Ofcom issue first enforcement action under the Online Safety Act 2023

Ofcom has issued the first fine under the Online Safety Act 2023, against internet forum 4chan. Read our Public and Regulatory Team’s update on this development and what this Act might mean for you. 

In October 2025, Ofcom issued a £20,000 fine against 4chan. 4chan is an internet forum website not based in the UK and is the first online service provider to be on the end of regulatory action by Ofcom for a failure to comply with the rules set out in the Online Safety Act 2023 (OSA). In the Government’s words, the aim of the OSA is to make the UK “the safest place in the world to be online”. 

As readers will know, the OSA is a landmark piece of legislation; it introduces a swathe of new duties to protect internet users (particularly children) and is incredibly broad in scope of application. Organisations providing online services, including user to user community forums, now have duties for the safety of users on  their platforms.  

This enforcement action taken by Ofcom (the independent regulator of online safety) is significant as it is the first of its kind, showing that Ofcom are willing to use the broad range of powers granted to it under the legislation to enforce compliance. It also demonstrates the extraterritorial reach of the OSA. Even offshore service providers may be caught within the scope of this OSA if they have a sufficient “link to the UK”.

Who does the OSA apply to?

The OSA applies to a wide range of online services, including:

1. User-to-user services: Platforms where users can upload content that can be viewed or interacted with by other users. For example online forums, video-sharing platforms and online instant messaging services.
2. Search services: Services that include a search engine, collating a number of webpages.

Many organisations provide online forums or platforms for exchange of content on their websites directly between users. These services are likely to be caught and subject to the duties under the OSA, even if they are only small online communities. The OSA applies more broadly than just to large technology and social media companies, including to many organisations who might not expect to be in scope.

Duties under the OSA

There are a number of key duties under the OSA. Some of the most important are:

1. The requirement to verify the age of users in relation to age-inappropriate content;
2. To complete an illegal content risk assessment of the risk of harm arising from each type of illegal content (for instance, terrorism, child sexual exploitation and abuse and harassment) and implement measures against the risks identified. There is a recommended methodology to these risk assessments to ensure they are “suitable and sufficient” as required under the Act; it requires a working understanding of what ‘illegal content’ is and what offences must be considered. This risk assessment must be done within three months of starting a new service that falls within the scope of the OSA, and should be reviewed at least every 12 months.
3. To complete an access assessment on whether it is possible for children to access the service and if so the likelihood that this will be a significant number of children. If likely to be accessed, a “children’s risk assessment” must be completed, with measures to protect against risk implemented. There is again a recommended approach to this risk assessment to ensure it is of the required standard. The deadline for this was 24 July 2025, or three months after concluding the access assessment for a new in scope service.
4. Preventing children from accessing harmful or age-inappropriate content (including pornography, serious violence, bullying, self-harm, and eating disorders);
5. Creating clear and accessible procedures for reporting a complaint for users.

Some larger user-to-user and search services are subject to enhanced and cumulative obligations under the OSA. 

Ofcom’s role

Ofcom is tasked with overseeing compliance with the OSA. It has various enforcement powers under the OSA, including the power to (among other things) issue information notices, conduct investigations, and impose financial penalties. In serious cases, Ofcom may apply to the courts to block access to non-compliant services. The 4chan case may demonstrate a proactive approach from Ofcom to enforcing these rules. 

Fines can reach levels of up to £18 million or 10% of an organisation’s qualifying worldwide revenue. To appreciate the gravity of these powers, fines under the UK GDPR, issued by the Information Commissioner’s Office, are limited to the greater of £17.5 million or 4% of an undertaking’s total worldwide annual turnover of the preceding financial year.

Ofcom also has to develop guidance and codes of practice to explain how online platforms can meet the requirements under the Act. 

Impact on those directly affected

Organisations will need to understand whether they are in scope of the Online Safety Act and, if so, what duties they have and how to comply with them. Risk assessments will need to carried out at the appropriate times and to the correct standard, and responsible individuals should be nominated to monitor compliance and draft internal policies. 

Ofcom’s guidance is not only a regulatory tool but also a valuable resource for charities and civil society organisations seeking to enhance their digital safeguarding frameworks. By aligning their online services with Ofcom’s standards, these organisations can proactively protect individuals, especially children and vulnerable users, from online harm. Moreover, a clear and demonstrable commitment to compliance with the Act could serve as a strategic asset in funding and grant applications. Funders increasingly prioritise digital safety and inclusion, and organisations that show they are ahead of the curve in implementing robust online safety measures may be more competitive in securing financial support. This alignment with national safety standards also reinforces public trust and institutional credibility, further amplifying the impact of their work.

If you would like further advice on how the OSA might impact your organisation, please contact Melanie Carter, Partner and Head of Public & Regulatory.