🧭 Decision Radar

Relevance for Algeria: Medium. Algeria does not yet have an equivalent statutory age-assurance regime, but Algerian platform operators serving European users face OSA-adjacent obligations, and the MPTTN is actively developing a digital-content regulatory framework.

Infrastructure Ready? Partial. Age-verification vendors (open banking, photo ID matching) are available to Algerian-registered companies through European integrations, but local biometric and digital identity infrastructure is nascent.

Skills Available? Partial. Compliance and legal skills for UK/EU regulatory frameworks exist in larger Algerian tech firms but are absent in SMEs.

Action Timeline: 12-24 months. No immediate Algerian statutory obligation, but operators with European user bases need OSA/DSA readiness now.

Key Stakeholders: ARPCE, MPTTN, Algerian platform operators with European audiences, law firms specialising in digital compliance.

Decision Type: Strategic. This article provides strategic guidance for long-term planning and resource allocation.

Quick Take: Algeria’s platform operators with European traffic cannot defer age-assurance planning indefinitely — the EU Digital Services Act and converging national laws will reach them via their European users before any domestic Algerian legislation does. The Ofcom enforcement model is the clearest available signal of where this regulatory wave is heading: technically specific, financially significant, and architecturally portfolio-wide.

From Royal Assent to Real Enforcement

The UK’s Online Safety Act 2023 received royal assent in October 2023 after years of parliamentary debate, but its most consequential provisions only came into force in July 2025. The first duty that hit adult content platforms was unambiguous: deploy “highly effective age assurance” to prevent minors from accessing pornographic content — or face enforcement action.

Ofcom, the UK’s communications regulator, launched investigations into adult-content providers within days of the July 25, 2025 effective date. By October 2025, it had already published its first Confirmation Decision — a £20,000 fine against 4chan for failing to respond to an information request, marking the first financial penalty under the legislation. A December 2025 enforcement action against an unnamed operator produced a £1 million fine plus £50,000 for information-request non-compliance.

But it was the February and May 2026 fines that signalled Ofcom had shifted from warning shots to sustained enforcement pressure. The penalty against 8579 LLC — £1.35 million for Section 12 violations plus £50,000 for Section 102(8) failures — became the highest single fine in this enforcement strand. Three months later, Youngtek Solutions’ £600,000 penalty confirmed that Ofcom intended to move systematically through the sector.

What “Highly Effective” Actually Requires

Understanding where operators are failing requires understanding what Ofcom actually demands. The regulator does not prescribe a single technology — instead, it publishes a non-exhaustive list of methods it considers capable of meeting a four-criterion test: technical accuracy, robustness against circumvention, reliability, and fairness.

Approved methods include open banking verification, photo ID matching, facial age estimation, and digital identity services. What does not qualify is explicit: self-declaration (“I confirm I am 18”) and simple contractual age restrictions in terms of service are ruled out as categorically ineffective.

The 8579 LLC case illustrates what failure looks like at scale. The company operated multiple adult sites — including crazyporn.xxx, hoes.tube, love4porn.com, and justpornflix.com — and allowed access without any qualifying age-verification gate from 25 July 2025 until at least 19 November 2025. Ofcom’s investigation covered the full portfolio, a deliberate signal that regulators will treat multi-site operators as a single compliance unit. The £1,000 daily penalty imposed after the Confirmation Decision remains in effect until the company achieves compliance.

Youngtek Solutions Ltd operated four adult websites without qualifying age assurance from 25 July until 22 September 2025 — a window of just under two months. Its £500,000 Section 12 penalty was accompanied by a £100,000 Section 102(8) fine because the company provided required information to Ofcom only after the statutory deadline. Ofcom confirmed it would continue monitoring the sites even after the company subsequently implemented age checking, signalling that post-enforcement surveillance is part of the regime.

Suzanne Cater, Ofcom’s enforcement director, stated publicly that “having highly effective age checks on adult sites is non-negotiable” and that companies falling short should expect “significant fines.” The phrase “non-negotiable” is regulatory language of unusual directness — it removes any ambiguity that Ofcom will tolerate partial compliance or phased rollout excuses.

The Enforcement Architecture Behind the Fines

The structure of these penalties is as significant as the amounts. Each case typically combines two charges: a substantive fine under Section 12 for failing to implement age assurance, and a procedural fine under Section 102(8) for failure to respond to statutory information requests. The layered approach means operators face double exposure — once for the underlying safety failure, and again if they are uncooperative during the investigation.

Daily-rate penalties impose a third layer. Ofcom routinely adds £200–£1,000 per day until compliance is achieved or a cap date is reached. For a mid-size operator generating revenue from multiple adult domains, a 60-day daily penalty at £1,000/day adds £60,000 on top of the base fine — not catastrophic, but increasingly uncomfortable as the enforcement wave expands.

As analysed in Alexandros Antoniou’s legal commentary on the inforrm.org platform, Ofcom is applying portfolio-level oversight — launching investigations across all domains an operator controls, rather than treating each site as an isolated case. This makes it structurally impossible for an operator to comply on its most-visited site while leaving secondary domains unverified.

Beyond adult content platforms, Ofcom’s enforcement net is widening. The regulator issued provisional enforcement decisions against 4chan for violations under Sections 9, 10, and 12 — adding illegal content duties to the age-assurance strand. By February 2026, Ofcom had also expanded scrutiny to four additional network operators collectively running 20 adult platforms, including Fapello, Porntrex, XXBrits, and Sun Social Media.

What Platform Operators Should Do Now

The enforcement record makes the compliance map clear. Operators in any jurisdiction that mirrors or will mirror the OSA framework — which includes much of the EU and the Commonwealth — need to treat this as a read-ahead brief.

1. Audit Your Full Platform Portfolio Against the Four-Criterion Test

Do not assess only your flagship domain. As the 8579 LLC case demonstrates, Ofcom will investigate every site in an operator’s portfolio as a single compliance unit. Map every domain you operate that carries content subject to age-assurance duties — this includes secondary sites, test environments with public URLs, and recently acquired properties. Then run each domain against Ofcom’s four-criterion test: technical accuracy, circumvention robustness, reliability, and fairness. Self-declaration and contractual age restrictions fail all four criteria and should be removed from your compliance argument immediately. Ofcom’s age assurance guidance lists the accepted technology categories; match each domain to at least one.

2. Build an Information-Request Response Protocol Before You Receive One

The £100,000 Youngtek penalty and the £50,000 8579 LLC penalty were not for underlying safety failures — they were for providing information after statutory deadlines. Regulators treat these procedural failures as a distinct category of non-compliance, and they add automatically to base fines. Create a documented escalation path now: who receives a statutory information request, who owns the legal review, what internal SLA applies to the response, and who approves the submission. The timeline from receipt to response is typically short — building this workflow in advance of an investigation is far cheaper than explaining a late response to a regulator already investigating you for an underlying violation.

3. Implement Continuous Compliance Monitoring, Not Point-in-Time Audits

Ofcom’s post-fine surveillance of Youngtek — confirming it will “continue to monitor these sites to ensure that their age checking methods are highly effective” — means that compliance is not established once and forgotten. Age-verification technology degrades or can be circumvented; vendor contracts change; new domains go live. Build a monitoring loop: monthly spot-checks that a live user attempting access without valid credentials is gated, quarterly review of whether your chosen verification vendor still meets Ofcom’s evolving technical accuracy threshold, and an alert mechanism tied to any change in domain configuration. The National Law Review’s analysis of Ofcom’s enforcement strategy notes that enforcement intensity is expected to increase through 2026 — the bar will rise, not stabilise.

4. Monitor Parallel Regulatory Frameworks for Mutual Compliance Opportunities

The UK’s enforcement record is already shaping legislation elsewhere. Australia’s Online Safety Act requires “reasonable steps” to prevent under-16 access, with penalties up to AUD 49.5 million. France’s SREN law mandates age verification for adult sites and social media. The EU is integrating age assurance into Digital Services Act obligations via the EU Digital Identity Wallet “mini wallet” — an interoperable, privacy-preserving verification layer expected to standardise across member states by the end of 2026. Canada published CAN/DGSI 127:2025, a national age-assurance standard, in August 2025. Operators building a UK-compliant age-assurance stack should evaluate whether the same vendor solution can satisfy Australian “reasonable steps”, French SREN, and the emerging EU digital identity pathway simultaneously — the regulatory overlap is large enough that a single certified implementation may achieve multi-jurisdiction coverage.

The Regulatory Question: Template or One-Off?

The deeper question for policy observers is whether Ofcom’s enforcement model is a transferable template or a UK-specific product of a decade of legislative work. The answer appears to be: both.

The technical definition of “highly effective age assurance” — a four-criterion test with a non-exhaustive technology whitelist — is precise enough that other regulators can adopt it directly. The EU’s Digital Services Act already contains age-verification obligations for Very Large Online Platforms. France’s SREN law, Australia’s Online Safety Act, and Canada’s CAN/DGSI 127:2025 standard all converge on the same requirement: that self-declaration is insufficient and that operators must deploy technically verified age-checking infrastructure.

What is harder to export is the enforcement architecture itself — Ofcom’s capacity to launch 21 investigations within months of a law’s effective date, its willingness to impose daily penalties, and its use of portfolio-level oversight to close the multi-domain loophole. Most regulators outside the UK lack either the staffing or the legal framework to move at that speed. But the direction of travel is clear: the ICO’s separate £14.47 million fine against Reddit in February 2026 for children’s privacy failures — issued under UK GDPR rather than the OSA — shows that multiple UK regulators are independently converging on the same enforcement culture. Regulators elsewhere are watching both the speed and the strategy.

For enterprise operators, the practical implication is that any platform carrying content that a jurisdiction might classify as harmful to minors should now treat age assurance as a baseline infrastructure requirement — not a feature toggle, not a compliance checkbox, and not a problem to solve after receiving a notice. The fines are real. The daily penalties are accumulating. And the regulatory model is spreading.

Frequently Asked Questions

What is “highly effective age assurance” under the UK Online Safety Act?

Under the Online Safety Act 2023, Ofcom defines “highly effective age assurance” as any verification method that meets four criteria: technical accuracy, robustness against circumvention, reliability, and fairness. Accepted methods include open banking verification, photo ID matching, facial age estimation, and digital identity services. Self-declaration — where a user simply clicks a checkbox confirming they are over 18 — does not meet any of these criteria and is explicitly excluded. Operators must implement a qualifying method on every domain they operate that carries adult content.

How does Ofcom calculate its fines under the Online Safety Act?

Ofcom calculates fines based on multiple factors including the severity and duration of the breach, the number of platforms affected, revenue considerations, and the operator’s level of cooperation with the investigation. Fines are then compounded by separate Section 102(8) penalties for information-request failures, and daily-rate penalties — ranging from £200 to £1,000 per day — that accrue until compliance is confirmed. The layered structure means a base fine of £600,000 can grow substantially if an operator does not act quickly after a Confirmation Decision is issued.

Does the Online Safety Act apply to platforms based outside the UK?

Yes. The Online Safety Act applies to services with “links to the United Kingdom” — broadly, services that have UK-based users. 8579 LLC is a US-registered entity; its fine was issued based on the reach of its platforms into the UK market. Operators registered outside the UK but whose platforms are accessible to UK users are within scope and must comply with the same age-assurance duties. This extraterritorial reach mirrors the approach taken by the EU’s Digital Services Act against Very Large Online Platforms, and is a deliberate design choice to close the “register elsewhere” evasion route.
