Original Pictures
UK Online Safety Act enforcement overview

UK Online Safety Act: Deepfake and AI Content Rules for Platforms

Definition: The UK Online Safety Act is the platform-safety regime enforced by Ofcom, with illegal-harms codes in force since 17 March 2025 and criminal liability for creating intimate-image deepfakes added in 2026.

TL;DR: Ofcom can fine up to GBP18 million or 10% of qualifying worldwide revenue. The illegal-harms codes took effect 17 March 2025, and the Data (Use and Access) Act 2025 criminalized deepfake creation on 6 February 2026. Ofcom opened an investigation into X over Grok-generated sexual deepfakes in January 2026.

What the Act requires of platforms

User-to-user services must assess illegal-harms risk and put proportionate systems in place to detect and remove illegal content, including intimate-image abuse and certain deepfakes. The codes turn that duty into specific expectations Ofcom audits against. Provenance helps on the verification side: a platform that can check whether content carries a valid signed manifest has a faster, auditable path to triage.

What changed in 2026

The Data (Use and Access) Act 2025 made creating intimate-image deepfakes a criminal offence from 6 February 2026, extending earlier sharing offences to creation. Ofcom signaled it will use its powers: it opened an investigation into X on 12 January 2026 over Grok-generated sexual deepfakes.

How signing and verification fit

The Act is about systems, not a single technology, but a provenance layer gives a platform evidence. Signing first-party content and verifying inbound media against manifests lets a service show Ofcom a documented control rather than a manual judgment, and routes unsigned or altered media into review.

The incident behind this

Ofcom opened an investigation into X on 12 January 2026 over Grok-generated sexual deepfakes, an early test of how aggressively the regulator will enforce the illegal-harms duties against AI-generated content.

Implementation

# Verify inbound media before it enters a feed
curl -X POST https://api.originalpictures.com/v1/verify \
  -H "Authorization: Bearer $OP_KEY" \
  -F "[email protected]"
# returns provenance_score, manifest, watermark, anchor status

Regulatory mapping

RegimeEffectiveBiteWhy it applies
UK Online Safety ActIllegal-harms codes, 17 Mar 2025GBP18M or 10% revenueUser-to-user safety duties
Data (Use and Access) Act 2025 s.1386 Feb 2026Criminal offenceDeepfake creation criminalized

FAQ

Does the Act require C2PA specifically?

No. It requires proportionate systems. Provenance signing and verification are a way to evidence a control, not a named legal requirement.

Who does it apply to?

User-to-user and search services with UK users, regardless of where the company is based, subject to Ofcom's reach.

Where Original Pictures stands today

Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.

Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.

Bottom line: The Online Safety Act is live and Ofcom is enforcing. Sign first-party content and verify inbound media so deepfake triage is a documented control, not a manual guess.

Related


Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.

Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.

Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.