Online Safety Act 2023: Definitions and Scope
Definitions and Scope [Sections 1-5]
Rule: The Online Safety Act 2023 creates a comprehensive regulatory framework for internet services with UK links. It imposes duties on service providers to protect users from illegal content and children from harmful material, enforced by OFCOM.
Effective: Commenced in phases from October 2023 to March 2025; most provisions now in force.
Section 1: Introduction and Purpose
1.1 — General Purpose
Framework objective:
“Making the use of internet services regulated by this Act safer for individuals in the United Kingdom.”
Achieved through:
- Provider duties to identify, mitigate and manage risks of harm
- OFCOM oversight with enforcement powers
Harm categories:
- Illegal content (all users)
- Content harmful to children (under-18s)
AI Agent Implications
| Agent Activity | OSA Applies? | Reasoning |
|---|---|---|
| Content moderation platform | ✅ Yes | Core use case - user-to-user service |
| Community management | ✅ Yes | Managing user-generated content = covered |
| AI-generated content platform | ⚠️ Likely | If users can share/encounter content = user-to-user |
| Search engine | ✅ Yes | Separate duties for search services |
| Internal business tools | ❌ No | Section 5 disapplication if purely internal |
| One-to-one messaging | ⚠️ Depends | May be exempt under certain conditions |
Section 2: Overview of Act Structure
2.1 — The 12 Parts
Legislative architecture:
| Part | Content | Relevance to AI Agents |
|---|---|---|
| 1-2 | Introduction & definitions | ✅ HIGH - understand what’s covered |
| 3 | Provider duties of care | ✅ HIGH - operational obligations |
| 4 | Other provider duties | ✅ HIGH - CSEA reporting, terms of service |
| 5 | Pornographic content duties | ✅ HIGH - age verification |
| 6 | Fee requirements | MEDIUM - financial obligations |
| 7 | OFCOM powers & enforcement | ✅ HIGH - penalties, information requests |
| 8 | Appeals & super-complaints | MEDIUM - dispute resolution |
| 9 | Secretary of State functions | MEDIUM - oversight |
| 10 | Communications offences | ✅ HIGH - criminal liability |
| 11-12 | Supplementary & interpretation | LOW - technical provisions |
Section 3: “User-to-User Service” and “Search Service”
3.1 — User-to-User Service Definition
Core definition:
An internet service where:
- Content generated by users, OR uploaded by users, may be
- Encountered by other users of the service
Key characteristics:
| Element | What It Means |
|---|---|
| “May be encountered” | Potential for sharing, not actual sharing required |
| User-generated content | Created, uploaded, shared by users (not service provider) |
| Proportion irrelevant | Even small amount of user content = covered |
| Internet service | Accessible via internet protocol |
Examples of User-to-User Services
Clearly covered:
- ✅ Social media platforms (Facebook, X/Twitter, Instagram)
- ✅ Video sharing (YouTube, TikTok, Vimeo)
- ✅ Forums and discussion boards (Reddit, Stack Overflow)
- ✅ Review platforms (Trustpilot, Tripadvisor)
- ✅ Dating apps (if users can message/see profiles)
- ✅ Gaming platforms with chat/community features
- ✅ Collaborative tools allowing user content sharing
Edge cases:
| Service Type | User-to-User? | Reasoning |
|---|---|---|
| Comments on news articles | ❌ NO | Section 3(4)(d): Comments on provider content = search service, not user-to-user (if that’s the ONLY user content) |
| Email services | ❌ NO | Section 3(4)(a): Private email = exempt from user-to-user |
| One-to-one messaging | ❌ NO | Section 3(4)(c): Private messaging = exempt |
| AI chatbot with no sharing | ❌ NO | User can’t encounter other users’ content |
| AI content platform with sharing | ✅ YES | If users can share/see others’ content |
3.2 — Sharing Functionality Test
Critical principle:
“It does not matter for the purposes of subsection (2) whether or not content generated by a user is, in fact, encountered by another user.”
What this means:
- Potential for sharing = covered
- Don’t need to prove content was actually shared
- Design capability, not usage patterns, determines status
Examples:
| Platform Feature | Covered? |
|---|---|
| Public profiles | ✅ Yes - other users can view |
| “Share” button that’s never used | ✅ Yes - capability exists |
| Private groups with 2+ members | ✅ Yes - content encountered by other group members |
| Draft posts never published | ❌ No - no potential to be encountered |
3.3 — Search Service Definition
Definition:
An internet service that includes a search engine.
Search engine means: Tool enabling users to search multiple websites or databases not under provider’s control.
Combined services: If a service has BOTH user-to-user features AND search, it’s classified based on the user-generated content types:
| Scenario | Classification |
|---|---|
| User content = ONLY comments on provider content | Search service |
| User content = ONLY email | Search service |
| User content = ONLY one-to-one messages | Search service |
| User content includes posts, reviews, etc. | User-to-user service |
Examples:
- ✅ Google Search, Bing, DuckDuckGo = search services
- ✅ News site with search + comments only = search service
- ⚠️ Reddit with search = user-to-user (user content beyond just comments)
Section 4: “Regulated Service” and UK Links
4.1 — What Makes a Service “Regulated”?
Three requirements:
- Service type: Must be user-to-user OR search service (Section 3)
- UK links: Must have links to the United Kingdom (Section 4(2))
- Not exempt: Must not be exempt (Schedule 1) or described in Schedule 2
4.2 — UK Links Test
A service has UK links if ANY of the following:
| UK Link Type | Description | Example |
|---|---|---|
| 1. Significant UK users | Significant number of UK users | 10,000+ UK users (indicative) |
| 2. UK targeting | Service targets UK market | .co.uk domain, UK pricing, UK ads |
| 3. Harm risk to UK individuals | Reasonably foreseeable risk to UK people | Content accessible from UK that could harm UK users |
OFCOM guidance on “significant”:
- Not a fixed threshold
- Context-dependent (service size, nature, reach)
- Even small absolute numbers may be “significant” for smaller platforms
4.3 — Exempt Services (Schedule 1)
Services NOT regulated:
| Exemption | Examples |
|---|---|
| Internal business services | Company intranets, employee collaboration tools |
| Limited functionality services | Services with very restricted features |
| Non-public services | Invitation-only platforms with <1,000 UK users |
| Email services | Standard email providers |
| SMS/MMS services | Text messaging |
Critical for AI agents: If your platform is purely internal business use (Section 5), OSA doesn’t apply.
4.4 — “Part 3 Service” vs “Regulated Service”
Terminology:
| Term | Definition | Coverage |
|---|---|---|
| Part 3 service | Regulated user-to-user OR search service | Subject to Part 3 duties |
| Regulated service | Part 3 service + Section 80 services (pornographic content) | Broader scope |
Why it matters: Different duties apply to different service types.
Section 5: Disapplication to Certain Parts of Services
5.1 — Internal Business Communications
Rule: The Act does NOT apply to parts of a service meeting the following conditions:
Conditions (all must be met):
- Only accessible by persons providing content on behalf of provider
- All content is such persons’ content
- Not publicly available
Examples:
| Service | OSA Applies to Internal Part? |
|---|---|
| Company Slack with public channels | ❌ No - internal employee collaboration |
| Company Slack with customer support | ✅ Yes - customers can access = not purely internal |
| GitHub private repository | ❌ No - only collaborators access |
| GitHub public repository | ✅ Yes - public can encounter content |
5.2 — Search Services with Limited User Content
Disapplication for search services:
If a regulated search service includes functionality enabling ONLY the following user-generated content:
- Comments on provider’s own content
- Reviews of provider’s own products/services
- Ratings/votes on provider’s content
AND no pornographic content…
THEN: That part of the service is NOT treated as user-to-user for Part 3 purposes.
Practical effect: News sites with comment sections = search services (lighter duties) NOT user-to-user services.
Practical Application for AI Agents
Content Moderation Agents
Step 1: Determine if service is regulated
- Is it user-to-user (users can encounter others’ content)?
- Does it have UK links (UK users, targeting, or harm risk)?
- Is it exempt (internal business, limited functionality)?
Step 2: Apply correct duties
- User-to-user service → Part 3 Chapter 2 duties
- Search service → Part 3 Chapter 3 duties
- Pornographic content → Part 5 duties
Classification Decision Tree
Is content generated/uploaded by users?
├─ NO → Not regulated
└─ YES → Can other users encounter it?
   ├─ NO → Not user-to-user
   └─ YES → User-to-user service
      └─ UK links (users/targeting/harm)?
         ├─ NO → Not regulated in UK
         └─ YES → Exempt (Schedule 1)?
            ├─ YES → Not regulated
            └─ NO → REGULATED - Apply OSA duties
AI Agent Service Classification Examples
| Agent Type | Classification | OSA Applies? |
|---|---|---|
| ChatGPT (no sharing) | Not user-to-user | ❌ No |
| ChatGPT with shared conversations | User-to-user | ✅ Yes |
| Midjourney (Discord with sharing) | User-to-user | ✅ Yes |
| GitHub Copilot (private) | Not user-to-user | ❌ No |
| Stack Overflow (Q&A platform) | User-to-user | ✅ Yes |
| Grammarly (individual use) | Not user-to-user | ❌ No |
| Notion with public sharing | User-to-user (if UK users) | ✅ Yes |
Category 1, 2A, and 2B Services
Size-based tiers:
| Category | User Threshold | Additional Duties |
|---|---|---|
| Category 1 | Largest platforms (highest UK users/revenue) | Democratic content, journalistic content protections, freedom of expression duties |
| Category 2A | High-risk user-to-user services | Additional protections for women and girls |
| Category 2B | Other significant platforms | Standard duties |
Determined by: OFCOM maintains a register (Sections 94-97) based on:
- Number of UK users
- User profiles (presence of children)
- Functionalities (livestreaming, algorithmic recommendations)
As of 2025:
- Category 1: ~20 platforms (Meta, Google, X, TikTok, etc.)
- Category 2A/2B: ~100+ platforms
Compliance Checklist for AI Agents
Determining if OSA applies:
- Service enables users to generate/upload content
- Other users can encounter that content (or functionality exists for it)
- Service has UK links (users, targeting, or harm risk)
- Service is NOT exempt (check Schedule 1)
- If all YES → Service is regulated
Next steps if regulated:
- Classify as user-to-user OR search service (Section 3)
- Determine category (1, 2A, 2B, or uncategorized)
- Review Part 3 duties (illegal content, protection of children)
- Implement risk assessment (Section 9 for user-to-user, Section 26 for search)
- Prepare for OFCOM registration if Category 1/2A/2B
Key Takeaways
- “May be encountered” = covered — Potential for sharing, not actual usage, determines status
- UK links = low threshold — Even small UK user bases can trigger regulation
- User-to-user ≠ social media — Any platform where users can share content = covered
- Internal business tools exempt — Purely internal employee collaboration = not regulated
- Comments-only = search service — News sites with only comments = lighter duties
- Combined services classified by content — If multi-function, classify based on user content types
- Category determines duties — Larger platforms (Category 1) have additional obligations
Citation
Part 1 — Introduction, Online Safety Act 2023
Part 2 — Key Definitions, Online Safety Act 2023