Tandem laws expand UK online safety regime with new duties, criminal liability and government powers
Published on 3rd June 2026
Crime and Policing Act amends OSA while Children's Wellbeing and Schools Act empowers restrictions on social media
At a glance
The Crime and Policing Act introduces a 48-hour takedown duty for intimate images and personal criminal liability for those who fail to comply.
New offences target intimate image AI generators and child sexual abuse material generators, applying to both individuals and companies.
The Children's Wellbeing and Schools Act paves the way for a possible ban on children's social media access, with government action expected within months.
Two pieces of legislation enacted in April have added new duties, criminal offences and government powers to the UK's online safety framework. Both laws arrive as public pressure for a ban or restrictions on children's access to social media continues to mount.
The Crime and Policing Act 2026 (CPA), which received Royal Assent on 29 April, addresses a range of online safety concerns on the legislative and regulatory agenda, including the non-consensual sharing of intimate images and harms generated by artificial intelligence (AI). It also introduces personal criminal liability for failing to comply with an Ofcom confirmation decision relating to intimate images. Meanwhile, the Children's Wellbeing and Schools Act 2026 (CWSA), which was also enacted on 29 April, empowers the government potentially to introduce a ban or restriction on children's use of social media.
Non-consensual intimate images
The CPA introduces a new duty into the Online Safety Act 2023 (OSA) requiring providers of regulated user-to-user services to take down content that is the subject of an "intimate image content report" within 48 hours of receiving it. The same obligation applies to regulated search services, which must ensure that individuals can no longer encounter search content that is the subject of an intimate image content report within the same timeframe.
The CPA also gives the secretary of state powers to designate "trusted flaggers", which are persons authorised to make intimate image reports to platform and internet access service providers, to assist providers in deciding whether content constitutes intimate image content.
The secretary of state can also establish an "intimate image register", for which fees may be payable by regulated providers and duties imposed to take down content recorded on the register and prevent users from encountering that content. The secretary of state can also introduce penalties of up to £3 million for non-compliance.
Where Ofcom issues a confirmation decision that includes requirements relating to intimate image content, such as a requirement to remove such content within 48 hours, the person to whom that decision is given commits a criminal offence if they fail to comply with it.
Priority offences
The CPA creates several new criminal offences relating to the possession and publication of certain pornographic images and also makes them "priority offences" under schedule 7 of the OSA. The existing criminal offences of creating and requesting the creation of a purported intimate image of an adult, which includes AI-generated images, will also become priority offences. Regulated services will therefore be obliged to prevent such content from appearing on their services, as well as remove it once identified.
AI chatbots
A "legal loophole" currently exists in the online safety regime, whereby, as Ofcom has confirmed, AI chatbots do not fall within the scope of the OSA if they meet three criteria: they only allow users to interact with the chatbot itself rather than with other users, in other words, they are not user-to-user services; they do not search multiple websites or databases when generating responses, in other words, they are not search services; and they do not generate pornographic content.
The government has previously committed to closing this loophole and the CPA now gives the secretary of state powers to amend the OSA to address risks of harm presented by "illegal AI-generated content" and the use of "AI services" (described as internet services capable, whether in whole or in part, of producing AI-generated content, thereby encompassing AI chatbots) to commit or facilitate priority offences. The government could, therefore, extend a range of existing OSA duties currently applicable to user-to-user and search services to providers of "AI services".
Ban on 'nudification' tools
The CPA introduces new criminal offences of making, adapting, possessing, supplying or offering to supply child sexual abuse (CSA) image-generators and generators of purported intimate images.
These image generators are described as a "thing" made or adapted for use to create, or facilitate the creation of, CSA images, or as a program, service or "information in electronic form" used to create, or facilitate the creation of, purported intimate images of a person (which includes AI deepfakes).
The CSA image-generator offence is aimed at, among other things, combating AI models that have been optimised to generate CSAM. While AI-generated CSAM is already illegal to make, possess and distribute in the UK, such fine-tuned models are not currently caught by existing legislation. The purported intimate image-generator offence is aimed at, among other things, so-called "nudification" tools, which allow the user to generate AI deepfake images. Both new offences apply to corporate bodies as well as individuals.
The CPA also creates a standalone offence of online facilitation of child sexual exploitation and abuse. This targets those who carry out a "relevant internet activity", which includes providing, maintaining, moderating or administering an internet service with the intention of facilitating such abuse.
The existing criminal offence targeting "paedophile manuals", which prohibits the possession of any item that contains advice or guidance about the sexual abuse of children, is amended to include pseudo-photographs and AI-generated prohibited images to ensure consistency between the treatment of real CSAM and AI-generated equivalents.
Children's access
Whether to introduce an Australian-style ban on children's access to social media remains a pressing question for online safety. The government's consultation on children's wellbeing online, which closed on 26 May, sought views on a broad range of options around age-based access controls and restrictions on potentially harmful platform features.
These included setting a minimum age for children to access social media; applying measures, such as minimum ages, restrictions on features and functionalities, or time limits on children's use of AI chatbots; changing the digital age of consent under the UK General Data Protection Regulation; restricting functionalities and design features that encourage excessive device use by children, such as infinite scrolling, autoplay, "likes" and comments, alerts and push notifications, and content recommender algorithms; and applying age restrictions to features such as live streaming, the ability to send nude images or videos, disappearing content, location sharing and connecting or talking to strangers.
The CWSA confers powers on the government to make regulations requiring providers of specified internet services to prevent or restrict access by children to their services, or to particular functionalities or features of their services. It states that the secretary of state "must" (not "may") exercise these powers as it considers appropriate following the conclusion of the consultation. The secretary of state is also required to deliver a progress report on its efforts to make the regulations, accompanied by a proposed timeline, within three months of Royal Assent. The secretary of state must then lay before Parliament, within 12 months, any regulations decided upon. Notwithstanding these statutory deadlines, the government has said that it intends to "move faster" and aims to take action "within months".
Osborne Clarke comment
The CPA represents the most significant expansion of the UK's online safety regime since the OSA became law. Regulated providers must now put in place additional operational compliance measures. Several of its provisions respond directly to emerging online harms, including the creation of non-consensual intimate images and AI-generated harms. While the new legislation introduces new duties for the former, it only lays the groundwork for regulating "AI services", including chatbots, through the OSA. Nevertheless, it signals that additional regulation is coming and providers of relevant services will be monitoring developments closely.
As for the much-debated potential ban on social media for children, public pressure is growing on the UK government to act. The online safety minister, Kanishka Narayan, is currently in Australia to "bring the lessons Australia has learned back with me to inform our next steps". The government has also published some preliminary analysis of responses received to its consultation, showing that 89% of parents and carers support a legal requirement for social media to have a minimum age of access. However, the government received 70,000 responses in total, so the final analysis and the government's next steps is still at least a couple of months away. Ofcom, meanwhile, has confirmed that its priorities for online safety this year include strengthening protections for children, tackling illegal hate and terror content and safeguarding women and girls online from intimate image abuse.
