It is now six weeks since new rules came into force to protect children online in the UK. In that time, Ofcom has seen sweeping change across industry, with many of the UK’s most popular websites and apps putting in place age checks, alongside other new measures.
The UK’s biggest and most popular adult services – including PornHub – and many smaller adult sites have begun deploying age checks across their services.
Meanwhile, a range of companies across social media, dating, gaming and messaging – including Roblox, Reddit and X, among others – have also announced new age checks to prevent children accessing harmful content.
Another area of focus is content recommender systems, which can be children’s main pathway to encountering the harms covered by the Act, including suicide, self-harm and eating disorder content. To hold sites and apps to account, Ofcom has launched a monitoring and impact programme. This primarily focuses on the biggest platforms where children spend most time – including Facebook, Instagram, Roblox, Snap, TikTok and YouTube.
Where we are concerned that platforms are not complying, we are progressing our enforcement work. To date, this has included opening investigations covering 35 porn services, as well as 11 investigations relating to other areas of online safety, and expanding our list of enforcement programmes covering a range of service providers’ legal duties.
More updates, deadline reminders, and resources to help are below.
What's in this bulletin
Taking action on online safety
Age checks to protect children from harmful content
Pornography sites implement age assurance
Ahead of the protection of children rules coming into force, major porn providers operating in the UK confirmed to Ofcom that they planned to introduce effective checks to comply with the new rules. This included PornHub – the most-visited pornographic service in the UK – alongside a wide range of other services, with those happy to be named including BoyfriendTV, Cam4, FrolicMe, inxxx, Jerkmate, LiveHDCams, MyDirtyHobby, RedTube, Streamate, Stripchat, Tube8, and YouPorn. This follows our outreach in which we wrote to hundreds of dedicated pornography services outlining their obligations and asking for their compliance plans.
All of the top 10 sites in the UK, as well as hundreds of smaller sites, have now deployed age checks across their services. This means it will be harder for children in the UK to access online porn than in any other OECD country. Ofcom is actively checking compliance across the sector and, where necessary, opening new investigations – see below.
Reddit to Roblox, Bluesky to Bumble: more online services respond to the rules
The new rules also importantly require online services to prevent children encountering harmful content relating to suicide, self-harm, and eating disorders, plus introduce protections for children from dangerous stunts or challenges, misogynistic, violent, hateful or abusive material, and online bullying. This is leading to more change across a range of online sectors including social media, dating, gaming and messaging, from more sophisticated content moderation to new age checks.
We’ve seen companies announcing or introducing age checks to start meeting the new rules or to enforce the minimum age in their terms of service, including:
- Social media services like Reddit, X and Bluesky;
- Dating services including Bumble, Match Group (which includes Tinder, Hinge and other services), Grindr and Feeld;
- Messaging and communications services like Discord, Kik and Telegram;
- And gaming services like Xbox, Roblox and Steam.
Knowing whether users are children or adults is a key step for online services in providing age-appropriate experiences and a safer online environment. Age checks sit alongside a range of other measures to protect children set out in Ofcom’s Codes of Practice and guidance and we expect to see further improvements in the coming months.
All age assurance methods involve the processing of personal data and, as such, they are subject to the requirements of the UK’s data protection regime and should follow a data protection by design approach.
Securing changes on apps and sites that children use most
24 July was the deadline for online service providers to complete their first children’s risk assessments. Since then, Ofcom has requested and received 29 children’s risk assessment records, as part of a recently launched enforcement programme (see below for more details). These records will enable us to monitor compliance and drive improvements across industry in how risks are identified and managed. We will share insights and trends to support understanding of good practice, and suggest potential areas for improvement, later in the year.
Even where sites and apps do not technically allow content harmful to children under their terms of service, Ofcom’s research shows that such content can be all too prevalent. In particular, we know that content recommended in personalised ‘for you’ feeds represent children’s main pathway to encountering these harms. Our Codes are clear, among other things, that algorithms must be configured for children so that the most harmful material is blocked.
To hold sites and apps to account, in July we launched an extensive monitoring and impact programme, primarily focused on the biggest platforms where children spend most time – including Facebook, Instagram, Roblox, Snap, TikTok and YouTube. In addition to reviewing children’s risk assessments, this will include:
- Scrutinising these platforms’ practical actions to keep children safe – we will interrogate in particular: whether they have effective means of knowing who their child users are; how their content moderation tools identify types of content harmful to children; how effectively they have configured their algorithms so that the most harmful material is blocked in children’s feeds; and how they have prevented children from being contacted by adult strangers;
- Tracking children’s online experiences to judge whether safety is improving in practice - through our ongoing programme of children’s research and consulting with children through new work with the Children’s Commissioner for England; and
- Swift enforcement action if evidence suggests that platforms are failing to comply with their child safety duties.
This activity is in addition to our ongoing actions to enforce the illegal content safety duties, including measures to protect children from sexual abuse and exploitation online.
The Online Safety Act requires providers of regulated services to take proportionate steps to prevent users encountering illegal content, and to prevent children from seeing certain harmful material, such as porn, self-harm, suicide and eating disorder content. There is no requirement on them to restrict legal content for adult users. In fact, they must carefully consider how they protect users' rights to freedom of expression while keeping people safe. Companies can choose to have more restrictive terms of use than our rules require, but we've provided very detailed guidance to help them understand what’s required for compliance, including how to make judgements about whether content is illegal content, or content harmful to children.
Enforcement progress
Since our last bulletin, Ofcom has opened more than a dozen new investigations under the Act, in line with our commitment to take action where we suspect service providers are failing to protect users and comply with their new legal obligations. We continue to focus our work where we consider the risk to UK users to be greatest.
In the previous bulletin, we introduced our enforcement programmes focusing on Child Sexual Abuse Material (CSAM), pornographic content, and illegal content risk assessments, which remain live and continue to make progress.
Live enforcement programmes
- CSAM: In June, we opened investigations into the providers of the following file-sharing and file-storage services: Krakenfiles, Im.ge, Nippybox, Nippyshare, Nippyspace, Nippydrive and Yolobit. We are also engaging constructively with a number of other such services to tackle the sharing of CSAM on them.
- Pornographic content: In July, we extended our existing age assurance enforcement programme to cover all platforms that allow users to share pornographic material, whether they are dedicated adult sites or other services that include pornography. Since then, we have opened investigations into whether five providers – 8579 LLC, AVS Group Ltd, Kick Online Entertainment S.A., Trendio Ltd and Duplanto Ltd – have highly effective age checks in place to protect children from encountering pornography across 35 websites. Collectively, these websites have over 9 million monthly UK visitors.
- Illegal content risk assessments: This enforcement programme is monitoring compliance with the illegal content risk assessment duties and record keeping duties, and has involved requesting over 60 risk assessments from a range of services. In June, we opened an investigation into the provider of 4chan.
New enforcement programme: children’s risk assessments
In July, as the new protection of children rules came into force, we opened a new enforcement programme to monitor if services are meeting their children’s risk assessment duties. We expect this programme to run for at least 12 months, during which time we may decide to open separate formal investigations if we have concerns that a service provider may not be meeting its duties under the Act.
New enforcement programme: protect children from harmful content through the use of age assurance
Research suggests that there are a number of small but risky services accessible to UK children whose principal purpose is to host harmful content such as eating disorder content, self-harm content, suicide content or serious violent content. This programme is focused on the implementation of robust age checks by such services. Its main objectives are to monitor compliance with the relevant duties in the Act, to monitor how our guidance on highly effective age assuranceis being applied by industry, and to support the adoption of best practice
Details of new investigations will be published on our website.
What you need to know and do
Obligations for regulated services
Reminder of obligations now in force
- The children’s safety duties (and related requirements) are now in force – services likely to be accessed by children must implement measures set out in the Codes of Practice or effective alternative measures. For more information, you can check how to comply with the protection of children codes and read our statement on protecting children from harms online.
- The illegal content safety duties (and related requirements) came into force earlier this year. All services in scope of the Act must implement measures set out in the Codes of Practice or effective alternative measures. For more information, you can check how to comply with the illegal content rules and read our statement on protecting people from illegal harms online.
Upcoming information requests
In our January bulletin, we outlined our powers to request information from organisations under the Online Safety Act and what our approach would be. Recipients of these requests must respond fully, accurately, and by the deadlines we set. Our requests will be proportionate and have a clearly stated purpose, and we will aim to give reasonable notice of our requests to help with planning, as a well as sending the request in draft form first.
The table below sets out a forward look at some of our current planned requests (although some timings and scope may change). We will be in contact with firms individually where these requests are relevant.
| Planned date | Type of information request | Service providers affected |
|---|---|---|
| October to November 2025 | Information to support Ofcom’s consultations on additional duties for categorised services | Selected service providers to be notified by Ofcom |
| October to November 2025 | Information to support Ofcom’s consultation on fraudulent advertising measures | Selected service providers to be notified by Ofcom |
| November to December 2025 | Information to support Ofcom’s statutory report on the use of age assurance | Selected service providers and age assurance vendors to be notified by Ofcom |
| November to December 2025 | Information to support Ofcom’s statutory report on the use of app stores by children | Selected app store providers to be notified by Ofcom |
Please note that Ofcom may also use its information gathering powers under the Act to make additional requests, such as in response to compliance concerns, or under section 101 of the Act to support a coroner’s investigation into the death of a child.
Consultations
Online safety fees and penalties: Qualifying Worldwide Revenue (QWR) – consultation closes 10 September 2025
Following the publication of our statement on Online Safety Fees and Penalties in June, we are consulting on further guidance for providers in relation to calculating their QWR. This is intended for all online safety services including VSPs with expected QWR at or above £250m. You can review the proposals and respond to the consultation by 10 September 2025.
Online safety fees: Draft notification guidance – consultation closes 1 October 2025
We are also consulting on our draft notification guidance to aid providers in the notification process. This is intended for all online safety services including VSPs with expected QWR at or above £250m. The consultation sets out our proposed guidance on:
- The details that all notifying providers must supply to Ofcom;
- The range of evidence and/or supporting information which providers can supply to Ofcom;
- Guiding principles to determine the types of evidence and/or supporting information which providers should supply to Ofcom.
You can review the proposals and respond to the consultation by 1 October 2025.
Additional safety measures – consultation closes 20 October 2025
We are currently consulting on our latest proposals to strengthen our Codes of Practice for providers of online services, aiming to make online services safer by design. The consultation sets out proposals across several areas including stopping illegal content going viral, tackling harms at the source, and providing greater protection to children. You can review the proposals and respond to the consultation by 20 October 2025.
You can watch the recording of our July webinar on the additional safety measures consultation.
Super-complaints – consultation closes 3 November 2025
We have launched a consultation on the Online Safety draft super-complaints guidance. The Act allows expert organisations representing users or the public to raise a 'super-complaint' with Ofcom. The purpose of super-complaints is to allow such organisations to bring robust evidence and facts to Ofcom’s attention about the most significant online harms and restrictions on free expression arising on regulated online services.
You can review the proposals and respond to the consultation by 3 November 2025.
Resources and support
You can find our resources and support materials on our Guide for services page.
Explainer videos: recordings from our protection of children event
We held our second OSA Explained conference on 4 June, focusing on the Protection of Children duties. This included sessions about what constitutes content harmful to children under the Act, how to complete your children’s risk assessment, foundational steps to protecting children, highly effective age assurance, and recommender systems.
You can now rewatch these sessions online.
Illegal content risk assessment toolkit demo
In January, we released our digital toolkit to help providers of user-to-user and search services to understand how to comply with the illegal content rules. For a detailed walkthrough of how to use the toolkit, whether for a new risk assessment or reviewing an existing assessment, you can now watch a video demonstration.
What’s coming up from Ofcom
Next steps on our regulatory roadmap
Data Preservation Notices consultation – September 2025
Following the Royal Assent of the Data Use and Access Act 2025 in June, we will consult on updates to our Online Safety Information Powers Guidance in relation to Data Preservation Notices. Following a request from a coroner or procurator fiscal, we must issue a Data Preservation Notice to services specified by the coroner requiring them to retain data relating to a deceased child’s online activity. Our draft guidance is intended to support service providers to respond to Data Preservation Notices as swiftly and effectively as possible. We will also consult on updates to our guidance regarding Coroner Information Notices.
Guidance: a safer life online for women and girls – later in 2025
In February 2025, we published draft guidance, setting out nine areas where technology firms should do more to improve women and girls’ online safety by taking responsibility, designing their services to prevent harm and supporting their users. We received over 100 responses from civil society groups, academics, industry and other experts. We expect to publish the final guidance by the end of 2025.
Further fees consultations – later in 2025
By the end of the year, we will consult on our Statement of Charging Principles (SoCP), which will set out the principles that we propose to apply when determining the fees that providers will pay. This is in addition to existing consultations on QWR and Notification Guidance. The QWR Guidance aids providers in the process of calculating their QWR to determine if they are eligible to pay fees. The Notification Guidance helps providers comply with their duty to notify us of their eligibility to pay fees.