On 8 May 2026, Ofcom published a significant update on its online safety implementation plans, including a refreshed regulatory roadmap running from March 2026 to May 2027.

In an accompanying article, Ofcom set out three compliance priorities for the year ahead:

1. improving protections for children,
2. tackling illegal hate and terror content, and
3. protecting women and girls online.

These priorities will determine where Ofcom concentrates its supervisory and enforcement resources.

Ofcom acknowledged that the Online Safety Act covers over 100,000 services and more than 130 priority offences. Given that breadth, Ofcom must be selective in how to concentrate its efforts. Ofcom confirmed that factors guiding enforcement decisions include how many people use a service, how serious the potential harm can be, whether users are especially vulnerable, and how services respond when risks are identified.

Ofcom also re-emphasised its willingness to act promptly wherever there appear to be egregious breaches of the Online Safety Act, such as when it opened an investigation into a prominent suicide forum linked with over 100 deaths in the UK, or the probe it launched in January into X over AI-generated sexual deepfakes.

Crucially for the games industry, Ofcom confirmed it directly supervises 40 of the highest-profile services, specifically naming gaming services as a category of supervised services, alongside social media, search, dating, and AI services.

Being grouped alongside social media, search, dating and AI services will be unwelcome news for the games industry. Online safety risks vary significantly not only between games and social media, but also within the games sector itself. An online multiplayer game with limited user-to-user interaction (such as chat between teammates or opponents) presents very different challenges compared to a UGC-rich ecosystem or a massively multiplayer online role-playing game. The games industry’s experience (individually and collectively) when engaging with Ofcom has been productive to date. However, games companies interacting with the regulator will need to invest in educating Ofcom about their specific position in the industry, their offering, their player base, and the unique compliance challenges they face under the Online Safety Act.

Ofcom noted that platforms including Xbox and Steam have already introduced age checks, and highlighted Roblox’s use of age verification to restrict adult-to-child contact. Gaming platforms are firmly on Ofcom’s radar and are expected to demonstrate meaningful progress.

The first duties under the Online Safety Act came into force in March 2025, with child safety duties following in July 2025. Ofcom reports early signs of improvement across the industry, but emphasises that “further attention is needed in 2026 to accelerate progress.”

The investigations and enforcement actions were focused on enforcing highly effective age assurance requirements on pornographic websites and combating child sexual abuse material. As a result of Ofcom’s interventions, the regulator claims that “all the top ten pornography sites in the UK, and most of the top-100, now use age checks to keep children off.”

This flurry of activity means that Ofcom has launched more online safety investigations over the past year than any of its international regulatory peers, and has demonstrated its willingness to use its powers to fine companies up to 10% of qualifying worldwide revenue (or £18 million, whichever is higher) for breaches.

Ofcom’s updated roadmap sets out a month-by-month timeline of regulatory milestones. The dates most relevant to user-to-user services, including games platforms, are:

• April 2026 (Duty to Report CSEA): The Online Safety Act requires all regulated service providers to report all detected and unreported CSEA content present on their services to the NCA. If a service is based outside the UK, the requirement is to report CSEA content that is UK-linked. The duty applies to all regulated user-to-user and search services. Services that already report CSEA content to the National Centre for Missing and Exploited Children’s (NCMEC) CyberTipline should continue to do so.
• May 2026 (Hash Matching): Ofcom plans to set a new technical standard for “hash-matching” to detect intimate images shared without consent and to prevent the upload of known non-consensual intimate images. The new Codes of Practice measures are expected to come into effect in early autumn.
• May 2026 (Technology Notices): Under section 121 of the Act, Ofcom can require providers of user-to-user or search services to use accredited technology to identify and prevent users encountering terrorism and/or child sexual exploitation and abuse (CSEA) content on their service. Ofcom has published its final advice to the Secretary of State and its guidance to providers – once technologies have been approved and accredited by the Secretary of State, Ofcom will then have the power to require in-scope services to use such technologies.
• May–July 2026 (Risk Assessments): Providers may be requested to submit their illegal content and children’s risk assessments to Ofcom, taking account of identified areas for improvement.
• July 2026 (Age Assurance Statutory Report): Ofcom will publish a report by the end of July 2026 assessing how services have used age assurance and how effective it has been for the purpose of complying with their duties under the Act.
• Summer 2026 (Publication of Categorised Services): Publication of the register of categorised services and a consultation on additional duties (including fraudulent advertising, terms of service, user empowerment, and ID verification).
• Autumn 2026 (Updated Codes of Practice): Updated Codes of Practice with additional safety measures, including provisions on AI and automated content moderation tools. Ofcom is also bringing forward its crisis response measure to the summer.
• January 2027 (Use of App Stores by Children Report): Ofcom will publish a report on the use of app stores by children by January 2027. This will assess the role app stores play in children encountering harmful content and evaluate the use and effectiveness of age assurance by app store providers. This will support the Secretary of State in determining whether app stores should be brought into scope of the Act (something every games store should be alive to). In addition to the call for evidence Ofcom published in November 2025, we understand that a number of app stores, including gaming app stores, have been contacted by Ofcom using its statutory powers to request information for the purposes of producing this report.
• 2027 (Transparency Reports): Services on the register of categorised services will be required to publish transparency reports in accordance with the final transparency reporting guidance. Ofcom will publish an update on the timeline for when transparency reports will be required to be published.
• Mid-2027 (Additional Duties for Categorised Services): Final policy statements on additional duties for categorised services, with first mandated transparency reports due by summer 2027.

1. Review Risk Assessments: Ensure that both illegal content and children’s risk assessments are up to date, properly documented, and assign a named individual responsible for compliance. Ofcom may request these assessments between May and July 2026 using its statutory powers. Importantly, Ofcom expects significant improvements from services it reviewed in year 1: it will specifically revisit those services to verify they have acted upon its feedback.
2. Children’s Duties and Age Assurance: If the regulated part of your service (for video games, this often means social user-to-user interactions such as in-game chat, voice comms, and user-generated content) does not deploy highly effective age assurance, you must assume children can access it and comply with the full suite of child protection duties. You can learn more about the age assurance requirements for video games under UK law here.
3. Review Moderation Technology and Reporting Mechanisms: The direction of travel is clear: if your game, game platform, or user-to-user service has the ability for users to send, receive, or encounter images or videos, Ofcom will expect services to deploy hash-matching technology to prevent the sharing of non-consensual intimate images and CSEA. Services should also ensure that they are complying with their duty to report CSEA to the National Crime Agency.
4. Review Consumer-Facing Terms: Consumer-facing documents, such as EULAs, terms of service, privacy policies, and codes of conduct or content guidelines, should all be reviewed and, where necessary, updated to ensure compliance with the Online Safety Act and Ofcom’s Codes of Practice. In particular, services should ensure that users are informed about any prohibited content under the terms, how they are protected from prohibited content, illegal content, and content harmful to children, how to report such content, and how to raise complaints.
5. Women’s and Girls’ Safety: Ofcom has made clear that it will be focusing on improving women’s and girls’ safety online. Games companies should review Ofcom’s guidance on a safer life online for women and girls. Games companies approached by Ofcom should be prepared to demonstrate what steps they have taken to comply with the guidance.

If you’d like any further information, or have any questions about the content of this article or online safety more generally, please do get in touch.