Last reviewed: April 10, 2026
Jurisdictions covered: UK (primary), EU (comparison)
The Online Safety Act and AI: What Ofcom Can and Cannot Do
In January 2026, researchers at the Center for Countering Digital Hate (CCDH) found that X’s Grok chatbot had generated approximately 3 million sexualized images in 11 days — including an estimated 23,000 depicting children. Ofcom opened an investigation on January 12. The ICO followed with formal investigations into X and X.AI on February 3.
Then Ofcom published something unusual for a regulator: an admission that it could not reach standalone chatbots under its existing powers. The Online Safety Act 2023 covers user-to-user services and search services. A chatbot that interacts one-to-one, does not search the internet, and cannot generate pornographic content falls outside that scope. Grok did not meet those safe-harbor conditions — but the structural gap was exposed.
The government responded on February 16 by committing to bring AI chatbot providers within scope of the OSA’s illegal content duties. By April 8, the mechanism had become clear: Henry VIII clauses inserted into two bills would allow ministers to rewrite up to a third of the Online Safety Act by secondary legislation.
This article covers what the OSA says about AI, where the gaps are, what Ofcom has actually enforced, and what is coming next.
Key Takeaways
- The Online Safety Act applies to AI-generated content on covered platforms — risk assessments must consider AI-generated harms, AI-generated CSAM is prohibited content, and platforms must implement age assurance.
- Standalone AI chatbots currently fall outside OSA scope. Ofcom’s December 2025 explainer confirmed a three-test framework: chatbots that only interact one-to-one, don’t search the internet, and can’t generate pornography are not covered. Grok exposed this gap.
- Ofcom has opened 28 investigations covering 92 services since OSA enforcement began in March 2025. Total confirmed fines exceed £3.77 million. The record single fine is £1.35 million (8579 LLC, March 2026).
- The government is expanding the OSA through secondary legislation. Henry VIII clauses in the Crime and Policing Bill and Children’s Wellbeing and Schools Bill would allow ministers to rewrite significant portions of the Act without full parliamentary debate.
- The House of Lords approved criminal penalties for unsafe AI chatbots — up to 5 years’ imprisonment (March 25, 2026). The amendment moves to the Commons, where the government may reverse it.
What Does the Online Safety Act Say About AI?
The Online Safety Act 2023 (Royal Assent October 26, 2023) is the UK’s primary legislation governing online harms. It applies to two categories of service: user-to-user services (social media, forums, messaging) and search services. Enforcement began with illegal harms duties on March 17, 2025, followed by children’s safety duties on July 25, 2025.
Three provisions are directly relevant to AI:
1. Risk assessments must consider AI-generated harms. Platforms must assess the risk that AI is used to create, share, or amplify illegal content — including deepfakes, AI-generated CSAM, and synthetic disinformation. This is not a standalone AI obligation; it is embedded in the broader risk assessment duty.
2. AI-generated CSAM and intimate images are prohibited content. The Act covers the creation and distribution of AI-generated child sexual abuse material and non-consensual intimate images (including deepfakes). The Data (Use and Access) Act 2025 criminalized the creation of sexually explicit deepfakes from February 6, 2026 — strengthening the OSA’s scope.
3. Transparency and age assurance duties apply to AI content. Category 1 services (those with more than 34 million UK users AND a content recommender system) face enhanced transparency duties. All services with child users must implement age assurance measures. The categorisation register — which formally designates Category 1 and Category 2 services — has been delayed to July 2026. No platform has been formally designated yet.
Penalties: fines up to 10% of qualifying worldwide revenue or £18 million (whichever is greater). Criminal liability for senior managers who fail to respond to Ofcom information notices.
For context on where the OSA sits in the broader UK regulatory framework, see our UK AI regulation map and our guide to existing UK AI laws.
The Chatbot Scope Gap: What the OSA Does Not Cover
On December 18, 2025, Ofcom published an explainer clarifying which AI chatbots fall within OSA scope. The answer depends on a three-test framework:
A standalone AI chatbot is outside OSA scope if it meets all three conditions:
1. It only interacts one-to-one (not a user-to-user service)
2. It does not search the internet (not a search service)
3. It cannot generate pornographic content
A chatbot that fails any of these tests — by enabling user-to-user sharing, searching the web, or generating explicit content — is potentially within scope.
Grok failed test 3 (it generated sexualized images of real people) and arguably test 2 (it accesses web content). But the structural gap remained visible: a chatbot that hallucinates harmful advice, generates disinformation, or produces discriminatory output — but does not generate pornography, search the web, or enable sharing — sits outside the OSA entirely.
This is the gap the government is now moving to close. For chatbot developers today, the practical question is: does your chatbot meet all three conditions? If yes, you are currently outside OSA scope but should prepare for the incoming expansion. If no, you are already covered and Ofcom can investigate.
Ofcom’s Enforcement Record: October 2025 to April 2026
Ofcom is the most active UK regulator on AI-related enforcement by volume. Here is every confirmed enforcement action since OSA enforcement began:
| Date | Target | Action | Fine | Basis |
|---|---|---|---|---|
| Oct 2025 | 4chan | Failure to comply with information notice | £100,000 | OSA s.134 |
| Nov 2025 | 4chan | Further non-compliance | £420,000 | OSA s.134 |
| Jan 2026 | Nudification site (unnamed) | Failure to implement age verification | £50,000 | Illegal content duties |
| Jan 2026 | X (Grok chatbot) | Investigation opened — AI-generated sexualized images including potential CSAM | Pending | Illegal content + child safety |
| Feb 2026 | Adult website (unnamed) | Failure to implement age verification | ~£1,000,000 | Child safety duties |
| Mar 2026 | 8579 LLC | Failure to implement age assurance | £1,350,000 | Record OSA fine |
| Mar 2026 | Kick Online Entertainment | Non-compliance + failure to respond to information notice | £800,000 + £30,000 | OSA s.134 + child safety |
| Apr 2, 2026 | 40+ online services | Legally binding notices demanding revised risk assessments | N/A (compliance orders) | Year 2 enforcement cycle |
Total confirmed fines: Over £3.77 million across 6 fine decisions.
Note on collection: Ofcom does not publish data on fine collection rates. We cannot verify how much of the £3.77 million has actually been collected. 4chan’s total fines of £520,000 are notable given the platform’s history of non-cooperation with regulators worldwide.
The X/Grok Investigation
The X/Grok case is the highest-profile AI enforcement action in the UK. CCDH research (published January 22, 2026) found approximately 3 million sexualized images generated in 11 days, with an estimated 23,000 depicting children. The Internet Watch Foundation (IWF) confirmed AI-generated CSAM on the platform.
X responded on January 14 by removing Grok’s ability to edit images of real people in revealing clothing and implementing geoblocking technology. Ofcom’s investigation remains open. The ICO opened parallel investigations on February 3 — examining the lawful basis for the processing and the adequacy of design safeguards.
This is the DRCF coordination model under live stress: two regulators investigating the same company under different legal frameworks, with DRCF providing coordination but no enforcement override. For a comparison with how China’s CAC handles AI enforcement through coordinated campaigns rather than parallel proceedings, see our China enforcement tracker.
The Emergency Legislative Response
The government’s February 16, 2026 announcement committed to bringing AI chatbot providers within scope of the OSA’s illegal content duties. The mechanism became clear in April:
Henry VIII clauses in two bills. The Crime and Policing Bill and Children’s Wellbeing and Schools Bill both contain provisions that would allow ministers to rewrite significant portions of the Online Safety Act through secondary legislation — without full parliamentary debate. Professor Lorna Woods (Essex University, OSA Network legal adviser) described this as “basically introducing a third of the Online Safety Act” by ministerial order (TechPolicy.Press, April 8, 2026).
Lords criminal offense amendment (March 25, 2026). The House of Lords approved an amendment creating criminal penalties — up to 5 years’ imprisonment — for operators of AI chatbots that fail to implement adequate safety measures for children. This amendment now moves to the Commons, where the government may seek to reverse it.
The governance critique. The Henry VIII mechanism is efficient but raises constitutional questions. Secondary legislation faces less parliamentary scrutiny than primary legislation. Using it to expand a major regulatory framework — adding new categories of regulated service, new duties, and potentially new penalties — sidesteps the debate that accompanied the original OSA. Whether this represents pragmatic regulatory agility or a shortcut around democratic accountability is an open question.
For chatbot developers, the practical implication is clear: the OSA’s chatbot scope gap is closing. The timeline is uncertain — the Crime and Policing Bill must complete its parliamentary passage — but the direction is not. Developers of standalone AI chatbots should prepare for OSA compliance even if they currently fall outside scope.
Ofcom’s AI Strategy Beyond Enforcement
Enforcement is only part of Ofcom’s AI approach. Three other activities shape the regulatory direction:
Four-paper discussion series (2024-2025). Ofcom published a series exploring AI’s impact on online safety, covering synthetic content generation, AI-enabled targeting, and platform content moderation. These papers informed Ofcom’s strategic approach to AI within the OSA framework.
Joint regulator engagement. Ofcom and the ICO sent a joint letter to Meta, Snap, TikTok, and YouTube (March 12, 2026) regarding children’s safety obligations — including AI-generated content safeguards. Ofcom chairs the DRCF in its current rotation, making it the convening voice on multi-regulator AI coordination.
Children’s Online Experiences consultation (March 2, 2026). DSIT launched “Growing up in the Online World” — a consultation proposing new obligations for online services regarding children, with AI-generated content directly in scope. This feeds into both the OSA’s child safety duties and the broader legislative expansion.
The AI Security Institute covers frontier model capabilities. Ofcom covers what happens when those capabilities reach consumers through online platforms. The two mandates are complementary but distinct — and currently, only Ofcom has enforcement powers.
What Should Platform Operators Do?
1. Determine your OSA scope. Are you a user-to-user service or search service? If yes, you are covered. If you operate a standalone chatbot, apply the three-test framework. If you fail any test, you may be in scope.
2. Complete your risk assessment for AI-generated content. Your illegal harms risk assessment must consider how AI could be used to create or amplify prohibited content on your platform. If you have not updated your risk assessment to address AI-generated CSAM, deepfakes, and synthetic disinformation, do so now. Ofcom’s April 2026 binding notices to 40+ services show this is an active enforcement priority.
3. Implement age assurance. The record £1.35 million fine signals Ofcom’s focus on age verification. If your service is likely to be accessed by children and you have not implemented age assurance measures, this is the highest enforcement risk.
4. Prepare for chatbot expansion. Even if your standalone chatbot currently falls outside OSA scope, the Crime and Policing Bill will likely bring it in. Start building compliance infrastructure now — risk assessments, content moderation systems, age assurance — rather than scrambling after the law changes.
5. Respond to Ofcom information notices promptly. 4chan’s and Kick’s fines included penalties specifically for failing to respond to Ofcom requests. Non-response is a separate offense with its own fine.
6. Monitor the categorisation register. It has been delayed to July 2026. When it launches, platforms meeting the Category 1 threshold (>34 million UK users + content recommender) will face enhanced transparency duties. Category 2A (>7 million users, search) and Category 2B (>3 million users) create additional tiers.
7. Watch the Crime and Policing Bill. The Henry VIII clauses and the Lords criminal offense amendment are both in parliamentary passage. The final shape of the OSA expansion will emerge from this legislative process.
How Does This Compare to the EU?
| Dimension | UK (OSA + Ofcom) | EU (DSA + AI Act) |
|---|---|---|
| Scope | User-to-user + search services. Standalone chatbots currently excluded | All digital services. AI Act covers all AI systems on EU market |
| AI chatbot coverage | Gap (closing via Crime and Policing Bill) | Covered — AI Act applies to chatbot providers; DSA covers platform hosting |
| Content moderation | Platform risk assessments must consider AI-generated harms | DSA systemic risk assessments + AI Act prohibited practices |
| Penalties | £18M or 10% of qualifying worldwide revenue | 6% of turnover (DSA) + EUR 35M/7% (AI Act prohibited practices) |
| X/Grok response | Ofcom + ICO parallel investigations (UK) | EU investigation under DSA (separate track) |
| Enforcement body | Ofcom (single regulator for online safety) | National DSA coordinators + AI Office for GPAI |
The UK’s chatbot scope gap does not exist in the EU framework: the AI Act applies to AI system providers regardless of whether the system is a platform, a chatbot, or an embedded service. For multinational companies, the EU standard provides broader coverage — the UK is playing catch-up on chatbot regulation.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. The Online Safety Act’s scope for AI chatbots is actively being expanded through legislation currently before Parliament. Organizations should consult qualified legal counsel. Reg Intel is not a law firm and does not provide legal services.
Last verified: April 10, 2026
Sources
Official Sources
- Online Safety Act 2023
- Ofcom: AI chatbot scope explainer, December 18, 2025
- Ofcom: X/Grok investigation opened January 12, 2026
- ICO: Formal investigations into X/X.AI opened February 3, 2026
- Ofcom: Binding notices to 40+ services, April 2, 2026
- Government: AI chatbot OSA expansion commitment, February 16, 2026
Analysis and Commentary
- CCDH: Grok sexualized images research, The Guardian, January 22, 2026 — 3M images, 23K of children
- TechPolicy.Press: UK seeks more powers under OSA, April 8, 2026
- Inforrm: Ofcom OSA enforcement tracker, March 11, 2026
- BBC: 4chan fines confirmed at £520,000, March 19, 2026
- RPC Legal: Chatbot scope analysis, March 30, 2026
Enforcement Data
- 28 investigations / 92 services (Ofcom Year 1)
- Total fines: £3.77M+ confirmed across 6 decisions
- Record fine: £1,350,000 (8579 LLC, March 2026)
- 40+ services received binding Year 2 notices (April 2, 2026)
- Ofcom does not publish fine collection data
Compare: EU vs UK
For the comprehensive comparison across twelve dimensions — structural divergence, risk classification, the 19 UK regulators vs the EU AI Office, enforcement penalties, the Data (Use and Access) Act 2025, AISI vs the EU AI Office, and a five-step dual-market compliance baseline — see EU vs UK AI Regulation: Precaution vs Innovation Compared (2026).