UK's Online Safety Act Now Requires File-Sharing Platforms to Scan Uploads. Ofcom Has Already Issued Its First Fine.
New scanning obligations under the UK Online Safety Act took effect on January 8, 2026, requiring file-sharing and file-storage services to detect and remove illegal content. Ofcom has fined one service £20,000 and forced two others to deploy perceptual hash matching. Spring 2026 guidance will define which technologies qualify as compliant.
VaultTools · March 31, 2026
Photo by Tingey Injury Law Firm on Unsplash
Table of Contents
- What the new rules require
- Ofcom’s enforcement actions so far
- What is coming in Spring 2026
- Who is in scope and who is not
- Sources
What the New Rules Require
On January 8, 2026, expanded provisions of the UK Online Safety Act came into force. Under these rules, platforms that allow users to upload, store, or share files must assess their risk of hosting illegal content and implement appropriate technical measures to detect and remove it.
For file-sharing and file-storage services classified as high risk, Ofcom’s Illegal Content Codes of Practice specifically recommend perceptual hash matching. This technique compares uploaded files against databases of known illegal images using cryptographic fingerprints, flagging matches before or after a file reaches the platform’s servers.
The UK government confirmed that “accredited technology” guidance, setting out exactly which scanning systems satisfy the legal requirement, will be published in Spring 2026. Until that guidance is in place, Ofcom is using its existing enforcement and information-gathering powers to assess compliance platform by platform.
Ofcom’s Enforcement Actions So Far
Ofcom launched an investigation in mid-2025 into seven file-sharing services. Two outcomes have since been made public.
The provider of Im.ge was fined £20,000 for failing to respond to two statutory information requests. Ofcom confirmed that if the service remains non-compliant, a daily penalty of £100 will follow. The fine established a principle: procedural refusal to engage with Ofcom’s supervisory process is itself a punishable offence, independent of whether illegal content is found.
The providers of 1Fichier and Gofile engaged constructively under Ofcom’s informal enforcement process and implemented perceptual hash matching solutions. Ofcom cited both cases in its March 2026 industry bulletin as examples of compliant behaviour.
Ofcom also confirmed it is expanding its enforcement focus beyond the initial seven services to cover additional file-sharing providers assessed as high risk.
What Is Coming in Spring 2026
Ofcom has written to the platforms children use most frequently, including Facebook, Instagram, Roblox, Snapchat, TikTok, and YouTube, setting a deadline of April 30, 2026 to report the steps they will take on child safety measures.
The accredited technologies guidance, which will formally define what scanning systems satisfy the Online Safety Act, is due in Spring 2026. Once published, file-sharing services will have a defined technical baseline to meet or face enforcement.
The broader Register of Categorised Services, which will assign specific duty levels to platforms above certain user thresholds, is scheduled for no earlier than Summer 2026.
Who Is in Scope and Who Is Not
The Online Safety Act applies to services that receive files on their own infrastructure and make them accessible to other users or to the platform itself. The key condition is server-side receipt of user files.
Services that process files entirely on the user’s device, without transmitting them to a server, do not receive files in the sense the Act regulates. There is no upload, no server-side storage, and no content for a platform operator to scan or report. The legal obligation does not attach because the technical act the law addresses never occurs.
For the growing category of tools that process documents, PDFs, and images locally in the browser, the Online Safety Act scanning requirement is structurally inapplicable. The same property that protects user privacy, keeping files on the device that created them, also keeps the operator outside the regulatory perimeter that Ofcom is now actively enforcing.
Sources
- Enforcing the Online Safety Act: Ofcom fines file-sharing service £20,000 (Ofcom)
- File-storage and file-sharing: know the online safety risks, the rules, and how to comply (Ofcom)
- Online safety industry bulletin: March 2026 (Ofcom)
- Enforcement programme into file-sharing and file-storage services (Ofcom)
- UK Expands Online Safety Act to Mandate Preemptive Scanning of Digital Communications (MyPrivacy Blog, January 2026)
- Ofcom wants to double down on file monitoring in 2026 (TechRadar)
- Enforcing the Online Safety Act: Ofcom’s £20,000 Fine Signals a Broader and More Procedural Compliance Regime (Preiskel and Co)