Ofcom crisis response protocol: what the Online Safety Act codes ask of platforms

In short: The Ofcom crisis response protocol, published on 9 June 2026, adds two measures to the Online Safety Act 2023 codes of practice. In-scope user-to-user services should prepare and apply a written crisis protocol, and large services should open a dedicated channel for law enforcement. The measures are recommended, not yet in force, and must clear a Parliamentary process first.

By Rob Bratby, Managing Partner, Bratby Law. Lexology Global Elite Thought Leader for Data Protection. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms and data protection regulation, including Oftel and senior operator roles.

When illegal content spreads fast online during a crisis, such as a livestreamed terror attack or disorder fuelled by posts inciting violence, a platform’s ordinary moderation may not keep up. Ofcom’s answer, set out in its crisis response protocol statement of 9 June 2026, is to tell the largest and highest-risk services what to put in place before that moment arrives. The measures sit inside the illegal content and child safety codes under the Online Safety Act 2023. They are recommended steps, not a new standalone duty, and that distinction carries the analysis.

What the Ofcom crisis response protocol changes

The Ofcom crisis response protocol amends two codes of practice issued under section 41 of the Online Safety Act 2023: the Illegal Content Codes of Practice and the Protection of Children Code, both for user-to-user services. It confirms a measure first floated in a June 2025 consultation, and follows evidence that posts inciting violence fuelled the disorder after the 2024 Southport murders. Ofcom has split the single proposed measure into two.

The codes describe how providers can meet the substantive safety duties in the Act: the illegal content duties in section 10 and section 27, and the children’s safety duties in section 12 and section 29. Ofcom defines a crisis as “an extraordinary situation in which there is a serious threat to public safety in the United Kingdom”, highly likely to have resulted from, or to cause, a sharp rise in relevant illegal content or content harmful to children. A crisis need not be UK-wide, and an overseas event can qualify where it threatens public safety here. Ofcom declined to widen the definition to environmental disasters, pandemics or misinformation, on the ground that those sit outside its remit under the Act or do not generate illegal content as the Act defines it.

Recommended measures, not a new duty

The codes recommend measures; they do not create fresh obligations. Under section 49 of the Online Safety Act 2023, a provider that adopts the recommended measures is treated as complying with the underlying safety duty. This is the safe harbour at the centre of the OSA framework. A provider that does something else keeps the duty but loses the safe harbour, and must show Ofcom that its alternative reaches the same outcome.

The alternative route is demanding. Section 49(5) requires a provider taking it to have particular regard to freedom of expression and to the privacy of users. Section 49(6) tells Ofcom to weigh whether the alternative measures extend across the whole service and carry equivalent safeguards. The code therefore offers a certainty that the alternative route does not.

Two design choices in the statement matter in practice. Providers should treat any public statement notice issued under a Secretary of State direction, under section 175 of the Act, as a further indicator that a crisis may be occurring. That notice is not determinative. The determination of whether a crisis is occurring on a given service stays with the provider: neither Ofcom nor the Secretary of State can declare a crisis on a platform’s behalf. Ofcom’s investigation into X, the most prominent enforcement action yet under the Act’s illegal content duties, shows how seriously the regulator now takes the duties these codes sit beneath.

Who is in scope, and what they must put in place

The crisis protocol measure reaches further than the law enforcement channel. The protocol applies to large user-to-user services that are medium risk, and to services of any size that are high risk, of a priority illegal harm such as terrorism, hate, harassment, stalking, threats and abuse, or foreign interference. It applies on the same basis to services likely to be accessed by children that are at medium or high risk of priority content harmful to children, including abuse, hate and violent content. The dedicated law enforcement channel applies to large services only. Search services are out of scope, because Ofcom found they do not amplify illegal content during a crisis in the way user-to-user services do. A generative AI service can be caught where it operates as a user-to-user service and meets the size and risk tests.

In scope, the requirements are specific. A provider should prepare a written protocol setting out the indicators it will monitor, a mechanism to review those indicators, and a cross-functional crisis team senior enough to act. It should deploy that team as soon as reasonably practicable once it judges a crisis to be occurring or likely, run systems to mitigate the surge in content, and, once the crisis ends or after 90 days, record a post-crisis analysis that captures key decisions and tests whether the protocol still works. Ofcom can request that analysis. Working out whether a service is in scope, and at what risk level, is the first question for any provider: see our platform terms and policies and investigations and enforcement support pages.

| Measure | What it requires | Who is in scope |
| --- | --- | --- |
| Crisis protocol (ICU C15 / PCU C11) | Prepare and apply a written protocol: monitoring indicators, a review mechanism, a senior cross-functional team, prompt deployment, mitigation systems, and a 90-day post-crisis analysis. | Large user-to-user services at medium risk, and services of any size at high risk, of a priority illegal harm or priority content harmful to children. |
| Law enforcement channel (ICU C16 / PCU C12) | Open a dedicated channel by which law enforcement can pass crisis-related information, supporting faster, coordinated action. Not a substitute for routine legal process. | Large user-to-user services only, at medium or high risk of a priority illegal harm or priority content harmful to children. |

Viewpoint

The alternative-measures route is where the real work sits. A large platform that already runs a mature incident process may prefer to map its existing playbook to the duty rather than adopt Ofcom’s wording line by line. Section 49 permits that, but it puts the burden on the provider to prove equivalence, and Ofcom decides whether the alternative reaches across the whole service. In our experience advising regulated operators, that burden is more onerous than it first appears, because it has to be discharged during a live crisis, not reconstructed afterwards. Two points to watch. The determination stays with the provider, even where a section 175 notice has issued, so a clear internal trigger matters more than any external signal. And the protocol is only the operational layer: it sits on top of the illegal content risk assessment and the section 10 and section 12 duties, which remain the substantive test. A provider with a tidy protocol but no risk assessment underneath it has not complied. Ofcom’s further additional safety measures, due in autumn 2026, are likely to push in the same direction.

Frequently asked questions

Does the Ofcom crisis response protocol apply to my service?

The protocol measure applies to large user-to-user services at medium risk, and to services of any size at high risk, of a priority illegal harm or of priority content harmful to children. The separate law enforcement channel applies to large services only. Search services are excluded. A generative AI service can fall in scope where it functions as a user-to-user service.

When does the Ofcom crisis response protocol take effect?

Not yet. The measures sit in draft consolidated codes submitted to the Secretary of State. Under section 43 of the Online Safety Act 2023, the draft must be laid before Parliament; if neither House objects within 40 days, Ofcom issues the code and it comes into force 21 days later. The timing depends on Government and Parliamentary scheduling.

What counts as a crisis under the Online Safety Act?

Ofcom defines a crisis as an extraordinary situation in which there is a serious threat to public safety in the United Kingdom, highly likely to result from, or to cause, a significant increase in relevant illegal content or content harmful to children. It can be local or regional, and an overseas event can qualify where it threatens public safety in the UK.

If you are assessing whether your service is in scope of the Ofcom crisis response protocol, or mapping an existing incident process to the Online Safety Act codes, Bratby Law advises online service providers on what compliance requires. Contact Rob Bratby.
