What Fediverse Service Providers Need to Know

The Online Safety Act (OSA) is now in force in the United Kingdom. Enforced by Ofcom, the UK’s communications regulator, the Act introduces a new set of legal duties for online services. Its stated purpose is to reduce online harm, particularly exposure to illegal content and material harmful to children, while safeguarding users’ rights to express themselves freely and access legal content.

If you operate a decentralised platform, the OSA may feel daunting. But for most community-run services, especially those that do not serve children and take steps to prohibit illegal material, compliance is both achievable and proportionate.

This post offers clarity, context, and practical advice for Fediverse administrators aiming to meet their obligations without sacrificing their independence or community values.

Disclaimer: This article is intended for informational purposes only. It is not legal advice. Platform operators are encouraged to seek independent legal counsel if they are unsure about their obligations under UK law.

What is the Online Safety Act?

The OSA imposes legal duties on online platforms that are accessible in the UK. These include:

• Preventing the distribution and amplification of illegal content (for example, terroristic material, child sexual abuse content, incitement to violence or hate),
• Protecting children from content that is harmful, even if not illegal, and
• Publishing terms of service and offering user redress for reported harms.

Ofcom, as regulator, is required by law to act proportionately. According to the UK Government’s official response to a public petition calling for the Act to be repealed:

“Proportionality is a core principle of the Act and is in-built into its duties. As regulator for the online safety regime, Ofcom must consider the size and risk level of different types and kinds of services when recommending steps providers can take to comply with requirements.”

“Once providers have carried out their duties to conduct risk assessments, they must protect the users of their service from the identified risks of harm. Ofcom’s illegal content Codes of Practice set out recommended measures to help providers comply with these obligations, measures that are tailored in relation to both size and risk. If a provider’s risk assessment accurately determines that the risks faced by users are low across all harms, Ofcom’s Codes specify that they only need some basic measures…”

These basic measures include:

• Easy-to-find, understandable terms and conditions,
• A complaints tool backed by a process for responding to reports of illegal content,
• The ability to remove content that is illegal or violates your rules,
• A named individual responsible for compliance who can be contacted by Ofcom if needed.

(Source: UK Government Petition Response, July 2025)

Why Regulation (Even Imperfect Regulation) Matters

The OSA was developed in response to real-world harms, including grooming, abuse, extremist content, and hate speech. These forms of harm disproportionately affect marginalised and vulnerable users. The law is far from perfect. Regulation is often blunt, shaped with large platforms in mind, and implemented unevenly. But it is still an attempt to make digital spaces safer and more accountable.

The individuals working at Ofcom are thoughtful and well-intentioned, for the most part working to create a safer internet. They did not write the law, but they are empowered to enforce it.

Jaz attended TrustCon 2025, where Ofcom, along with many other national internet safety regulators, had a strong presence. He met with representatives, attended sessions, and had informal conversations about how the regulator views decentralised services.

Ofcom understands that independent platforms serve community needs and do not necessarily pose the same systemic risks as profit-driven networks. Their message was consistent: low-risk, volunteer-run services are not the focus of enforcement. If you are operating in good faith, acting proportionately, and keeping your community safe, you are already on the right path.

Practical Compliance Steps for Fediverse Operators

If you run a small to medium service and neither host illegal content nor serve children, here is a straightforward path to compliance:

1. Complete an Illegal Harms Risk Assessment

This is the cornerstone of your legal duty. You must assess your platform for risks related to illegal harms. For most Fediverse instances, this risk is low, and that is acceptable, so long as you document that conclusion.

You are not required to publish your risk assessment, but doing so can demonstrate transparency and good faith. You can adapt these published examples:

• Neil Brown (UK-based technology lawyer and self-hosting Fediverse provider) has shared six assessments he’s completed
• toot.wales is a UK-based Mastodon service that has published their Illegal Harms Assessment.

2. Prohibit Illegal Content in Your Rules

Your rules, community guidance, or terms of service should explicitly ban illegal material. These are the “priority illegal content” items:

• Terrorism
• Child Sexual Exploitation and Abuse (CSEA)
  • Grooming
  • Image-based Child Sexual Abuse Material (CSAM)
  • CSAM and CSEA URLs
• Encouraging or assisting suicide
• Hate
• Harassment, stalking, threats and abuse
• Controlling or coercive behaviour
• Drugs and psychoactive substances
• Firearms, knives or other weapons
• Human trafficking
• Unlawful immigration
• Sexual exploitation of adults
• Extreme pornography
• Intimate image abuse
• Proceeds of crime
• Fraud and financial offences
• Foreign interference
• Animal cruelty

Additionally, prohibit “other illegal content” (Ofcom’s “non-priority illegal content”), and consider prohibiting “bullying content, eating disorder content, self-harm content or suicide content” as well, even if you do not allow children on your service. These types of content are not necessarily illegal for adults, but they are listed in the OSA as priority content harmful to children. If your service is or may be accessed by children, you should take additional steps to mitigate exposure to these materials.

Guidance and example language on these harms can be found by exploring the Actors, Behaviours, and Content sections of the IFTAS Connect Moderator Library.

Example community rules are available:

• OnlineSafetyAct.co.uk example policies
• toot.wales Community Guidelines

3. Respond to User Reports

You must offer users a way to report illegal content. Most Fediverse platforms feature a “report content” and/or “report account” function. This meets the need. If not, this could be a web form or a support email address. What matters is that you respond and take appropriate action. If you are using moderation tools common in Mastodon or other Fediverse software, your instance likely already supports the necessary report functions.

There is no requirement to proactively monitor or scan content for small, low-risk services.

4. Nominate a Contact for Ofcom

Your service or web site should name an individual, or a role such as compliance lead, who can respond to regulatory enquiries. Make sure Ofcom knows who to email if they have questions. This could be a general email like admin@yourdomain.social, as long as someone reliably monitors it. Listing this in your Terms of Service and on your website will help regulators find the right point of contact.

If you get contacted by Ofcom, contact IFTAS, we will be happy to help small and medium Fediverse providers.

5. Publish Clear Terms of Service

Your terms of service should be understandable, accessible, and reflect your moderation approach and safety measures. There are several reliable resources to help you build or adapt yours:

• OnlineSafetyAct.co.uk ToS Template: developed by Neil Brown, a UK-based lawyer who has contributed many helpful resources to the sector
• toot.wales Terms of Service: a practical example adapted from Neil Brown’s copyleft terms
• Sample Fediverse Terms for Registered Users: detailed example maintained by Neil Brown, suitable for decentralised platforms
• Terms of Service for Everyone: predates the OSA but helpful guidance for Fediverse providers from the Law Office of August Bournique

IFTAS can support operators (in a non-legal advisory capacity) in reviewing and tailoring these documents to suit the needs of their communities.

6. Consider Whether Children Are Likely to Use Your Service

For the purposes of the OSA, “child” means a person under the age of 18. If your service does not target children and does not host a significant number of children, your duties regarding child safety are more limited.

The OSA guidance is clear:

“Services that do not have highly effective age assurance in place must assess whether children are likely to be on the service…”

Here’s the Child Access Assessment:

Most general-purpose Fediverse platforms can truthfully state:

1. They do not have a significant number of child users.
2. Their service is not of a kind likely to attract a significant number of children.

If you can truthfully answer no to both Stage 2 questions, your child access assessment is done.

This reasoning should be documented in your risk assessment. There is no official number for what constitutes “significant”, because while there are numbers like 700,000 UK children and 7 million UK children variously quoted, if 99 of your 100 users are children, that is also significant. Regulations are never as simple as you might like them to be.

Most likely if you are a small, low-risk Fediverse provider, you do not have a significant number of children using or wanting to use your service. If you do…

What If Your Service Does Serve or Attract Children?

If you operate a service that is designed for or significantly used by children, or if your platform offers features likely to attract children, your responsibilities under the OSA are more complex. In these cases, you are likely to require highly effective age assurance measures, as well as specific protections against harmful but legal content.

Some considerations for these platforms include:

• Age Assurance: You must implement robust methods to estimate or verify users’ ages. This may include self-declaration combined with additional signals, third-party tools, or parental consent mechanisms.
• Content Filtering: Platforms should consider technical and policy-based approaches to limit children’s exposure to high-risk content, even if that content is legal.
• Child-Friendly Design: Interfaces, terms, and moderation systems should be understandable to children. Ofcom is expected to publish further guidance under its Children’s Safety Code of Practice.
• Parental and Guardian Support: Provide mechanisms for parents or guardians to report concerns or manage a child’s access to your service.

Platforms in this category should seek specialist guidance, from a legal or child safety expert, as the requirements are stricter and the regulatory expectations higher. To put it simply, if you want to run an internet service for children in the UK, you are going to need a lawyer.

In Summary

Compliance with the Online Safety Act does not mean giving up autonomy or radically changing how you operate. It means documenting your risks, being clear about your rules, and responding responsibly to reports of illegal behaviour. This is something most responsible Fediverse administrators are already doing.

By taking a few proportionate steps, you can quickly show both legal compliance and a commitment to community care. You protect yourself and your users, and you strengthen your community’s resilience.

Here’s what that looks like in practice:

1. Using one of the available examples if needed, conduct a harms assessment.
2. Prohibit illegal content.
3. Respond to reports, take it down when it’s reported to you.
4. Publish a contact for Ofcom (and other regulators) to find you if needed.
5. Using one of the available examples if needed, publish a clear terms of service.
6. Assess how likely it is that you host or will host a significant number of children.

If you are a small, low-risk service, this is probably four to eight hours of effort. This is not a get-out-of-jail-free card, but it is a good faith first step effort that you can use to demonstrate to Ofcom (or others) what you are doing to consider safety on your service.

IFTAS is here to support you. If you are acting in good faith and prepared to demonstrate that with basic documentation, then you already have the most important protections in place. If Ofcom ever asks, you will have a clear and reasonable explanation, grounded in public guidance and community safety principles. IFTAS maintains a closed community group for active volunteer moderators, if you’re not a member, request an account today.

Resources

• https://www.ofcom.org.uk/siteassets/resources/documents/online-safety/information-for-industry/illegal-harms/illegal-content-codes-of-practice-for-user-to-user-services-24-feb.pdf?v=391889
• https://onlinesafetyact.co.uk/
• https://russ.garrett.co.uk/2024/12/17/online-safety-act-guide/
• https://buttondown.com/indie-and-community-web-compliance-/archive/
• https://connect.iftas.org/library/legal-regulatory/online-safety-act/
• https://connect.iftas.org/groups/legal-regulatory-workgroup/forum/legal-compliance/ (members only)

Please Note

1. Jaz-Michael King, Director of IFTAS, is also the administrator of the toot.wales service, and it is for this reason their resources are listed above. If you have made your Assessments, Terms of Service, Community Guidance/Rules public, specifically to address OSA, please let us know so we can add them to this page and the Moderator Library. Any and all shared policies and documents should be considered advisory, and represent a best-faith effort to share how others are approaching this issue. The inclusion of toot.wales is not an endorsement of one service over another. All shared materials are presented to support community learning and replication.
2. This page (and IFTAS Connect’s resources page) will be updated as and when we get feedback on the above. If you think we’ve made an error or feel we need to clarify something, please contact Jaz directly: https://mastodon.iftas.org/@jaz

Alt...

Navigating the UK Online Safety Act

Age verification is creating an information desert.

The Online Safety Act sets every UK user to child as default.

Teenagers? Blocked. Adults? Content denied unless we do age checks with unregulated companies.

It's not just porn! News on Gaza and Ukraine is being scrubbed from view, threatening #freedomofexpression as well as #privacy ⛔

https://www.404media.co/uk-users-need-to-post-selfie-or-photo-id-to-view-reddits-r-israelcrimes-r-ukrainewarfootage/

#OnlineSafetyAct #onlinesafety #OSA #palestine #gaza #ukraine #reddit #ageverification #ageassurance #censorship #ukpolitics #ukpol

Musing on various posts, blog posts, and news reports about the #OnlineSafetyAct recently.

* it is incorrect that "no-one was talking about this until this month". Some of us - not many, for sure, but still - have been working on this for quite some time, and trying to help people get to grips with it.

* it is unhelpful to blame people for not knowing about it until recently. People have busy lives, and there is a lot going on right now. People had no reason to think that they might need to check for a significant new regulatory imposition on their tiny server.

* no, it is not just about porn. Porn might be behind recent publicity, but porn is one facet of the Act.

* it is not all Ofcom's fault. Parliament carries a lot of responsibility here, and fixes entail changing the law.

Torys: *pass the online safety act*

Labour: If you oppose this legislation you are an extreme porn loving pedo

Reform: This is a bit shit isn’t it. We should repeal it

Labour: *frantic pointing at farage* PEDO!!!

Torys: This is a bit shit. Who thought this was a good idea?

#ukPolitics #ukClusterfuck #BusinessAsUsual #OnlineSafetyAct

@openrightsgroup @jim and if you have a problem with this law the Technology Minister will call you a 'paedo'

The language of the Playground, how apt.

#OnlineSafetyAct #PeterKyle #UKPOL #UKPOLITICS

The Technology Minister Peter Kyle, who really likes AI and let's it arrange his life for him, believes everyone who has a problem with this shitty new law is 'Jimmy Savile'

It's a spectacular win they're handing Nigel Farage, isn't it?

#Labour #PeterKyle #JimmySavile #NigelFarage #Farage #OnlineSafetyAct

It's not just Farage he labelled as a Peado, I mean who cares about that fash wanker, it's the fact he was implying ANYBODY who has a problem with this shitty law is a Peado....

https://news.sky.com/story/politics-latest-starmer-labour-badenoch-reshuffle-farage-12593360

#NigelFarage #PeterKyle #OnlineSafetyAct #Porn #UKPOL #UKPOLITICS

The state of British Politics today.

Don't fix the Climate, don't stand up to Fascism, just ban Porn and call everyone a Paedo, then the only response we're allowed is from a Racist who is just jumping on this issue for votes.

No serious debate, no adults in the room, just liars, frauds, bigots and grifters.

Remember, it's not just Farage he's calling a Peado, it's you and me too, anybody that likes Porn. We're all evil....

#OnlineSafetyAct #PeterKyle #NigelFarage #Labour

Alt...

Top minister refuses to apologise and doubles down ~~ % on Farage-Savile comment Cabinet minister Peter Kyle has doubled down on his accusation that Nigel Farage is "on the side" of predators, ike the late Jimmy Savile, for his opposition to the Online Safety Act that entered force last week. In case you missed it, Kyle claimed to Wilfred Frost on Sky News Breakfast that Farage's opposition to the Online Safety Act meant he was "on the side" of "extreme pornographers® who target children online. He said: "We have people out there who are extreme pornographers, peddling hate, peddling violence. Nigel Farage is on their side. "Make no mistake about it if people like Jimmy Savile were alive today, he'd be perpetrating his crimes online. And Nigel Farage is saying that he's on their side” After the Reform UK leader demanded an apology from the senior politician for his "disgusting’ comment, Kyle doubled down. He wrote on X: "If you want to overturn the Online Safety Act you are on the side of predators. It is as simple as that" In response to that post, Farage wrote: "If this act is to protect children, why are you setting up an elite police unit to monitor comments on asylum hotels?" This is a reference to reports that a special team of police officers is monitoring social media to spot early signs that civil unrest could be developing

Instead of putting smutty mags on the top shelf and in plain wrappings, the #OnlineSafetyAct is the equivalent of locking every adult out of the shop just in case they want one.

Oh yes, and anyone who might voice an opinion the English government of corrupt Stalinists doesn't like is now safely blocked from the shop too.

Lights are going out across the Net for UK users.

Age verification is driving sites to shut down, geo-block the UK or restrict features and content.

In trying to tackle to worst of the Net, it's harming the best.

🗣️ ORG Exec Director, @jim

#OnlineSafetyAct #onlinesafety #OSA #ageverification #ageassurance #freedomofexpression #digitalrights #censorship #ukpol #ukpolitics

I'm thinking and planning on advocating for the Fediverse a lot more due to the UK Online Safety Act. I think it might be best to write it all down as a part not only some flyers that I can get printed and hand out to many people.

This will come with a page on my company website to showcase and explain further why & how they can join the Fediverse.

#Fediverse #OnlineSafetyAct #UKGov #UKOnlineSafetyAct #UKVerify #IDVerify

For ORG's 20th birthday, we've partnered with NordVPN to offer a special gift for new members 🎁

20 people who join ORG this summer will get a one year NordVPN subscription of their choice! That's privacy in the palm of your hands.

Join ORG today ⬇️

https://www.openrightsgroup.org/join/

#VPN #privacy #onlinesafety #ORG20 #onlinesafetyact #digitalrights

Alt...

Become an ORG Member – Join now to bag 1 of 20 free NordVPN subscriptions

@nixCraft Especially so if you live in the UK! If you live in #UK you are now at a significantly increased risk of these #phishing attacks, mostly thanks to the British government and it's #onlinesafetyact

Another casualty of the UK Online Safety Act: all interactive fiction (inc traditional parser text adventures) games stored at http://ifarchive.org are currently geoblocked to UK users. IFTF folks are trying to work out a solution, but there is no clue how long that might take. IFArchive holds 30+ years worth of generally amateur/free IF games - a vast number. Including my own. Which I can't play online right now. Not that I want to but it's ironic! #interactiveFiction #OnlineSafetyAct #games

The #OnlineSafetyAct has well and truly kicked off in the UK.

Just a few minutes after the Online Safety Act went into effect, there was a surge in #vpn downloads.

Today, the governing #Labour Party is reportedly exploring banning VPNs 🤦🏻‍♂️

Here are the countries that currently the use of VPNs are either fully or partially restricted:

Alt...

Countries that currently the use of VPNs are either fully or partially restricted

Stand and deliver. Your data or your rights!

The UK Online Safety Act has created new opportunities for cyber criminals to scam and exploit people by building its house on sand.

The age assurance industry must be regulated now!

Sign our open letter ⬇️

https://action.openrightsgroup.org/sign-open-letter-dsit-regulating-age-assurance

#onlinesafetyact #onlinesafety #ageverification #ageassurance #privacy #dataprotection #ukpolitics #ukpol #agegating #censorship

It’s not just that UK users have to face age verification checks with multiple uncertified providers.

People are being forced to open up accounts on the particular platform they’re trying to access at the same time.

The UK Online Safety Act has stimulated a data mining industry for the benefit of commercial interests.

#onlinesafetyact #onlinesafety #ageverification #ageassurance #privacy #dataprotection #ukpolitics #ukpol #agegating #censorship

The UK Online Safety Act has ushered in a market for age verification without regulating the industry 🤷‍♂️

Millions of UK users have to trade their sensitive data to access information or support that’s deemed ‘harmful’.

We compromise our digital rights with no regulatory standards for privacy or security.

#onlinesafetyact #onlinesafety #ageverification #ageassurance #privacy #dataprotection #ukpolitics #ukpol #agegating #censorship

An age wall has gone up online in the UK!

Chunks of the Internet are blotted out as ‘harmful’, not just porn.

That is unless we surrender our privacy to any number of unregulated age verification providers.

ORG’s @JamesBaker took part in the BBC Debate ⬇️

https://www.bbc.co.uk/news/resources/idt-bfe8d0c8-c977-483c-a074-c15fafb654e8

#onlinesafetyact #onlinesafety #ageverification #ageassurance #privacy #dataprotection #ukpolitics #ukpol #agegating #censorship

Finally Finished the PDF for the UK Online Safety act and why Fandoms like the Thomas The Tank Engine one should join the Fedverse.

Give it a read, love little bits of feedback and feel free to share this just give me credit where you can.

https://www.canva.com/design/DAGuTUqsh_g/i7ZOqH2crDqa9BCkVISncQ/view?utm_content=DAGuTUqsh_g&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h00b725e523

#TTTE #ThomasTheTankEngine #Fandom #Fandoms #OnlineSafetyAct #UKGov #UKOnlineSafetyAct #IDVerify #Fediverse #SelfHosting

@neil This is a circular argument, surely? Sites that host legal content which falls under the scope of the #OnlineSafetyAct and which use geoblocking are tacitly encouraging use of VPNs to get around age checks and the content is therefore illegal.

So we finally see the real reason for the #OnlineSafetyAct - censorship and finally creating a use case for the hordes of dodgy LLMs.

> The government has also told the BBC it would be illegal for platforms to [host, share or permit content that encourages use of VPNs to get around age checks.]

I wonder what offence(s) who said this had in mind?

https://www.bbc.co.uk/news/articles/cn72ydj70g5o

#OnlineSafetyAct

“In trying to ‘protect’ [children], we risk pushing them toward greater danger.”

Inevitably people will try to bypass age verification checks for UK users.

Young people "may inadvertently expose themselves to greater online harms." They'll be exposed to dodgy sites, malware and creeps in less moderated spaces. How is that safe?

🗣️ ORG's @JamesBaker.

https://www.huffingtonpost.co.uk/entry/porn-age-verification-check-advice-parents_uk_6881ea8de4b0d55a3f196462

#ageverification #onlinesafetyact #onlinesafety #privacy #ukpolitics #ukpol #ageassurance

If you're defending the Online Safety Act and simping for MasterCard bc "but I like this censorship" then kindly GTF out of my life and off my timeline. I don't vibe with Fashs or Lashs.

#OnlineSafetyAct #Mastercard

Currently writing up a PDF on why I think the TTTE Fandom should move over to the Fediverse as well as I will change it to work with most Fandoms in the future.

#TTTE #Fandom #OnlineSafetyAct

Making Bracelets are now illegal in the UK

Website: https://kandipatterns.com/

#UKGov #OnlineSafetyAct #UKOnlineSafetyAct #UKVerify #IDVerify

Alt...

If you live in the United Kingdom, this block is the result of new legislation which leaves us temporarily unable to operate in the UK due to the risk of fines. We are required to comply with a long list of demands, some of which are too expensive or complicated to implement for such a small website so we have been left with no choice but to block UK users.

How many hundreds of thousands of UK citizens are now having all their internet traffic inspected and monetised by Christ-knows who?

We warned government and Ofcom about this and they ignored us.

They need to face the reality of this, and the consequences.

Tell your MP about this today. https://writetothem.com

#OnlineSafetyAct

ProtonVPN has overtaken Yoti (an age verification app) on the Apple App Store free apps chart to move into first place.

Apps at ranks 4, 5 and 6 are all VPNs.

4 and 5 are absolutely sketchy no-name VPNs from “Mobile Jump Pte” and “Free VPN LLC.”

This is fine.

#OnlineSafetyAct

Alt...

1 ProtonVPN 2 Yoti 3 ChatGPT

Alt...

4 is some sketchy VPN app 5 is NordVPN 6 is another sketchy VPN

At a cafe today, saw/heard a group of teenagers using the wifi. One of them obviously went to a site with new OSA age challenge; after brief (mild) profanity, consensus of group was just to log in using parent's photo (already on phone) & date of birth. Total delay, not more than a couple of minutes, including craic among the group.
#Anecdata #OnlineSafetyAct #NotFitForPurpose

@derickr youngest told me this morning that a lot of the #OnlineSafetyAct age verifications can be #rickrolled (bypassed with a Rick Astley img) which is both hilarious and sums up this idiocy perfectly.

#OnlineSafetyAct #KeithSez #UK

https://piefed.social/post/1078583

The petition against the online safety act is hitting 170k. I’ve not seen a petition reach such numbers in a long time. https://petition.parliament.uk/petitions/722903 I would encourage people to also sign up and support campaigns working on this issue > https://www.openrightsgroup.org/join/ #onlinesafetyact #privacy

A website getting hacked and losing 13,000 “verification photos and images of government IDs” in the same week the age verification nonsense comes into force for the #OnlineSafetyAct is fitting. Because that’s what we will see a whole lot more of… to protect the children.

https://www.nbcnews.com/tech/social-media/tea-app-hacked-13000-photos-leaked-4chan-call-action-rcna221139

With the UK Government cracking down on things, I really do want to just leave the few socials I do use for Personal use (not this), it all just needs verification and I've been using them for years.

#UKGov #OnlineSafetyAct #UKOnlineSafetyAct

Now that the Online Safety Act is being felt, who has/plans to…

#onlineSafetyAct #AskFedi

I have a question for the great UK legal minds of the Fediverse...

Does Yammer count as a regulated user-to-user service under the Online Safety Act?

The 'provider' of Yammer in my mind is Microsoft, which means it doesn't appear to be exempt as an 'internal service' under Schedule 1. Am I interpreting that wrong, or is this a potential risk for pretty much all users of O365 in the UK now?

#OnlineSafetyAct #uklaw