Quick answer
The UK Online Safety Act 2023 is the law that makes many social media sites, search services, forums, video platforms, messaging-style user-to-user services and pornography services responsible for managing online safety risks for UK users.
It is not one single switch that turned on overnight. It has come into force in phases. As of July 2026, the illegal content duties and child protection duties are active. Age checks for services that allow pornography or certain child-harmful content have been in force since 25 July 2025. Ofcom is also moving through the next stage for larger categorised services.
What changed in 2026?
The biggest change is that the Online Safety Act is no longer just a future compliance project. Core duties are now live, Ofcom is asking services for records, and enforcement has started to move from guidance into penalties and investigations.
The Act received Royal Assent in October 2023.
Regulated services must assess and reduce the risk of illegal content and activity.
Many services likely to be accessed by children must use safety measures that match their risks.
The biggest and highest-impact services face extra duties once categorisation is confirmed.
Who has to comply?
The Act applies to regulated services that have links to the UK. In plain English, that can include services where users can post, share, message, upload, comment, search, stream or encounter content generated by other users.
It is a mistake to think this is only about the largest social networks. Smaller services can still be in scope if UK users can access them and the service has relevant user-to-user, search or pornography features.
Examples that may be in scope
- Social networks and video-sharing platforms.
- Forums, communities and comment-enabled services.
- Search engines.
- Adult sites and services that publish or allow pornography.
- Marketplaces or apps with user posts, messages or reviews.
What matters
- Whether UK users can access the service.
- Whether users can interact with each other or find user-generated content.
- Whether children are likely to access it.
- Whether the service has risk factors such as anonymity, recommender systems, live streaming or private messaging.
Illegal content duties
The illegal content duties are a core part of the Act. They require regulated services to assess the risk that their platform is used for illegal content or activity, then put proportionate systems and processes in place to reduce those risks.
This includes priority offences such as child sexual exploitation and abuse, terrorism, harassment and stalking, hate offences, fraud and financial offences, and other criminal content listed or captured by the regime.
For users, the practical effect should be clearer reporting routes, faster action on genuinely illegal material, and better systems behind the scenes. For platforms, it means risk assessments, record keeping, staff training, moderation processes and terms that are actually enforced.
Children, harmful content and age checks
The child safety duties are one of the most visible parts of the law. Services likely to be accessed by children must assess the risk that children encounter harmful content and take steps to reduce that risk.
Age assurance is now central to this. Services that allow pornography must have highly effective age checks. Services that allow certain content harmful to children, including suicide, self-harm and eating disorder content, may also need highly effective age assurance if they do not ban that content for all users.
Age checks are not the same as simple age gates
A box asking “Are you over 18?” is not enough. Stronger methods can include facial age estimation, photo ID checks, credit card checks, mobile network checks, bank-based checks or digital identity wallets. The exact method depends on the service and its risk profile.
The benefit is clear: children should have less access to pornography and the most harmful content. The drawback is also real: adults may be asked to prove age more often, and that creates privacy, data security and trust questions around age-check providers.
Categorised services: what is still being finalised?
Not every duty applies to every platform. The Act creates extra duties for larger or higher-impact services in Category 1, Category 2A and Category 2B.
As of 3 July 2026, it is safest to say the public categorisation stage is still being finalised, with Ofcom expecting the register of categorised services in July 2026. Until that register is published, do not treat any unofficial list of Category 1 services as final.
Extra duties may include
- Transparency reporting.
- Extra risk assessment and record keeping requirements.
- User empowerment tools.
- User identity verification options.
- Protections for journalistic and democratic content.
- Fraudulent advertising duties.
Why this matters
Some older summaries speak as if the biggest platforms have already been formally categorised. That is too strong unless the register has been published. The correct position is that baseline duties are active, while some additional duties depend on the categorisation process.
Fraud, scams and paid advertising
The Act also affects online fraud. Fraud and financial offences are part of the illegal harms framework, so regulated services need to consider scam risks in their illegal content risk assessments.
There are also specific duties about fraudulent paid-for advertising for some categorised services. These are not the same as every website being responsible for every advert on the internet. They are targeted duties that depend on the type and category of service.
For ordinary users, the intended result is fewer scam posts, phishing links, impersonation schemes, fake investment offers and fraudulent ads. The honest caveat is that fraud moves quickly. The Act can force better systems, but it will not remove every scam.
Ofcom enforcement: what can happen if services ignore the rules?
Ofcom is the UK regulator responsible for enforcing the online safety regime. It can request information, investigate services, issue enforcement notices and impose penalties.
The maximum penalty can be up to £18 million or 10% of qualifying worldwide revenue, whichever is higher. In serious cases, Ofcom can also seek service restriction orders or business disruption measures, such as requiring other companies to stop supporting a non-compliant service.
Enforcement is already real
Ofcom has already fined pornography providers for age-check failures. That matters because it shows the regime is not only guidance. Services that ignore age assurance or information requests can face actual penalties.
Honest pros and cons
The Online Safety Act has a sensible aim: reduce serious online harm, especially to children. But the way that aim is implemented affects privacy, smaller websites, free expression and technical design.
Pros
- More responsibility on platforms: Services can no longer rely only on user reports after harm has already happened.
- Stronger child protection: Age checks and child-risk assessments should reduce access to pornography and the most harmful content.
- Clearer enforcement: Ofcom has investigatory powers and can issue significant penalties.
- Better reporting and complaints processes: Users should see clearer routes to report illegal content and challenge platform decisions.
- More pressure on scam content: Fraud risks now have to be considered as part of online safety compliance.
Cons
- Privacy risk from age checks: More people may have to prove age through ID, biometrics or third-party checks.
- Overblocking risk: Platforms may remove borderline lawful content to reduce regulatory risk.
- Small-site burden: Risk assessments, moderation processes and documentation can be heavy for small teams.
- Encryption tension: Child safety duties and private messaging create unresolved technical and civil-liberties concerns.
- False sense of safety: Determined bad actors and offshore services can still adapt, rebrand or move users elsewhere.
Privacy, encryption and VPNs
The privacy debate is not a side issue. It is one of the main trade-offs in the Act. Age checks can reduce children's access to harmful content, but they also make online access more identity-based. That can make users worry about who sees their ID, whether biometric estimates are stored, and how third-party age-check providers handle data.
VPN interest has grown because users often associate the Act with tracking, age verification and blocked websites. A VPN can help protect browsing privacy from local networks and internet providers, but it is not a magic bypass for every age-check system. Some services can still require proof of age, block known VPN IP ranges, or use account-level signals.
Be honest about VPN limits
A VPN can hide your IP address from the sites you visit and help on public Wi-Fi. It cannot make an unsafe age-check provider safe, and it cannot guarantee access to a service that requires verified age or identity.
What about encrypted messaging?
The Act includes powers and duties that have raised concerns about encrypted messaging, especially around detecting child sexual exploitation and abuse. The practical problem is that scanning private messages without weakening end-to-end encryption is technically and politically contested. As of this update, it is better to describe this as an unresolved tension rather than claiming the government is currently reading private messages.
Small website checklist
If you run a forum, app, community, marketplace or site with user comments, do not assume the Act is irrelevant because you are small. Your obligations depend on features, users and risk.
- Check whether your service is in scope. Look at user-to-user features, search features and UK access.
- Complete a risk assessment. Record what illegal content or child risks could realistically appear.
- Review your reporting flow. Users should be able to report illegal content clearly and easily.
- Update your terms. Terms should explain what content is banned and how moderation works.
- Keep records. Save decisions, risk reviews, complaints processes and moderation policies.
- Consider age assurance only where needed. Do not collect more identity data than your risk profile requires.
Frequently asked questions
Is the UK Online Safety Act already in force?
Yes, key parts are already in force. Illegal content duties have applied since March 2025, and child safety and age-check duties came into force in July 2025. Some additional duties for categorised services are still being implemented.
Does the Act ban VPNs?
No. The Act does not ban VPNs. Some services may block known VPN IP addresses as part of age assurance or abuse prevention, but that is different from VPNs being illegal.
Does every site need age verification?
No. Age assurance depends on the service and its risks. Services that allow pornography need strong age checks. Other services may need age assurance if children are likely to access them and harmful content is present or permitted.
Can Ofcom fine companies?
Yes. Ofcom can impose penalties, and the maximum can reach £18 million or 10% of qualifying worldwide revenue, whichever is higher. The regulator can also use other enforcement routes for serious or persistent non-compliance.
Is the Act good or bad?
It is mixed. It gives regulators tools to push platforms to deal with serious harms, especially involving children. It also creates privacy, free expression and compliance-burden concerns. A fair assessment should include both sides.
Sources checked
This guide was updated against current official guidance and regulator materials available on 3 July 2026.