United Kingdom: Office of Communications released guidance on child sexual exploitation and abuse reporting duty under Online Safety Act

On 12 March 2026, the Office of Communications (Ofcom) published a guidance on the child sexual exploitation and abuse (CSEA) reporting duty established under the Online Safety Act. From 7 April 2026, the duty applies to regulated user-to-user services only, with commencement for search services expected at a later date. Under the duty, in-scope services are required to report all detected and unreported CSEA content to the National Crime Agency (NCA) via the Child Sexual Exploitation & Abuse Industry Reporting Portal, unless reporting to an equivalent foreign agency, regardless of service size or CSEA risk level. UK-based providers must report all detected and unreported CSEA content, while providers based outside the UK must report only UK-linked detected and unreported CSEA content. CSEA content means any content constituting a Schedule 6 offence under the Online Safety Act, including child sexual abuse material and grooming offences. The Online Safety Act also establishes a criminal offence of reporting false information as part of the reporting requirement. The practical steps for compliance, including registration requirements, report formats, timeframes, data retention requirements, and required report contents, are governed by the Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2026. Services already reporting all CSEA content to the National Center for Missing & Exploited Children CyberTipline need not duplicate reports to the NCA, as the National Center for Missing & Exploited Children refers UK-linked reports to the NCA. Non-compliance may result in a penalty of up to 10% of qualifying worldwide revenue or GBP 18 million, whichever is greater.