
Start by deciding scope against Part 3 service type and Section 4 UK links, then run a 90-day operating plan. Complete the illegal-content risk assessment within three months after launch, and reassess before significant changes. Sequence children’s access determination against the 25 July 2025 child-safety duty date, after the 17 March 2025 illegal-content baseline. Keep case records with reviewer, timestamp, reason code, and owner so deadline responses to regulator requests do not depend on reconstruction.
Treat the UK Online Safety Act as operating work now, not a policy debate. The most practical way to reduce uncertainty is to run an auditable implementation plan: make an initial scope call, stand up baseline controls, assign owners, and keep records you can defend if Ofcom asks questions.
For marketplace and platform operators that may be in scope, this is not a law-school exercise. Legal, compliance, finance, product, trust and safety, and risk teams need clear decisions on scope, first assessments, immediate duties, residual-risk sign-off, and record-keeping. Ofcom is the regulator, and it is clear on two points: its assistive tools do not guarantee compliance, and providers may need specialist advice. You still need your own judgment, controls, and evidence trail.
This guide is anchored in the UK context, including cross-border operating models. Ofcom states that duties can apply to services with links to the UK regardless of where the provider is based, including providers outside the UK. The aim here is UK-ready operations for international teams, not a substitute for specialist legal advice on edge cases or disputed scope.
The timeline is already operational. The Online Safety Act 2023 received Royal Assent on 26 October 2023. GOV.UK states that, as of 17 March 2025, platforms have a legal duty to protect users from illegal content online, and that, as of 25 July 2025, platforms have a legal duty to protect children online. Those dates shape what regulators can reasonably expect to see assessed, documented, and escalated.
The rest of this guide follows a risk-based, proportionate approach aligned with Ofcom's framing. You should leave with five outputs:
From day one, document your scope assumptions and keep dated records of who decided what, when, and on what basis. Ofcom says online services have a legal duty to comply with formal information requests, and weak records can quickly turn a manageable inquiry into a larger problem.
The goal is to avoid both overreaction and underreaction. Overreacting wastes effort on the wrong controls. Underreacting can leave you unready and exposed to penalties Ofcom describes as up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. The sections that follow are designed to help you avoid both.
Define the legal terms first, because your controls depend on them. Under the UK Online Safety Act 2023, Part 3 is about statutory duties of care for providers of user-to-user and search services, not just policy wording.
In this regime, duties are operating requirements: assess risk, implement protections, review them, and keep records. If Ofcom asks how risk is managed in practice, policy text on its own is a weak answer.
Keep the duty types separate from the start. Illegal content duties, child safety duties, and transparency reporting are related, but they are distinct obligations with different triggers and outputs:
| Duty area | Trigger/applicability | Separate log |
|---|---|---|
| Illegal content duties | In-scope services; illegal-content risk assessment due within three months after launch | illegal content risk assessment log |
| Child safety duties | Triggered by whether children are likely to access the service | child-access determination log with review triggers |
| Transparency reporting | Applies only to certain regulated services, not all regulated services | transparency-reporting applicability log |
In practice, this means keeping four records rather than one merged tracker:
Extraterritorial scope is a core term, not a footnote. UK incorporation is not required: Section 4 looks at links with the United Kingdom, including whether the service has a significant number of UK users or whether UK users are a target market.
Treat categorised service status as an early planning variable. Ofcom's categorisation model uses characteristics such as user numbers and functionality, and additional duties can follow from category status. Mark categorisation as an active monitoring item in your evidence pack rather than assuming it will not apply.
Make a scope call early. If UK access appears possible and users can generate, share, upload, or encounter each other's content, treat that as an initial cross-border OSA scope-risk signal and start baseline controls while you verify scope.
That does not mean every globally accessible marketplace is automatically in scope. Run two checks in parallel: whether the service matches an Ofcom-regulated type, especially user-to-user, search, or pornographic content, and whether there are links to the UK, such as a significant UK user base, UK targeting, or UK accessibility with material risk of significant harm to UK users.
A fast first pass should answer four evidence-based questions:
Record concrete evidence for each answer: date of test, product surface tested, and whether one user can encounter another user's content.
| Operating posture | What usually puts you here | What to do now | Review trigger |
|---|---|---|---|
| Likely in scope now | Clear in-scope service-type signal (user-to-user, search, or pornographic content) plus UK-link evidence (UK users, UK targeting, or UK accessibility with material risk of significant harm) | Open a scope memo, assign ownership, and start baseline controls tied to applicable duties | Next scheduled compliance review and each relevant Ofcom roadmap or guidance update |
| Uncertain but plausible | Some UK-link evidence exists, but service type, material harm risk, or categorisation is still unclear | Document assumptions, escalate for counsel review, and continue baseline controls for exposed features | On counsel feedback and each relevant Ofcom update |
| Low-likelihood | No current UK-link evidence and no regulated service-type signal on current features | Keep the rationale on file and monitor product and market changes | Before UK launch, feature expansion, or relevant Ofcom updates |
Use a second checkpoint when categorisation is unclear. Different duties can apply by category, including Category 1, 2A, and 2B, so document the assumption you are using now and trigger counsel review rather than waiting for perfect certainty.
That is the defensible path: make the best supported scope call now, record why, and revisit it as Ofcom implementation milestones and guidance evolve.
Treat this as an operating design task, not a policy-writing exercise. Convert each duty into a control you can run, test, and evidence without rebuilding the record later.
Start with three separate lanes: illegal content duties, child safety duties, and transparency reporting. Keep them separate because their triggers differ, their evidence differs, and transparency reporting does not apply to every regulated service.
| Duty area | Trigger or threshold that matters most | Minimum control set to define | Evidence fields to capture from day one | Suggested internal owner |
|---|---|---|---|---|
| Illegal content duties | In-scope service; illegal-content risk assessment due within three months after launch and again before a significant change | Detection channels, moderation actions, triage rules, escalation path, risk-assessment review gate for launches and feature changes | Report source, content type, date/time, risk basis, action taken, reviewer, escalation status, link to risk-assessment version | Trust and safety with legal support; product or operations for feature-specific controls |
| Child safety duties | Service must establish whether it is likely to be accessed by children; if yes, child protections and child-risk assessment apply | Children's access assessment, child-risk assessment, design guardrails, exception handling, reassessment trigger | Access-assessment outcome, rationale, product area affected, protection applied, exception decision, reassessment date | Product plus legal or compliance; trust and safety for enforcement |
| Transparency reporting | Applies only to certain categorised services on Ofcom's public register and then by notice | Data dictionary for reportable fields, notice intake owner, extraction method, signoff and publication process | Counts and descriptions tied to notice items, reporting-system data, content-identification and takedown-process evidence, methodology notes | Compliance or legal for notice response; operations or data for production |
For an in-scope service, the duty is to protect UK users from illegal content. Your inventory should therefore define where illegal content can appear, how it is detected, what actions are available, how edge cases are triaged, and when legal escalation is required.
The timing controls matter. Complete the illegal-content risk assessment within three months after launch, and complete it again before a significant change. If launches or feature changes can ship without that gate, the inventory is not complete.
Capture more than final outcomes. For removals, restrictions, or no-action outcomes, retain the report source, reviewer, timestamp, and reason code linked to the relevant duty so case handling is auditable.
Start with the access determination: establish whether children are likely to access the service. If likely access applies to all or part of the service, your controls should identify affected surfaces, protections applied, and who can approve exceptions.
Use grounded reassessment triggers rather than arbitrary cadences: initial assessment, at least annual reassessment where you concluded children are not likely to access the service, and earlier reassessment where needed. Record both the dated assessment and the next reassessment date.
Where features increase user exposure to user-generated content, document the guardrail and the exception path before release.
Treat transparency reporting as a conditional duty, not a universal one. It applies to certain services on Ofcom's public register of categorised services, and Ofcom issues notices to relevant providers once a year.
Build your fields around reportable topics in Schedule 8, including user-reporting systems and processes for identifying illegal content and taking it down. If your data cannot separate user reports from internal detection or tie actions to category and date, reporting is likely to rely on manual reconstruction.
Assign a named owner to each control. A practical split is legal for obligation interpretation, trust and safety or operations for case handling, product for feature guardrails, and compliance for maintaining the control inventory.
Use a 90-day sequence as an internal execution plan, not a legal formula. Anchor it to the OSA pressure points that are enforceable in practice: risk assessments, Ofcom information-notice readiness, and evidence quality you can produce on deadline.
Build only what you need to meet current duties and respond to Ofcom clearly. If high-severity gaps are still open after day 60, pause expansion and close those gaps first. That pause is a risk decision, not a statutory OSA step.
| Phase | Owner | Core artifact | Verification checkpoint | Escalation trigger |
|---|---|---|---|---|
| Days 1-30 | Legal with compliance, trust and safety, product | Scope memo, duty map, minimum control set, Ofcom information-response owner list | Confirm UK-user scope assumptions, confirm illegal-content and children's access assessment owners, confirm required evidence fields exist in case records | Scope unresolved, no accountable risk-assessment owner, or records cannot show reviewer and timestamp |
| Days 31-60 | Compliance with operations, product, legal | Tested escalation path, governance cadence, information-notice response procedure, remediation log | Tabletop a statutory information notice, test deadline tracking, signoff path, and completeness review | Inability to produce complete draft responses by deadline, repeated control failures, or unclear senior-manager decision rights |
| Days 61-90 | Compliance, legal, data, executive sponsor | Dry-run reporting pack, evidence quality review, leadership risk summary, categorisation-assumption note | Reconcile sample cases to source data, confirm timestamps and reason codes, confirm categorisation assumptions are documented, confirm leadership summary reflects open risks | Material evidence gaps, manual reconstruction for core metrics, or unresolved high-risk items near notice or reporting windows |
Start by settling scope and duty ownership, not by polishing policy language. You need clear answers to four questions: whether your service is in scope for UK users, where illegal content can appear, whether children are likely to access the service, and who owns an Ofcom information response.
For in-scope services, illegal-content risk assessment and related duties are required, and you must complete a children's access assessment to determine whether child-safety duties apply. If scope or duty assumptions are still uncertain, record the assumption, owner, and review date instead of implying certainty.
Keep minimum controls evidential from day one: report source, content type, timestamp, reviewer, action taken, and reason code linked to the duty. If those fields are unreliable, fix record creation before adding tooling.
Month two is where you find out whether the controls work under deadline pressure. Many OSA duties are ongoing, so this stage should harden reassessment, exception handling, and escalation cadence.
Treat statutory information notices as the main stress test. Ofcom can require information by notice with a deadline; failure to comply can trigger investigation and can be an offence under section 109. Section 110 creates senior-manager exposure where reasonable preventive steps were not taken for that information-offence path, so test that scenario directly.
Run a notice-response drill that forces real ownership, legal signoff, and submission-quality checks. The common failures are fragmented evidence and unclear accountability, not lack of effort.
The final month should prove production readiness, not expand scope. Validate whether your data can support the information you may need to provide under notice, while keeping categorisation assumptions explicit and limited.
Do not overstate categorisation certainty. Category criteria are set in secondary legislation, most in-scope services are expected not to be categorised, and milestone dates can change. Your objective here is to document current assumptions, confirm what you can produce now, and log the gaps that would matter if a notice arrives.
Finish with evidence-quality checks against real cases: timestamps, reviewer IDs, exceptions, and links to the relevant risk-assessment version. End with a factual leadership summary of open high-risk gaps, current scope position, and notice-response readiness.
Assign named owners now, and make escalation event-driven so accountability holds under pressure. Your model can be centralized or federated, but it should always define who owns controls, who owns regulator response quality, and who can make risk decisions when facts are incomplete.
Part 3 duties of care apply to regulated user-to-user and search services, so ownership cannot stop at policy drafting. It should cover day-to-day controls, evidence production, response review, and final decision rights.
| Function | RACI role | What they should own |
|---|---|---|
| Compliance | A/R | Central coordination, duty map, Ofcom notice intake, completeness review, escalation log |
| Legal | A/C | Legal interpretation, external response signoff, privilege decisions, senior management briefings |
| Trust and safety | R | Case handling, incident triage, reason codes, repeat failure tracking |
| Product | R/C | Safety controls in product, design changes, child-access assumptions, remediation delivery |
| Engineering | R/C | Data fields, timestamps, reviewer IDs, access logs, audit support, evidence extraction |
| Risk | C | Residual risk register, threshold setting, board risk summaries |
| Finance | C/I | Penalty exposure, remediation budget, reserve planning, executive pack inputs |
Write escalation triggers as concrete events, not intentions. At minimum, escalate when any of the following occurs:
Treat response quality as a trigger, not just timing. Ofcom can require information by notice, and non-compliance includes incomplete or inaccurate responses as well as missed deadlines. A useful test is simple: for a sample case and mock notice, can you identify the data owner, legal reviewer, executive approver, and submission file immediately?
Document three authorities in one short operating note: who can accept residual risk, who signs external responses, and who must notify senior management and when. Name backups for each role.
Keep the senior-manager path explicit. Ofcom may require you to name a senior manager in an information-notice response, and offence exposure can follow if the entity commits the relevant information-notice offence and the named individual did not take all reasonable preventive steps. That is a reason to document preventive actions clearly, not to diffuse ownership.
Either model can work if handoffs are explicit. Federated structures fail when local teams hold the facts while central teams hold regulator communications and no one owns completeness end to end.
If you centralize, keep one intake point for Ofcom events, one legal signoff route, and one senior-management notification rule, while local or program teams remain responsible for controls and evidence quality. That way, incidents can stay operationally complex without accountability becoming ambiguous.
Build your evidence pack now, not when an Ofcom notice arrives. Under section 23 of the UK Online Safety Act (OSA), record-keeping is part of ongoing compliance: written records of risk assessments, measures used to comply, alternative measures where code measures are not used, and regular compliance review.
That is the baseline for defensible operations. Ofcom can request information through a statutory information notice, expects responses to be clear, complete, accurate, and on time, and has audit powers under Schedule 12. Weak evidence chains can make compliance harder to demonstrate, even when policy documents exist.
The law does not require one mandatory bundle by file name, but a practical minimum artifact set helps you produce records quickly and explain them clearly.
A practical minimum set can include:
For each significant safety control, you should be able to pull together in one pass: the current risk assessment, control description, owner, implementation date, last review date, and exception history.
Be precise on transparency reporting. Ofcom states this publication duty applies only to certain regulated services, not all regulated services. If your categorisation is unclear, maintain draft structures and field definitions as preparatory materials.
Traceability is what makes records credible under scrutiny. Each record should carry consistent core fields:
Common defensibility gaps include missing timestamps, decisions without linked rationale, and exceptions that were handled but never documented. A practical test is a quarterly "can we defend this decision" walkthrough on a hard case: risk assessment, chosen measure, rejected alternative, approver, implementation evidence, and later review.
Your evidence pack will often include personal data, so retention and access controls must meet UK GDPR while supporting OSA record-keeping. Storage limitation still applies: do not keep personal data longer than necessary, and use documented retention periods with periodic review.
Security still applies too. Use appropriate controls for sensitive records, such as role-based access, controlled downloads, access logging, and clear rules for when redacted copies can be used instead of raw case data. If legal and operations keep parallel files, define which version is the controlled record.
If you need a deeper privacy design pass, use: GDPR for Marketplace Platforms: How to Handle Contractor and Seller Personal Data Compliantly.
Treat evidence review as a scheduled control, not an aspiration. Section 23 requires regular, ongoing review, even though it does not set your exact frequency.
One practical cadence is monthly evidence-completeness checks and quarterly defensibility walkthroughs. Monthly checks confirm required records exist, are current, and are correctly owned. Quarterly checks verify that a real decision can be defended end to end with contemporaneous evidence, not a reconstructed explanation.
One operating rule is worth enforcing: do not close a high-risk incident or control exception until the record is complete enough for another team to understand and defend the decision without the original decision-maker.
Treat this as a design decision, not a post-launch check: OSA safety measures must be balanced with users' privacy and freedom of expression.
Ofcom's direction is to put safety by design at the core of the service while balancing harm reduction, privacy, and expression. When a control expands personal-data handling, record the tradeoff at the time of decision.
If a control increases what you collect, how long you retain it, or who can access it, document why that extra processing is needed for the specific risk and duty involved. This is especially relevant for illegal-content duties and, where applicable, child-safety duties.
Use "least intrusive" as your internal rule: if two controls address the same risk to a similar standard, choose the one with less data impact. That is not a standalone OSA legal test, but it aligns with UK GDPR minimisation and DPIA necessity and proportionality expectations.
Use this sequence:
Timing matters: Ofcom says risk assessments should be completed before significant service changes and reviewed at least once a year.
Not every control needs a standalone memo, but controls that broaden collection or intervention should have a short linked note. Keep it operational and specific.
| Field | What to record |
|---|---|
| Duty and risk | Which illegal-content or child-safety duty the control supports |
| Data impact | What extra personal data is collected, exposed, or retained |
| Necessity case | Why existing controls are not enough |
| Proportionality limits | Scope, access limits, retention, review trigger |
| Governance | Internal owner(s) for privacy, safety, and product/legal review |
Country or program differences can be handled through clear internal governance. If a local team requests a stricter or looser setting, record the caveat, reason, affected users, and review date, then route it through your internal approval path.
Do not leave local deviations in chat or ticket history only. Illegal-content duties have applied since 17 March 2025, and child-safety duties since 25 July 2025, so these are live compliance decisions.
Treat regulator readiness as an ongoing operating condition, not a later legal task. Under the UK Online Safety Act (OSA), Ofcom can issue statutory information notices, require responses that are accurate, complete, and timely, and use entry, inspection, and audit powers. If that process is missed or mishandled, exposure can include fines of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater, and in serious cases court action to block services.
Handle any Ofcom request like a board-visible incident from day one. One avoidable failure mode is treating a statutory notice like a routine questionnaire, which can leave owners unable to produce dated risk assessments, decision records, or exception approvals quickly enough. Use a simple checkpoint: every submission should map to a named owner, timestamp, and underlying artifact, not just summary slides.
Escalate unresolved high-risk findings that affect notice compliance, evidence integrity, or live illegal-content controls to executives early. Government guidance says senior managers can be criminally liable where they are at fault if a provider fails to comply with Ofcom enforcement notices, but that does not mean every control gap creates criminal sanctions risk.
Add one governance check: could your business clearly identify a senior manager who may reasonably be expected to ensure compliance if required? If decision rights are unclear, fix them before a notice arrives.
Set a board cadence and document it, because the Act does not prescribe one fixed rhythm for every provider. Keep it practical: monthly while high-risk items are open, quarterly when controls are stable, and immediate escalation for any statutory information notice, audit notice, repeated control failure, or missed remediation date.
| Cadence | When to use |
|---|---|
| Monthly | While high-risk items are open |
| Quarterly | When controls are stable |
| Immediate escalation | Any statutory information notice, audit notice, repeated control failure, or missed remediation date |
Keep each board pack short and comparable:
As of 13 October 2025, Ofcom had launched five enforcement programmes and opened 21 investigations into 69 sites and apps. Ofcom's enforcement warning is explicit: "any service which flagrantly fails to engage with Ofcom and their duties under the Online Safety Act can expect to face strong enforcement action."
Keep cross-regime mapping provisional until you confirm the details. Do not assume specific obligations, thresholds, timelines, or clause-by-clause overlap across the UK Online Safety Act (OSA), the Digital Services Act, and the Product Regulation and Metrology Act 2025 without checking them directly.
If you keep an internal matrix, label it as provisional and use it to track unknowns rather than finalized compliance coverage:
Do not present this matrix as complete if key coverage questions are still open. Assign legal or compliance owners to confirm live obligations before you rely on it for regime-specific controls.
Most misses here are operational, not obscure legal interpretation: narrow scoping, paper-only controls, and evidence built too late. If your service can reach UK users, treat UK Online Safety Act (OSA) scoping and controls as a live program, not a legal memo.
| Failure mode | What the article says | Practical response |
|---|---|---|
| Scope by headquarters alone | Incorporation country alone is not a reliable scope decision | Test UK links and service type early, record the conclusion, assign an owner, and set a review date if uncertain |
| Policy text only | Policy language alone is not enough | Map each duty to a control, a named owner, a test method, and retained evidence |
| Late evidence collection | If evidence collection starts only after regulator contact, records are often incomplete | Test key controls on a regular internal cadence, assign one named owner per duty and evidence set, and define escalation thresholds in advance |
Do not decide scope by incorporation country. A service can still be in scope through links with the United Kingdom, including a significant UK user base, even when the operator is based outside the UK.
Treat this as a documented decision process: test UK links and service type early, record the conclusion, assign an owner, and set a review date if uncertain. Do not assume you are out of scope because headquarters is outside the UK, and do not assume every platform is automatically in scope either.
Policy language alone is not enough. OSA compliance expects implemented systems and processes that reduce illegal-use risk, plus illegal-content risk assessment, record-keeping, and related safety duties. Child safety is a separate track that depends on completing a children's access assessment.
Your control standard should be operability: each duty mapped to a control, a named owner, a test method, and retained evidence. Use a regular internal testing cadence and verify that live decisions retain core records such as timestamp, reason, and escalation trail.
Timing matters. Legal duties on illegal content applied from 17 March 2025, and duties to protect children online applied from 25 July 2025. Treating child safety as a later optional phase is a planning failure.
If evidence collection starts only after regulator contact, records are often incomplete. Ofcom investigations have already included alleged failures to complete and keep suitable illegal-harms risk-assessment records, and failures to respond to statutory information requests.
Transparency reporting is another common trap: it applies to certain regulated services on Ofcom's categorised-services register, not all services. Even before categorisation, capture the reporting fields and evidence you would need for regulator queries.
A practical internal fix pattern is simple:
These thresholds are internal governance, not statutory wording, but they prevent routine gaps from becoming enforcement exposure. Penalties can reach up to 10% of qualifying worldwide revenue or £18 million.
Treat UK Online Safety Act compliance as an operating discipline, not a one-time legal document: assign clear owners, keep evidence current, and define escalation points in writing. Ofcom is explicit that assessments and safety measures must be kept up to date, so this work needs to run continuously across operations, trust and safety, compliance, and leadership.
Do the scope call now and document it. The Act can apply to services outside the UK when they have UK links, so incorporation country alone is not a reliable shortcut. If your scope position is uncertain, record the assumption, explain the rationale, and set a review date.
Then execute the first 90 days against live duty dates for in-scope services: illegal-content duties from 17 March 2025, then child-safety duties from 25 July 2025. Prioritize baseline controls, ownership, and review cadence before deeper tooling refinements.
Test evidence readiness before you are forced to. Ofcom information requests are compulsory, and failure to comply can itself create investigation risk. You should be able to produce the current risk assessment, control ownership, latest review dates, and decision records for known gaps without reconstructing history from scattered messages.
Avoid false finality. Implementation remains phased, and Ofcom still describes remaining steps, including expected late-2026 duties for categorised services. Keep re-scoping points explicit, especially if your service could later be designated Category 1, 2A, or 2B.
Keep enforcement exposure in view: fines can reach 10% of qualifying worldwide revenue or £18 million, whichever is greater. Where categorisation, thresholds, or overlap details are unclear, document assumptions and get jurisdiction-specific legal advice promptly.
Yes, it can. The Act can cover services provided from outside the UK where the service has UK links, including where UK users are one of your target markets. Incorporation country alone is not a reliable scope decision.
Start with a documented applicability check, because Ofcom’s guidance is to first check whether the Act applies to your service. If you conclude the service is in scope, begin the illegal-content risk assessment workflow. For an in-scope launched service, the stated window to complete that assessment is three months.
Keep records of your risk assessments and the measures taken to comply. Organize that evidence so you can respond clearly, completely, and accurately by the deadline given.
Prioritize the illegal-content baseline first, then sequence child-safety duties next. The legal duty date for illegal content is 17 March 2025, and the duty date to protect children online is 25 July 2025. Build your plan around those dates so neither duty is deferred.
The headline enforcement risk is financial: fines can reach up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Executive criminal exposure in the legislation is narrower and tied to failure to comply with an Ofcom information notice (section 110, linked to section 109(1)), not every breach of the Act. Treat any information notice as a senior-level, deadline-critical event.
There is overlap, but not equivalence. The DSA applies in the EU from 17 February 2024 and includes marketplace duties such as trader traceability, while OSA runs on its own UK scope and duty structure. PRMA 2025, dated 21 July 2025 in the enacted text, is framed around products and metrology in the UK, not as an online-content moderation regime.
Escalate when scope or categorisation is genuinely uncertain, especially where thresholds depend on secondary legislation. Also escalate when both UK and EU regimes apply and your control decisions may conflict, or when you receive an Ofcom information notice and cannot confidently produce a complete response by the deadline. Internal teams can triage, but threshold interpretation and cross-regime conflicts should not be improvised.
An international business lawyer by trade, Elena breaks down the complexities of freelance contracts, corporate structures, and international liability. Her goal is to empower freelancers with the legal knowledge to operate confidently.
Priya specializes in international contract law for independent contractors. She ensures that the legal advice provided is accurate, actionable, and up-to-date with current regulations.
Educational content only. Not legal, tax, or financial advice.
