If your business runs a website where users can post, comment, upload or message each other, the UK's Online Safety Act may place legal duties on you — and not only if you are a household-name platform. The law is one of the most significant pieces of internet regulation the UK has introduced, and a common misconception is that it only concerns the big social networks. This guide explains, in plain English, who it applies to, the core obligations it creates, and the role of the regulator, Ofcom.
This article is general information, not legal advice. The duties under the Online Safety Act depend on the specifics of each service. For decisions about your own obligations, consult Ofcom's official guidance or take professional advice.
What the Act is
The Online Safety Act is UK law designed to make online services safer for users, and especially for children, by requiring certain providers to take responsibility for the content and activity their services enable. Rather than dictating exactly what content is allowed, the law focuses on the systems and processes a service has in place to manage risk.
The headline idea is a shift from "publish and react" to "assess and prevent": in-scope services are expected to understand the risks on their platform and design their service to reduce them.
Who it applies to
This is where many businesses are caught off guard. The Act applies, broadly, to two kinds of service:
- User-to-user services — anywhere users can share content with, or interact with, other users. That clearly includes social media, but it also reaches forums, community sites, comment sections, review platforms, messaging features and sites that allow user uploads.
- Search services — services that let users search multiple websites and databases.
Two points matter for ordinary businesses:
- It is not just for tech giants. A small business running a discussion forum, a comments area or any feature where users interact may fall within scope. Duties are proportionate to size and risk, so smaller, lower-risk services generally face lighter requirements — but "small" does not automatically mean "exempt."
- It can apply across borders. A service based outside the UK can still be in scope if it has a significant number of UK users or targets the UK market.
If your site has any user-interaction feature, the safe first step is to check whether you are covered rather than assume you are not.
The core duties
The precise obligations vary by the type and size of service, but in general terms they cluster around a few themes.
| Duty area | What it broadly involves |
|---|---|
| Risk assessment | Identifying the risks of harm on your service |
| Illegal content | Systems to prevent, detect and remove illegal content |
| Protecting children | Extra measures where children are likely to access the service |
| Transparency & reporting | Clear terms, reporting routes and (for larger services) reporting duties |
In practice that means in-scope providers are generally expected to:
- Carry out risk assessments to understand what could go wrong on their platform.
- Put proportionate systems and processes in place to deal with illegal content and reduce the risk of it appearing.
- Take particular care to protect children where they are likely to use the service, which can include age-assurance measures for higher-risk content.
- Have clear terms of service and easy ways for users to report problems.
The emphasis throughout is on having sensible, proportionate processes — not on achieving the impossible standard of a perfectly clean platform overnight.
The role of Ofcom
The Act is enforced by Ofcom, the UK's independent communications regulator. Ofcom's role is central, and it works in several ways:
- Codes of practice and guidance. Ofcom publishes detailed codes setting out how services can comply. Following them is a recognised route to meeting the duties.
- Information powers. Ofcom can require services to provide information about how they operate and manage risk.
- Enforcement. For serious breaches, Ofcom has significant powers, including the ability to impose substantial fines.
Because Ofcom's codes and guidance define what compliance actually looks like in detail, they — together with GOV.UK — are the authoritative sources to check. This article points you to the framework; Ofcom provides the specifics.
What businesses should do
For most organisations, a sensible, proportionate response looks like this:
- Check whether you are in scope. Audit any feature that lets users post, upload, interact or message.
- Understand your risks. If you are covered, work through the relevant risk assessment for your type and size of service.
- Review your systems. Look at how you handle illegal content, how users report problems, and what protections apply if children may access your service.
- Keep clear records and terms. Document your approach and make your terms and reporting routes easy to find.
This sits alongside other UK digital rules a business may already deal with, such as cookie consent under PECR and the broader DMCC Act governing digital markets, consumers and competition. Treating compliance as a connected discipline, rather than a series of one-off scrambles, is part of turning compliance into a competitive advantage. It also helps to understand the wider direction of platform regulation, including how AI assistants and tools used in business increasingly intersect with content and safety expectations.
Industry commentators have published practical overviews aimed at smaller organisations trying to make sense of the law. London consultancy CM Beyer, for instance, offers a plain-English explainer on understanding your obligations under the Online Safety Act — a helpful orientation, though it is not a substitute for Ofcom's official guidance.
The bottom line
The UK Online Safety Act places real duties on services that host user content or let people interact, and its reach extends well beyond the big platforms to forums, comment sections and many ordinary business websites. The core obligations are about assessing risk, managing illegal content, and protecting children — all in proportion to a service's size and risk profile. Ofcom is the regulator, setting the codes and wielding the enforcement powers. Because the detail depends on your specific service, treat this as a starting map and rely on Ofcom and GOV.UK for the authoritative route — and on professional advice for decisions about your own duties.