National Audit Office report on Preparedness for online safety regulation

Ofcom has made a good start in its preparations for implementing a new online safety regime, and must now manage risks around monitoring, scope and financing, according to a new report by the National Audit Office (NAO).

The NAO's report examines whether preparations undertaken by the Department for Science, Innovation & Technology (DSIT) - previously the Department for Culture, Media and Sport (DCMS) - and Ofcom for the implementation of the new online safety legislation are sufficiently advanced.

The government introduced the Online Safety Bill in March 2022, reflecting its objective for the UK to become the safest place in the world to be online. The Bill is now expected to receive Royal Assent in October 2023. The full regulatory regime will be put in place in phases over the two years after Royal Assent.

According to Ofcom, 68% of child (13-17) internet users and 62% of adult (18+) users indicated they have experienced at least one potential online harm in the last four weeks. Harmful content varies, from child sexual abuse material and terrorist content to online fraud and the encouragement of self-harm.

Ofcom estimates its cumulative costs of preparing for and implementing the regime could total £169 million by the end of 2024-25, of which £56 million will have been incurred by the end of 2022-23. The regime is intended to become self-financing through a fee structure. Ofcom estimates that it could need to regulate more than 100,000 services, with the majority interacting with the regulator for the first time.

Ofcom still has lots to do to develop the new regulatory regime. It will need to publish more than 40 separate regulatory documents. It also needs to consider how it will manage public and industry expectations about the regime's impact to provide confidence from the outset. Ofcom must also inform industry about its requirements; ensuring its data requests are co-ordinated and proportionate, and establishing how it will collect feedback, in particular from smaller companies.

The regulator should identify how it will reach the capability and capacity it needs, the NAO recommends. It still needs to recruit more than 100 further online safety staff and has yet to secure the funding it needs for future years.

On monitoring and evaluation, DSIT should work with Ofcom to identify how data collection will support its own evaluation of the effectiveness of regulation once the regime has begun.

And Ofcom will need to ensure its processes for collecting data from service providers and its generation of automated information are of sufficient quality to inform its regulatory duties and enable it to adapt its approach if data shows it is not achieving its aims.

Gareth Davies, Head of NAO, said:

"Securing adequate protection of citizens from online harms is a significant new role for Ofcom, and its preparations to date have been good.

"Ofcom will need to manage several risks in a way that delivers value for money. It will need to move quickly to cover any gaps in its preparations should the scope change between now and implementation.

"And it will need to cover its costs by introducing fees so that the regime becomes self-financing. As ever, access to good quality data will be essential for Ofcom to monitor the compliance of services and to evaluate its own effectiveness and for DSIT to know that the regime is working."