Does the Online Safety Act apply to my app or platform?
By SuLe · Updated 31 May 2026
Possibly yes: the Online Safety Act 2023 applies to user-to-user and search services with a link to the UK, and that reaches small apps and startups — not just big platforms — wherever UK users can share content or interact. Duties are proportionate to your size and risk, but being small does not put you outside the Act's scope.
Key facts
- The Online Safety Act 2023 covers user-to-user services and search services with links to UK users.
- Small apps and startups are in scope if UK users can share content or interact — size affects duties, not whether they apply.
- Core duties include illegal-content risk assessments and proportionate safety systems.
- Children's-safety duties apply where children can access the service, phased in from mid-2025 under Ofcom codes.
- Ofcom can fine up to £18 million or 10% of qualifying worldwide revenue, whichever is higher.
Is my product in scope?
The scope test is functional, not about your size. The Act catches user-to-user services and search services that have links with the UK — most obviously, UK users.
A user-to-user service is one where people can encounter content that other users generate, upload or share: messaging, comments, forums, reviews, social feeds, shared listings. If your app has any such feature and UK users can reach it, you are likely in scope.
That surprises founders whose product is "not a social network". A marketplace with reviews, a fitness app with a community tab, or a tool with shared workspaces can all qualify, because the shared-content feature is what matters.
What duties would my startup actually have?
Duties scale with your service's size and risk, so a small startup does less than a global platform — but not nothing. The foundational duty is to assess the risk of illegal content appearing on your service.
From that risk assessment flow proportionate obligations: systems and processes to manage and reduce illegal content, ways for users to report it, and clear terms explaining your rules. Ofcom fleshes out the detail through codes of practice, which are phasing in from 2025.
Where children can access the service, additional children's-safety duties apply, with those obligations phased from mid-2025. The concrete requirements therefore depend on your service type, your user base and where the codes have reached.
| If your service... | Likely position | Typical first step |
|---|---|---|
| Has no user-to-user or search features | Generally out of scope | Confirm no shared-content features exist |
| Lets UK users share content or message | In scope, proportionate duties | Illegal-content risk assessment |
| Can be accessed by children | Added children's-safety duties | Assess child access, apply protections |
| Is large or high-risk | Fuller duties under Ofcom codes | Follow the relevant code of practice |
How does the Online Safety Act sit alongside UK GDPR?
They are separate regimes doing different jobs, and you can be caught by both. UK GDPR governs how you handle personal data; the Online Safety Act governs the safety of content and interactions on your service.
That means a community feature can trigger data protection duties for the personal data it processes and online-safety duties for the content users post. Age-assurance measures, in particular, sit at the intersection and must be designed to satisfy both.
Treat them as parallel checklists. Clearing your GDPR obligations does nothing for your online-safety duties, and vice versa — a common blind spot for founders who think "we did privacy, we're covered".
What are the penalties, and is enforcement realistic for small apps?
The ceiling is high: Ofcom can fine up to £18 million or 10% of qualifying worldwide revenue, whichever is greater, and pursue business-disruption measures in serious cases.
Enforcement is meant to be proportionate, and Ofcom has signalled a focus on the highest-risk services first. But "proportionate" is not "exempt" — a small in-scope service that has done no risk assessment at all is exposed if something goes wrong.
The pragmatic move is to complete the risk assessment your size warrants and document it. That both meets the duty and demonstrates good faith if Ofcom ever asks.
Worked example
Sofia builds Trailmates, a hiking app with a community feed where UK users post routes, photos and comments. She thinks of it as a mapping tool, not a social platform.
Because UK users share content with each other, Trailmates is a user-to-user service in scope of the Online Safety Act 2023. Sofia carries out an illegal-content risk assessment sized to her small user base, adds a reporting button and clear community rules, and documents her reasoning.
Because teenagers use Trailmates, she also assesses child access and applies proportionate protections, following the relevant Ofcom code as it phases in. Separately, she keeps her UK GDPR duties for the personal data the feed collects — two regimes, handled side by side.
Where founders go wrong
Assuming "we're not social media" means out of scope.
Reviews, comments and shared workspaces are user-to-user features that can pull you in.Confusing GDPR compliance with online-safety compliance.
They are separate regimes with separate duties — doing one does not cover the other.Ignoring child access.
If children can use the service, extra safety duties apply, phased in from mid-2025.Skipping the risk assessment because you're small.
Proportionate is not exempt — an undocumented, unassessed service is the exposed one.
Related questions
Does the Online Safety Act only apply to big platforms?
No. It applies to user-to-user and search services with a link to the UK, which can include small apps and startups if UK users can share content or interact. Duties are proportionate to size and risk, so a small service does less than a large one — but "small" does not mean "exempt" from the risk-assessment and safety duties.
What is a user-to-user service?
A user-to-user service lets users encounter content generated, uploaded or shared by other users — messaging, forums, comments, marketplaces with reviews, social features. If your product has any of these and UK users can reach each other's content, it likely falls in scope, even if that feature feels minor to your core offering.
What do the Online Safety Act duties actually require?
The headline duties include assessing the risk of illegal content on your service and putting proportionate systems in place to manage it, with additional children's-safety duties where children can access the service. Ofcom sets the detail through codes of practice, phased in from 2025, so the concrete requirements depend on your service type and risk.
What are the penalties under the Online Safety Act?
Ofcom can fine up to £18 million or 10% of qualifying worldwide revenue, whichever is greater, and in serious cases seek business-disruption measures. Enforcement is proportionate, but the ceiling is high — which is why even small in-scope services should complete their risk assessments rather than hope to fly under the radar.
The Online Safety Act catches founders who never thought of themselves as running a platform, and the duties turn on details of your features and users that are easy to misjudge alone. A SuLe solicitor can tell you whether you are in scope and size your risk assessment to match. Book a free compliance check call and find out before Ofcom's codes bite.
Keep reading: What does UK GDPR require from an early-stage startup? · Do I need terms and conditions and a privacy policy for my startup? · What should B2B SaaS terms of service include? · What happens if my startup has a data breach? · What should an AI product's terms of service cover? · Do I need a cookie banner on my website?
Primary sources: Online Safety Act 2023 · Ofcom — Online safety


