11 December 2023

Online Safety Act – In-Scope Services

On 26 October, the Online Safety Act (the ‘Act’) received Royal Assent, passing into law. We provide a full overview of the Act here.

Services under the scope of the Act will need to comply. This broadly applies to companies that operate online services. These are categorised into:

  • user-to-user services such as social media, photo and video-sharing services, chat and instant messaging platforms, online and mobile gaming;
  • search services, which allow users to search websites or databases; and
  • pornography sites, which publish or display certain pornographic content.

In this article, we focus on user-to-user services and search services. It is important to note that the rules differ depending on the type of online service being regulated and the risks that they are deemed to pose to users, particularly users who are children. Below, we set out the services caught by the scope of the Act.

Jurisdictional Scope

To fall within the scope of the Act in the first instance, the service must be ‘regulated’ (i.e., have links with the UK and not be exempt). Accordingly, the Act has wide territorial reach and is not restricted to purely UK-based companies and services.

To have ‘links with the UK’, the service must meet any of the following criteria:

  1. the service hosts a significant number of UK users;
  2. UK users constitute the sole or primary target market for the service; or
  3. the service is capable of use within the UK, with reasonable grounds to believe the user-generated content on the service provides a material risk of significant harm to individuals within the UK.

In regard to 1. (a ‘significant number of UK users’) above, the Act does not specify a defined number of users that constitutes ‘significant’, but OFCOM has indicated that the onus will fall on companies to be able to explain and justify cases where they have not taken their UK user base to be significant.

In regard to 3. (‘reasonable grounds to believe there is a material risk of significant harm’), it should be noted that this is designed to capture services that would not (but should) otherwise be caught by 1. or 2. above. Accordingly, this is expected to have wide application.

User-to-user services

These are internet services through which user-generated content may be encountered by other users through the platform, such as websites or applications (for example, Instagram or Wikipedia).

This can be broken down further as follows:

  • ‘Content’ captures anything communicable by means of an internet service. This can include images, audio content, videos and so on. This could even extend to, for example, user-generated music playlists on an online service.
  • ‘Users’ are also undefined; the Act defines those who are ‘not’ users as opposed to those who are. The intention here is to capture as many individuals as possible. Exemptions from ‘Users’ generally only apply when acting in the course of the service provider’s business. There is debate here regarding third parties who act for service providers. Online services should take care to ensure they fully understand the scope of this exemption.
  • ‘Encountered’ includes any way a user experiences content, including hearing, seeing or reading. The content only needs to be capable of being encountered by a user; it does not have to be encountered in actuality. This is an extremely wide scope. Further to this, the length of time that content is available is irrelevant.

The key takeaway here is that the definition of user-to-user services is broad, and many services and functionalities will be caught.

Search services

These are any ‘internet service that is or includes a search engine’ (for example Amazon or Yahoo). The definition is broad, but less so than user-to-user services.

  • ‘Search’ can take place by a number of methods, such as by input of speech, by using tags or metadata to filter content, and by text. Accordingly, the definition does not only capture large search engines, but could capture any service offering a search functionality e.g., a way of filtering through tags on a site, listing sites and so on.
  • A ‘search engine’ will be taken to be separate from a service if it is controlled by an external person or body that does not control other parts of the overall service.


There are some limited exemptions to the scope of the Act, which are defined very tightly. It should be noted that the exemptions are not expected to be universally applicable to all circumstances; services should take care before assuming they can take advantage of these. Some examples of exemptions from the scope of the Act include:

  • Services provided by public bodies or educational providers who are using the service to exercise their public or educational functions;
  • Services comprising internal business resources or tools to a closed group of individuals connected to the business;
  • User-to-user services that are highly limited in their functionalities, such as purely being able to post comments generated by the provider itself (note that this is a narrow exemption and should be considered carefully where it is being relied on); and
  • User-to-user services where the only user-generated content is emails, SMS messages, MMS messages or one-to-one live aural communications.


The crucial takeaway from this article is that the scope of the Act is broad, with OFCOM estimating that it will encompass more than 100,000 online service providers. As described above, this will apply to organisations based in and outside the UK; a service merely needs to have links with the UK to be caught.

Those operating online services should take care to digest the Act fully and be aware that it is highly likely to be applicable to them. For example, a chat function through an online board game application could be caught by the scope, despite perhaps not being expected to be. Services may need to adjust how they function if they are caught by the scope of the Act to ensure full compliance.

It will be important to remain aware of OFCOM’s ongoing actions in this area; consultations and Codes of Practice will be released in the coming months that will further affect the function of the Act. Please see our timeline, which sets out how OFCOM expect the Act’s regime to develop.

If you would like any further information or have queries on the content of this article, please contact David Varney or another member of our Technology team.

This article was written by Victoria McCarron.
