Adult-content sites and apps with UK users have needed real age checks at the door since 25 July 2025. For the visitor, that check is the first thing they meet. A few seconds of friction, or a clean confirmation and they are through. For the service owner, it is the line between a compliant operation and an Ofcom investigation. That single moment is where Online Safety Act compliance is now won or lost for many services.
This page covers who the duties actually apply to, what Ofcom counts as a strong enough age check, what enforcement looks like in practice, and how to choose a method your users will complete.
Work out whether your service is in scope, then complete and record a children’s access assessment and a risk assessment. Put proportionate safety measures in place. Where your service carries pornography or content harmful to children, those measures must include highly effective age assurance. Keep written records of every step.
Compliance is a process, not a single product you buy. The Online Safety Act 2023 splits the work across two duty routes. Part 5 covers services that publish their own pornographic content. Part 3 covers user-to-user and search services that allow pornography or other content harmful to children to appear.
For a Part 3 service, the sequence is set out in Ofcom’s Protection of Children Codes. You assess whether children can normally access the service. If they can, you complete a children’s risk assessment, then apply proportionate measures to manage the risks you found. You record each assessment in writing, name a person responsible, and review at least every 12 months and whenever the service changes materially.
For a Part 5 service, the requirement is more direct. Highly effective age assurance has to be in place now, and you should record the method you use and that it meets Ofcom’s criteria.
The age-check duties apply to services that publish their own pornographic content, and to user-to-user or search services that allow pornography or content harmful to children. This is not a blanket rule for every website. Scope depends on the content your service carries and who can normally access it.
A brochure site for a plumbing business carries no relevant content and falls outside the age-check duties. A forum that permits adult material, or a publisher of its own adult content, sits squarely inside them. The duty follows the content and the audience, not the existence of a website.
If your service can normally be accessed by children and carries content that is harmful to them, the Online Safety Act requirements bite. The first practical step is the children’s access assessment, which tells you whether you are in scope at all.
They are already in force. Services publishing their own pornographic content were directed by Ofcom from 16 January 2025 and needed measures fully in place by July 2025. Since 25 July 2025, all sites and apps allowing pornography must run Ofcom’s highly effective age verification checks for UK users. Ofcom is due to report on how well age assurance is working by July 2026.
The phasing ran across 2025. Children’s access assessments were due by 16 April 2025. Children’s risk assessments under the Protection of Children Codes were due by 24 July 2025, with mitigation operational from the following day. The deadlines have passed, so for any in-scope service this is a current obligation rather than a future one.
The July 2026 milestone is a statutory report Ofcom must publish on how services used age assurance and how effective it proved. As of June 2026 it is due but not yet published, so treat it as expected rather than settled.
Highly effective age assurance is an age check Ofcom judges to be accurate, robust, reliable and fair. Ofcom names a set of methods capable of meeting that bar. Self-declaration and ordinary online payment screens do not count. The method has to demonstrably keep children out, not simply ask their age.
Those four criteria, set out in Ofcom’s age assurance guidance of 16 January 2025, are the test every method is measured against. Accuracy is how well the check estimates or confirms age. Robustness is how well it resists circumvention. Reliability is whether it performs consistently. Fairness covers how it treats different users and demographics.
The reason self-declaration fails is straightforward. A tick-box that asks a user to confirm they are over 18 keeps nobody out. The same applies to a standard payment page, which proves a card works rather than confirming an adult is present.
Ofcom recognises seven methods capable of being highly effective: open banking, photo ID matching, facial age estimation, mobile network operator age checks, credit card checks, digital identity services including wallets, and email-based age estimation. The list is non-exhaustive, so other methods can qualify if they meet the four criteria.
The table below sets out what each method asks of the user and where it tends to fit.
| Method | What the user does | Where it fits |
| --- | --- | --- |
| Open banking | Confirms identity through their existing bank in seconds | High-completion check for banked adults |
| Photo ID matching | Uploads a passport or driving licence and a selfie | Strong assurance where a document is expected |
| Facial age estimation | Looks at the camera for an on-device age estimate | Fast, no document, good for broad audiences |
| Mobile network operator check | Confirms an over-18 mobile contract with their network | Frictionless where a contract is held |
| Credit card check | Verifies a UK credit card, which is restricted to over-18s | Quick for cardholders |
| Digital identity service (incl. wallets) | Presents a reusable verified credential | Reuse across services, low repeat friction |
| Email-based age estimation | Analyses the digital footprint of an email address | Lightweight signal, often paired with another check |

No single method suits every audience. A banked adult clears open banking in seconds, while a younger or unbanked user may need facial age estimation. Offering more than one method, with a sensible fallback, keeps drop-off down while meeting the standard.
Ofcom can fine a provider up to the greater of £18 million or 10% of qualifying worldwide revenue. It has already issued several age-check fines, the largest £1.35 million in February 2026, alongside separate penalties for ignoring information requests. Enforcement is running at portfolio scale, with investigations open into dozens of services.
The fines so far have landed on adult-content operators with weak or absent checks. In at least one case the failure was a photo upload that anyone could defeat, which is why robustness against circumvention sits among Ofcom’s four criteria. The pattern is sustained pressure across many services rather than one-off action.
The financial penalty is only part of the exposure. Ofcom can issue continuing daily penalties and direct a provider to put highly effective age assurance in place, which means the work has to be done regardless. Choosing a method that holds up to scrutiny is cheaper than retrofitting one under direction.
Choose a method that demonstrably meets Ofcom’s four criteria and that your users will actually complete. Weigh effectiveness against circumvention, privacy and data minimisation, accessibility, fairness across devices and demographics, and drop-off. A certified provider offering several methods lets you match the check to your audience rather than forcing everyone down one path.
Use these criteria when you compare options:
As a certified digital verification services provider, OneID covers five of Ofcom’s seven recognised methods, including open banking, photo ID matching, on-device facial age estimation, mobile network operator checks and digital identity credentials. The methods are orchestrated, so a service can offer the right check to each user and keep an audit-ready record of every one. For the person at the door, that often means a confirmation in seconds rather than a document upload they may never finish.
If you are weighing the methods in detail, start with the criteria, then test against your own audience. The right check is the one your users complete and Ofcom would accept.
Only if your service carries pornography or content harmful to children, and children can normally access it. A standard business or brochure site is not in scope. The first step is a children’s access assessment, which tells you whether the age-check duties apply to your service at all.
They are already in force. Services publishing their own pornographic content were directed from 16 January 2025, with full measures by July 2025. Since 25 July 2025, all sites and apps allowing pornography must run highly effective age checks for UK users. Risk-assessment deadlines fell in April and July 2025.
An age check Ofcom judges to be accurate, robust, reliable and fair, and that demonstrably keeps children out. Self-declaration tick-boxes and ordinary online payment screens do not qualify. Recognised approaches include open banking, photo ID matching, facial age estimation and other methods that meet Ofcom’s four criteria.
Ofcom recognises seven methods capable of being highly effective: open banking, photo ID matching, facial age estimation, mobile network operator age checks, credit card checks, digital identity services including wallets, and email-based age estimation. The list is non-exhaustive, so other methods can qualify where they meet the four criteria.
Ofcom can fine a provider up to the greater of £18 million or 10% of qualifying worldwide revenue. It has already issued several age-check fines, the largest £1.35 million in February 2026, plus separate penalties for ignoring information requests and continuing daily penalties where a breach persists.
No. The age-check duties apply to services that publish their own pornographic content, and to user-to-user or search services that allow pornography or content harmful to children. Whether your service is in scope depends on the content it carries and whether children can normally access it.
Choose a provider whose method demonstrably meets Ofcom’s four criteria of accuracy, robustness, reliability and fairness, and that your users will complete. Weigh privacy, accessibility, drop-off and auditability, and favour a certified provider offering several methods so you can match the check to your audience.