Search every question across sub-FAQs

Teams should treat Regulated Service Scope under the UK Online Safety Act as a source-linked operating decision: first decide whether the service is in scope or exempt, then confirm which duties are triggered, assign the team that can change the process, and keep evidence showing the decision and review trigger.

In practice, the first check is simple: the Act applies to search services and services that allow users to post content online or interact with each other, including services such as social media services, consumer file cloud storage and sharing sites, video-sharing platforms, online forums, dating services, and online instant messaging services. Some services are exempt, including email services, SMS and MMS services, one-to-one live aural communications, certain limited functionality services, some combination services, public-body services, and certain education or childcare services.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.

The common failure pattern is treating online safety as generic moderation without checking service scope, exemptions, child access, illegal content duties, code measures, age assurance, complaints, and transparency reporting.

Teams should treat Ofcom Enforcement under the UK Online Safety Act as a source-linked operating decision: confirm whether the service is in scope and which illegal-content, children-safety, age-assurance, user-empowerment, transparency, complaints, risk-assessment, or Ofcom Enforcement duty is triggered, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to classify the service, user-to-user/search functionality, child-access status, illegal-content risk, and Ofcom code mapping before assigning the Online Safety Act action.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.

The common failure pattern is treating online safety as generic moderation without checking service scope, child access, illegal content duties, code measures, age assurance, complaints, and transparency reporting.

Teams should treat Age Assurance under the UK Online Safety Act as a source-linked operating decision: confirm whether the service is in scope and which provider duty is triggered for illegal content, children safety, age assurance, user empowerment, transparency, complaints, or risk assessment, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to classify the service, user-to-user/search functionality, child-access status, illegal-content risk, and Ofcom code mapping before assigning the Online Safety Act action.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.

The common failure pattern is treating online safety as generic moderation without checking service scope, child access, illegal content duties, code measures, Age Assurance, complaints, and transparency reporting.

Teams should treat Categorisation under the UK Online Safety Act as a source-linked operating decision: confirm whether the service is in scope and which illegal-content, children-safety, age-assurance, user-empowerment, transparency, complaints, risk-assessment, or Ofcom enforcement duty is triggered, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to classify the service, user-to-user/search functionality, child-access status, illegal-content risk, and Ofcom code mapping before assigning the Online Safety Act action.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.

The common failure pattern is treating online safety as generic moderation without checking service scope, child access, illegal content duties, code measures, age assurance, complaints, and transparency reporting.

Teams should treat Children's Access Assessment under the UK Online Safety Act as a source-linked operating decision: confirm whether the service is in scope and which illegal-content, children-safety, age-assurance, user-empowerment, transparency, complaints, risk-assessment, or Ofcom enforcement duty is triggered, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to classify the service, user-to-user/search functionality, child-access status, illegal-content risk, and Ofcom code mapping before assigning the Online Safety Act action.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.

The common failure pattern is treating online safety as generic moderation without checking service scope, child access, illegal content duties, code measures, age assurance, complaints, and transparency reporting.

The overlap means a service can have to follow both online safety and data protection rules at the same time. Ofcom and the ICO say online services should design safety measures with privacy in mind, and the ICO says services likely to be accessed by children may also need to follow the Children's code.

Teams should treat Ico Overlap under the UK Online Safety Act as a source-linked operating decision: confirm whether the service is in scope and which illegal-content, children-safety, age-assurance, user-empowerment, transparency, complaints, risk-assessment, or Ofcom enforcement duty is triggered, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to classify the service, user-to-user/search functionality, child-access status, illegal-content risk, and Ofcom code mapping before assigning the Online Safety Act action.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.

The common failure pattern is treating online safety as generic moderation without checking service scope, child access, illegal content duties, code measures, age assurance, complaints, and transparency reporting.

Under the Online Safety Act, user-to-user services and search services in scope must assess the risks of illegal content on their services and use that assessment to decide what proportionate measures to take. For user-to-user services, section 9 covers illegal content risk assessment duties; for search services, section 26 does the same.

A visitor should first confirm whether the service is a regulated user-to-user service or search service, then check whether it is exempt, and then map the service features and user flows that could expose users to illegal content. The practical outcome should be a recorded decision, an owner, and a review date.

If the service is in scope, the assessment should happen before or when the service becomes subject to the regime, and it should be kept up to date as the service changes. Schedule 3 sets out timing rules for illegal content risk assessments.

Useful evidence is not just a safety policy. Keep the source, service map, risk assessment, mitigation evidence, age-assurance rationale, terms/complaints records, and Ofcom-readiness trail together.