to children.
- Illegal content: Ofcom opened an investigation into the provider of two online image boards to assess compliance with duties to protect users from illegal content (including non-consensual intimate images and child sexual abuse material), implement appropriate content reporting, complaints procedures and terms of service, and complete and keep a record of a suitable and sufficient illegal content risk assessment.
- Protecting children: Ofcom opened investigations into Novi Ltd and Reply Buzzer Ltd, to assess compliance with duties to prevent children from encountering pornographic content through highly effective age assurance. The investigation into Novi Ltd also assesses compliance with duties relating to children’s access assessments.
What you need to know and do
Obligations for regulated services
It is now nearly a year since service providers completed their first illegal content risk assessment (16 March 2025). Ofcom recommends that services review their risk assessments at least annually. We recognise some services may be unsure what this means in practice.
Keeping your risk assessments up to date
You must take appropriate steps to keep your risk assessments up to date, including responding to key triggers. This includes:
- Updating your risk assessment if Ofcom makes any significant change to a Risk Profile that relates to your service. A current and important example of this is the addition of new priority offences: in December 2025, the Government upgraded cyberflashing and encouraging or assisting serious self-harm to priority offences under the Online Safety Act. Ofcom will be consulting on updated Risk Profiles to reflect these changes, which means providers will need to review and update their illegal content risk assessments accordingly. For full details on what this means in practice and when to act, see ‘Updates to Illegal Harms regulatory documents and guidance for new priority offences’ in the Consultations section below; and
- Before making any significant change to your service’s design or operation, carry out a further suitable and sufficient illegal content or children’s risk assessment on the impacts of that change.
In practice, reviewing your risk assessment at least annually, means considering your most recent risk assessment alongside any new evidence you have collected during operation of your service, or new developments in the external environment.
Only providers formally notified by us will be required to send us their illegal content and children’s risk assessment records.
Duty to report child sexual abuse (CSEA) content to the National Crime Agency (NCA)
The Online Safety Act requires that all regulated service providers must report all detected and unreported CSEA content present on the service to the NCA. If your service is based outside the UK, you are only required to report CSEA content that is UK-linked. The requirement applies to all regulated user-to-user and search services; however, this is not being commenced for search services until a later date. We have also published a webpage detailing the duty to report child sexual exploitation and abuse (CSEA) content.
This duty will come into force on 7 April 2026, following the regulations relating to the reporting of CSEA to the NCA being laid by the UK Government on 12 March 2026. Providers of online services should register with the NCA’s Child Sexual Exploitation & Abuse Industry Reporting Portal to enable you to submit reports.
Further communications will be published by Ofcom, the Home Office and the NCA. Services should look out for these to help them prepare to meet the reporting duty.
Regulated services that already report all detected CSEA content to the National Center for Missing and Exploited Children (NCMEC) in the USA are not required to report to the NCA and should not duplicate their reporting.
Industry fees
The notification window for Online Safety fees for the 2026/27 charging year is now open. Regulated service providers must assess whether their qualifying worldwide revenue (QWR) meets or exceeds the threshold of £250 million set out by the Secretary of State for Science, Innovation and Technology in the Online Safety Act Threshold Regulations.
Fee liable providers are required to notify Ofcom by 11 April 2026. This notification should be completed via the Online Safety Fees Portal which is now live. Providers should register as early as possible, and at least two weeks before the notification deadline, using this form.
We encourage any providers who may be liable to pay fees to review the Online Safety Fees Regulations and the supporting guidance documents available on our fees webpage, where you can find contact details if you have questions about your obligations or the notification process.
Update on Categorisation and the representations process
The Online Safety Act introduces a system for categorising some regulated online services as Category 1, 2A or 2B if they meet specific threshold conditions. Services that are categorised will have additional duties, depending on which category they fall into. Last year, we requested information from relevant service providers to support our assessments of whether their services meet the threshold conditions for inclusion on the register of categorised services, and to assess certain regulated services against conditions relating to emerging Category 1 services.
Before we finalise our assessments, we will seek representations on our provisional decisions from relevant providers. We expect to issue our provisional decisions in late March, after which providers will have four weeks to submit written representations. We plan to publish the register of categorised services as well as the list of emerging Category 1 services around July 2026. We plan to publish these alongside our consultation on additional duties for categorised services.
Additional duties relating to risk assessments for categorised services
Once the categorisation register is published, Category 1 and 2A providers will have additional risk assessment duties. These duties will not be subject to consultation and will come into force when the register is published.
As explained in our risk assessment guidance, the Act requires Category 1 and Category 2A providers must:
- Publish a summary of the findings of their most recent illegal content risk assessment and, if applicable, children’s risk assessment (in terms of service for Category 1, or a publicly available statement for Category 2A), including as to levels of risk and the nature and severity of potential harm; and
- Provide Ofcom with a copy of their risk assessment record(s) as soon as reasonably practicable after making or revising a record
We will provide further information closer to the date on how providers can meet this duty.
Guidance
Publication of the Statement and the final guidance for Online Safety super-complaints
The Online Safety Act 2023 allows eligible organisations representing users of regulated online services, or members of the public, to raise a super-complaint with Ofcom. On 10 February, Ofcom published the Statement and the final guidance for super-complaints. The super-complaints webpage sets out the key eligibility and admissibility requirements, and includes an online expression of interest form for organisations to notify Ofcom that they are considering submitting a super-complaint.
Upcoming information requests
In April 2026, selected service providers will be notified by Ofcom to provide illegal content and children's risk assessment records.
Please note that Ofcom may also use its information gathering powers under the Act to make additional requests, such as in response to compliance concerns, or under section 101 of the Act to support a coroner’s investigation into the death of a child.
Additionally, as detailed above, we will be seeking representations from specific providers on our provisional decisions from providers of services we are minded to include on the register and/or the list of emerging Category 1 services.
Consultations
Closing 23 March 2026
In December, we published a consultation on our draft guidance for categorised services concerning the disclosure of information to bereaved parents about their child’s use of the platform. This is part of the additional duties that apply to categorised services. This consultation closes on 23 March 2026, and we expect these duties to come into force in late 2026 when we finalise the guidance.
Closing 21 May 2026
In February the Tribunal Procedure Committee launched a Government consultation on possible amendments to the Tribunal Procedure (Upper Tribunal) Rules 2008 to support the new appeal rights created by the Online Safety Act 2023. The consultation seeks views on introducing a time limit for applications for permission to appeal by persons with a sufficient interest in Ofcom’s regulatory decisions, and on whether to adjust the default costs position to give the Upper Tribunal greater discretion to award costs in Online Safety Act cases. The consultation closes on 21 May 2026.
Opening March 2026
In December 2025, the Government upgraded cyberflashing and encouraging or assisting serious self-harm to priority offences under the Online Safety Act. We have published a consultation on updates to the Illegal Harms regulatory documents and guidance to reflect the new priority status of these offences. The scope of consultation is narrow, limited to the necessary updates to the regulatory products. In light of this, the consultation period is short compared to our larger consultations.
The requirement to conduct a risk assessment and to consult Ofcom’s Risk Profiles also applies to these new priority offences. We recommend providers update their illegal content risk assessments as soon as practical after the statement is published.
Resources and support
New Child Access Assessment toolkit and updated Regulation Checker
A launch of new and updated tools is planned for early May 2026. We will publish a new toolkit to assist services in the completion of their Child Access Assessment. This tool will help services complete their assessment, and aid with the associated record-keeping duties. This release will also contain a new and improved version of our Online Safety Regulation Checker, which assists services to understand if they are in scope of the Online Safety Act. The new version aims to make it even simpler to understand your duties. Please note that the existing tooling and guidance on these two topics remains in date and can be used with confidence until this release.
Revamped Online Safety Act compliance guide
We’ve launched a revamped Online Safety Act compliance guide for providers of online services. The guide brings together clear, practical guidance on online safety duties, integrates our step‑by‑step digital toolkits so providers can access support when they need it, and signposts to further resources including this quarterly bulletin, our digital library and tailored industry guidance. This work is informed by feedback from more than 50 small to medium-sized services (across the UK, North America and Europe), and we will continue to improve the guide alongside wider enhancements to our toolkits and resources.
What else is coming up for Ofcom
Next steps on regulatory roadmap
Spring 2026 – Media literacy statement of recommendations
In September 2025, we consulted on draft recommendations setting out our expectations for how regulated services should help people take control of their online experience, build digital confidence, and critically engage with the content they see. We are reviewing responses and aim to publish our final statement of recommendations in spring 2026.
For more details on upcoming duties and consultations, see our important dates page.