UK Online Safety Act: Implications For Online Harm

By Becky Stacey | 3 June 2026

BISI is proud to present this piece in collaboration with CyberWomen Groups CIC. Through this partnership, we have combined our expertise in political risk with their knowledge of cyber security to deliver a fresh perspective on emerging threats.

CyberWomen Groups CIC is a student-led initiative dedicated to diversifying STEM by supporting and connecting university students interested in or studying cybersecurity, regardless of gender identity.


Summary

  • The Online Safety Act 2023 introduces legal duties on online platforms to prevent and remove harmful and illegal content, with enforcement led by Ofcom.

  • A phased rollout and reliance on platform-led implementation create the risk of inconsistent compliance and uneven levels of user protection.

  • While enforcement is increasing, threat actors are likely to adapt quickly, limiting the Act’s impact on reducing online harm in the near term.


Context

The Online Safety Act 2023 sets out a new regulatory framework for online platforms operating in the United Kingdom (UK), making them responsible for identifying, reducing, and removing harmful or illegal content. It covers social media sites, search engines, and any other services where users interact with each other, no matter where the company itself is based. Ofcom is in charge of enforcing the law, which includes issuing guidance, checking whether platforms are following the rules, and taking action when they don’t.

The Act was brought in because of growing concerns about online harm; protecting children is one of its biggest priorities. Platforms now have to introduce age-assurance measures and restrict access to material that could be harmful to younger users. They’re also expected to look closely at how their systems work, including whether their algorithms are pushing harmful content to people.

The legislation became law on 26 October 2023, and is being rolled out in stages as part of Ofcom’s regulatory roadmap. The early stages focused on developing guidance and codes of practice. After that came the legal duties requiring platforms to assess the risks of their services and take steps to reduce illegal content.

In the first half of 2026, the rollout is still underway. More platforms have started bringing in age-assurance tools and making changes to how their systems operate to meet the new requirements. At the same time, Ofcom has stepped up enforcement and provided more detail on what’s expected from services used by children, including expectations around age limits, grooming risks and the safety of algorithmic feeds. This phased approach means that, while progress is being made, compliance is still developing at different speeds across platforms.


Implications

The Act reflects growing political pressure to address online harm and shifts responsibility towards platforms. As it is implemented, public expectations of safer online environments will increase. However, improvements may not be immediate, particularly during the transition period. This creates a risk of a gap between expectations and outcomes, which could lead to parents or other responsible parties reducing active oversight of children’s online activity.

The operational burden on both platforms and Ofcom is large. Platforms must build or expand content-moderation teams, develop automated tools, conduct risk assessments and introduce age-assurance systems. Recently, platforms have also had to respond to Ofcom’s requests for information about recommender systems and algorithmic safety. Ofcom, meanwhile, is responsible for supervising thousands of services of varying size and risk. The scale of this oversight makes delays inevitable and forces regulators to prioritise higher-risk platforms. As a result, enforcement is uneven, with smaller services receiving less scrutiny, allowing harmful content to remain accessible.

The Act reshapes, rather than reduces, online harm. Increased moderation influences threat actor behaviour; criminals will move to less regulated platforms or exploit gaps in enforcement. As a result, risks associated with fraud or online exploitation persist. At the same time, the requirement for age assurance has led to a surge in platforms collecting IDs or biometric data. These new systems are high-value targets for cybercriminals, especially with limited assurance that these platforms have strong security controls.

The Act has birthed a growing safety-tech sector in the UK; SMEs outsource compliance to third-party providers, which leads to increasing costs and a barrier to entry for new startups. Many platforms are also choosing to geo-block the UK market rather than bear the costs of compliance. This leads to a less diverse digital landscape, as only the wealthiest platforms can afford to operate within the UK.


Forecast

  • Short-term (Now - 3 months)

    • It is likely that enforcement will continue to increase as Ofcom prioritises higher-risk services. Compliance gaps will persist across platforms, ensuring opportunities for threat actors and ongoing fraud and exploitation.

  • Medium-term (3 - 12 months)

    • As more platforms adopt age-assurance systems, more valuable sensitive data is held by private companies. It is likely that these systems will face cyber threats, with criminal groups targeting verification systems with weaker security controls.

  • Long-term (>1 year)

    • It is a realistic possibility that the UK digital environment becomes uneven, with well-resourced platforms achieving compliance while smaller services lag behind or exit the market.
