Full Report
New Ofcom guidance is designed to help tech companies comply with their obligations around tackling illegal online harms under the Online Safety Act
Analysis Summary
# Regulation/Compliance: Ofcom Online Safety Act Guidance for Tech Firms
## Overview
This regulation summary pertains to the guidance issued by Ofcom, the UK communications regulator, for technology firms regarding their obligations under the **Online Safety Act (OSA)**. The guidance focuses specifically on measures required to tackle illegal online harms occurring on their platforms, such as terrorism, hate speech, fraud, child sexual abuse, and assisting/encouraging suicide.
## Key Details
- Issuing Authority: Ofcom (UK communications services regulator)
- Effective Date: The Online Safety Act was passed in October 2023. Specific guidance was issued following consultation, imposing an initial compliance deadline of March 16, 2025, for risk assessments.
- Jurisdiction: United Kingdom (UK)
- Status: In Effect (Guidance issued based on the previously passed Act)
## Requirements
### Mandatory Requirements
1. **Illegal Harms Risk Assessment:** Tech platforms must complete risk assessments concerning illegal online harms by **March 16, 2025**.
2. **Accountability Structure:** Name a senior person within the organization who is accountable to the most senior governance body for compliance, reporting, and complaints duties.
3. **Moderation Resource Allocation:** Ensure moderation teams are appropriately resourced to remove illegal material quickly upon awareness.
4. **Reporting Accessibility:** Ensure reporting and complaints functions are easy to find and use.
5. **Algorithm Testing:** Improve the testing of algorithms to actively reduce the dissemination of illegal content.
6. **Tackling Online Grooming (Children):** Implement measures to tackle pathways to online grooming, specifically ensuring children’s profiles and locations are not visible to other users and providing guidance on sharing personal information risks.
7. **CSAM Detection:** Utilize hash-matching and URL detection tools specifically to identify child sexual abuse material (CSAM).
8. **Intimate Image Abuse Detection:** Use tools to identify illegal intimate image abuse and "cyberflashing."
9. **Fraud Reporting Channel:** Establish a dedicated reporting channel for organizations with fraud expertise to flag known scams to platforms in real time for immediate action.
10. **Terrorist Content Removal:** Remove users and accounts that generate or share posts on behalf of UK government proscribed terrorist organizations.
### Recommended Practices
1. The regulator (Ofcom) will support providers in achieving compliance.
2. Further codes of practice, including measures around AI use for harm mitigation and crisis response protocols, are expected following an additional consultation in Spring 2025.
## Affected Organizations
- Industries: Social media firms, search engines, messaging services, gaming apps, dating apps, pornography sites, and file-sharing sites.
- Organization Size: Applicable to tech firms covered by the scope of the Online Safety Act, suggesting major platforms are primary targets.
- Geographic Scope: United Kingdom.
## Compliance Timeline
- October 2023: Online Safety Act passed.
- **March 16, 2025**: Deadline for tech platforms to complete illegal harms risk assessments.
- Spring 2025: Expected additional consultation on secondary codes of practice (AI use, crisis response).
- Ongoing: Continuous obligation to moderate illegal content and maintain reporting channels.
## Implementation Guidance
### Assessment Phase
- Conduct a comprehensive risk assessment focused specifically on the illegal online harms listed (terrorism, fraud, CSAM, etc.) as mandated by the OSA.
### Implementation Phase
- Appoint and formally document the senior accountable individual and their reporting structure to the board/senior governance body.
- Review and enhance content moderation staffing, training, and tooling to ensure swift removal of identified illegal material.
- Conduct technical audits on algorithms to measure their propensity to promote illegal content, and implement remediation plans.
### Validation Phase
- Use internal and/or third-party audits to verify that reporting mechanisms are easily accessible and functional.
- Test the effectiveness of new detection tools (hash-matching, URL detection) for CSAM and intimate imagery.
## Technical Requirements
- Implementation of **hash-matching and URL detection** for CSAM.
- Use of detection tools for **illegal intimate image abuse and cyberflashing**.
- Algorithmic testing to **reduce dissemination** of illegal content.
## Penalties & Enforcement
- Fines: Up to **£18 million ($22.8 million) or 10% of annual income**, whichever is higher.
- Other Consequences: UK Technology Secretary Peter Kyle stated the regulator has backing to ask the **courts to block access to sites** that fail to comply.
- Enforcement: Ofcom reserves the right to take **early enforcement action** against platforms that fall short of the new duties.
## Related Standards
- The obligations stem directly from the UK's **Online Safety Act**. The source does not mention alignment with NIST or ISO standards, but internal security frameworks would need to support these operational requirements.
## Resources
- Official Documentation: The underlying legislation is the **Online Safety Act**.
- Guidance Documents: Ofcom has issued **new codes of practice** focusing on illegal online harms.
- Tools: Tools for hash matching, URL detection, and algorithmic testing are implied necessities.
## Practical Recommendations
1. **Prioritize Risk Assessment:** Immediately begin the mandated illegal harms risk assessment to meet the March 2025 deadline.
2. **Establish Governance:** Formally designate the senior compliance owner and integrate their reporting duties into the highest level of governance.
3. **Enhance Detection Technology:** Invest in and deploy specialized tooling to detect CSAM and intimate image abuse, as these areas carry specific technical mandates.
4. **Operational Readiness:** Audit moderation team capacity and workflow speed to ensure prompt removal of identified illegal content.