Ofcom's approach to OSA enforcement
This explainer sets out Ofcom’s approach to enforcement under the OSA to date. It develops points made in our earlier explainer and is published in conjunction with our commentary piece drawing out some early reflections on Ofcom’s approach. It is supplemented by a tracker (also available at the bottom of this page) detailing the status of Ofcom’s individual enforcement interventions to date, including thematic programmes and individual open and closed investigations; this tracker will be kept regularly updated.
General Overview of Enforcement Powers
Ofcom’s powers of enforcement are set down in the Online Safety Act (OSA) in Chapter 6 of Part 7 (ss 130 et seq) – they relate to what the Act refers to as “enforceable requirements” (listed at s 131). The Act sets down a process of engagement, which gradually increases the pressure on the service provider, whilst allowing space for the service provider to respond to Ofcom’s concerns and make representations. Ofcom has produced an infographic to describe the process (see below); Ofcom can choose at any time to close an investigation. Ofcom has a range of enforcement mechanisms: it can specify the steps a service provider should take to come into compliance; it can issue a fine; and, as a last resort, it can apply for “business disruption measures”. So, for example, Ofcom issued a £20,000 fine on 4Chan in October 2025 and a fine of £50,000 to Itai Tech in November 2025. Ofcom has produced Guidance detailing how, in the normal course of events, it will use its enforcement powers.
Ofcom's online safety investigation process
Ofcom has opened a number of enforcement programmes, focussing on particular topics, reflecting possible industry-wide problems:
- Age Assurance – Part 5 Services;
- Age Assurance – Part 3 Services;
- Child Sexual Abuse Material (CSAM) on file-sharing services;
- Illegal Content Risk Assessment (ICRA) and associated duties;
- Children’s Risk Assessment.
The focus of these programmes has been the protection of children. In its work plan, Ofcom describes this as its top priority. On top of that, Ofcom intends in 2026 to address child sexual abuse material (CSAM) and grooming beyond file-sharing and file-storage services. Ofcom is also looking to broaden its focus to include more on increasing the effectiveness of content removal and improving online safety for women and girls following the publication of its Guidance in Autumn 2025. It also plans to continue work on risk assessments, which have proved to be deficient so far.
Process of Enforcement
The Act starts with the issuing of a provisional notice of contravention (s 130), though this implies that Ofcom has already made an initial assessment and decided to open an investigation (as set out in para 2.19 Enforcement Guidance); it will also likely have used its information gathering powers (see ss 100 et seq), though it does not have to do so. Usually, it will contact the service provider but, again, does not have to do so (see Guidance para 4.14). This initial inquiry phase can be seen in the X/Grok example, where Ofcom wrote to X to understand the issues at some basic level before making (relatively quickly, given the urgency and scale of the problem) the formal decision to open an investigation. Ofcom can pick up on issues from all sorts of sources – for example, from a company’s risk assessment or response to a request for information, or from complaints, evidence from civil society organisations (eg the decision to reopen enforcement action against the online suicide forum which had claimed it had geo-blocked UK users) or pressure from MPs.
The decision whether to take further action is informed by the general duties set down for Ofcom in s 3 Communications Act 2003, taking into account that enforcement action should be proportionate and targeted to cases where action is necessary. Ofcom sets out in its Enforcement Guidance (para 3.9) the factors it will consider when deciding whether to open a case because, as it notes, it does not have the capacity to take action in all possible cases. The factors are:
- the risk of harm or its severity;
- the strategic significance; and
- the resource implications.
An initial assessment can lead to a decision that a formal investigation is not necessary. Moreover, Ofcom can engage with service providers in ways not specified in the Act. Ofcom can send advisory or warning letters (and sometimes writes open letters, as it did in relation to generative AI and chatbots). For example, Ofcom reported (after the process had finished) that it had given Snap the opportunity to engage in a compliance remediation process in relation to its illegal harms risk assessment – this sort of process is described by Ofcom (Enforcement Guidance para 3.13) as being “a period of engagement with the service provider to give them the opportunity to address or remedy any compliance concerns identified in lieu of opening an investigation” (and can involve accepting commitments). Ofcom can also engage in compliance monitoring to ensure that behaviour leading to concerns about compliance is not repeated. Ofcom can use these techniques during investigations too.
Once a formal investigation is opened, Ofcom investigates whether there has been a breach of any of the duties – and the service provider being investigated is under a duty of cooperation. As noted, Ofcom can require information from relevant persons; it can also obtain a report from a “skilled person”; or require people to attend interviews. Section 107 in conjunction with Schedule 12 gives Ofcom powers of entry, inspection and audit. The enforcement mechanisms can be used in relation to a failure to comply with these investigatory powers as well as in relation to a breach of a duty (and information notices can be addressed to persons other than regulated service providers). Additionally, a failure to comply with an information notice is a criminal offence (see ss 109 et seq). If the investigation suggests reasonable grounds for believing the service provider is failing - or has failed - to comply with its obligations under the Act, Ofcom will issue a provisional notice of contravention under s 130.
After a provisional notice has been issued, the provider is given a period of time (usually at least 20 working days (see eg Youngtek), though this can be shorter (as in the case of 4Chan)) in which it can make representations, which Ofcom will consider before going any further. Ofcom can also issue more requests for information and take other investigative steps. It can also seek to resolve the concerns by other means (eg accepting assurances). It does not seem, with the possible exception of interim business measures, that Ofcom can require a service provider to take particular steps before the enforcement decision is finalised; there are no formal interim measures set out in the Act.
After this, Ofcom makes its decision (under s 132), including whether to impose any sanctions. In its final decision it will set out the reasons for the finding as well as any steps required for the provider to come into compliance and any penalty payable (and when the penalty should be paid). Section 392 Communications Act requires Ofcom to produce Penalty Guidelines. Ofcom may apply a daily penalty as well as a lump sum – as can be seen in the investigation into AVS Group. Ofcom notes that where there have been risk assessment failings, it may require a provider to take steps to remedy overlooked harms as well as dealing with the failings in the risk assessment process itself (Guidance, para 6.48). In one case, it substituted its own view of the risk for that of the provider which had carried out an inadequate risk assessment (as permitted by s 134 OSA). Ofcom must publish any confirmation decision, or a penalty notice issued under ss 139-141 (see s 149).
Additionally, the OSA provides for a number of offences. There are offences relating to failure to comply with information notices or to comply with the steps set out in a confirmation decision, for failure to comply with a children’s online safety duty (set out in sections 12(3)(a), 12(3)(b), 81(2) or 81(4)) or for failure to comply with a requirement in relation to child sexual abuse (see section 133(6) and (7)). Alternatively, Ofcom could seek to impose business disruption orders on a service which has not complied with a confirmation decision or not paid a penalty.
Ofcom has a separate taskforce to engage with smaller sites that may present particular risks to users, though there are no details as to which services are in scope of this team and what the team’s approach is to enforcement (as opposed to encouraging compliance).