As online platforms continue to shape our social, commercial and cultural lives, governments are tightening their oversight of digital services. The UK’s Online Safety Act 2023 (OSA) and the EU’s Digital Services Act (DSA) are two landmark legislative frameworks that share a common objective: to make the internet safer and more accountable.
While both regimes pursue this shared goal, they do so through distinct mechanisms. The OSA focuses on proactive risk management and child protection, while the DSA prioritises transparency, accountability and systemic risk oversight. Understanding these differences is critical for online service providers operating across the UK and EU.
The UK’s Online Safety Act (OSA)
The OSA establishes a new regulatory framework for online safety in the UK, aiming to make the internet safer for users, particularly children. The Act places direct obligations on in-scope online services, including:
- User-to-user services (for example, social media and messaging platforms)
- Search services
- Pornography and other regulated content services
The first set of OSA duties came into force in late 2024, with further obligations to be implemented in phases through 2025 to 2027. Ofcom is the designated regulator and is issuing detailed codes of practice and guidance to support compliance. Following these codes provides a form of safe harbour against enforcement action.
The obligations under the OSA vary depending on a service’s risk profile and user base. Services that are likely to be accessed by children face additional child-safety duties. Services will also be classified into Category 1, Category 2A, and Category 2B, based on user numbers and functionality. These categories will be designated by Ofcom once secondary legislation is finalised.
The EU’s Digital Services Act (DSA)
The DSA forms part of the EU’s broader Digital Services Package, which also includes the Digital Markets Act (DMA). It applies to a wide range of intermediary services, including:
- Mere conduit services (for example, internet service providers and VPNs)
- Caching services (for example, content delivery networks)
- Hosting services (for example, web hosts, cloud providers and social media platforms)
- Online search engines
Providers designated as Very Large Online Platforms (VLOPs) or Very Large Online Search Engines (VLOSEs), meaning those with more than 45 million average monthly active users in the EU, face the most extensive obligations.
The DSA has applied in full since 17 February 2024. The enhanced obligations for VLOPs and VLOSEs took effect four months after designation, which began in mid-2023 for the first group of services.
Key Differences Between the OSA and DSA
- Scope and Reach
The OSA applies to services with a UK link, which can include non-UK companies if their platforms pose a material risk of harm to UK users. This gives the OSA potential extraterritorial effect.
The DSA applies to services with a substantial connection to the EU, such as those based in the EU or those that target or serve a significant number of EU users.
- Cumulative Obligations
Both frameworks scale obligations according to the size and influence of the service.
Under the OSA, Ofcom will categorise services as Category 1, 2A or 2B, triggering different levels of transparency, governance and reporting duties.
Under the DSA, obligations increase progressively from basic hosting services to VLOPs and VLOSEs, with systemic risk assessments and annual audits required at the top tier.
- Content Moderation
The OSA takes a proactive approach, requiring providers to detect and mitigate both illegal content and content harmful to children, using both human and automated moderation systems.
The DSA follows a notice and action model, requiring providers to implement a process for receiving notices and to remove illegal content once notified.
- Transparency and Terms of Service
Both Acts require clear and transparent terms of service, especially in relation to content moderation and complaint handling.
The OSA adds specific requirements for services accessible to children and requires the publication of summaries of risk assessments.
The DSA requires platforms to explain their moderation policies, algorithmic tools and user redress mechanisms. VLOPs and VLOSEs must also publish detailed annual transparency reports.
- Risk Assessments
All OSA-regulated services must carry out risk assessments covering illegal content, children’s safety and user empowerment.
Under the DSA, only VLOPs and VLOSEs must perform risk assessments, focusing on systemic risks to users, public health and democratic processes.
- Enforcement and Penalties
The OSA gives Ofcom significant enforcement powers, including audits, inspections and fines of up to £18 million or 10% of global annual turnover. Senior managers may also face personal liability for certain offences.
Under the DSA, regulators can impose fines of up to 6% of global annual turnover. Enforcement is coordinated across the EU by Digital Services Coordinators, the European Commission and the European Board for Digital Services.
Navigating Dual Compliance
For online platforms operating across the UK and EU, the coexistence of the OSA and DSA means that dual compliance will be an ongoing challenge. Providers must assess their obligations carefully, especially where their services reach users in both jurisdictions.
How We Can Help
Our team advises technology companies, online platforms and digital service providers on all aspects of compliance with the Online Safety Act, the Digital Services Act and related regulatory frameworks.
If your business operates online in the UK or EU, we can help you assess your risk exposure. Please book a free consultation with us.
