The Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2025
These regulations mandate that UK online service providers of regulated user-to-user services report child sexual abuse and exploitation (CSEA) content to the National Crime Agency (NCA).
Providers must register with the NCA, designating an organisation administrator and potentially an authorised person for reporting.
The regulations specify the information to be included in reports, their formatting, submission methods (API or manual), and urgency levels based upon risk assessment.
Data retention requirements for both CSEA content and associated user data are also outlined.
Arguments For
Improved Child Safety: The regulations aim to enhance the protection of children by ensuring swift reporting of child sexual abuse and exploitation content to law enforcement.
Enhanced Law Enforcement Capabilities: Streamlined reporting procedures provide the NCA with more efficient access to crucial evidence, facilitating investigations and prosecutions.
Increased Accountability for Online Platforms: The regulations hold online service providers accountable for their role in preventing and addressing child sexual abuse and exploitation on their platforms.
Legal Basis in Online Safety Act 2023: The regulations derive their authority from the Online Safety Act 2023, providing a clear legal framework for reporting requirements.
Arguments Against
Implementation Challenges: Ensuring consistent implementation across various online platforms and jurisdictions may prove challenging, requiring significant technical and logistical resources.
Potential for Overreach: The broad scope of the regulations might lead to unintended consequences, such as the misidentification and reporting of non-abusive content, increasing the workload on the NCA and affecting freedom of expression.
Compliance Costs: Meeting the regulations' requirements may impose significant financial burdens on online service providers, particularly smaller companies.
Data Privacy Concerns: The collection and retention of user data necessitates robust data protection measures to ensure compliance with data protection legislation and prevent breaches.
The Secretary of State makes these Regulations, in exercise of the powers conferred by sections 67(1) to (4), 224(1)(a)(i) and (b) of the Online Safety Act 2023[1].
The Secretary of State has consulted the NCA and OFCOM and such other persons as the Secretary of State has considered appropriate as required by section 67(5) of the Online Safety Act 2023.
The Secretary of State created these regulations using powers granted by the Online Safety Act 2023.
Before doing so, consultations were held with the National Crime Agency (NCA), Ofcom, and other relevant individuals, as the Act requires.
PART 1
Citation, commencement, and extent 1.
(1) These Regulations may be cited as the Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2025.
(2) These Regulations come into force on 3rd November 2025.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
This part details the title, effective date, and geographical scope of the regulations.
The regulations are effective November 3rd, 2025 and apply across the UK.
Interpretation 2.
In these Regulations—
“the Act” means the Online Safety Act 2023;
“authorised person” has the meaning given in regulation 7(3);
“API” means an automatic programming interface which can be used to submit reports of CSEA content to the online portal;
“CSEA offence” means an offence specified in Schedule 6 to the Act;
“incident of CSEA content” is content which gives a provider—
(a) reasonable grounds to infer that a user has committed all elements of an offence in Schedule 6 to the Act, and
(b) no reasonable grounds to infer that the user has a defence to that offence;
“content moderation” means the measures which a provider is required to take to moderate content in accordance with section 10 of the Act;
“CSEA content” means CSEA content[2] as it relates to providers required to report CSEA content by these Regulations;
“online portal” means the online portal managed by the NCA[3] which has been provided for the purpose of enabling an authorised person to send reports of CSEA content to the NCA securely;
“organisation administrator” means the person designated in accordance with regulations 3 and 4 as the organisation administrator;
“platform” means part of the regulated user-to-user service, which the provider has control over;
“provider” means the provider of a regulated user-to-user service[4], which is required by section 66 of the Act to report CSEA content to the NCA;
“work” in the context of telephone numbers and email addresses, means a telephone number or an email address, at which an individual can be contacted during normal working hours.
This section defines key terms used throughout the regulations.
It clarifies the definitions of 'the Act' (Online Safety Act 2023), 'authorised person,' application programming interface (API), CSEA offense, 'incident of CSEA content' , 'content moderation', 'CSEA content', 'online portal,' 'organisation administrator', 'platform,' 'provider,' and 'work' contact details.
PART 2 Registration with the NCA
Registration of a provider of a regulated user-to-user service 3.
(1) Where a UK provider[5] of a regulated user-to-user service and a non-UK provider[6] of a regulated user-to-user service is required by section 66 of the Act to report certain CSEA content to the NCA, that provider must—
(a) nominate an appropriate person to be the organisation administrator;
(b) require the organisation administrator to register the provider of that service with the NCA and to complete the requirements in regulation 5 for using the online portal to submit reports of CSEA content to the NCA;
(c) require the organisation administrator to supply the details required by regulation 6 whenever a deputy organisation administrator is appointed:
(d) require the organisation administrator to comply with the requirements of regulation 7 and appoint an authorised person, in the case where a person other than the organisation administrator is to make reports of CSEA content to the NCA;
(e) require the organisation administrator to comply with the requirement in regulation 9, when appropriate.
(2) The organisation administrator must be a senior manager or other individual whom the provider considers has the appropriate role within the provider to be able to able to register the provider with the NCA.
This part outlines the registration process for online service providers with the NCA. Providers must appoint an organisation administrator, register with the NCA, and follow procedures for utilising the online portal.
The organisation administrator must be a senior figure within the provider's organisation.
Content moderation carried out by another entity or individual 4.
(1) On each occasion where the provider mentioned in regulation 3 has arranged for another entity[7] or individual to carry out the content moderation of the service, the provider must—
(a) inform the NCA of the name of the entity or individual who is to carry out the moderation of the service on behalf of the provider; and
(b) ensure that the entity who is to carry out the content moderation registers with the NCA and nominates an individual to be the organisation administrator; or
(c) ensure that the individual who is to carry out the moderation of the service, registers with the NCA and either carries out the role of organisation administrator or nominates another individual to do this.
(2) If the arrangement notified to the NCA under paragraph (1)(a) of this regulation ceases, the provider must—
(a) notify the NCA that this arrangement has ceased, and either,
(b) nominate an appropriate person to be the organisation administrator, or
(c) comply with the requirement in paragraph (1)(a), to notify the NCA of the name of the entity or individual who is to carry out the moderation of the service on behalf of the provider; and
(d) ensure that the entity, which is to carry out the moderation of the service, registers with the NCA and nominates an individual to be the organisation administrator; or,
(e) ensure that the individual, who is to carry out the moderation of the service, registers with the NCA and either carries out the role of organisation administrator or nominates another individual to do this.
(3) The provider must ensure that the arrangements entered into with the entity or individual to carry out content moderation of the service, require the entity or individual to comply with the requirements in regulations 5, 6, 7 and 9.
If a provider outsources content moderation, they must inform the NCA and ensure the external entity or individual also registers with the NCA and either acts as or appoints an organisation administrator, complying with all relevant regulations.
Changes in these arrangements must also be reported to the NCA.
Details to be provided on registration of a provider 5.
(1) The requirements referred to in regulation 3(1)(b) are as follows—
(a) where the provider is an entity, the name of that entity, or if the provider is one or more individuals, the name those individuals use (if any) to refer to that provider;
(b) where the provider is a company with a registration number, the registration number;
(c) the organisation administrator’s work email address;
(d) if the entity was formed under the law of a country, the name of that country or if the entity was not formed under the law of any country, the country in which the entity was first established;
(e) where the provider is an entity, the names of any platforms and the website addresses of those platforms which the entity has control over;
(f) where the provider is one or more individuals, the names of any platforms and the website addresses of those platforms which those individuals have control over.
(2) The organisation administrator must also provide their work telephone number.
(3) After the NCA has verified the organisation administrator’s email address, the provider must provide—
(a) the full name of an emergency contact;
(b) the work telephone number of that emergency contact;
(c) the work email address of that emergency contact;
(d) the work address of that emergency contact;
(e) where the reports of CSEA content are to be sent to the NCA by an API, the provider must provide the name, work email address and work telephone number (including the international dialling code) for the point of contact responsible for the API.
This regulation specifies the information providers must give the NCA upon registration.
This includes details about the provider itself (name, registration number, country of origin), the organisation administrator's contact information, details of the platforms they control, and the contact information for an emergency contact.
If using an API to report, details of responsible personnel must also be provided.
Appointment of deputy organisation administrator 6.
If another employee or individual is appointed to deputise as an organisation administrator, the provider must provide the NCA with the details of that employee’s work email address and work telephone number.
If a deputy organisation administrator is appointed, the provider must provide their work email and telephone number to the NCA.
Appointment of authorised person 7.
(1) The provider must register each employee or individual who is to be authorised to report detected CSEA content to the NCA by supplying the following details to the NCA—
(a) first name;
(b) last name;
(c) work email address;
(d) work telephone number (including international dialling code).
(2) Following the notification of the information in paragraph (1), the NCA will supply that employee or individual with an account on the online portal.
(3) The employee or individual authorised to report CSEA content to the NCA is referred to in these Regulations as the “authorised person”.
Providers must register each individual authorised to report CSEA content to the NCA, providing their name and contact details.
The NCA will then provide these individuals with an online portal account.
These individuals are defined as 'authorised persons'.
Restriction for use of account to report to NCA 8.
The provider must ensure that the terms of employment or other contractual arrangements prohibit access to the account which an authorised person has been allocated to report CSEA content to the NCA by any other employee or individual.
Providers must ensure that access to the NCA reporting account is restricted to the designated authorised person; other employees or individuals should be prohibited from using it.
Requests from the NCA 9.
The provider must respond as soon as possible, or in any event within 7 days, to any request from the NCA about the provider or the reports submitted.
Providers are required to respond, within seven days maximum, to any requests made by the NCA regarding the provider's operations or submitted reports.
Notification of cessation of reporting CSEA content to the NCA 10.
(1) A provider, who has registered to use the online portal under regulation 3, must notify the NCA, if that provider is required, or decides, to report CSEA content to a foreign agency[8] and will cease to report CSEA content to the NCA.
(2) The provider should give that notification one month or more before the day on which reports will no longer be sent to the NCA.
If a provider stops reporting to the NCA, for example because they report to a foreign agency, they must notify the NCA at least one month in advance.
Definition of “senior manager” 11.
(1) For the purposes of this Part, a senior manager means—
(a) where the provider is an entity, an individual who plays a significant role in—
(i) the making of decisions about how the entity’s relevant activities are to be managed or organised, or
(ii) the actual managing or organising of the entity’s relevant activities, and
may reasonably be expected to be in a position to ensure compliance with the duties under these Regulations;
(b) where the provider is more than one individual, the individual designated by those individuals;
(c) Where the provider is one individual, that individual.
(2) For the purposes of paragraph (1), “relevant activities” means those activities relating to the reporting of CSEA content to the NCA.
This section defines 'senior manager' for the purpose of Part 2.
For entities, a senior manager is someone heavily involved in decision-making or management related to CSEA reporting.
For individual providers, it's the provider themself.
For multiple individuals, it is the individual they designate.
PART 3 Contents of report
Requirement for providers to report CSEA content 12.
(1) A provider must send a report to the NCA for each incident of CSEA content which the provider has detected as soon as possible in accordance with the requirements of regulation 18.
(2) A provider must send all the information which is required by Schedule 1 where that information is available on the provider’s service at the time of sending the report (“an initial report”).
(3) Where all the information required by Schedule 1 is not available at the time of making the initial report, the provider must make a supplementary report (“a supplementary report”) as soon as possible after the information has been obtained from the provider’s existing information.
(4) Where the provider has notified the NCA that another entity or individual is to carry out the moderation of the provider’s service, the provider must ensure that the arrangements with that entity or individual include a requirement that the entity or individual comply with the requirements of the regulations in Part 3 as to the contents of a report, and Part 4 as to the retention of data.
This part details the requirements for reporting CSEA content.
Providers must submit a report for each incident, including all available information from Schedule 1.
If information is missing, a supplementary report is required.
If content moderation is outsourced, the provider must ensure compliance with Part 3 and 4 by the external entity or individual.
Requirement for a subsequent report 13.
(1) If a user[9] sending, or a user receiving, CSEA content, which has been included in a report to the NCA, sends that CSEA content to another user and the provider detects that previously detected CSEA content, the provider must make a further report in respect of the user who has forwarded that CSEA content.
(2) In a report mentioned in paragraph (1), the subsequent report should be linked to the unique reference number of the initial report by the provider, where that is available.
If CSEA content previously reported to the NCA is re-shared by a user, a further report must be created.
Where possible, it should be linked to the initial report's unique reference number.
Priority assessment 14.
(1) Where the provider has reasonable grounds for judging that the content is CSEA content, the authorised person should (where possible) indicate the priority level of the report on the basis of all the relevant information reasonably available to the authorised person, according to the criteria set out in paragraph (2) of this regulation.
(2) Criteria for priority levels—
(a) Priority level 1: urgent, where there is information which suggests that there is current or imminent risk to a child and the provider believes that a crime is taking place or about to take place, and that a child is in need of immediate safeguarding or there is a threat to that child’s life;
(b) Priority level 2: where there is information which suggests that—
(i) a child is at risk in the near future,
(ii) there are reasonable grounds for inferring that contact offending has taken place, or
(iii) CSEA content has been recently generated, or
(iv) the provider considers that there is a need for swift action to be taken on other grounds.
(c) Priority level 3: where information does not indicate that either priority level 1 or priority level 2 applies.
Providers must assess the urgency of the reported CSEA content.
Priority levels are assigned based on the risk to the child, with level 1 representing imminent danger.
The assessment should be based on all reasonably available information.
Formatting requirements 15.
The information required under regulation 12, 13 and 14 must comply with the formatting requirements set out in Schedule 2.
Reports must adhere to the formatting guidelines outlined in Schedule 2.
Manner of sending reports 16.
(1) The provider must ensure that the report and any information required by these Regulations must be submitted to the NCA using the online portal in accordance with the time required by regulation 18.
(2) Where the provider has notified the NCA of arrangements that have been made with another entity or individual to carry out the content moderation, the provider must ensure that these arrangements include a requirement for that entity or individual to submit the report and any information required by these Regulations to the NCA using the online portal in accordance with the time required by regulation 18.
(3) The authorised person may submit a report to the online portal by using an API or manually.
Reports and associated information must be submitted to the NCA through the online portal, as per the timelines in regulation 18.
If moderation is outsourced, the same requirements apply to the external party.
Reports may be submitted via API or manually.
Data protection requirements 17.
(1) Where the provider is not required to comply with the data protection legislation, the provider, when implementing security measures and policies in accordance with these Regulations, has a duty to comply with the security of processing requirements in Article 5(1)(f) and Article 32 of UK GDPR.
(2) For the purposes of this regulation, “data protection legislation” has the same meaning as in section 3 of the Data Protection Act 2018[10].
Providers must comply with data protection requirements for security of processing, as outlined in Article 5(1)(f) and Article 32 of the UK GDPR, unless already subject to data protection legislation (defined in section 3 of Data Protection Act 2018).
Time frame for reporting 18.
(1) Where the provider who has submitted the report has indicated that in their opinion, priority level 1 should apply, the provider must send the report as soon as possible.
(2) Where the provider has not indicated that priority level 1 should apply, that provider must send the report as soon as practicable after making the judgement that the content is CSEA content.
(3) If the provider has not formed an opinion as to which priority level should apply, then the provider must send the report as soon as practicable after making the judgement that the content is CSEA content.
The timeline for reporting depends on the priority assessment.
Priority level 1 reports must be sent immediately.
Others should be sent as soon as possible after the judgement that content is CSEA, within a reasonable timeframe.
PART 4 Data Retention
Data retention requirements 19.
(1) A provider who has sent a report of detected CSEA content to the NCA must retain the following for the period of one year, beginning with the date on which the report is submitted—
(a) the detected CSEA content,
(b) the information supplied in accordance with these Regulations, and
(c) any information which the provider has used to make a judgment that the content is CSEA content in accordance with section 192 of the Act.
(2) The provider must retain for the period of 4 weeks beginning on the day on which the report was submitted to the NCA the relevant data which is associated with the user who uploaded or made or shared the content which constitutes the incident of CSEA content in the report.
(3) For the purposes of paragraph (2), relevant data is data from the two week period ending on the day on which the CSEA offence was committed and includes—
(a) any digital files with content which the user has shared, uploaded or created on the platform;
(b) any digital files with metadata or communications data associated with that content;
(c) any digital files with geo local data in addition to that included in the metadata;
(d) any digital files with chat logs, public and private messages, and public comments created by the user;
(e) any digital files with information about connections with other accounts or attempts with other accounts.
This part sets out data retention policies.
Providers must keep CSEA content, related information supplied to the NCA, and any information used to make the CSEA judgement for one year.
User data associated with the incident must be retained for four weeks, including data from the two weeks preceding the offense.
Retention of records for reports 20.
Providers must keep records of all their reports for a minimum of five years beginning on the day on which the report was submitted to the NCA.
Records of all reports submitted to the NCA must be maintained by providers for a minimum of five years.
SCHEDULE 1 CSEA Information to be included in reports
Regulation 12
1. Information about the authorised person, who is submitting the report of CSEA content, must be included in the report—
(a) their name;
(b) the name of the entity for which they work;
(c) if the authorised person submitting the report is the provider, that provider’s name;
(d) their work email address;
(e) their work telephone number.
2. The following information about the detected CSEA content, where that information is reasonably available to the provider—
(a) the detected CSEA content;
(b) the method through which the CSEA content was detected;
(c) the platform on which the CSEA content was detected;
(d) whether the report relates to a previous report;
(e) if the report relates to a previous report, the unique reference number of that report, and any previous related reports;
(f) the time that the CSEA content was uploaded;
(g) the date on which the CSEA content was uploaded;
(h) exif data linked to the reported CSEA content;
(i) the URL of the webpage of the reported CSEA content at the point of upload;
(j) the numerical hash value of the detected CSEA content at the point classified as CSEA content.
3. Where the authorised person submitting the report has information available which enables that person to indicate which priority level should apply to the CSEA content in the report, the person should indicate, which priority level is appropriate in accordance with regulation 14.
4. The following information about the user identified by the provider uploading or sending or receiving the CSEA content must be included in the report where that information is held by the provider—
(a) the account username of that user;
(b) the email address of the user;
(c) the recovery email address of the user;
(d) the mobile number of the user;
(e) whether the user’s telephone number has been verified, and if so, the date on which it was verified;
(f) the URL of the user’s profile on the platform where the CSEA content was detected;
(g) the IP address of the user at the time of the upload of CSEA content and any port number associated with that IP address;
(h) the IP addresses used for the user’s account during the three months prior to the report being made, the time and date connected with that IP address and any port number associated with an IP address.
5. Where the provider has any identity documents for a user mentioned in the report, the provider may supply copies of these in the report.
6. Where the provider has other information reasonably available on their service that is relevant to the incident of CSEA content, this may be included.
7. A declaration that all the information reasonably available has been provided.
Interpretation of this Schedule
8. In this Schedule—
“exif data” means exchangeable image file format which is basic level metadata related to when, where and how the reported CSEA content was created;
“IP address” means the internet protocol address of a device on the network;
“port number” means a connection endpoint;
“URL” means the full universal resource locator of the address on the webpage where the CSEA content is being hosted at the time it was detected.
Schedule 1 lists the information required in CSEA content reports.
This includes details about the authorized person submitting, the detected content (including metadata), its location and time of upload, information regarding the involved user (username, email, phone number, IP addresses), and a declaration that all available information is being shared.
It also defines terms such as 'exif data,' 'IP address,' 'port number,' and 'URL.'
SCHEDULE 2 Formatting requirements
Regulation 15
1. Dates must be provided in number format as DD/MM/YYYY.
2. Time must be provided in any international format and the authorised person must select the appropriate time zone for the time recorded by the provider’s system.
3. IP addresses must be formatted in the case of—
(a) an IPv4 address, as four sets of numbers separated by dots;
(b) an IPv6 address, as eight groups of four hexadecimal digits separated by colons.
4. Telephone numbers must include international dialling code applicable to the location of the provider or individual.
Schedule 2 specifies the formatting requirements for reports.
Dates must be DD/MM/YYYY, times in any international format with timezone specified, IPv4 and IPv6 addresses in their standard formats, and telephone numbers with international dialling codes.
EXPLANATORY NOTE (This note is not part of the Regulations)
Section 66 of the Online Safety Act 2023 (“OSA”) requires certain providers of regulated user-to-user services to report child sexual abuse and exploitation content (“CSEA content”) to the National Crime Agency (“NCA”). If these providers are already reporting CSEA to a body which is exercising functions similar to the NCA, then this content is not required by section 66 to be reported to the NCA.
CSEA content is defined by section 59 of the OSA as content which amounts to an offence specified in Schedule 6 to the OSA.
Part 2 of these Regulations require providers who are required to report CSEA content to the NCA to register with the NCA. Where those providers have entered into arrangements with another person to moderate the content on the providers services, then that person is also required to register with the NCA.
Part 3 of these Regulations require certain information to be included in the reports made by those regulated user-to-user service providers to the NCA. The Regulations also specify the manner in which reports of CSEA content must be sent to the NCA and the format in which these reports must be sent. The Regulations also request providers to assess the urgency of the report and to send the report to the NCA in accordance with certain timeframes depending on any assessment of urgency.
Part 4 of these Regulations require the providers to retain records of reports made to the NCA, and to retain certain information about the users who are associated with a report.
Schedule 1 to these Regulations sets out the information required to be included in the reports to the NCA. Schedule 2 to these Regulations contains formatting requirements for the reports.
A full impact assessment has been published in relation to the Online Safety Act 2023 and copies can be obtained from the UK Government website at: https://assets.publishing.service.gov.uk/media/6716222b9242eecc6c849b09/Online_Safety_act_enactment_impact_assessment.pdf or from the Department for Science, Innovation and Technology at 100 Parliament Street, London SW1A 2BQ, United Kingdom.
This explanatory note summarizes the regulations' key aspects: the legal basis in the Online Safety Act 2023, the registration requirement for providers and their content moderators, detailed specifications for report content and submission, urgency assessment criteria, and data retention policies.
It also refers to a published impact assessment.