Digital regulation | UK Regulatory Outlook May 2026

Online safety and age assurance 

King's Speech 2026 

King Charles III opened Parliament on Wednesday 13 May 2026 with the announcement of 37 bills his ministers would like to pass in this parliamentary session. 

The government made no commitments to introduce any standalone online safety measures, but this does not mean that this area, particularly in relation to protecting children online, is not still a priority for it. The primary reason for no mention is, presumably, because the government's consultation on children's online safety, exploring whether to ban social media for under-16s, restrict addictive features or impose curfews on children's use of the platforms, only closed on 26 May. In addition, the new Children's Wellbeing and Schools Act 2026 contains an obligation for the government to take some form of action once the consultation closes (see more below).  

There are, however, a number of online safety measures woven into a new National Security Bill. This bill will criminalise the creation and sharing of the most harmful violent material online to stop the spread of content that glorifies, trivialises or normalises serious violence. Law enforcement will gain new powers to disrupt individuals encouraging violence online and reduce the circulation and supply of such material. The aim is to do this in a proportionate way to protect freedom of expression and legitimate public-interest activity. 

See this Insight for other announcements in the King's Speech, including in advertising and consumer law and AI. 

UK Crime and Policing Bill enacted 

The Crime and Policing Bill received Royal Assent on 29 April 2026 becoming the Crime and Policing Act 2026 (CPA). It introduces several amendments to the online safety regime in the UK, including banning so-called "nudification" apps. Various "priority offences" have also been added to the Online Safety Act 2023 (OSA), with a particular focus on non-consensual intimate image content: 

• Intimate image takedown duty. Regulated user-to-user services will be subject to a new duty to take down intimate image content within 48 hours of such content being reported to the service. An equivalent duty will apply to regulated search services within the same timeframe, requiring them to ensure that individuals can no longer encounter such content.  
• Personal criminal liability. A person who has received a confirmation decision from Ofcom containing an "intimate image content requirement", but who fails, without reasonable excuse, to comply with that confirmation decision, that is, removing relevant content within 48 hours, will be committing a criminal offence. This would apply to the responsible officers of a regulated provider.  
• New priority offences. The CPA creates several new criminal offences relating to the possession and publication of certain pornographic images and also makes them "priority offences" under Schedule 7 of the OSA. The existing criminal offences of creating, and requesting the creation of, a purported intimate image of an adult, which includes AI-generated images, is also now a priority offence under Schedule 7 of the OSA. 
• Powers to address AI-generated content. The CPA grants the secretary of state new powers to make regulations to amend any provision of the OSA to minimise or mitigate the risks of harm presented by "illegal AI-generated content" and the use of "AI services" (described as an internet service capable of producing AI-generated content, which would encompass AI chatbots) for the commission or facilitation of "priority offences". This includes powers to impose various OSA duties that regulated providers of both search and user-to-user services currently have to comply with in relation to illegal content, as well as other duties.  

The CPA also creates a number of new criminal offences with online safety implications, including criminalising the making or supplying of child sexual abuse (CSA) image-generators, including AI models that have been optimised to create CSA material, and purported intimate image generators (which covers AI deepfakes). See more in the AI section.  

UK Children's Wellbeing and Schools Bill enacted 

The Children's Wellbeing and Schools bill received Royal Assent on 29 April, becoming the Children's Wellbeing and Schools Act 2026. It gives the government powers to make regulations requiring providers of specified internet services to prevent or restrict access by relevant children to such services, or to specified functionalities or features of such services.  

This follows the Lords finally standing down, during the Parliamentary "ping-pong" process that the bill went through, on their amendment for a social media ban for children under 16. The government made minor concessions to the Lords, confirming that "it is a question of how we act, not if" and that, to make this clear, it has changed the statutory requirement on the secretary of state to exercise its powers to regulate, as it considers appropriate once the consultation entitled "Growing up in the online world" has concluded, from "may" to "must".  

In addition, the secretary of state must provide a progress report on its efforts to make further regulations, together with a timeline for making the regulations, within three months of Royal Assent. It must then lay any regulations it has decided to make before Parliament within 12 months. However, the government has said that it intends to "move faster" and that its aim is to do so "by the end of the year".  

The Act also amends the UK GDPR, providing the secretary of state with powers to change the age of consent in relation to the processing of a child's personal data, not to an age lower than 13 years or higher than 16 years. 

The government has also said that, regardless of the consultation outcome, it will "impose some form of age or functionality restrictions for children under 16", and that any consideration of restrictions, such as curfews, will be in addition to that, not instead of it. The government has confirmed that it is "focused on addictive features, harmful algorithmically-driven content and features such as stranger pairing". 

European Commission sets out a common approach for EU-wide age verification technologies 

The Commission has adopted a recommendation on establishing a common framework for EU-wide age verification technologies. Among other things, it recommends that Member States make available, by 31 December 2026, an EU age verification solution, either integrated in the European Digital Identity Wallet or provided as a stand-alone application, or both. The Commission presented its final EU age verification app in April 2026 – see this Regulatory Outlook.  

The Commission also recommends that Member States submit an implementation plan to the Commission by 30 June 2026, and work with their Digital Services Coordinators, other Member States, the Commission, researchers and civil society in the roll-out of their national solutions. 

The Commission will also set up an EU Age Verification Scheme with requirements that providers of proof of age attestations and age verification solutions must meet in order to be added to the EU trusted proof of age attestation providers list or the EU trusted solution list.  

UK Online Safety Act updates  

Ofcom shares its online safety priorities for year ahead 

Following publication of its plan of work for 2026/27, Ofcom has shared further details on its priorities for both implementing and enforcing the OSA. 

Ofcom notes that the OSA is "extremely ambitious", covering over 130 priority offences and more than 100,000 services. It is still implementing parts of the regime while simultaneously addressing new or upcoming legislation and pursuing enforcement action. This means that it has had to make choices about where to concentrate its efforts. 

In relation to implementation, it has published an updated roadmap. As for the new legislation it refers to, for example the new priority offences introduced under the CPA (see above) and any additional measures arising from the government's consultation on children's digital wellbeing, Ofcom notes that "substantial" policy work will be required. As for enforcement, Ofcom has, to date, been concentrating on protecting children by ensuring that pornography sites and other services have effective age assurance measures in place. It now plans to expand its compliance programmes to tackle fraud, child sexual abuse and grooming, focusing on both larger services and smaller but risky ones. Child protection work will continue to take priority, but Ofcom will also focus on countering terrorism and illegal hate, as well as the protection of women and girls online. 

Ofcom announces the addition of 'hash matching' to its illegal content codes  

Ofcom has announced that it is adding a recommendation to its Illegal Content Codes of Practice that certain service providers use automated detection technology ("hash matching") to detect and reduce the spread of illegal intimate images shared online without consent, including explicit deepfakes. This will apply to: 

• Providers of user-to-user services that are high risk for intimate image abuse and either: (i) have as their principal purpose the hosting or dissemination of regulated pornographic content; (ii) are file-sharing and file-storage services; or (iii) have more than 700,000 monthly active UK users. 
• Providers of large user-to-user services that are medium risk for intimate image abuse. 
• Providers of large general search services.  

This new recommendation aligns with the ban on so-called "nudification" tools and the requirement to take down non-consensual intimate images within 48 hours, contained in the CPA (see above), and should, Ofcom says, "make a material difference in protecting women and girls online". 

The amendment to the code is expected to come into force in autumn 2026. Ofcom also intends to announce, at the same time, further safety measures as proposed in last year's consultation, "Pushing platforms to go further". 

UK Media Act updates 

Ofcom publishes draft code of practice for Tier 1 services  

On 1 April 2026, the On-demand Programme Services (Tier 1 Services) Regulations 2026 came into force. They define "Tier 1 services" in the Media Act's new video-on-demand (VoD) services regime as on-demand programme services (ODPS) (and qualifying non-UK ODPS) with more than 500,000 average monthly UK users (see this Regulatory Outlook for background). 

Ofcom has now published for consultation its draft Tier 1 Standards Code. The code includes rules on protecting under-18s, harm and offence, crime, disorder, hatred and abuse, religion, due impartiality and due accuracy, elections and referendums, and fairness and privacy. It is designed to supplement the existing ODPS rules, rather than replace them. The rules essentially impose content standards for Tier 1 services that are broadly comparable to those applicable to traditional, linear broadcasters.  

Ofcom has also published for consultation a new code setting out accessibility requirements for Tier 1 services. It introduces mandatory service access quotas, covering subtitles, audio description and signing, alongside reporting and awareness obligations. 

The deadline for responses to both consultations is 7 August 2026. 

TSS and EPG regulations laid before Parliament 

Under the new online availability and prominence regime introduced by the Media Act, connected TV platforms (referred to as "television selection services" (TSS)) designated by the secretary of state will be required to ensure that PSB TV apps designated by Ofcom, as well as their public service content, are available, prominent and easily accessible. Ofcom published its recommendations to the secretary of state on the designation of TSS in December 2025.  

The government has now laid the Television Selection Services (Designation) Regulations 2026 before Parliament. The TSS regulations, which come into force on 1 July 2026, designate the TSS that will be caught by the new prominence regime. The government has agreed with Ofcom's recommendation to designate 15 TSS.  

Further, the government has laid the Regulated Electronic Programme Guide (Prescribed Description and Transitional Arrangements) Regulations 2026 before Parliament. These regulations, which come into force on 16 June 2026, update the meaning of TV electronic programme guides (EPGs) – the on-screen menus integrated into TVs, set-top boxes and apps – and extend audience protections and accessibility requirements to newer TV guide services. They also close the current loophole in the existing framework to bring into regulation certain TV guide services that previously fell outside regulation.