Challenging Ofcom Decisions under the Online Safety Act
The Online Safety Act ("OSA") ushers in a new statutory regime that places significant obligations on companies, grants considerable powers to the designated regulator, Ofcom, and lays the groundwork for further regulation. This year, we have seen the first legal challenge to regulations made under the OSA, and in June 2025 alone, Ofcom launched 9 new investigations.
For in-scope companies, the new regime may have major commercial, operational and legal implications. This is underscored by the prospect of significant financial penalties for non-compliance, and potential for criminal liability of senior corporate officers.
Don't miss a thing, subscribe today!
Stay up to date by subscribing to the latest Public and Regulatory insights from the experts at Fieldfisher.
Subscribe nowCompanies' ability to challenge actions and decisions taken under the OSA is therefore critical. We explore below the principal measures of the OSA, key considerations when reviewing actions taken by Ofcom and the legal avenues for challenge.
Measures that may give rise to legal challenge
The implementation and operation of the OSA will involve a range of regulatory decisions and actions. The areas that are likely to affect businesses most critically, and as such, may give rise to the need for direct engagement with Ofcom or ultimately legal challenge, include:
|
Categorisation as a Category 1, 2A or 2B provider
|
Notices relating to terrorism content or child sexual exploitation and abuse (CSEA) content |
|
Please see below for further details on each of the above measures.
Key issues for companies to consider when assessing any measures taken against them under the OSA will include:
- The reasons provided by Ofcom for taking a certain action (e.g. issuing a notice or imposing a penalty), and whether the rationale is sufficiently explained.
- The factors Ofcom has taken into account in reaching any decision.
- Whether Ofcom has sufficiently understood the nature of the company's operations.
- The nature of the steps that the company is being required to take, and whether those steps are proportionate in relation to the alleged breach.
- The actions or changes being required to the company's operations, including any technology that the company is being required to use and how that technology must be used.
- The period of time for which a company is being required to take a certain action.
- Whether the company has been appropriately afforded the opportunity to make representations to Ofcom, or otherwise whether Ofcom followed the necessary procedural steps.
- Whether the company's fundamental rights have been (or could be) violated, including freedom of expression and privacy.
How can you challenge measures under the OSA?
Most decisions under the OSA will be preceded by multiple stages of engagement between Ofcom and the impacted company, including with opportunities to make formal representations. It is essential that businesses engage fully with Ofcom in order to mitigate legal and reputational risks from the outset. Recourse to legal challenges will often only be permitted by the courts as matter of last resort, rather than as a first opportunity to air grievances.
If a company wishes to challenge measures under the OSA, there are broadly two options. Certain Ofcom decisions can be challenged by an appeal to the Upper Tribunal. This includes categorisation decisions, confirmation decisions, notices relating to terrorism or CSEA content, and penalty notices.
In order to challenge other types of measures under the OSA (e.g. Codes of Practice, secondary legislation or consultations), a company may be able to bring a judicial review challenge in the High Court. In judicial review, a court assesses the lawfulness of a decision or action by a public body. A court will not review the merits of the underlying decision or resolve factual disputes.
Both the Upper Tribunal and High Court must determine claims under the OSA in accordance with standard judicial review principles. The main grounds of challenge are: (1) illegality; (2) irrationality; (3) procedural impropriety; and (4) breach of human rights, including freedom of expression. Judicial review claims must be brought promptly and in any event within three months of the contested decision (procedures may vary in the Upper Tribunal). It will be important for any company considering a legal challenge to assess its options swiftly.
The first legal challenge concerning the OSA has been mounted by the Wikimedia Foundation. Earlier this year, the Foundation filed a judicial review claim challenging the "Categorisation Regulations". These regulations set out the definitions and thresholds above which regulated services become "categorised". The Wikimedia Foundation is arguing that the Secretary of State's decision to make these regulations was unlawful and that, as currently drafted, the regulations could impose extraordinary operational burdens and serious human rights risks. On 11 August 2025, the Court dismissed the claim on all grounds on the basis that the SoS had not acted irrationally in introducing the Regulations, and had undertaken the procedural steps required under the OSA.
What legal remedies are available?
If an appeal to the Upper Tribunal is successful, the Upper Tribunal has the power to quash Ofcom's original decision. This means that the decision is nullified and is treated as invalid from the moment it was made. Where a decision is quashed, it is sent back to Ofcom for reconsideration, typically with corrections to its approach in light of the judgment.
A judicial review claim in the High Court may result in a quashing order (as above), or certain other remedies. These include a mandatory order, requiring the relevant body to carry out its legal duties, or a prohibiting order, preventing the body from acting in a certain manner. In rare cases involving breaches of rights under the European Convention on Human Rights, a claimant may also be awarded damages.
Further details on key measures
|
The OSA provides for a system of categorisation of in-scope companies. These categories determine the level of regulatory obligations that a company must meet. The largest and most influential platforms face the most stringent obligations. For most companies, this categorisation will be a critical reference point for assessing their regulatory responsibilities, and will influence directly how their operations are governed. On 27 February 2025, the "Categorisation Regulations" came into force, which set out the definitions and thresholds above which regulated services become "categorised". These Regulations were recently challenged by the Wikimedia Foundation (the entity behind Wikipedia) on the basis that they were unlawfully made. The claim was ultimately dismissed in the High Court and so the Regulations will come into force in their original draft. In accordance with the Categorisation Regulations, Ofcom will be engaging with providers that meet the specified threshold, in the first instance by issuing draft information notices. Companies that have concerns about their proposed categorisation as a Cat 1, 2A or 2B provider will need to engage with Ofcom promptly. Key issues will centre on whether Ofcom has sufficiently understood the nature of a company's operations and the number of its 'active users'. If a company's concerns persist after regulatory engagement, it may consider mounting a legal challenge against Ofcom's decision. |
|
Notices relating to terrorism content or child sexual exploitation and abuse (CSEA) content |
|
The OSA gives Ofcom the power to require companies to use 'accredited technology' in order to identify and take down "terrorism content" or "CSEA content" (or 'search content' relating to terrorism or CSEA), and otherwise to prevent individuals from encountering such content on their platforms. Ofcom may also require a platform to develop or source technology to deal with CSEA content. A request of this nature from Ofcom may require a company to make significant changes to the design or operation of its services particularly where necessary for the accredited technology to be used effectively. Prior to issuing a notice, Ofcom must go through various steps. This includes commissioning an independent expert report (a 'skilled person's report'), and issuing a 'warning notice' to the relevant provider. Ofcom has also stated that it will engage with the relevant provider early on in the process. If a company receives a notice, key issues for it to consider (which may ultimately give rise to legal challenge) include:
|
|
Breaches of the OSA - provisional notices and confirmation decisions |
|
If Ofcom believes that a company has failed or is failing to comply with certain obligations under the OSA, it may issue a 'confirmation decision'. This will require the company to (i) take certain steps relating to the design or operation of its online services, (ii) pay a penalty or (iii) both. Before issuing a confirmation decision, Ofcom will give a 'provisional notice of contravention' regarding the alleged breach. At this point, the company will have an opportunity to make representations. If a company fails to comply with a confirmation notice, Ofcom may commence court proceedings against the company in order to enforce those obligations. A failure to comply with certain confirmation decisions gives rise to a personal criminal offence. Any concerns about a provisional notice/confirmation decision should therefore be raised as promptly and comprehensively as possible. If a company receives a provisional or confirmation decision, key issues for it to consider (which may ultimately give rise to legal challenge) include: · Ofcom's reasons for the decision; · the nature of the steps that the company is being required to take; · the period of time in which the company must take any steps; and · whether the company has been appropriately afforded the opportunity to make representations to Ofcom, or otherwise whether Ofcom followed the necessary procedural steps. |
|
If a company has failed to comply with certain requirements imposed by Ofcom (including in notices relating to terrorism/CSEA content (see above)), or has failed to pay annual fees under the OSA, Ofcom has the power to issue penalty notices requiring a company to pay:
A company may face penalties of up to £18 million or 10% of the company's qualifying worldwide revenue. A company may also be held jointly and severally liable with other entities within its group (in which case the penalties may be up to 10% of the group's worldwide revenue). If a company receives a penalty notice, key issues for it to consider (which may ultimately give rise to legal challenge) include:
|
|
Pursuant to the OSA, Ofcom is required to consult on a wide range of regulatory measures prior to their finalisation and implementation. Upcoming consultations in 2025 include additional measures relating to illegal harms and the protection of children, and additional duties for categorised services. Participating in consultations provides stakeholders with an opportunity to influence the direction of future regulations. However, if a company believes that Ofcom has improperly conducted a consultation, it may have grounds to bring a legal challenge, triggering the need for the consultation to be re-conducted. This may include, for example, where the consultation document fails to explain the rationale or key considerations behind a particular regulatory proposal, making it difficult for stakeholders to respond properly. |
|
The implementation of various measures in the OSA will be carried out via secondary legislation, Codes of Practice and Guidance. These instruments will be developed and issued by the Secretary of State for Science Innovation & Technology (SoS), and Ofcom. The SoS and Ofcom are granted these powers under the OSA, and accordingly must exercise them in accordance with the limits and procedural requirements set out in the Act. Companies may have grounds to challenge these instruments in certain circumstances, including where:
The claim brought by the Wikimedia Foundation (described above) is the first legal challenge to secondary legislation introduced under the OSA. |
If you would like to discuss any of the issues raised in this blog, please get in touch with our team.
The content of this blog does not constitute legal advice and is provided for general information purposes only. Specific legal advice should be sought before taking any actions based on the content of this blog.
