Penalties For Breaching The UK Online Safety Act

The UK Office of Communications (Ofcom) has recently published details about how it intends to set the fees and maximum penalties that will apply to the Online Safety Act. The legislation specifies that the costs of Ofcom’s online safety work are to be funded by the technology companies it regulates. This is similar to how Ofcom is funded for its work in the other sectors within its remit, which includes TV & Radio.

While the law came into force with effect from 25th July, Ofcom are still working out the precise details of their regulatory regime. In particular, the likely maximum level of financial penalties is yet to be determined, although the process has been outlined.

The Act says that firms’ “qualifying worldwide revenues” (QWR) will be used to determine the level of fees they will have to pay. When organisations breach online safety rules, they may face financial penalties. The Act provides that QWR is also to be used as the basis for calculating the maximum fines that can be levied.

Ofcom’s Decisions

Ofcom has decided to define QWR as a firm’s global revenue from relevant parts of regulated services, rather than just all revenue that is attributable to the UK, when calculating fees or the maximum penalty for a provider. Ofcom says that it estimates that fees will be equivalent to approximately 0.02%-0.03% of companies’ QWR each year. 

Ofcom has also advised that the QWR threshold at which companies are required to pay fees be set at £250m per year, but firms whose annual UK revenue is less than £10m are exempt from the fees regime. The threshold will ultimately be for the Secretary of State for Science, Innovation and Technology to decide, and Ofcom considers that any threshold figure within a £200 million to £500 million range could be appropriate.

Next Steps

To give the fees regime effect, three statutory instruments are required to be considered by Parliament, two of which have been submitted to Parliament already. In addition, Ofcom has formally submitted its advice to the Secretary of State, who will ultimately decide on the threshold for the payment of fees and make the final statutory instrument. 

Now that Ofcom has confirmed its approach, firms should begin actively considering how to calculate QWR. It is clear that Ofcom expects firms to develop a robust approach and to ensure sufficient assurance. 

By starting early and embracing a proactive approach, firms can develop a robust methodology to navigate the complexities of the regulation, mitigate risks, and effectively manage their financial obligations.

If you have any questions about this statement, please contact Ofcom on: osfeesregime@ofcom.org.uk. 

Ofcom | SCL | Tech UK | LexisNexis | Deloitte | Mondaq
