The OSA received Royal Assent on 26 October 2023 and introduced a number of duties for online platforms to tackle illegal and harmful content, as well as to safeguard UK users (especially children).
Since OSA was introduced, a great deal of work has been done to implement these protections, with Ofcom leading the process. The OSA is being brought into force in phases, with the different duties becoming enforceable at different stages between late 2024 and 2026. Further information on the duties and enforcement powers introduced under the OSA is available here.
Under the OSA, Ofcom are also required to prepare Codes of Practice that set out the measures which online platforms should take to comply with these duties. Currently, two Codes of Practice are in force: the Illegal Content Codes and the Protection of Children Codes.
The Illegal Content Codes came into force on 17 March 2025. They set out the requirements and guidance for providers of user-to-user services – that is, platforms where users share or interact with content created by others – to help them meet several duties under the OSA. These include:
- the illegal content safety duties set out in section 10(2) to (9) of the OSA;
- the duty about content reporting set out in section 20 of the OSA; and
- the duties about complaints procedures set out in section 21 of the OSA.
This update provides examples of the implementation and early enforcement action of the OSA since March 2025 following the introduction of the Illegal Content Codes.
Ofcom’s Investigations and Enforcement Action
Since the spring, Ofcom has launched five enforcement programmes and opened 21 investigations into the providers of 69 sites and apps, underscoring its firm line in relation to compliance. The following three examples have revealed key findings and lessons for online platforms serving users in the UK.
Hash Matching technology – early engagement brings about positive change
Ofcom commenced investigations into file-sharing services which were subsequently found to have serious compliance gaps in preventing the distribution of child sexual abuse material ("CSAM").
Both services have now committed to deploying automated “perceptual hash-matching technology”. This is a technique which generates a compact digital “fingerprint” of an image or audio file on an online platform based on its visual or auditory features, so that similar content can be identified even if it has been resized, compressed, or slightly altered.
Implementing hash matching technology is one of the core measures required under the Illegal Content Codes, and Ofcom has subsequently closed these investigations.
Responding to geo-blocking
In response to Ofcom’s enforcement programmes, Ofcom has noted that several online platforms had started “geo-blocking” users in the UK. Geo-blocking is a technique that restricts access to internet content based on a user’s location, thereby allowing the online platform to prevent its services falling within the scope of the OSA.
Ofcom acknowledges that geo-blocking can indirectly reduce the risk of UK users being exposed to illegal or harmful content. However, Ofcom has also made it clear that geo-blocking must be effective and consistently maintained.
For example, an online suicide forum – the first target of Ofcom’s OSA enforcement – implemented a UK deblock shortly after proceedings commenced against it. However, Ofcom later discovered the platform was displaying messaging encouraging users to circumvent the block. Ofcom has since required that the messaging be removed from the site’s landing page, and the forum remains on Ofcom’s watchlist.
Ofcom is also continuing to closely monitor other platforms that implement geo-blocks.
4chan - a precedent for applying the OSA to global platforms?
4chan has become the focal point of one of Ofcom’s most high-profile enforcement actions to date under the OSA.
The US-based anonymous image board platform, often criticised for its role in hosting graphic content, hate speech, harassment campaigns and extremist ideologies, has been fined £20,000 and issued with daily penalties of £100 for breaching its duties under the OSA.
In particular, it failed to provide an illegal harms risk assessment and also failed to comply with statutory information requests. Ofcom said that 4chan had until 13 November 2025 to pay the fine.
4chan has refused to pay and instead filed a lawsuit against Ofcom in a Washington DC federal court. It argues that Ofcom’s actions violate US constitutional free speech protections and exceed the UK regulator’s jurisdiction. The platform seeks a permanent injunction prohibiting Ofcom from enforcing the OSA in the US, characterising the enforcement efforts as an “illegal campaign of harassment” against US businesses with no UK establishment.
Ofcom maintains that the OSA applies extraterritorially to any online service that:
- provides services to a significant number of users in the UK;
- targets the UK market; or
- poses a material risk or significant harm to UK users.
4chan, which operates out of Delaware, falls squarely within this scope according to Ofcom, because of its reach and impact on UK audiences.
This case highlights the tension and difficulty of enforcing the OSA against global online platforms. The outcome of this case could set a precedent for the enforceability of the OSA against offshore services, a development which will be closely watched across legal, regulatory and tech circles.
Comment
The early enforcement activity under the OSA demonstrates Ofcom’s determination to apply the regime robustly, even against international platforms. The 4chan litigation underscores a key challenge of enforcement, being the practical limits of jurisdictional reach and the difficulty of enforcing UK standards against services without UK establishment.
For small to medium-sized enterprises operating online platforms, the implications of the OSA should be carefully considered. While the OSA primarily targets large, high-risk services, the compliance duties apply broadly.
Businesses without extensive compliance resources may struggle to interpret and implement Ofcom’s complex codes of practice, especially around content moderation systems, data reporting, and child safety controls. While larger platforms can absorb compliance costs and defend regulatory action, smaller operators may choose to withdraw UK access entirely through geo-blocking or another restrictive service design.
How To Get In Contact
If you require assistance with any aspect of data protection, or have questions about your legal obligations, please contact our Data Protection and Privacy team on +44 204 600 9907 or email info@culbertellis.com.
