We have provided below a high-level timeline for the key implementation milestones of the Online Safety Act 2023 along with a detailed table, available at the bottom of the page as a PDF, which lists the status and timescales (to the best of our knowledge) for each individual component of the regime.

This page was last updated on 20 February 2025.

Current status

• December 2024: Ofcom published its illegal harms statement including its risk assessment guidance, record keeping and review guidance, illegal content judgements guidance and enforcement guidance. The illegal harms codes of practice for user-to-user and search services were laid in Parliament for approval. The risk assessment duties came into force, with services having three months to complete their first risk assessment.
  
• January 2025: Ofcom published its age assurance and children’s access statement, including the child access assessment guidance and the age assurance guidance for part 3 and part 5 providers. The children’s access assessment duties came into force, with services having three months to complete their assessment.

Upcoming milestones

• 25 February 2025: consultation on guidance for protection of women and girls
  
• By 16 March 2025: illegal harms duties in force. All providers must complete an illegal harms risk assessment and from this date (when the illegal harms codes are expected to be in force) must take measures to ensure compliance with them.
  
• By 16 April 2025: all providers must have completed a children’s access assessment (under-18s).
  
• April 2025: Ofcom is due to publish its statement on protection of children, including the final guidance for children’s risk assessments and its codes of practice for user-to-user services and search.
  
• April 2025: Ofcom is due to launch a further consultation on the next iteration of the illegal harms codes of practice
  
• By July 2025: the child safety duties are expected to be in force. Services likely to be accessed by children must have completed a “suitable and sufficient” children’s risk assessment and implement the safety measures required (including age assurance).
  
• Spring 2025: DSIT is due to lay its regulations for the OSA super-complaints designation regime.
  
• Spring 2025: DSIT is due to publish its final Statement of Strategic Priorities for Online Safety.
  
• Summer 2025: Ofcom is due to publish its register of categorised services (subject to the regulations receiving Parliamentary approval)
  
• Summer 2025: Ofcom is due to publish its report on researcher access to data; DSIT is also expected to launch a consultation on regulations required to bring the researcher access regime provisions, included in Data (Use and Access) Bill, into force.
  
• Summer/winter 2025: Ofcom is due to issues its draft and final transparency notices issued to categorised services.
  
• Early 2026: Ofcom is expected to launch its consultations on the various additional duties on categorised services.
  
• TBC 2026: revised illegal harms codes of practice.

Further detail is provided in the latest version of Ofcom’s roadmap and in our detailed table, attached below.