Ofcom investigates TikTok age assurance under UK’s Online Safety Act

Ofcom has opened an investigation into TikTok age assurance and the platform’s compliance with child safety duties under the UK’s Online Safety Act.

The investigation will examine whether TikTok uses proportionate systems and processes to prevent children from encountering content classified as harmful under the Act.

Since 25 July 2025, user-to-user services likely to be accessed by children have been required to prevent minors from encountering primary priority content harmful to children. Platforms must also protect different age groups from other forms of harmful material.

Where primary priority content is available, providers must use age-assurance systems that are highly effective at determining whether a user is a child, unless the content is prohibited for all users under the platform’s terms of service.

Ofcom said the investigation follows its review of measures adopted by major platforms and findings from its report on children’s online experiences, which raised concerns about minors encountering harmful content on TikTok.

A separate report on age assurance also suggested that age-estimation models, including those used by TikTok, may have failed to identify a significant proportion of children correctly.

The regulator will assess whether TikTok’s age-assurance measures meet the legal standard of being ‘highly effective’ and whether any shortcomings may have left children exposed to harmful content.

The regulator stressed that opening the investigation does not mean it has concluded that TikTok breached the law. Its first step will be to use formal information-gathering powers to collect and analyse evidence.

TikTok may choose to follow Ofcom’s Protection of Children Codes of Practice or adopt alternative measures. However, any alternative approach must still satisfy the platform’s legal obligations under the Online Safety Act.

If Ofcom identifies failures involving TikTok age assurance or other child protection systems, it could impose a fine of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater.

In the most serious cases, Ofcom can seek a court order requiring third parties, including payment providers, advertisers and internet service providers, to withdraw services from or block access to a platform in UK.

The investigation is expected to take at least three months, with Ofcom planning to publish an update in October 2026.

Why does it matter?

The investigation will provide an early test of how rigorously Ofcom enforces the Online Safety Act’s child protection duties against major platforms. Its outcome could help define what constitutes ‘highly effective’ age assurance and shape industry expectations for protecting minors online.

The case also reflects a broader shift towards holding platforms accountable not only for removing harmful content but for demonstrating that their safety systems work in practice. Any enforcement action is likely to influence how other online services approach age verification and child safety compliance in the UK.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom finalises tougher rules against mobile messaging scams

Ofcom has finalised new rules requiring mobile providers to block, limit and disrupt mobile messaging scams, alongside strengthened guidance to tackle international calls that spoof UK mobile numbers.

The regulator said criminals increasingly use text messages and business messaging services to impersonate friends, companies and public bodies, pressuring victims to transfer money, disclose sensitive information or click malicious links.

Fraud accounted for an estimated 45% of reported crime incidents in England and Wales, with £1.28 billion lost to criminals in 2025. Ofcom also found that 40% of UK mobile users had received at least one suspicious message during the previous three months.

The measures target two main forms of messaging fraud: person-to-person messages sent through SIM cards and mass business messages distributed through commercial messaging infrastructure.

For person-to-person scams, mobile providers must collect intelligence on fraudulent messages, malicious links and phone numbers from customers and anti-fraud organisations. They must use that information to block numbers associated with scammers and stop messages containing malicious links or phone numbers from being delivered across their networks.

Providers must also impose volume limits on pay-as-you-go SIM cards, making it harder for criminal groups to send large numbers of fraudulent messages. The measures complement the government’s proposed ban on SIM farms and commitments made by operators under the Fraud Sector Charter.

Business messaging providers and aggregators must carry out initial and ongoing Know Your Customer (KYC) checks on organisations sending messages and monitor their activity through Know Your Traffic controls.

Providers will also verify alphanumeric sender IDs, which display company names instead of telephone numbers. The checks are intended to prevent scammers from impersonating trusted businesses, delivery services and government agencies.

Where providers identify fraudulent messaging activity, they must investigate its source, apply incident management procedures, and block malicious sender IDs, links and telephone numbers. Companies that fail to carry out appropriate checks may also face regulatory action.

Ofcom has separately strengthened its guidance on international calls that spoof UK mobile numbers. Telecoms companies should withhold the caller ID for calls that appear to originate from a UK mobile number roaming abroad unless they can verify that the number is genuine.

The regulator said spoofing makes overseas calls appear more trustworthy and increases the likelihood that potential victims will answer. However, it cautioned that legitimate organisations may also use withheld numbers, meaning users should continue to assess unexpected calls carefully.

Mobile providers already block more than 600 million suspected scam messages each year, but Ofcom said inconsistent protections across the sector continue to leave consumers exposed.

Consumers can report suspicious calls and messages by forwarding them to 7726, enabling mobile operators to update their fraud-detection and network-protection systems.

Why does it matter?

The new rules shift greater responsibility onto mobile providers to prevent scams before they reach consumers. By requiring stronger customer verification, sender authentication, network-level filtering and SIM controls, Ofcom is moving fraud prevention further upstream rather than relying primarily on users to recognise suspicious messages.

The measures also reflect a broader regulatory trend towards placing more accountability on communications providers to combat digital fraud. If successful, the framework could reduce large-scale messaging scams while serving as a model for other jurisdictions seeking to strengthen telecoms security.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Spain promotes national cybersecurity support helpline

Spain’s National Cybersecurity Institute (INCIBE) has highlighted its free and confidential 017 helpline, which provides specialist advice on digital security issues for citizens, businesses, professionals and educational institutions.

The helpline provides guidance on scams, phishing, identity theft, compromised accounts, social media privacy, cyberbullying, device security and protecting personal information. It also advises on parental controls, online child safety, digital identity management and the safe use of apps and social media platforms.

INCIBE stressed that 017 is a cybersecurity advisory service rather than a reporting channel or technical support line. Specialists explain appropriate reporting procedures, direct users to the relevant authorities where necessary and assess each case individually.

The service is available daily from 8:00 to 23:00 via telephone, WhatsApp, Telegram, an online form and, by appointment, in person at INCIBE’s headquarters in León.

Why does it matter?

As cyber threats become more common, many users need trusted advice before or after an incident rather than only technical assistance or law enforcement support. Services such as INCIBE’s 017 helpline can help individuals and organisations respond more effectively while improving awareness of everyday cyber risks.

The initiative also reflects a broader shift towards strengthening national cyber resilience through public support services. By combining technical, legal and practical guidance in a single point of contact, governments can encourage earlier reporting, better cyber hygiene and more effective responses to digital security incidents.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

UK plans default overnight social media restrictions for teenagers

The UK government plans to introduce default overnight social media restrictions for 16- and 17-year-olds, alongside measures to limit features designed to encourage prolonged platform use.

Social media platforms will be expected to activate overnight restrictions from midnight to 6 a.m. by default for users in this age group. Teenagers will be able to change the settings, but the protections will be enabled automatically.

Autoplay and continuously personalised content feeds will also be disabled by default. The government said these features can encourage prolonged use and reinforce potentially addictive patterns of engagement.

The measures are intended to avoid a sudden reduction in online protections when children turn 16. They complement the government’s previously announced plans to prohibit social media services from being offered to children under 16 from spring 2027.

The proposals follow a government pilot involving more than 300 teenagers and parents across the UK. Participating families said the overnight restrictions became part of their routines and helped improve sleep and concentration.

Technology Secretary Liz Kendall said older teenagers should retain greater independence while continuing to receive protection from features that could negatively affect their wellbeing.

The government also plans additional protections for children using AI chatbots. Proposed measures include encouraging regular breaks for users under 18 and taking action against services that provide dangerous, misleading or unverified mental health advice.

Ministers will work with regulators and other government departments to consider further restrictions, including possible bans on chatbots considered to pose a serious risk to children. Guidance for children, parents and guardians will also be added to the Kids Online Safety Hub.

Schools will strengthen media literacy through Relationships, Sex and Health Education classes covering AI, chatbots, misinformation and harmful online content. From September 2028, media literacy will also be embedded across the National Curriculum, including lessons on AI, data science, source analysis and technological bias.

The first regulations supporting the under-16 social media restrictions are expected to be presented to Parliament by the end of 2026, with implementation and enforcement planned for spring 2027.

Why does it matter?

The proposals reflect a growing shift from focusing solely on access to social media towards regulating how digital services are designed and used. By targeting autoplay, personalised feeds and AI chatbots alongside age-based protections, the government is seeking to address features that may contribute to excessive use and online harms.

If adopted, the measures could further shape debates on youth online safety beyond the UK, reinforcing the trend towards safety-by-design, stronger protections for minors and greater platform responsibility for children’s digital wellbeing.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Australia’s eSafety report highlights gaps in child safety measures

Australia’s eSafety Commissioner has published its third transparency report assessing how major technology companies are tackling child sexual exploitation and abuse under the country’s Basic Online Safety Expectations.

The report concludes that significant gaps remain across major platforms, particularly in responding to the growing threat of sexual extortion targeting children and young adults.

The report examines the practices of Apple, Discord, Google, Meta, Microsoft, Snap and WhatsApp, highlighting shortcomings in proactive detection technologies, reporting tools and safety measures. According to eSafety, many platforms in Australia are not fully using available technologies, including language analysis tools capable of identifying coercive scripts used by offenders.

The report also identifies weaknesses in reporting mechanisms across several messaging services and notes that private messaging and video environments remain particularly challenging for detecting sexual extortion and livestreamed child sexual abuse.

Between July and December 2025, eSafety received more than 2,000 complaints relating to sexual extortion, with men aged 18 to 24 accounting for the largest group of victims. Separate research with the Australian Institute of Criminology found that more than one in ten adolescents aged 16 to 18 had experienced sexual extortion, while more than half of victims were first targeted before the age of 16.

The report also notes that Microsoft is currently the only provider using dedicated tools to detect and disrupt livestreamed child sexual abuse during video calls.

While eSafety acknowledged incremental improvements—including Google’s and Snap’s enhanced detection of known child sexual abuse material, Meta’s expanded grooming detection and Discord’s blocking of known child sexual abuse URLs—it argued that much stronger action is still needed.

The Commissioner called for wider deployment of proactive detection technologies, faster responses to victim reports and greater investment in tools capable of preventing abuse before it occurs.

Why does it matter?

The report highlights growing regulatory expectations that online platforms should actively prevent child sexual exploitation rather than rely primarily on user reports. As threats such as sexual extortion become more sophisticated, regulators are increasingly scrutinising whether companies are deploying available technologies to detect and disrupt abuse.

The findings also reinforce a broader shift towards safety-by-design in online regulation. By identifying gaps in detection, reporting and intervention, the report could increase pressure on technology companies to strengthen protections across messaging, social media and video services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

8th meeting – Plenary Session

Discussions on the five pillars of the framework for responsible
State behaviour in the use of information and communications
technologies in accordance with annex C of A/79/214 and annex I
of A/80/257 (continued)
Capacity-building

7th meeting – Plenary Session

Discussions on the five pillars of the framework for responsible
State behaviour in the use of information and communications
technologies in accordance with annex C of A/79/214 and annex I
of A/80/257 (continued)
Confidence-building measures

5th meeting Plenary Session

Discussions on the five pillars of the framework for responsible
State behaviour in the use of information and communications
technologies in accordance with annex C of A/79/214 and annex I
of A/80/257 (continued)
International law