Online Safety Act Transparency: Responding to Ofcom’s Bespoke Approach

At a glance

• This summer, Ofcom will identify the large online service providers that will be subject to its new ‘categorised services’ regime.
• These categorised services will face additional regulatory requirements with the specific obligations depending on user numbers and service features. Among these, transparency requirements represent the most immediate compliance challenge.
• The first major test is the requirement for categorised services to publish detailed summaries of their risk assessments, a fast-approaching deadline that, unless well managed, could present significant operational and reputational hurdles.
• Ofcom will also issue bespoke, annual ‘transparency notices’ to each categorised service, setting out the scope of transparency reports these services will need to publish each year.
• While Ofcom will ensure these notices are proportionate, it has also been clear that a company’s size and financial resources will be taken into account when considering the information that should be made available.
• A critical, time-limited ‘draft notice’ period offers the only opportunity for companies to challenge the feasibility and scope of Ofcom's requests before they become legally binding.
• It is clear that a historic lack of investment in data capabilities will not be an acceptable excuse for non-compliance. As a result, companies likely to be designated by Ofcom as categorised services should act now to ensure they have the necessary data capabilities and internal governance in place.

Transparency reporting is a central feature of online safety regulation. In the EU, the Digital Services Act (DSA) mandates annual reports on content moderation from many of the services in scope, with more frequent, onerous obligations for the largest services.

In the UK, Ofcom’s new ‘categorised services’ regime will soon apply similar duties to services meeting certain size and functionality thresholds, set out below. However, despite parallels with the DSA, Ofcom's approach is uniquely demanding and requires a UK-specific strategy. The regulator is explicit that it “will not accept other reports, including voluntary reports and reports required under other regulatory regimes, in lieu of transparency reports required by Ofcom”.

1. Understanding Ofcom’s new regime and timelines

Beyond the baseline duties already applying to all user-to-user, search, and pornographic service providers, the UK’s Online Safety Act (OSA) establishes a set of more onerous requirements for categorised services. This regime, as detailed in Figure 1, segments services based on their type, user numbers and functionality.

Figure 1: Categorised services conditions¹ and transparency duties

Categorised services will ultimately be subject to a range of additional duties² following the publication of policy statements, expected in 2027. However, as set out in Figure 2, requirements relating to risk assessments and transparency reporting are particularly urgent. Ofcom has already detailed its expectations for these, making them the most immediate and well-defined compliance challenges for categorised services, and the primary focus of this article. We will explore the implications of other duties in a future update, following the publication of Ofcom’s consultation this summer.

Figure 2: High-level overview of Ofcom’s approach to implementing the categorised services regime, with an emphasis on requirements relevant to risk assessments and transparency reports³

Comparison with the EU Digital Services Act

This tiered approach has clear parallels with the additional requirements imposed on Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs) under the EU's DSA. Both regimes are built on the fundamental principle that services with a wider reach and a higher potential for societal harm should adhere to stricter obligations.

However, the specific requirements differ. While the DSA mandates third-party audits and researcher access, the OSA places a heavier emphasis on bespoke, regulator-driven transparency reporting to hold services accountable.

2. Preparing for new risk assessment requirements

Shortly after the publication of Ofcom’s final register, expected in July 2026, Category 1 or 2A services will be required to submit risk assessments to Ofcom and publish a summary of these – a key transparency requirement.

3. Responding to new transparency reporting requirements

Beyond initial risk assessment disclosures, all categorised services face an annual transparency reporting duty. This legally mandated process requires a standalone report for each categorised service. While there are parallels with the DSA, Ofcom's bespoke approach is fundamentally different and will require a tailored response on the part of each regulated service.

Understanding Ofcom's approach to transparency reporting

At the start of each transparency cycle, Ofcom will issue a specific ‘transparency notice’ to each service, detailing the required information, format, and deadline. Ofcom will develop these notices in consultation with external experts, including civil society and researchers, having formally invited such input in April 2026.

These notices will contain a mix of repeatable ‘core’ and variable ‘thematic’ information. Whilst the exact information to be requested has not yet been confirmed, Figure 3 sets out examples of the kind of information that may be requested.

Figure 3: Areas Ofcom may request information on

While the examples in Figure 3 illustrate some of the matters on which Ofcom may request information, they represent only a small subset of potential topics. Ofcom’s guidance is broad, granting the regulator considerable discretion in developing transparency notices. Providers should therefore be prepared to report on any aspect of their operations relevant to the OSA.

That said, Ofcom will not issue blanket requests. Each notice will be tailored for relevance, considering the service's type, functionalities, and user base. For example, a service without livestreaming functionality would not be asked to report on safety measures specific to livestreaming.

Notices will also be guided by the principle of proportionality, with information only requested where necessary to help Ofcom meet its aims and policy objectives. Ofcom has acknowledged that each service provider may record information differently and may face specific challenges, which it will consider when setting out information requirements. As discussed below, providers will also have the opportunity to make representations to Ofcom about the likely time, cost and effort associated.

The principle of proportionality is a well-established feature of Ofcom's approach across various regimes, yet it does not prevent the regulator from making what might be seen by the recipient of the transparency notice as an onerous request. Where Ofcom deems information necessary to meet its policy objectives, the resulting requirement can still be material. Ofcom’s guidance also notes it may consider what is “reasonable to expect would be available... given [a categorised service provider’s] size and financial resources”. For large, well-resourced companies, a historic lack of investment in data and safety systems will not be an acceptable excuse. Further, since transparency notices will be issued to a range of similar services, we expect Ofcom will consider industry-wide feedback when determining what is and is not proportionate. If a single service claims it is unable to provide data that comparable services can, Ofcom will be unlikely to look favourably on this pushback.

Preparing for transparency reporting requirements

Given the bespoke and demanding nature of this regime, companies should prioritise preparation now.

The key window of opportunity is fast approaching. As outlined in Figure 2, Ofcom will issue a draft transparency notice to each service shortly after designation. This initiates a critical consultation period, offering the only chance for companies to provide written representations and engage with Ofcom on the requirements.

During this stage, companies can raise concerns about data collection feasibility, challenge the scope of requests, or flag commercially sensitive information. Once this period closes and the final notice is issued, the requirements are set in stone. Ofcom is explicit: “once the notice has been formally issued, we do not expect to engage further with providers... because all such issues should have been resolved through the draft notice process”.

Companies should therefore treat the draft notice process as a priority event, allocating sufficient resources to formulate a detailed, evidence-based response. This requires input from a range of teams, including Policy, Legal and Data, given technical capabilities may be the limiting factor. Failure to engage effectively at this stage means accepting the final notice as-is, regardless of the operational or commercial challenges it presents.

Beyond influencing the final notice, companies will need to prepare for the wider challenges of the transparency regime:

• Data Capability is Non-Negotiable: Given requested information can vary year-on-year, services should prioritise flexible data collection. The ability to measure metrics relevant to harm, user interaction with content and safety tool effectiveness will be key. Companies should assess their data and analytics capabilities against the matters Ofcom has indicated it can request information on now. Building these technical capabilities should not be delayed until a notice arrives.
• Consistency is Key: Reporting teams should ensure consistency across jurisdictions, as regulators cooperate and can review international reports. Contradictory data or statements, such as claiming data is unavailable for Ofcom while providing it elsewhere, may trigger scrutiny. This demands robust global alignment between Legal, Policy, and Data teams to ensure all public statements are unified and defensible.
• Governance and Accountability are Paramount: These reports are public statements, not just data submissions. Ofcom expects them to be "properly reviewed and interrogated prior to submission" and "signed off by an appropriately senior accountable person", embedding accountability at the highest levels. Companies need a robust, documented internal process to review and verify the accuracy of the final report, which may sit within a dedicated reporting team.
• Reputation is on the Line: These reports may be scrutinised by the media, civil society, and academics. In addition, from 2028, Ofcom will publish its own annual summaries analysing and comparing reports across the industry. This public comparison with peers will have significant reputational implications for services seen to be falling behind, transforming the transparency report from a compliance exercise into a key strategic communications priority.

4. Conclusion

With Ofcom’s categorisation register on the horizon, companies should place particular priority on incoming risk assessment and transparency requirements given their relative urgency. The bespoke nature of the notices, the critical window to respond to drafts, and the public, comparative nature of the final reports all highlight the strategic importance of getting this right. For categorised services, the time to build the necessary data capabilities, governance frameworks, and communications plans is not when a final notice arrives, but now.

References:

1. Summary of conditions; full conditions can be found here. 
2. Including additional terms of service duties; protections for news publisher and journalistic content, and content of democratic importance; providing user empowerment features; providing user identity verification options; disclosure of information about a deceased child’s use of their platform; and prevention of fraudulent advertising. 
3. Non-exhaustive and focused on the first transparency reporting cycle, based on Ofcom’s public announcements as of May 2026. This does not capture the timings of additional duties coming into force following policy statements nor incoming requirements on the disclosure of information about a deceased child’s use of their platform, expected in late 2026.