Ofcom has made a good start in its preparations for implementing a new online safety regime, and must now manage risks around monitoring, scope and financing, according to a new report by the National Audit Office (NAO).

The NAO’s report examines whether preparations undertaken by the Department for Science, Innovation & Technology (DSIT) – previously by the Department for Digital, Culture, Media and Sport (DCMS) – and Ofcom for the implementation of the new online safety legislation are sufficiently advanced.

The government introduced the Online Safety Bill in March 2022, reflecting its objective for the UK to become the safest place in the world to be online. The Bill is now expected to receive Royal Assent in October 2023. The full regulatory regime will be put in place in phases over the two years after Royal Assent.

According to an Ofcom survey in 2022, 68% of child (13-17) internet users and 62% of adult (18 and older) internet users indicated they had experienced at least one potential online harm in the four weeks before the survey. Harmful content varies, from child sexual abuse material and terrorist content to online fraud and the encouragement of self-harm.

Ofcom estimates its cumulative costs of preparing for and implementing the regime could total £169 million by the end of 2024-25, of which £56 million will have been incurred by the end of 2022-23. The regime is intended to become self-financing through a fee structure. Ofcom estimates that it could need to regulate more than 100,000 services, with the majority based overseas, and interacting with the regulator for the first time.

Ofcom still has lots to do to develop the new regulatory regime once the Bill becomes law. It will have to publish more than 40 separate regulatory documents. It also needs to consider how it will manage public and industry expectations about the regime’s impact to provide confidence from the outset. Ofcom must also inform industry about its requirements; ensuring its data requests are co-ordinated and proportionate, and establishing how it will collect feedback, in particular from smaller companies.

The regulator should identify how it will reach the capability and capacity it needs, the NAO recommends. It still needs to recruit more than 100 further online safety staff and has yet to finalise the funding it needs for future years.

On monitoring and evaluation, DSIT should work with Ofcom to identify how data collection will support its own evaluation of the effectiveness of regulation once the regime has begun.

And Ofcom will need to ensure its processes for collecting data from service providers and its generation of automated information are of sufficient quality to inform its regulatory duties and enable it to adapt its approach if data shows it is not achieving its aims.

“Securing adequate protection of citizens from online harms is a significant new role for Ofcom, and it has made a good start to its preparations.

“Ofcom will need to manage several risks in a way that delivers value for money. It will need to move quickly to cover any gaps in its preparations should the scope of the legislation change further between now and implementation. It will be regulating over 100,000 bodies, most based overseas, which have not been regulated by Ofcom before.

“And it will need to cover its costs by introducing fees so that the regime becomes self-financing. As ever, access to good quality data will be essential for Ofcom to monitor the compliance of services and to evaluate its own effectiveness and for DSIT to know that the regime is working.”

Gareth Davies, the head of the NAO

Read the full report

Preparedness for online safety regulation

Latest press releases