In the first 12 months of Online Safety Act enforcement, Ofcom has opened investigations into 30 companies covering 96 sites and apps, issued 16 fines against 6 providers totalling nearly £4 million, closed 4 cases after the services in question geoblocked UK users rather than comply, and launched a monitoring and impact programme targeting the six biggest social media platforms used by children. By any reasonable measure this is active enforcement. By another measure, Ofcom has collected just £55,000 of the roughly £3 million in fines it has imposed, and most of the Act's most consequential duties, including those relating to algorithmic content moderation and AI-generated content, have not yet been formally tested.
This article explains what Ofcom is actually doing with its powers under the Online Safety Act 2023, which platforms have been targeted, where the enforcement gaps sit, and why the first jurisdictional challenge to the Act, brought by 4chan in a US federal court, matters beyond its specific facts. The underlying question is whether a national regulator can meaningfully enforce content duties against services operated from another jurisdiction. In 2026, that question is being answered case by case.
What Ofcom is actually enforcing
The Online Safety Act 2023 received Royal Assent on 26 October 2023 and creates a duty of care framework for providers of user-to-user services, search services, and online pornography services with UK users. The Act's core obligations came into force in phases from March 2025 onwards. The illegal content duties, which require providers to carry out and retain written risk assessments of illegal content appearing on their services and to implement proportionate measures to reduce those risks, became enforceable on 17 March 2025. The child safety duties, which include highly effective age assurance on services that allow or publish pornographic content, came into force later in 2025.
Ofcom, as the designated regulator under the Act, can impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher. It can also require internet service providers to block a non-compliant service, apply for business disruption orders in the courts, and hold senior managers personally liable for specified compliance failures. The ceiling on penalties is therefore substantial, but the enforcement process is deliberate. Ofcom must follow a procedure that includes a provisional notice of contravention, a period for the provider to make representations, a confirmation decision, and a statutory minimum of 28 days to pay any penalty imposed.
The fines issued so far and what they were for
Between November 2025 and April 2026, Ofcom issued a series of escalating fines under the Act. The first confirmation decision was published on 18 November 2025, confirming a £20,000 fine against 4chan for failing to provide an illegal content risk assessment when requested. The fine was deliberately modest in amount but significant in precedent: it established that Ofcom would enforce the Act against services with no UK physical presence where those services have a significant UK user base.
The scale increased during winter 2025-26. AVS Group, a Belize-registered operator of 18 adult websites, was fined £1 million for failing to implement highly effective age assurance, plus £50,000 for failing to respond to Ofcom's information requests, in December 2025. Itai Tech Ltd received a £50,000 penalty reduced on the basis of cooperation, after the company geoblocked UK users on receipt of the investigation. Kick Online Entertainment SA, the operator of the Kick.com streaming platform, was fined £800,000 in February 2026 for age assurance failures, plus £30,000 for failing to respond to information requests, and a daily penalty of £200 per day until it provided the required information. 8579 LLC, a further adult site operator, received the largest fine to date: £1.35 million for a section 12 contravention, plus £50,000 for a section 102(8) breach, in February 2026.
The 4chan enforcement intensified on 19 March 2026, when Ofcom issued a total of £520,000 in new fines against the image board: £450,000 for failure to implement age assurance, £50,000 for failure to complete an illegal content risk assessment, and £20,000 for failure to set out in its terms of service how users are protected from illegal content. Daily penalties of £500, £200, and £100 respectively begin on 2 April 2026 and run until 1 June 2026 if the underlying failures remain unresolved. Across all enforcement, Suzanne Cater, Ofcom's Director of Enforcement, has made clear that the regulator views age assurance and risk assessments as 'cornerstones' of the Act.
How Online Safety Act enforcement actually works
Online Safety Act enforcement runs through Ofcom, the UK communications regulator. Ofcom can open investigations into providers of user-to-user, search, and pornography services with UK users, issue information requests, impose fines of up to £18 million or 10% of worldwide revenue, block non-compliant services via UK ISPs, and hold senior managers personally liable in specified cases.
That summary is deliberately flat because enforcement pattern matters more than enforcement ceiling. The ceiling has not yet been tested, nor has a business disruption order, nor has personal senior manager liability. What Ofcom has demonstrated in the first 12 months is a practical enforcement model: start with information requests; fine failures to respond as a discrete offence; escalate to substantive contraventions; impose daily penalties to accelerate compliance; and pursue recovery through the courts where necessary.
The AI platform investigations
Two current investigations indicate how Ofcom is applying the Online Safety Act to generative AI products. On 12 January 2026, Ofcom opened a formal investigation into X Internet Unlimited Company following reports that the Grok AI chatbot, embedded in the X platform, had been used to generate non-consensual intimate images and material that may constitute child sexual abuse material. The investigation focuses on compliance with sections 9 and 10 of the Act, which require a suitable and sufficient illegal content risk assessment and an updated assessment before significant service changes, and section 11, which requires proportionate measures to prevent users encountering priority illegal content.
On 15 January 2026, Ofcom opened a separate investigation into Novi Ltd, operator of the Joi.com generative AI service, for potential failures under sections 12 (age assurance) and 36 (children's access assessments). The investigation is part of Ofcom's broader enforcement programme on age assurance across the adult content sector, but it is also the first action under the Act specifically concerning a generative AI service's compliance with age and risk duties.
On 21 April 2026, Ofcom opened a formal investigation into Telegram focused on whether the platform's existing CSAM safeguards meet the Act's illegal content duties. Ofcom's rationale is particularly significant. In its March 2026 annual review the regulator had acknowledged that Telegram, alongside X, Discord and Reddit, had introduced age controls in response to the Act. Opening a formal investigation despite that improvement signals that Ofcom will pursue enforcement where the safeguards themselves appear inadequate in practice, not only where no safeguards are in place. The NSPCC and the Internet Watch Foundation both publicly welcomed the investigation.
The jurisdictional challenge and what it tests
The Act applies to any user-to-user or search service with 'links to the United Kingdom', defined in section 4 of the Act. Ofcom concluded in its 4chan confirmation decision that the threshold was met by 4chan having approximately 7% of its users based in the UK, making UK users its second-largest national user base. That reading of the statute is now being tested in a US court.
On 27 August 2025, 4chan filed proceedings in the US District Court for the District of Columbia seeking a declaration that Ofcom's enforcement actions are inconsistent with the US Constitution, and an injunction restraining Ofcom from enforcing the Act against a US-based service with no UK assets. 4chan's counsel, Preston Byrne, has argued publicly that the platform's conduct is protected by the First Amendment in the only jurisdiction in which it operates. Ofcom's confirmation decision contains an extended reply to the jurisdictional challenge, running to more than a page, which reasserts the regulator's position that the Act applies extraterritorially to services with a significant UK user base.
The question is not purely academic. The UK Act contains, as yet untested, mechanisms enabling Ofcom to curtail or prevent the operation in the UK of non-compliant services based outside the UK, most obviously by requiring ISPs to block access. The practical and political costs of invoking those mechanisms against a US service are significant and are likely to be tested only if the more gradual route, fines plus interest plus court-led debt recovery, fails to achieve compliance. For now, 4chan remains accessible in the UK and has declined to pay.
Where the enforcement picture is weakest
The combined data point behind Ofcom's first year is worth stating clearly. Of roughly £3 million in fines imposed by March 2026, approximately £55,000 had been paid. One firm had paid and geoblocked the UK. Two penalties were interim and still subject to the broader investigations. Two more were within the 28-day payment window. One firm had not paid but had come into compliance. That picture is consistent with a regulator in early enforcement rather than with a fully mature regime.
Three specific gaps are visible in the pattern. First, the enforcement so far has clustered in adult content, file-sharing, and image-board cases, which are politically easier targets than major platforms. Ofcom's monitoring and impact programme, reviewing child safety on Facebook, YouTube, TikTok, Roblox, Snapchat, and Instagram, is ongoing, but no mainstream social platform has yet faced a confirmation decision under the Act. Second, the Act's obligations around algorithmic recommender systems, arguably the most consequential provisions for mainstream social media, have not yet been subject to a formal enforcement test. Third, the geoblocking exit route, used by Kraken files, Nippy drive, Nippy share, and Nippy space to close their cases, removes UK users' exposure but does nothing to change global operator conduct.
There is also a political dimension worth naming. US Vice President JD Vance told European leaders in 2025 that the US administration was 'growing tired' of foreign countries attempting to regulate US tech businesses. Transatlantic regulatory divergence is not purely a technical matter: it sits inside a broader US-UK trade and political relationship. How that plays out in the 4chan proceedings, and in any future enforcement against a major US platform, will shape the Act's real reach through 2026 and 2027.
Fun fact: The Online Safety Act 2023 runs to 245 pages of primary legislation and is supplemented by more than 40 codes of practice and pieces of guidance issued by Ofcom, the longest of which runs to over 400 pages on its own. The full statutory framework, in its printed form, is approximately three times the length of the 1998 Human Rights Act and is widely described by practitioners as the most complex content regulation instrument ever enacted in the United Kingdom.
Conclusion
The first 12 months of Online Safety Act enforcement have produced a regulator that is active, methodical, and willing to test the Act against overseas providers, but that is also constrained by the slow procedural architecture the Act itself built in. Ofcom has demonstrated the model: open an investigation, issue information requests, fine the failure to respond, escalate to substantive breaches, impose daily penalties to drive compliance. What the next 12 months will test is whether the model holds against larger targets. The X/Grok investigation opened in January 2026, the Telegram investigation opened on 21 April 2026, the monitoring programme covering the six largest children-used platforms, and the pending 4chan litigation in Washington are the four strands to watch. If any one of them produces either a substantive enforcement decision or a court ruling on extraterritorial reach, the trajectory of Online Safety Act enforcement through 2027 will be shaped accordingly. If none of them does, the Act will continue to deter effectively at the margins while leaving the core platform question open.
the UK regulatory landscape
AI platform liability
Related reading: BBC Charter Review and the licence fee explained, What the EU AI Act means for UK businesses in 2026.
Continue Reading
All articles →Newsletter
Stay updated on Digital News