Notice

Explanatory memorandum: Draft amendments to the Illegal content Codes of Practice for user-to-user services and Draft Amendments to the Illegal Content Codes of Practice for search services

Published 1 June 2026

1. Introduction

1.1 This Explanatory Memorandum has been prepared by the Department for Science, Innovation and Technology and is laid before Parliament by Command of His Majesty.

2. Declaration

2.1 Kanishka Narayan MP, Parliamentary Under-Secretary of State for AI and Online Safety confirms that this Explanatory Memorandum meets the required standard.

2.2 Nicola Spooner, Deputy Director for Online Safety Policy and Regulation at the Department for Science, Innovation and Technology, confirms that this Explanatory Memorandum meets the required standard.

3. Contact

3.1 Max Pumphrey at the Department for Science, Innovation and Technology can be contacted by email at: osaimplementation@dsit.gov.uk with any queries regarding the instruments. Alternatively, the department can be contacted by telephone: 020 7215 5000.

Part One: Explanation, and context, of the Instruments

4. Overview of the Instruments

What do the amendments to the codes of practice do?

4.1 The Online Safety Act 2023 (“the OSA”) imposes duties on providers of regulated user‑to‑user services and search services to take proportionate steps to protect users from illegal content and activity (“the illegal content duties”, sections 10 and 27 of the OSA). A user-to-user service is an internet service if content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service – may be encountered by another user (or other users) of the service. A search service means an internet service that is, or includes, a search engine.

4.2 Section 41 of the OSA requires Ofcom to prepare and issue codes of practice describing recommended measures that providers can take to comply with those duties. Ofcom issued its first illegal content codes of practice for user‑to‑user services and search services in relation to (i) terrorism (ii) child sexual exploitation and abuse (‘CSEA’) and (iii) other illegal content duties in March 2025.

4.3 The amendment to the codes of practice makes a targeted amendment to the codes of practice in relation to other illegal content duties by introducing a new measure in relation to non‑consensual intimate image (NCII) abuse.

4.4 The amendment sets out the recommended measure that relevant services use perceptual hash‑matching and related technical tools to identify and prevent the repeated uploading and sharing of known NCII, reducing reliance on repeated victim reporting once such content has been identified.

Where do the amendments to the codes of practice  extend to, and apply?

4.5 The extent of the instruments (that is, the jurisdiction(s) which the instruments form part of the law of) is England and Wales, Scotland, and Northern Ireland.

4.6 The territorial application of the instruments (that is, where the instruments produce a practical effect) is England and Wales, Scotland, and Northern Ireland.

5. Policy Context

What is being done and why?

5.1 The OSA established a regulatory framework for user‑to‑user services and search services. As part of this framework, the OSA places duties on providers to protect users from illegal content and, in the case of user‑to‑user services, to reduce the risks of illegal activity being facilitated by their services. These are referred to as the “illegal content safety duties” and are set out in sections 10 (user‑to‑user services) and 27 (search services) of the OSA. The purpose of these duties is to require providers to take responsibility for protecting UK‑based users from illegal content and activity encountered on or facilitated through their services.

5.2 The OSA establishes Ofcom as the independent regulator for this regime. Ofcom is responsible for producing codes of practice under section 41 of the OSA and its subsequent amendments, setting out recommended steps that providers can take to comply with their statutory duties. These steps are not mandatory in themselves, and providers may choose alternative measures, provided they can demonstrate equivalent compliance with the duties. However, where a provider follows all relevant measures set out in a code of practice, it will be treated as having complied with the corresponding duties.

5.3 The first Ofcom codes of practice for the illegal content safety duties came into force in March 2025. These comprised two separate instruments: the illegal content Codes of Practice for user‑to‑user services and the illegal content Codes of Practice for search services. Together, these codes introduced a set of core, cross‑cutting safety measures intended to apply across different types of illegal harm, alongside additional measures targeted at specific priority harms such as child sexual abuse material, terrorism and fraud.

5.4 Following the implementation of the first illegal content codes, Ofcom brought forward proposals for additional safety measures across both the illegal content codes and the children’s safety codes. Ofcom launched a consultation on these proposed additional measures in June 2025. The consultation covered a range of interventions intended to strengthen protections against specific harms, including measures addressing abuse facilitated through intimate images shared online without consent.

5.5 There has been significant Government, parliamentary and stakeholder interest in ensuring that platforms take effective action to tackle non‑consensual intimate image abuse, given the serious and often lasting harms experienced by victims. This included a public commitment by the Prime Minister in February to introduce new measures and duties on platforms to address this harm rapidly. In light of this, Ofcom decided to expedite the development of a specific non‑consensual intimate image hash‑matching measure.

5.6 The expedited measures recommend that certain user‑to‑user services and search services use hash‑matching technology to identify and prevent the re‑upload or re‑surfacing of known non‑consensual intimate images. Hash‑matching involves the creation of a unique digital identifier for a specific image, enabling platforms to detect identical images while not requiring human review of every upload. The measures apply to services where the risk of intimate image abuse is assessed as medium or high, with scope and application varying according to service type, size and risk profile. For user‑to‑user services, the measure is focused on services where users can upload or share images, while for search services it targets the repeated surfacing of known abusive material through search results. Smaller services are in scope where the risk of harm is sufficiently high.

5.7 To give effect to this measure, Ofcom has drafted amendments to the illegal content codes of practice for user‑to‑user services and for search services. These amendments consolidate the existing illegal content measures with the new non‑consensual intimate image hash‑matching measure, ensuring that providers can refer to a single, coherent set of recommended steps for complying with their illegal content duties. In line with the statutory process set out in the OSA, Ofcom submitted the draft amendments to the codes of practice to the Secretary of State for laying in Parliament.

What was the previous policy, how is this different?

5.8 Prior to these amendments, the illegal content codes of practice already contained recommended measures for tackling illegal image‑based abuse more generally and for using proactive technology in relation to child sexual abuse material. However, they did not include a specific recommended measure on perceptual hash‑matching for NCII.

5.9 The amendments therefore strengthen the existing regulatory framework by setting clearer expectations around use of hash-matching tools to prevent repeated NCII uploads.

6. Legislative and Legal Context

How has the law changed?

6.1 The OSA established the statutory regulatory framework under which Ofcom must issue codes of practice describing measures recommended for compliance with providers’ illegal content duties. These duties apply to user‑to‑user services and search services under sections 10 and 27 of the Act.

6.2 Sections 49 and 50 of the OSA set out the legal effect of codes of practice. A provider which takes the measures recommended in a code of practice for the purpose of complying with a relevant duty is treated as complying with that duty. A failure to act in accordance with a code of practice does not of itself give rise to legal liability, but a court or tribunal must take account of a provision of a code of practice where it is relevant to a question in proceedings and was in force at the relevant time. Ofcom must similarly take relevant provisions of a code of practice into account when exercising certain statutory functions.

6.3 The amendments to the codes of practice introduce an additional recommended measure relating to the use of hash‑matching technology to prevent the repeated upload and circulation of known non‑consensual intimate images. The amendments do not create new statutory duties, but updates Ofcom’s recommended compliance measures within the existing legislative framework.

Why was this approach taken to change the law?

6.4 This is the only possible approach to making the necessary changes.

6.5 Section 41 of the OSA places a duty on Ofcom to prepare and issue codes of practice and permits the updating of codes of practice for the illegal content duties. Where Ofcom prepares a draft code of practice or draft amendments to an existing code, section 43 of the OSA requires Ofcom to submit the draft to the Secretary of State. Under section 44 of the OSA, the Secretary of State has a limited power to direct Ofcom to modify a draft code of practice for specified public‑policy reasons. In this instance, the Secretary of State has considered the draft amendment and does not intend to issue a direction under section 44. Accordingly, and in line with section 43(2) of the OSA, the Secretary of State is laying the draft amendment to the codes of practice before Parliament for scrutiny.

7. Consultation

Summary of consultation outcome and methodology

7.1 Ofcom consulted on the draft amendments to the Illegal Content codes of practice as a part of a package of proposed amendments in June 2025 (the ‘additional safety measures consultation’).^{[footnote 1]} Ofcom is planning to issue its final decision on this package of amendments in Autumn 2026, but decided to fast-track its decision in relation to the intimate image abuse hash matching measures.^{[footnote 2]}

7.2 There has been a high level of public interest in Ofcom’s additional safety measures consultation, and approximately 50 stakeholders commented on the intimate image abuse hash matching measures. Ofcom has taken into account these comments. Non-confidential consultation responses are published on the consultation website.^{[footnote 3]}

7.3 There was broad support for the proposed measures from a variety of stakeholders. On the other hand, stakeholders raised some concerns, in particular that the use of databases containing unverified hashes (‘unverified’ means that the database operator has not checked that the underlying image is intimate image abuse) could lead to the detection of non-intimate image abuse content.

7.4 The issues raised and Ofcom’s response to them is included in detail in Ofcom’s regulatory Statement ‘Detecting intimate image abuse’ published on 18 May.^{[footnote 4]}

8. Applicable guidance

8.1 Ofcom has published draft Guidance^{[footnote 5]} to assist providers in determining the appropriate proportion of detected content that should be subject to human review. Ofcom was not subject to a duty to produce this guidance but decided to do so of its own accord.

8.2 There is also pre-existing statutory Guidance published by Ofcom under section 193 of the OSA to assist providers in identifying illegal content, including intimate image abuse content (the Illegal Content Judgements Guidance^{[footnote 6]}

Part Two: Impact and the Better Regulation Framework

9. Impact Assessment

9.1 Ofcom has a duty under section 7 of the Communications Act 2003 to carry out impact assessments when preparing a Code under section 41 of the OSA. The assessment must include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.

9.2 Ofcom has discretion as to the substance and form of an impact assessment. The impact assessments for these amendments to the Codes are included in Chapter 3 and Annex 1 of Ofcom’s Statement (i.e. the document published on its website which sets out its reasoning in full).^{[footnote 7]}

9.3 Ofcom has considered how the measures will reduce the risk of harm it has identified and how effectively it will do this. While Ofcom has sought to quantify impacts where feasible, there is a lack of robust quantitative evidence. It is even more challenging to put certain benefits in monetary terms. For example, it is difficult to quantify the social and psychological impacts of intimate image abuse on victims and survivors. While Ofcom has not generally quantified these benefits in monetary terms, it has placed significant weight on such impacts in its decisions.

9.4 Evidence shows that intimate image abuse is a widespread and increasingly prevalent harm. Service providers’ reporting and complaints systems alone, even where providers respond appropriately to all complaints, cannot sufficiently address the harm posed by intimate image abuse.

Impact on businesses, charities and voluntary bodies

9.5 The impact on businesses is that if businesses providing online user-to-user services and search services comply with the measures in the Codes then they are considered to be compliant with the relevant illegal content safety duties to which the measure applies. Service providers can take alternative measures to comply and must keep a record of the measures and explain how the relevant safety duties have been met.

9.6 The impact on business, charities or voluntary bodies will vary depending on whether they provide services within scope of the OSA and whether they identify risks which bring them within scope of the measures. Ofcom’s Statement sets out why it considers this measure to be proportionate, in light of the risk posed by these services. The measure will apply to some smaller services, for example services that are high risk for intimate image abuse content and are file-sharing and file-storage services. The measure will also apply to larger services, for example large general search service providers, which Ofcom concluded are at risk for widespread circulation of intimate image abuse via image search results, regardless of those services’ risk level for intimate image abuse. Ofcom has assessed the impact of the measures for all providers in scope and concluded that the measures are proportionate.

9.7 The Codes may impact small or micro businesses where they are high risk for intimate image abuse, but the approach taken does not include measures that impact small or micro businesses disproportionately. The OSA confers duties on regulated “user-to-user services” and “search services”, regardless of their size. The impact on businesses of any size depends on whether they assess as having risks on their services, as described in the previous paragraph, as well as other relevant criteria, such as hosting certain types of content (such as images and videos). The decision to not exempt small and micro businesses was taken because of the importance of addressing the harm posed by intimate image abuse in the UK.

9.8 There is no, or no significant, impact on the public sector because paragraphs 9 and 10 of Schedule 1 to the OSA exempt services provided by public bodies and services provided by persons providing education or childcare from being regulated. The amendments also do not place additional duties on Ofcom beyond its existing statutory functions, and therefore do not have implications for Ofcom’s funding or wider role.

10. Monitoring and review

What is the approach to monitoring and reviewing the amendments to the codes of practice?

10.1 The approach to monitoring this legislation is that, pursuant to section 47 of the OSA, Ofcom must keep the Codes under review. Ofcom will evaluate compliance with the regime and the impact of its guidance and Codes. Ofcom’s monitoring and evaluation work includes assessing whether its interventions are leading to changes in services’ systems and processes, a safer online life for users, particularly children, and unintended consequences that need mitigation.

10.2 Ofcom’s monitoring and evaluation programme involves establishing an evidence base which would allow us to monitor whether life online in the UK is getting safer and to evaluate to what extent this is due to the impact of the Act. Ofcom will evaluate data from a range of sources, including its own research (such as its Online Experiences Tracker), and data collected from law enforcement, civil society groups, industry and academia.

10.3 It is also important that Ofcom understands the impact of regulation under the OSA in specific areas. This could include, for example, the impact on businesses’ costs, particularly for small and micro businesses.

10.4 Additionally, Ofcom aims to understand the impact of discrete changes made by regulated services on safety outcomes, and will work with services to incentivise them to embed evaluation into their product development. Its Economics Discussion Paper Evaluating online safety measures ^{[footnote 8]} sets out how a widely used evaluation framework could be applied to assess the impact and effectiveness of online services’ safety measures.

10.5 The instruments do not include statutory review clauses; section 47 of the OSA requires Ofcom to keep the Codes under review.

Part Three: Statements and Matters of Particular Interest to Parliament

11. Matters of special interest to Parliament

11.1 None.

12. European Convention on Human Rights

12.1 As the instruments are subject to negative procedure and do not amend primary legislation, no statement is required.

13. The Relevant European Union Acts

13.1 The instruments are not made under the European Union (Withdrawal) Act 2018, the European Union (Future Relationship) Act 2020 or the Retained EU Law (Revocation and Reform) Act 2023 (“relevant European Union Acts”).

---

1. Consultation: Online Safety - Additional Safety Measures ↩

2.  Ofcom fast-tracks decision on measures to block illegal intimate images ↩

3.  Consultation: Online Safety - Additional Safety Measures ↩

4. Statement: Detecting intimate image abuse ↩

5.  Draft Guidance on appropriate proportion of human review for intimate image abuse hash matching ↩

6.  Protecting people from illegal harms online: Illegal Content Judgements Guidance (ICJG ↩

7.  Statement: Detecting intimate image abuse ↩

8.  Evaluating online safety measures ↩