Ofcom, the UK's communications regulator, has been handed one of the most ambitious and contentious regulatory mandates in the democratic world: policing social media platforms under the Online Safety Act 2023. The Act, which came into force in March 2025, gives Ofcom sweeping powers to fine platforms up to £18 million or 10% of global revenue for failing to protect users from illegal and harmful content. It is the UK's attempt to bring Big Tech under democratic control, ending the era of self-regulation and forcing platforms to take responsibility for the harms they enable.

But can Ofcom actually do this? The regulator has approximately 350 staff working on online safety, facing off against companies like Meta, Google, and TikTok that employ tens of thousands of engineers and content moderators and have legal budgets that dwarf Ofcom's entire annual funding. Early enforcement has been cautious, focusing on illegal content removal rather than the systemic issues—algorithmic amplification, addictive design, misinformation—that critics say are the real harms. And tech platforms have already signalled they may restrict UK services rather than comply with transparency requirements they consider commercially sensitive.

The question is whether Ofcom has the resources, expertise, and political backing to hold Big Tech accountable—or whether the Online Safety Act will prove to be another example of ambitious legislation undermined by weak enforcement.

What the Online Safety Act requires

The Online Safety Act 2023 is one of the most comprehensive attempts by any democracy to regulate social media. It places legal duties on platforms to:

  • Remove illegal content including terrorism, child sexual abuse material (CSAM), fraud, hate speech, and harassment.
  • Protect children from harmful content, including pornography, bullying, self-harm promotion, and eating disorder content, with age verification for adult services.
  • Assess and mitigate risks of harm, including through algorithmic amplification, addictive design features, and viral spread of misinformation.
  • Provide transparency about content moderation policies, algorithms, and how they handle complaints.
  • Offer user controls allowing people to filter content, block users, and report harmful material.

Platforms must conduct regular risk assessments, publish transparency reports, and demonstrate to Ofcom that they are taking "proportionate measures" to mitigate identified risks. Ofcom has the power to demand internal data, audit algorithmic systems, and impose fines for non-compliance.

The Act applies to any platform with over 1 million UK users, covering Meta (Facebook, Instagram, WhatsApp), Google (YouTube), X (formerly Twitter), TikTok, Snapchat, Reddit, Telegram, and dozens of smaller services.

Ofcom's Social Media Crackdown: Can the Regulator Tame Big Tech Under the Online Safety Act?
Photo: SV1XV / Wikimedia Commons (CC BY-SA 2.0)

Ofcom's resources: David vs Goliath

Ofcom's online safety division has approximately 350 staff and an annual budget of around £90 million for this function. This sounds substantial until you compare it to the scale of the platforms it must regulate.

Meta employs over 40,000 content moderators globally and spends an estimated $5 billion annually on safety and security systems. Google has similar resources. TikTok, despite being smaller, employs over 10,000 moderators. These companies have armies of engineers, data scientists, lawyers, and policy experts dedicated to content moderation and regulatory compliance.

Ofcom, by contrast, must regulate all of these platforms—plus dozens of smaller ones—with a staff that is a fraction of the size of a single platform's safety team. The regulator has hired technical experts, but it lacks the deep engineering expertise to audit complex algorithmic systems or the legal firepower to fight prolonged court battles against companies with effectively unlimited resources.

Critics argue this is a fundamental mismatch. "Ofcom is being asked to regulate some of the most powerful and technically sophisticated companies in the world with a budget smaller than a mid-sized tech startup," said one former regulator. "It is not a fair fight."

Ofcom's response is that it does not need to match platforms' resources because it can compel disclosure, hire external auditors, and impose fines large enough to force compliance. But this assumes platforms will cooperate, that external auditors can understand proprietary systems, and that fines will be enforced—none of which is guaranteed.

Early enforcement: cautious and narrow

Ofcom's enforcement to date has been cautious. The regulator began by requiring platforms to submit risk assessments and safety policies, which are being reviewed on a rolling basis. Information requests have been sent to major platforms, asking for data on content moderation volumes, algorithmic amplification, and user complaints.

But as of August 2025, no fines have been issued. Ofcom has indicated that formal enforcement will begin once the initial compliance period ends in late 2025, and that early actions will focus on clear-cut failures—such as platforms that fail to remove child sexual abuse material or do not have basic age verification for pornography.

What Ofcom has not done is tackle the systemic issues that many critics see as the core harms of social media: algorithmic amplification of misinformation, addictive design features, and business models that profit from engagement regardless of social cost. These are harder to regulate because they are not about specific pieces of content but about how platforms are designed and operated.

Ofcom has published guidance on algorithmic transparency, requiring platforms to explain how their recommendation systems work and what they optimise for. But platforms have resisted, arguing that algorithmic details are commercially sensitive and that disclosure would allow bad actors to game the system. Ofcom has not yet forced the issue, leading critics to question whether it ever will.

Platform resistance: the threat to withdraw services

Tech platforms have not passively accepted regulation. Several have threatened to restrict UK services rather than comply with requirements they consider unreasonable or commercially damaging.

Meta has warned that end-to-end encryption on WhatsApp and Messenger may be incompatible with the Online Safety Act's requirements to scan for child sexual abuse material, and that it may withdraw encrypted services from the UK rather than weaken encryption globally. Privacy advocates support Meta on this point, arguing that client-side scanning (the proposed solution) would undermine encryption and create security vulnerabilities.

X (formerly Twitter) has been more openly hostile. Elon Musk has described the Online Safety Act as "Orwellian" and suggested that X may limit UK operations rather than comply with transparency requirements. While this is likely bluster—the UK is too large a market to abandon—it signals that platforms will fight regulation aggressively.

Smaller platforms, particularly those based outside the UK and EU, may simply ignore Ofcom's requirements, calculating that the regulator lacks the resources to pursue enforcement globally. Ofcom can seek court orders to block non-compliant platforms, but this is politically and technically difficult, and risks accusations of censorship.

The encryption vs safety dilemma

One of the most contentious aspects of the Online Safety Act is its treatment of encrypted messaging. The Act requires platforms to prevent the sharing of child sexual abuse material, even on end-to-end encrypted services like WhatsApp, Signal, and iMessage.

The problem is that end-to-end encryption, by design, prevents anyone—including the platform—from seeing message content. The only way to detect illegal material on encrypted services is to scan messages before they are encrypted (client-side scanning) or to weaken encryption by creating "backdoors" for law enforcement.

Both approaches are opposed by privacy and security experts, who argue that client-side scanning is technically flawed, easily circumvented, and creates vulnerabilities that hostile states and criminals will exploit. Weakening encryption, they argue, would undermine the security of billions of users to catch a small number of offenders.

Meta, Apple, and Signal have all said they will not implement client-side scanning and will withdraw encrypted services from the UK if required to do so. This puts Ofcom in an impossible position: enforce the law and lose encrypted services that protect journalists, activists, and ordinary users, or back down and be accused of failing to protect children.

The government has insisted that the Act does not ban encryption and that technical solutions exist. But as of mid-2025, no such solution has been demonstrated, and the standoff continues.

What success would look like—and why it is unlikely

For the Online Safety Act to succeed, Ofcom would need to:

  • Force platforms to disclose algorithmic systems and demonstrate that they are not amplifying harmful content for profit.
  • Impose meaningful fines on major platforms for systemic failures, not just isolated content moderation errors.
  • Audit and verify that platforms are actually mitigating risks, not just submitting compliance paperwork.
  • Resist political and industry pressure to water down enforcement or exempt powerful platforms.

This is a tall order. Ofcom is a regulator that has historically focused on broadcasting and telecoms, not global tech platforms. It has a culture of negotiation and consensus-building, not aggressive enforcement. And it operates in a political environment where the government is wary of being seen as anti-innovation or hostile to business.

The risk is that the Online Safety Act becomes another example of ambitious legislation that looks tough on paper but is undermined by weak enforcement, industry resistance, and regulatory capture. Platforms submit risk assessments, publish transparency reports, and make minor changes to content moderation policies, but the fundamental business model—maximising engagement through algorithmic amplification of divisive content—remains untouched.

International context: the UK is not alone

The UK is not the only country trying to regulate social media. The EU's Digital Services Act (DSA), which came into force in 2024, imposes similar requirements on platforms, with the European Commission as the primary enforcer for the largest platforms. The DSA has more resources and a larger market to leverage, but it faces similar challenges around enforcement, encryption, and platform resistance.

Australia, Canada, and several US states have also introduced online safety legislation, though none as comprehensive as the UK or EU. The global trend is toward greater regulation, but the effectiveness of these laws remains unproven.

The advantage of the UK acting alongside the EU is that platforms cannot easily ignore two of the world's largest markets. If the UK and EU coordinate enforcement and share intelligence, they have more leverage. But if they diverge—or if platforms successfully play regulators off against each other—the impact will be diluted.

The bottom line: ambition without resources

The Online Safety Act is one of the most ambitious attempts by any democracy to regulate social media and hold Big Tech accountable for the harms its platforms enable. But ambition is not enough. Effective regulation requires resources, expertise, political will, and the ability to withstand industry pressure.

Ofcom has some of these elements but not all. It is under-resourced relative to the scale of the task, lacks deep technical expertise in algorithmic systems, and operates in a political environment that is wary of being seen as anti-business. Early enforcement has been cautious, focusing on illegal content rather than systemic harms.

The risk is that the Online Safety Act becomes a paper tiger: tough-sounding legislation that produces compliance theatre but does not fundamentally change how platforms operate. If that happens, the harms will continue, public trust in regulation will erode, and the opportunity to bring Big Tech under democratic control will be lost.

The next 12 months will be critical. If Ofcom can impose meaningful fines, force algorithmic transparency, and demonstrate that it will not be intimidated by platform threats to withdraw services, the Online Safety Act may succeed. If not, it will join a long list of well-intentioned regulations that failed to match rhetoric with reality.

Frequently asked questions

What powers does Ofcom actually have over social media platforms?

Under the Online Safety Act 2023, Ofcom can require platforms to assess and mitigate risks of illegal content (terrorism, child sexual abuse, fraud) and certain legal but harmful content (particularly for children). Platforms must have effective content moderation, age verification for adult content, and transparent complaints processes. Ofcom can demand information, conduct investigations, and impose fines up to £18 million or 10% of global annual revenue (whichever is higher). In extreme cases, Ofcom can seek court orders to block non-compliant platforms in the UK. However, Ofcom cannot dictate specific content decisions or require platforms to remove legal content.

Why do critics say Ofcom is under-resourced for this task?

Ofcom has approximately 350 staff working on online safety regulation, with a budget of around £90 million for this function. By comparison, Meta alone employs over 40,000 content moderators globally and spends billions on safety systems. Ofcom must regulate dozens of platforms—Meta, Google/YouTube, X, TikTok, Snapchat, Telegram, Reddit, and many smaller services—each with different business models, technologies, and jurisdictions. Critics argue Ofcom lacks the technical expertise to audit complex algorithmic systems, the legal resources to fight well-funded tech companies in court, and the budget to conduct meaningful enforcement at scale.

Have any platforms been fined yet under the Online Safety Act?

As of August 2025, no fines have been issued. Ofcom is in the 'implementation phase', requiring platforms to submit risk assessments and safety policies. The regulator has issued information requests to major platforms and published guidance on compliance, but formal enforcement actions have not yet begun. Ofcom has indicated that fines will be imposed for serious breaches once the initial compliance period ends in late 2025. Tech industry observers expect the first test cases to involve smaller platforms or clear-cut failures (e.g., failure to remove child sexual abuse material), rather than systemic issues like algorithmic amplification of misinformation.

Sources

  1. Ofcom — Online Safety Act implementation updates
  2. UK Government — Online Safety Act 2023 guidance
  3. Financial Times — Ofcom's Big Tech challenge
  4. TechCrunch — Online Safety Act compliance tracker