Jurisdictional scope

• Services provided by UK companies; services with a significant number of UK users or the UK as a target market; and/or services capable of being accessed by UK users where there is material risk of harm to such users.

• Services in the EU; and services offered to users in the EU. Application in EEA countries envisaged.

In-scope services

• User-to-user (U2U) services (e.g. blog/forum websites).

• Search services (e.g. search engines).

• Combined services (e.g. social networking sites which include a search function).

• Pornographic services are subject to a specific regime (not addressed further in this table).

• Broad range of intermediary services (e.g., mere conduit, caching, hosting).

• Online platforms (e.g., social networking and content-sharing sites).

• Online marketplaces.

Services with additional obligations

• Additional obligations on certain large U2U and search services to be identified by Ofcom - "categorised services": draft criteria for designation published by Ofcom (e.g. for Cat. 2A U2U services with more than 3 million UK users which allows users to send direct messages).

• Draft Codes have proposed more burdensome measures to comply with standard duties on "large" and "multi-risk" services.

• Pornographic services are subject to additional obligations.

• Significant additional obligations imposed on very large online platforms (VLOPs) and very large online search engines (VLOSEs) with more than 45m users per month.

• Specific additional obligations on online marketplaces e.g. to provide certain essential information to online platform providers allowing consumers to conclude a "distance contract" under an organised distance sales or service-provision scheme.

Risk assessments

• Requirement for all U2U and search services to assess the risk of harm related to illegal content to all users

• Requirement for all U2U and search services likely to be accessed by children to assess the risk of harm to children related to content harmful to children.

• Risk assessment must be kept up to date.

• Duty for VLOPs and VLOSEs to conduct assessment of systemic risks in the EU.

• Risk assessment must be conducted annually, and off-cycle in case of new functionalities with critical impact.

Protection of children

• Key focus of the OSA.

• Numerous specific children’s duties (e.g. risk assessment duties; and the duty to protect children from certain harmful content).

• Extensive measures specified in draft Codes.

• Duty to ensure age-appropriate design.

• Prohibition on targeted advertising of children based on profiling.

• Further information to be published in forthcoming guidelines on protection of minors.

Age verification

• Duty to use age verification or age estimation (or both) to prevent children from encountering primary priority content that is harmful to children in certain circumstances (e.g. content which provides instructions for an eating disorder).

• Not specifically required, although may serve as a potential measure for age appropriate design.

Adult user empowerment

• Duty for Cat. 1 services (very large U2U services with specific functionalities) to undertake an adult user empowerment assessment; enable user verification; and implement measures to enable users to control visibility of harmful content

• N/A

Terms of service

• Duty to include extensive information in terms of service, such as how the service protects from certain types of content and how the service implements proactive monitoring.

• Additional obligations for Cat. 1 and 2A services, including to include a summary risk assessment outcome.

• Duty to include extensive information in terms of service, such as how the service protects from certain types of content and how the service implements proactive monitoring.

• Duty to inform users about significant changes to terms of service.

• Specific obligations relating to recommender system transparency.

Content moderation

• Notice and takedown system i.e., must remove illegal content once flagged, plus additional content moderation obligations may apply such as hash matching depending on type, size and risk of harm as identified in the risk assessment.

• Additional responsibilities apply to services at high risk of facilitating fraud or grooming.

• Standalone duties and guidance relating to child-safety.

• Notice and takedown system i.e., must remove illegal content only once flagged; some content moderation rules also apply to policy removals.

• Significant differences in OSA and DSA’s definition of ‘illegal’ content (the latter referring to what is illegal under applicable EU or member state laws)

• Duty on VLOPs and VLOSEs to mitigate risks identified in systemic risk assessment.

Record keeping

• Duty to maintain records relating to risk assessments and implementation of the Codes.

• Requirement for VLOPs and VLOSEs to preserve supporting documents of its risk assessment for at least three years.

Complaints and appeals

• Obligation for services to have various complaints mechanisms, including a mechanism to appeal decisions to remove illegal content or content that may be harmful to children and non-compliance with OSA duties.

• Additional duty on Cat. 1 services to enable appeals for all policy decisions.

• Obligation for online platforms to enable appeals for all restrictive action initiated by the platform (including legal and policy removals).

• Additional obligation to engage in out-of-court dispute settlement with certified bodies.

Penalties

• Up to 10% of the annual worldwide turnover or £18m (whichever is greater).

• Up to 6% of the annual worldwide turnover (1% for certain information offences, and 5% for periodic penalty payments).