

In short, the Act is designed to make the UK a safer place to be online. It does this by making businesses more responsible for preventing illegal and harmful content on their services.
Ofcom is the regulator and has broad powers to enforce compliance. These include risk assessments, codes of practice, and penalties for breaches. And the penalties are tough. Ofcom can issue fines of up to £18 million or 10% of global turnover. Senior managers can even be held criminally liable for a breach.
The strongest protections in the Act are designed for children, who reportedly now account for 1 in 3 internet users. The international NGO, the 5Rights Foundation, says that half of under 18s struggle with addiction to digital devices. Harassment, eating disorders, suicide and cases of online sexual abuse are also on the increase.
These are some of the issues the Act is designed to address. For example, platforms will be required to prevent children from accessing harmful or age-inappropriate content. Parents will also have clearer and more accessible reporting pathways.
The Act also protects adults by ensuring that platforms are more transparent about potentially harmful content they allow. It is also hoped that it will give adults more control over the content they see.
Big Tech might be most affected, but it’s also important to assess the implications for your business. The Act applies to any online service with user-generated content, messaging, or search functionality, regardless of size or sector. It also covers any site hosting pornographic material. In all, it is estimated that over 100,000 online services are likely to be in scope.
Specifically, the new rules cover services where users may encounter content that has been generated by other users. This could be images and videos, but it even extends to messages and comments. The Act calls these ‘user-to-user’ services. The Act also covers any service that allows users to search other websites or databases (search services).
Illegal and ‘harmful’ content covers a wide range of material, but broadly, the Act is so far designed to cover:
Illegal content (terrorism, fraud, hate speech).
Content harmful to children (pornography, bullying, dangerous stunts).
Pornographic content (with mandatory age verification).
Algorithmic risks (where systems might amplify harmful content).
Businesses will need to show they are committed to identifying and removing this type of content on their platforms. You may think that none of the above applies to you. However, if your business provides an online service, like a website or app, then the Act could well apply.
The first step is to figure out whether the Act applies to you. In recognition of small business concerns that the rules could be too burdensome, Ofcom has produced a series of resources.
As a first step, visit Ofcom’s online tool to check whether your business falls within scope of the Act. If you are within scope, then take a look at the important dates for compliance. The Act is coming into effect in stages, and you may already need to take action.
Conduct risk assessments on illegal content and child safety risks
Implement proportionate safety measures (moderation, reporting tools, algorithm management)
Allocate resources for compliance (training, legal advice, technical solutions)
Ofcom provides a series of sources to help navigate compliance.
As the Online Safety Act comes into force and potentially expands in the years ahead, standards can also provide support. At its core, the Act requires businesses to adopt stronger governance, technical controls, and risk management. Standards can make this easier by providing practical frameworks.
There’s currently no single standard relating to the Act. However, there are many standards that can be used together to build online safety for your customers and partners. For example:
BS EN ISO/IEC 27001:2023 – Information Security Management Systems (ISMS)
This standard provides a framework for establishing, implementing, maintaining, and continually improving an ISMS. By adopting ISO/IEC 27001, organisations can systematically manage sensitive information, ensuring its confidentiality, integrity, and availability. This aligns with the Online Safety Act's emphasis on protecting users from illegal and harmful content by ensuring robust information security practices.
BS EN ISO/IEC 27002:2022 – Information Security Controls
This standard offers guidelines for selecting and implementing information security controls. It covers access control, cryptography, physical security, and incident management, which are pertinent to protecting users from harmful online content.
Publishing in October 2025, ISO/IEC 27566-1:2025 introduces a global framework for age assurance systems, offering guidance on verifying or estimating a person's age without necessarily revealing their full identity. This standard is particularly relevant for organisations providing age-restricted goods or services, such as online platforms, retailers, and event venues, by helping them ensure that users meet age requirements while respecting privacy and data protection principles. By adopting ISO/IEC 27566-1, businesses can implement age checks that are both trustworthy and minimally invasive, aligning with the UK's Online Safety Act's objectives to protect children and uphold user rights online.
BS ISO/IEC 27005:2024: Gives guidance on how best to tackle information security risks. Provides information on how to perform information security risk management activities, specifically information security risk assessments and treatments.
BS ISO/IEC 27701:2025: Provides guidance on the protection of privacy, including the management of personal information. The standard also assists in demonstrating compliance with privacy regulations around the world, including the UK’s GDPR.
BS ISO/IEC 27032:2023: Information on implementing security controls required to prepare, prevent, monitor, detect and respond to common internet-related risks, threats and attacks.
BS ISO 31700-1:2023: Establishes high-level requirements for privacy by design to protect privacy throughout the lifecycle of a consumer product. This includes data processed by the consumer.
Together, these standards – and others like them – can help meet Ofcom’s expectations, reduce compliance costs, and demonstrate responsible practice.
Whether the Act already applies to your business, or could in the future, it’s worth getting familiar with the requirements now. Not only will this reduce legal and compliance risks, but it will build trust with users and protect vulnerable audiences. Most importantly, it will help position your business as a responsible player in the digital economy. Standards can help you get there.