Ofcom's enforcement of the OSA: some initial reflections
In addition to our explainer on Ofcom's approach to OSA enforcement, we provide below some initial reflections on OSA enforcement to date along with a tracker (also available as a PDF at the bottom of this page), which we will keep updated, detailing individual open and closed cases.
Sufficient time has not yet elapsed for Ofcom to use the full sweep of its powers, and the focus of investigations so far may - of necessity - have been on the procedural stages of the process. While there have been concerns about Ofcom’s approach to enforcement, it is clear that there is a steady workflow going through the enforcement team, resulting already in a number of fines, as well as instances when companies have chosen to comply with the regime – and motivating compliance is a central element of this process.
1. Don’t Ignore Ofcom
In many of the cases opened by Ofcom, it has used its statutory information-gathering powers. Where services have ignored Ofcom’s requests for information, Ofcom has added that non-compliance to its investigation and found discrete breaches in relation to that non-compliance. So Ofcom’s fine to 4Chan was in respect of its failure to respond to two statutory information requests (lump sum plus daily penalty); it has also fined Kick £30,000 and included a £50k fine related to information requests alongside its recent fine of £1.35m for a porn site provider's failure to implement highly effective age assurance (HEAA). Of course, we have yet to see what Ofcom will do if a service ignores the fines (it does not appear, for example, that 4Chan has yet paid its fine) and we do not know if any other fines have, in fact, been paid; Ofcom has refused to answer Freedom of Information (FOI) requests which have sought to find this out. Under the OSA, it could however seek orders for business disruption measures.
2. Resources
Ofcom is clear that it does not have the resources to tackle all possible breaches; it will have to be selective about which cases it decides to investigate. We can already see a certain pragmatism in Ofcom choosing to close files once a service is no longer available in the UK (and taking action about historic violations) because in those situations “it is no longer an administrative priority to pursue enforcement action”. This then raises questions about what percentage of cases Ofcom can take forward and how it is selecting those cases. While its Enforcement Guidance highlights three factors it takes into account (see our explainer blog here), we can see a couple of themes in its selection so far.
3. Low Hanging Fruit?
Ofcom’s primary focus to date has been on age verification: this is an area where it is relatively easy to determine whether services are compliant (is there appropriate age verification or not?). Similarly, services where it seems the provider has done nothing to comply with the statutory requirements have also been the subject of scrutiny. The question of whether there is a risk assessment or even a response to an information request is a binary question, rather than requiring a more nuanced assessment of whether the risk assessment is good enough (the example of Snap, which is about the quality of the risk assessment, seems to have been about a risk assessment that was very poor). While cases have been opened with regard to the illegal content duties (and some services have taken steps to meet their duties), there are as yet no investigations specifically targeting the children’s risk assessments (though some providers seem not to have carried out a children’s access assessment, a fact which has come to light through their lack of age verification).
4. Does Size Matter?
Many of the investigations have involved smaller services, rather than the major platforms such as Instagram or TikTok. Indeed, Ofcom only opened an investigation into X after the serious violations of women’s and children's rights, which had taken place through the images generated by Grok, became the subject of much media attention in January 2026; this tool had, however, been reported on as far back as May 2025. This has given rise to some concern that Ofcom is not (yet) tackling some of the most impactful sites. On the other hand, this could be said to be the consequence of Ofcom’s “low-hanging fruit” strategy – the larger providers are unlikely to have done nothing to comply, and therefore assessing whether their performance is adequate will take longer. Moreover, some of the sites that Ofcom has tackled are incredibly high harm – such as the suicide forum – though whether this is Ofcom’s choice or the result of political and public pressure is another question.
5. Jurisdiction
Ofcom has been clear that it will enforce rules against service providers that are not in the UK, even if the outcome of this is merely geo-blocking rather than a change to the design or operation of the service. This does lead to the question of how effective such geo-blocks are in protecting users in the UK. Much depends both on how the geo-blocking is implemented - though Ofcom does note that it will monitor to ensure the blocks are effective - and on the behaviour of users (e.g. use of VPNs). Ofcom has noted that it may continue action where the service does not consistently maintain the geo-blocking or if it promotes routes to users to avoid the restrictions. Given the resourcing limitations, we might ask how Ofcom will select the services to keep monitoring, how long Ofcom will keep monitoring them, and how Ofcom will deal with mirror sites (see their investigation into the online suicide forum). There are also some unanswered questions here about what Ofcom will do when measures designed to enforce the rules – such as fines – are ignored. Will Ofcom move to use access blocking powers?
6. Speed
Ofcom does not move fast. On the one hand this is the sign of a regulator seeking to establish the facts before taking action and to respect the principles of administrative justice, both of which are desirable. Moreover, some of the slowness may be a result of Ofcom going through a learning process, especially as regards the Business Disruption Measures; it does not know (yet) the level of evidence that the court will require to issue such orders. Nonetheless, there might be questions about how much latitude Ofcom allows providers before choosing to open investigations. For example, Ofcom has opened an investigation in relation to X/Grok quite swiftly after the undressing problem was in the news in January 2026. But there were news stories raising problems with the feature from May 2025, raising the question of whether Ofcom should have been looking at X’s risk assessment of the feature (or checking that there was one) much earlier.
7. Ofcom’s Powers
There have been some crisis points already which raise questions not just about whether Ofcom will choose to act, but also about the circumstances in which it can act. We can point to the Southport riots (admittedly before the Codes were in force), the concerns around the suicide forum as well as X/Grok and the undressing problem. The OSA is not a regime for dealing with crises but about ensuring that the systems as a whole operate well; in a letter to Select Committee chairs last October, Dame Melanie Dawes characterised its implementation as something that “requires culture change across the tech industry”. The OSA contains no take down powers and the business disruption measures are powers to use in extremis; as Ofcom’s Group Director Oliver Griffiths recently noted, “[t]here are no other mechanisms in the Act to allow Ofcom to impose urgent and directive requirements on service providers”.