Online Safety Act - Small Business Guide
The Online Safety Act 2023 places legal duties on the businesses behind online services, and those duties are already in force. If your service lets users interact, post content or search, you are likely in scope.
There is no general exemption for small businesses. The duties are proportionate to your size and the risk on your service, but the starting point is that the law applies to a small forum or app in the same way it applies to a large platform.
This guide explains who the Act covers, the duties that are now live, the key dates, and what a small UK service needs to do to comply.
Who the Online Safety Act Applies To
The Act regulates two broad types of service that have links to the UK: user-to-user services and search services. It also covers services that publish pornographic content.
A user-to-user service is anything that lets people post or share content that others can see, or interact with each other. That includes social platforms, forums, messaging features, dating apps, online marketplaces, video and image sharing, review sections and multiplayer games with chat.
Your service has links to the UK if it has a significant number of UK users, if the UK is a target market, or if it can be used in the UK and there are reasonable grounds to believe it poses a material risk of harm to UK users. Where the company is based does not matter.
The Duties Now in Force
The duties came in over 2025 in stages, and the main ones now apply to in-scope services.
Illegal content
Every regulated service must carry out an illegal content risk assessment under section 9 of the Online Safety Act 2023 and then meet the safety duties in section 10. That means assessing the risk of priority illegal content such as child sexual abuse, terrorism, fraud and intimate image abuse, then putting proportionate systems in place to reduce it.
Protecting children
Every service must complete a children's access assessment under section 35 to decide whether it is likely to be accessed by children. If it is, you must carry out a children's risk assessment under section 11 and meet the child safety duties in section 12.
Complaints and record-keeping
You must operate a complaints procedure under section 21 that is easy to find and use. You must also keep written records of your risk assessments and review them under section 23.
Key Online Safety Act Dates
| Duty | Section | Compliance date |
|---|---|---|
| Illegal content risk assessment | s.9 | 16 March 2025 |
| Illegal content safety duties | s.10 | 17 March 2025 |
| Children's access assessment | s.35 | 16 April 2025 |
| Children's risk assessment | s.11 | 24 July 2025 |
| Child safety duties | s.12 | 25 July 2025 |
What This Means If You Run a Small Service
If you have not yet done your assessments, the duties still apply and Ofcom can act. The practical first step is to document an illegal content risk assessment, then complete a children's access assessment to decide whether the child safety duties bite.
Ofcom has said it will prioritise services that present the greatest risk, including those with large UK audiences, but it has also set up a taskforce for small but risky services. Size is not a shield.
Keep your assessments written down and dated. You must review them, and redo them before you make a significant change to your service.
Penalties for Getting It Wrong
Ofcom can fine a provider up to 18 million pounds or 10 percent of qualifying worldwide revenue, whichever is greater. It can also apply business disruption measures, which can require payment and advertising partners to withdraw from a non-compliant service.
Senior managers can face criminal liability for failing to comply with Ofcom information requests. For a small business the more immediate risk is enforcement action and the cost of fixing compliance under pressure.
How Policy Pros Can Help
We help small UK services meet the Online Safety Act duties without building a compliance function they do not need. That starts with a documented illegal content risk assessment and a children's access assessment, then the complaints and record-keeping process to support them.
If you are unsure whether you are even in scope, our guide on whether your app needs an Online Safety Act risk assessment walks through the test, and our complaints procedure guide sets out what section 21 requires.
Online safety sits alongside your wider security and data obligations, so we align it with your IT security policies rather than treating it as a separate silo. See the GOV.UK Online Safety Act explainer and Ofcom's compliance dates for the official position.
Frequently Asked Questions
Does the Online Safety Act apply to small businesses?
Yes. There is no general exemption for small businesses. The duties are proportionate to the size of your service and the risk it carries, but a small forum, app or marketplace with UK users is regulated in the same way as a large platform. Some narrow service types are exempt under Schedule 1, such as email and one-to-one voice calls.
Are the Online Safety Act duties already in force?
Yes. The illegal content duties have applied since March 2025 and the child protection duties since July 2025. If you have not completed your risk assessments, the duties still apply and Ofcom can take enforcement action.
What do I have to do first under the Online Safety Act?
Start with an illegal content risk assessment under section 9, then a children's access assessment under section 35 to decide whether the child safety duties apply to you. Both must be written down, dated and reviewed.
What are the penalties under the Online Safety Act?
Ofcom can fine a provider up to 18 million pounds or 10 percent of qualifying worldwide revenue, whichever is greater. It can also apply business disruption measures and pursue criminal liability against senior managers who fail to comply with information requests.
Who regulates the Online Safety Act?
Ofcom is the regulator. It has published codes of practice and guidance for illegal harms and the protection of children, and it has powers to require information, investigate and fine providers that do not comply.
