As Ofcom’s Illegal Harms Codes come into force, platforms are required to implement robust measures to protect users from CSAM and illegal content.
Today (17th March 2025) sees another crucial milestone for online safety, as platforms are now required to take the necessary safety measures to protect users from illegal content and activity, as set out in Ofcom’s Illegal Harms Codes.
That means that providers will need to take the safety measures set out in the Illegal Harms Codes or use other effective measures to protect users from illegal content and activity, including Child Sexual Abuse Material (CSAM).
We expect to see a significant increase in the range of providers hash matching for known CSAM. For example, all file-storage and file-sharing services will have to undertake hash matching, regardless of size. Ofcom will also assess the measures being taken to stop the spread of CSAM, by file-sharing and file-storage providers, through their new enforcement programme. These are welcome steps and will help to ensure the UK becomes the safest place to be a child online.
The need for these new measures is underscored by the escalating concerns over the widespread presence of CSAM online.
In 2024, the Internet Watch Foundation (IWF) uncovered over 290,000 web pages containing CSAM—representing a 5% increase from the previous year. These pages contain hundreds, if not thousands, of indecent images of children. This is the most child sexual abuse webpages the IWF has ever discovered in its 29-year history and is a five per cent increase on the 275,650 webpages identified in 2023.
By holding tech companies accountable, the Online Safety Act places responsibility on platforms to minimise harm and deliver more positive outcomes for children. It is imperative that this new legislation delivers ambitious and effective regulation to ensure services undertake necessary steps to combat child sexual abuse material online.
As implementation enters this next phase, the IWF stands ready to work alongside Ofcom as it enforces the Online Safety Act and to help companies to do everything they can to comply with the new duties.
Background to Ofcom's Illegal Harms Codes
In December 2024, Ofcom, the UK's regulator for online safety, published its Statement on Illegal Harms, which outlines the “Illegal Harms Codes” – a framework for service providers to comply with the Online Safety Act (OSA). These Codes provide clear guidance on how services should assess the risks of illegal content or activities and take appropriate actions to manage and mitigate these risks.
Commencing 17 March 2025, providers of regulated online services will be required to implement effective safety measures to address the risk of illegal harms on their platforms. This will include a focus on detecting and removing illegal content, with an emphasis on safeguarding users from potential harm.
A key component of the Act is its mandate that services proactively detect and remove known CSAM. The measures to tackle CSAM include deploying hash-matching technology to detect and remove child sexual abuse material, as well as detecting and removing content matching listed CSAM URLs. Providers required to use hash-matching technology to detect and remove CSAM are:
- Large user-to-user (U2U) services which are at medium or high risk of image-based CSAM;
- U2U services which are at high risk of image-based CSAM, and have more than 700,000 monthly active UK users;
- Or U2U services which are at high risk of image-based CSAM and are file-storage and file-sharing services.
This represents a crucial advancement in safeguarding children from online sexual abuse.
Beyond the introduction of these new rules, the Online Safety Act also introduces significant penalties for non-compliance. Providers are required, by law, to respond to any statutory request for information by Ofcom. Where the response provided is not satisfactory, Ofcom will open investigations into the provider.
Providers who fail to meet the safety standards outlined in the Illegal Harms Codes could face fines of up to 10% of their turnover or £18 million, whichever is higher. Ofcom is prepared to take enforcement action against those failing to comply with these crucial regulations.
The next major milestone is 31 March 2025, when certain large services, as well as small but risky sites, will be required to publish risk assessments. These assessments must detail how users could potentially encounter harm on the platform and outline measures to mitigate those risks. The publication of these risk assessments is essential for ensuring transparency and accountability in how providers address safety concerns. Service providers must ensure they have robust risk assessments in place to meet the requirements and safeguard their users.
As the Online Safety Act comes into full force, these new regulations will reshape how online services manage safety and responsibility. The enforcement of the Illegal Harms Code represents a critical move toward creating safer, more secure online spaces for everyone and will help to ensure the UK becomes the safest place to be a child online.
