
Does My App Need an Online Safety Act Risk Assessment?
Many founders assume the Online Safety Act is only for big social networks. The test is about what your app does, not how large it is, so a small app with the wrong functionality can be firmly in scope.
This guide sets out the test, the narrow exemptions, and what you have to do if your app is regulated.
The Test Is Functionality, Not Size
Your app is a regulated user-to-user service if it lets users encounter content generated, uploaded or shared by other users. That is the trigger, and it does not depend on user numbers.
The Act also covers search services. If your app is mainly a search engine or includes search functionality across multiple sites, that can bring it into scope as well.
You are regulated only if the service has links to the UK. That test is met if you have a significant number of UK users, if the UK is a target market, or if the app can be used in the UK and poses a material risk of harm to UK users.
Functionality That Brings an App Into Scope
The features below let users interact with or see each other's content, so they typically make an app a user-to-user service.
- Direct messaging or group chat between users.
- Comments, replies or discussion threads.
- User profiles that others can view.
- Posting or sharing images, video or audio that other users can see.
- Forums, community feeds or social timelines.
- Reviews or ratings that other users can read.
- Marketplaces where users list items and contact each other.
- Multiplayer games with chat or shared content.
What Is Not in Scope
Schedule 1 of the Act exempts some narrow service types. If your app falls entirely within one of these, it is not regulated as a user-to-user service.
- Email services, where email is the only user content.
- SMS and MMS services.
- One-to-one live voice calls.
- Limited functionality services, where the only user interaction is posting comments, reviews or reactions on content the provider publishes.
- Internal business services, used only by a company's staff.
- Services provided by public bodies and certain education and childcare providers.
The exemptions are narrow. If your app combines provider content with any wider user-to-user functionality, the limited functionality exemption usually does not apply.
If Your App Is in Scope
If your app is a regulated service, the core duties apply from day one. You cannot wait until you are large.
You must complete an illegal content risk assessment under section 9, a children's access assessment under section 35, and operate a complaints procedure under section 21. If children are likely to access the app, the child safety duties also apply.
Scope Checklist
| Question | If yes |
|---|---|
| Can users see content from other users? | Likely a user-to-user service |
| Does the app have links to the UK? | Regulated unless exempt |
| Is the only interaction comments on your own content? | May be exempt under Schedule 1 |
| Could children access the app? | Children's access assessment needed |
| In scope overall? | Do an illegal content risk assessment now |
How Policy Pros Can Help
We help founders work out whether an app is in scope and, where it is, get the assessments and policies in place without slowing the product down. That includes the illegal content risk assessment and the children's access assessment.
We line this up with your IT security policies and information security policies so compliance is joined up. For the full regime, see our Online Safety Act small business guide.
If you want to confirm scope from the source, see Schedule 1 of the Act and Ofcom's compliance guide for services.
Frequently Asked Questions
Does the Online Safety Act apply to my app?
If your app lets users encounter content generated or shared by other users, and it has links to the UK, it is likely a regulated user-to-user service. The test is about functionality, not user numbers, so even a small app can be in scope.
What functionality puts an app in scope?
Direct messaging, comments, user profiles, image or video sharing, forums, reviews other users can read, marketplaces and multiplayer chat all let users interact, so they typically make an app a user-to-user service.
Which apps are exempt from the Online Safety Act?
Schedule 1 exempts narrow types, including email, SMS and MMS, one-to-one voice calls, internal business tools and limited functionality services where the only interaction is comments or reviews on the provider's own content. The exemptions are narrow and easily lost if you add wider features.
Do small apps really have to do a risk assessment?
Yes. There is no general exemption based on size. If your app is a regulated service it must complete an illegal content risk assessment and a children's access assessment, with measures proportionate to your size and risk.
What do I do first if my app is in scope?
Complete an illegal content risk assessment under section 9, a children's access assessment under section 35, and put a complaints procedure in place under section 21. Document each one and review it when the app changes.