UK OSA CSEA Reporting Regs 2026
The Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2026
Statutory instrument implementing section 69 of the UK Online Safety Act 2023, requiring regulated user-to-user service providers (UK and non-UK) to report child sexual exploitation and abuse (CSEA) content to the National Crime Agency under tiered priority-based timeframes.
Jurisdiction
United Kingdom
Enacted
Mar 12, 2026
Effective
Apr 7, 2026
Enforcement
National Crime Agency (NCA); Ofcom enforcement of underlying OSA duties
Statutory Instrument SI 2026/268, made under section 69 of the Online Safety Act 2023, in force 7 April 2026. Commencement of section 69 implemented by SI 2026/262 (Commencement No. 7).
legislation.gov.uk - SI 2026/268Why It Matters
Operationalises statutory CSEA reporting under the OSA, moving the UK from voluntary NCMEC-style reporting to a binding, tiered, time-bound regime backed by criminal liability. Sets a clear compliance baseline for any platform with a UK user-to-user service.
Recent Developments
Made March 12, 2026; in force April 7, 2026. Implements section 69 of the Online Safety Act 2023, replacing the regime established under SI 2025/368 with refined tiered reporting timeframes and harmonised data retention windows. The accompanying commencement order SI 2026/262 brings section 69 into force in coordination with these regulations.
At a Glance
Harms addressed
Who Must Comply
- Regulated user-to-user service providers as defined in Part 3 of the Online Safety Act 2023
- UK-established and non-UK providers with UK link
Obligations fall on:
Safety Provisions
- Mandatory detection and reporting of CSEA content to the National Crime Agency (NCA)
- Three-tier priority system: Priority 1 reportable immediately; Priority 2 as soon as reasonably practicable; Priority 3 without undue delay
- Provider registration with NCA required before first report
- Tiered data retention obligations (1-5 years depending on data category)
- Mandatory response to NCA information requests within 7 days
- Failure to comply is a criminal offence under section 69 of the Online Safety Act 2023
Compliance & Enforcement
Key Dates
Apr 7, 2026
In force date; CSEA reporting duties applicable to all regulated user-to-user service providers
Penalties
criminal liability
View on map
United Kingdom
Focus Areas
Cite This
APA
United Kingdom. (2026). The Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2026.
Related Regulations
UK OSA
One of the most comprehensive platform content moderation regimes globally. Creates specific duties around suicide, self-harm, and eating disorder content for children with 'highly effective' age assurance requirements.
UK AI Approach
Sector-specific, principles-based approach using existing regulators. Five cross-sector principles guide regulatory application rather than horizontal AI legislation.
UK AI Chatbot OSA Extension
Amends the Crime and Policing Bill to bring standalone AI chatbot providers (ChatGPT, Grok, Gemini, etc.) within scope of Online Safety Act illegal content duties, closing the loophole where AI-only chatbots were exempt from OSA.
Malaysia OSA
Requires licensed platforms to implement content moderation systems, child-specific safeguards, and submit Online Safety Plans. Nine categories of harmful content regulated.
Ofcom Children's Codes
Ofcom codes requiring user-to-user services and search services to protect children from harmful content including suicide, self-harm, and eating disorder content. Explicitly covers AI chatbots that enable content sharing between users. Requires detection technology, content moderation, and recommender system controls.
AR HB 1071
Amends Arkansas publicity rights law to explicitly include AI-generated reproductions of voice and likeness. Covers simulated voices and 3D generation.
Last updated May 10, 2026. Verify against primary sources before relying on this information.