The Secretary of State has made the Online Safety Act 2023 (Commencement No. 7) Regulations 2026, appointing 7 April 2026 to commence the duty on regulated user‑to‑user services to report child sexual exploitation and abuse (CSEA) content to the National Crime Agency, alongside the linked offence. The instrument is made under section 240 of the Online Safety Act 2023. (legislation.gov.uk)
Section 66 requires UK providers of regulated user‑to‑user services to operate systems and processes that secure, so far as possible, the reporting of all detected and unreported CSEA content on their service to the NCA. Non‑UK providers must report detected and unreported UK‑linked CSEA content; ‘UK‑linked’ is defined in statute. These reports must meet requirements set in regulations under section 67, including format, method and time frames. (legislation.gov.uk)
The statutory reporting duty also exists for search services in section 66(3)–(4), but this commencement applies to regulated user‑to‑user services only; the search‑service element of the duty is not commenced by this instrument. Providers should therefore assess scope by service type before implementing reporting processes. (legislation.gov.uk)
Section 69 creates a criminal offence where, in purported compliance with the reporting duty in section 66, a person provides information that is false in a material respect, knowing it to be false or being reckless as to whether it is false. Maximum penalty on indictment is two years’ imprisonment or a fine (or both), with summary maxima set for each UK jurisdiction. (legislation.gov.uk)
Extra‑territorial provisions apply. Section 205 confirms that the section 69 offence applies to acts done in the UK or elsewhere. For reporting by non‑UK providers, ‘UK‑linked’ CSEA content is defined to include links based on place of publication, nationality or location of a suspect, or the location of a child victim. (legislation.gov.uk)
Ofcom’s information powers are relevant to this duty. Under section 100, Ofcom may require information to assess compliance with requirements including section 66, and can require real‑time remote demonstrations of systems and algorithms. Ofcom may also require a provider to name a senior manager in response to an information notice. (legislation.gov.uk)
Ofcom can commission ‘skilled persons’ reports under section 104 where needed to assess potential non‑compliance or risks. Section 104(13)(a)(xii) lists ‘reporting CSEA content’ under section 66 as a relevant requirement that may be examined by a skilled person, with costs payable by the provider. (legislation.gov.uk)
Safeguards on compelled statements are set out in section 120: explanations or information provided under Ofcom’s information powers are generally inadmissible in criminal proceedings, except for a prosecution under section 69(1) (false information) and certain other specified offences or where the provider later gives inconsistent evidence. (legislation.gov.uk)
Transparency reporting is also engaged. Schedule 8 allows Ofcom to require providers’ transparency reports to cover measures taken or in use to comply with section 66’s CSEA reporting requirement, via notices issued under section 77. (legislation.gov.uk)
Scope is defined in Part 2 of the Act. A ‘regulated user‑to‑user service’ is a user‑to‑user service with links to the UK that is not exempt under Schedules 1 or 2. ‘User‑to‑user service’ captures services through which user‑generated content may be encountered by other users; combined services with public search engines are identified separately in the Act. (legislation.gov.uk)
Timing matters operationally. Section 66 applies only to CSEA content detected on or after the date the section comes into force; reporting content and record‑keeping parameters are set via regulations under section 67. The NCA confirms that in‑scope providers must use its Child Sexual Exploitation and Abuse Industry Reporting Portal (CSEA‑IRP) for these reports. (legislation.gov.uk)
For compliance teams this creates immediate actions: confirm in‑scope services; embed ‘UK‑linked’ logic in detection and routing; map reporting data to the section 67 specification; assure evidential accuracy to mitigate section 69 risk; and prepare for Ofcom information requests or skilled‑person reviews. Corporate and officer‑level liabilities elsewhere in the Act continue to apply to offences. (legislation.gov.uk)