Draft amendments to Illegal content Codes of Practice for user-to-user services
Published 1 June 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at /government/publications/online-safety-act-draft-amendments-to-the-illegal-content-codes-of-practice/draft-amendments-to-illegal-content-codes-of-practice-for-user-to-user-services
Draft of amendments to lie before both Houses of Parliament for the 40-day period in accordance with section 43 of the Online Safety Act 2023, during which time either House may resolve that the draft be not approved.
Draft of amendments prepared under section 41 of the Online Safety Act 2023 and submitted to the Secretary of State in accordance with section 43(1) on 15 May 2026.
Presented to Parliament pursuant to section 43(2) of the Online Safety Act 2023
June 2026
© Ofcom copyright 2026
ISBN 978-1-5286-6521-6
E03610769
1. Preamble
1.1ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý On 24 February 2025 Ofcom issued the Illegal content Codes of Practice for user-to-user services in accordance with section 41 of the Online Safety Act (the Act).[footnote 1]
1.2ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý Ofcom issues the amendments set out in section 2 of this notification in accordance with section 43(4) of the Act.
1.3ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý In the course of preparing the draft of amendments to those Codes, Ofcom consulted the persons mentioned in section 41(6) and (7) of that Act.
1.4ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý In accordance with section 43(2) and (3) of the Act, the draft has been laid before Parliament for the 40-day period, during which time neither House of Parliament resolved not to approve the draft.
1.5ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý The amendments come into force [at the end of the period of 21 days beginning with the day on which they are issued] in accordance with section 43(4) of the Act.
1.6ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý Ofcom will publish the amended code of practice on its website in accordance with section 46 of the Act.
Signed by
Oliver Griffiths Group Director, Online Safety
A person authorised by Ofcom under paragraph 18 of the Schedule to the Office of Communications Act 2002
15 May 2026
2. Amendments
2.1ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý The Illegal content Codes of Practice for user-to-user services are amended as follows.
Amendments to index of recommended measures
2.2ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý In Section 3 (Index of recommended measures), in the appropriate places, insert the following entries
| ICU C11 | [Intentionally blank] | [Intentionally blank] | [Intentionally blank] | [Intentionally blank] |
| ICU C12 | [Intentionally blank] | [Intentionally blank] | [Intentionally blank] | [Intentionally blank] |
| ICU C13 | [Intentionally blank] | [Intentionally blank] | [Intentionally blank] | [Intentionally blank] |
| ICU C14 | Using hash matching to detect intimate image abuse content | Services that enableÌýregulated user-generated contentÌýin the form of photographs, videos or visual images (whether or not combined with written material) to be generated, uploaded or shared, and: a) are at highÌýriskÌýofÌýintimate image abuse, and: i) the principal purpose of theÌýserviceÌýis the hosting or dissemination ofÌýregulated pornographic content; or ii) have more than 700,000 monthlyÌýactive UK users; or iii) areÌýfile-storage and file-sharing services; or b) areÌýlarge servicesÌýat medium or highÌýriskÌýofÌýintimate image abuse. |
Other duties | Section 10(2) and (3) |
Amendments to recommended measures
2.3ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý In Section 4 (Recommended measures), after Recommendation ICU C10 (Detecting and removing content matching listed CSAM URLs), insert
| ICU C11 | [Intentionally blank] |
| ICU C12 | [Intentionally blank] |
| ICU C13 | [Intentionally blank] |
| ICU C14 | Using hash matching to detect intimate image abuse content |
| Ìý | Application |
| ICU C14.1 | This measure applies to aÌýproviderÌýin respect of eachÌýserviceÌýit provides that enablesÌýregulated user-generated contentÌýin the form of photographs, videos or visual images (whether or not combined with written material) to be generated, uploaded or shared, and: a)ÌýÌýÌýÌýÌý is at highÌýriskÌýofÌýintimate image abuse, and: i)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý the principal purpose of theÌýserviceÌýis the hosting or dissemination ofÌýregulated pornographic content; ÌýÌý ii)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý has more than 700,000 monthlyÌýactive United Kingdom usersÌý(see paragraphs 5.7 to 5.10); or iii)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý is aÌýfile-storage and file-sharing service;Ìýor b)ÌýÌýÌýÌýÌý is aÌýlarge serviceÌýand is at medium or highÌýriskÌýofÌýintimate image abuse. |
| Ìý | Key definitions |
| ICU C14.2 | In this Recommendation ICU C14: relevant content means: a)ÌýÌýÌýÌýÌý anyÌýregulated user-generated contentÌýin the form of photographs, videos or visual images (whether or not combined with written material) that: i)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý may beÌýencounteredÌýbyÌýUnited Kingdom usersÌýof the service by means of the service, and Ìý ii)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý is communicated publicly[2]Ìýby means of the service; or b)ÌýÌýÌýÌýÌý any material which, if it were present on the service, would be content within sub-paragraph (a); unverified hash means a hash which is not a verified hash; verified hash means a hash which was determined to be ofÌýintimate image abuse contentÌýat the time the hash was uploaded to a database. |
| Ìý | Recommendation |
| ICU C14.3 | The provider should ensure that, where technically feasible,Ìýhash matching technologyÌýis used effectively (see ICU C14.8) to analyse relevant content to assess whether it isÌýintimate image abuse content. For this purpose, the provider should use: a)ÌýÌýÌýÌýÌýÌýperceptual hash matching technology; or b)ÌýÌýÌýÌýÌý where the providers appropriate set of hashes (as defined in ICU C14.9) does not enable perceptual hash matching for videoÌýcontent,Ìýcryptographic hash matching. |
| ICU C14.4 | In circumstances where: a)ÌýÌýÌýÌýÌý relevant contentÌýmatches with an unverified hash; and b)ÌýÌýÌýÌýÌý either of the following apply: i)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý ifÌýperceptual hash matching technologyÌýis used, it is the first time there has been a positive match with that hash at that configuration of the technology (see ICU C14.8(b)); or ii)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý ifÌýcryptographic hash matchingÌýis used, it is the first time there has been a positive match with that hash; the provider should treat this as reason to suspect that the relevant content may beÌýillegal contentÌýand review the relevant content in accordance with Recommendation ICU C1. |
| ICU C14.5 | Where relevant content matches with a hash in circumstances other than those set out in ICU C14.4, the provider: a)ÌýÌýÌýÌýÌý may, depending on the level of assurance the provider has in the detection outcomes achieved by theÌýhash matching technology, treat the relevant content asÌýillegal contentÌýand swiftly take it down in accordance with ICU C2.3; or b)ÌýÌýÌýÌýÌý should otherwise treat the match as reason to suspect that the relevant content may beÌýillegal contentÌýand review the relevant content in accordance with Recommendation ICU C1. |
| ICU C14.6 | The provider should ensure human moderators review and assess an appropriate proportion ofÌýdetected content, having regard to: a)ÌýÌýÌýÌýÌý the level of assurance the provider has in the detection outcomes achieved by theÌýhash matching technologyÌýand any associatedÌýsystems and processesÌý(as indicated by the ongoing monitoring, evaluation and quality assurance (including human quality assurance) of the performance of the technology); and b)ÌýÌýÌýÌýÌý to the extent thatÌýdetected contentÌýis subject to review for the purpose of Recommendation ICU C1: i)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý the potential severity of the harm to those depicted in orÌýencounteringÌýintimate image abuse content; and ii)ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý the overall impact of an incorrect decision that the relevant content isÌýillegal contentÌýon aÌýUnited Kingdom userÌýwhoÌýgenerated, uploaded or shared the content. |
| ICU C14.7 | For the purposes of ICU C14.3, the provider should ensure that: a)ÌýÌýÌýÌýÌý all relevant content present on the serviceÌýat the time theÌýhash matching technologyÌýis implemented is analysed within a reasonable time; and b)ÌýÌýÌýÌýÌý relevant content that is generated on, uploaded to or shared on the service (or that a user seeks to so generate, upload or share) after theÌýhash matchingÌýtechnologyÌýis implemented is analysed before or as soon as practicable after it can beÌýencounteredÌýbyÌýUnited Kingdom usersÌýof the service. |
| ICU C14.8 | For the use ofÌýhash matching technologyÌýto be effective, it should: a)ÌýÌýÌýÌýÌý use a suitable hash function to compare the relevant content to an appropriate set of hashes (see ICU C14.9 to ICU C14.12); and b)ÌýÌýÌýÌýÌý whereÌýperceptual hash matching technologyÌýis used, be configured so that its performance strikes an appropriate balance betweenÌýprecisionÌýandÌýrecallÌý(see ICU C14.13 to ICU C14.15). |
| Ìý | The set of hashes |
| ICU C14.9 | For the set of hashes to be appropriate, it should: a)ÌýÌýÌýÌýÌý contain hashes of a significant number of original items ofÌýcontent; b)ÌýÌýÌýÌýÌý be proactively updated with reasonable regularity; and c)ÌýÌýÌýÌýÌý be secured from unauthorised access, interference and (to the extent the database is comprised of verified hashes) exploitation (whether by persons who work for that person or are providing a service to that person, or any other person). |
| ICU C14.10 | Where the provider becomes aware ofÌýintimate image abuse contentÌýa hash of which is not included on any database used by the provider, the provider should take reasonable steps to secure that a hash of thatÌýcontentÌýis added to each such database. |
| ICU C14.11 | The provider should take reasonable steps to secure the removal of a hash from any hash database used by the provider where it has determined that the hash is not ofÌýintimate image abuse contentÌý(see ICU C14.12). |
| ICU C14.12 | For the purposes of ICU C14.11, the provider determines that the hash is not ofÌýintimate image abuse contentÌýin any of the following circumstances: a)ÌýÌýÌýÌýÌý the provider views theÌýcontentÌýused to generate the hash and determines it is notÌýintimate image abuse content; b)ÌýÌýÌýÌýÌý the provider otherwise reasonably believes that the hash is ofÌýcontentÌýthat is notÌýintimate image abuse content; c)ÌýÌýÌýÌýÌý the provider viewsÌýdetected contentÌýmatched with the hash usingÌýcryptographic hash matching technologyÌýand determines that thatÌýcontentÌýis notÌýintimate image abuse content; or d)ÌýÌýÌýÌýÌý the provider viewsÌýdetected contentÌýmatched with the hash usingÌýperceptual hash matching technologyÌýand determines that thatÌýcontentÌýis notÌýintimate image abuse content, provided that the provider reasonably believes that there is an exact match between the hash of theÌýdetected contentÌýand the hash included on the database. |
| Ìý | Technical configuration |
| ICU C14.13 | In configuring theÌýhash matchingÌýtechnologyÌýso that its performance strikes an appropriate balance betweenÌýprecisionÌýandÌýrecall, the provider should ensure that the following matters are taken into account: a)ÌýÌýÌýÌýÌý the servicesÌýriskÌýof harm relating toÌýintimate image abuse, reflecting theÌýrisk assessmentÌýof the service and any information reasonably available to the provider about the prevalence of relevant content that isÌýintimate image abuse contentÌýon the service; b)ÌýÌýÌýÌýÌý the proportion ofÌýdetected contentÌýthat is aÌýfalse positive; and c)ÌýÌýÌýÌýÌý the effectiveness of theÌýsystems and/or processesÌýused to identifyÌýfalse positives. |
| ICU C14.14 | The provider should ensure that the performance of theÌýhash matchingÌýtechnology, and whether the balance betweenÌýprecisionÌýandÌýrecallÌýcontinues to be appropriate, is reviewed at least every six months. |
| ICU C14.15 | The provider should ensure that a written record is made of how this balance has been struck in configuring theÌýhash matching technology, including what information has been considered, and information about reviews and steps taken in response. |
| Ìý | Safeguards for freedom of expression and privacy |
| ICU C14.16 | Paragraphs ICU C14.4 to ICU C14.6 and ICU C14.8 to ICU C14.15 of this Recommendation ICU 14 are safeguards to protectÌýUnited Kingdom usersÌýright to freedom of expression and the privacy ofÌýUnited Kingdom users. |
| ICU C14.17 | The following measures are also safeguards to protectÌýUnited Kingdom usersÌýright to freedom of expression and the privacy ofÌýUnited Kingdom users: a)ÌýÌýÌýÌýÌý Recommendations ICU C1 and ICU C2, and where they are applicable, Recommendations ICU C3, ICU C4, ICU C6, ICU C7 and ICU C8 (in relation to content moderation); b)ÌýÌýÌýÌýÌý Recommendations ICU D1 and ICU D2, so far as they relate toÌýappealsÌýor complaints byÌýUnited Kingdom usersÌýandÌýaffected personsÌýif they consider that the provider is not complying with its duties in relation to freedom of expression or privacy; c)ÌýÌýÌýÌýÌý Recommendations ICU D8 or ICU D9 (whichever is applicable), ICU D10 (in relation toÌýappeals) and ICU D12; and d)ÌýÌýÌýÌýÌý Recommendation ICU G1 (terms of service: substance (all services)).. |
Amendments to definitions and interpretation
2.4ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý In Section 5 (Definitions and interpretation), in Table A, in the appropriate places, insert the following entries
| Cryptographic hash matching technology | Technology that detects exact matches to digitalÌýcontentÌýby comparing cryptographic hash values of theÌýcontentÌýagainst a reference database of cryptographic hash values. A match is identified only where the hash values are identical. |
| Hash matching technology | EitherÌýperceptual hash matching technologyÌýorÌýcryptographic hash matching technology. |
| Intimate image abuse content | ContentÌýwhich amounts to an offence: |
|
a)ÌýÌýÌýÌýÌý under section 66B of the Sexual Offences Act 2003 (sharing or threatening to share intimate image or film); or b)ÌýÌýÌýÌýÌý under section 2 of the Abusive Behaviour and Sexual Harm (Scotland) Act 2016 (asp 22) (disclosing, or threatening to disclose, an intimate photograph or film). |
Ìý |
| Regulated pornographic content | Pornographic contentÌýother than content of a type described in section 61(6) of theÌýAct. |
2.5ÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌýÌý In Section 5 (Definitions and interpretation), in Table B, in the appropriate place, insert the following entry
| Pornographic content | |
| See the entry for content regarding the definition of that term. | Ìý |
-
ÌýOfcom,ÌýÌý(24 February 2025).Ìý↩