The Online Safety Act 2023 places a duty on online services to protect children from harmful content. Services likely to be accessed by children must implement age verification or age estimation measures that are 'highly effective' at correctly determining whether a user is a child.
The Act does not prescribe a specific technology. It sets an outcome standard and delegates the detail to Ofcom, which published its final guidance on age assurance in January 2025.
This distinction matters for businesses choosing a verification provider. The question is not which technology sounds most impressive. It is which method your customers will actually complete, while meeting the regulator's standard.
Ofcom's Guidance: What Counts as Highly Effective
Ofcom's guidance evaluates methods against four criteria: technical accuracy, robustness against circumvention, reliability, and fairness. Methods must meet all four to be considered highly effective.
Ofcom published a non-exhaustive list of methods it considers capable of being highly effective. They include: Open Banking (which underpins bank-verified identity), photo ID matching, facial age estimation, mobile network operator age checks, credit card checks, digital identity services, and email-based age estimation.
Methods that Ofcom confirmed are not highly effective include self-declaration of age and online payments that do not require the person to be 18.
The regulatory distinction here is significant. Businesses implementing a method rated as capable of being highly effective by Ofcom can demonstrate compliance with confidence. Methods outside this list carry greater regulatory risk.
For businesses evaluating their options, however, the regulatory rating is only half the picture. The other half is what happens to your customers during the verification process. A method can be technically compliant and still drive users away. See our guide to the hidden cost of verification friction for the commercial data on this.
Enforcement Is Real and Accelerating
Ofcom has moved quickly. Within days of enforcement beginning on 25 July 2025, investigations were opened into dozens of adult sites. The pace has not slowed.
As of February 2026, Ofcom has launched investigations into more than 90 online services and issued six fines for non-compliance. The most recent, announced on 13 February 2026, was an £800,000 penalty against Kick Online Entertainment for failing to put age checks in place to prevent children accessing pornographic content. In December 2025, an adult website operator was fined £1 million for the same failure, with an additional £50,000 fine for not responding to Ofcom's information requests.
Ofcom has also issued provisional non-compliance findings against three further providers, including 4chan, and expanded investigations into four additional companies operating 20 adult sites between them. In January 2026, Ofcom opened formal investigations into X (relating to the Grok AI chatbot) and an AI service called Joi.com, signalling that enforcement now extends beyond traditional adult content to generative AI platforms.
The maximum penalty is 10% of qualifying worldwide revenue. For businesses of any size, non-compliance is an existential risk.
On the first day of enforcement, the Age Verification Providers Association reported their members processed 5.7 million checks. The demand is immediate, sustained, and growing.
Compliance Without Completion Is Not Compliance
The first weeks of enforcement revealed something uncomfortable: technical compliance does not guarantee actual protection.
Within days of enforcement, VPN providers reported extraordinary sign-up surges from UK users. Proton AG reported 1,400 to 1,800% sustained daily increases in UK sign-ups, levels they described as "usually associated with civil unrest". NordVPN reported a 1,000% spike in UK subscriptions. Half of the top 10 UK App Store downloads on 25 July 2025 were VPN or identity verification apps. Comparitech reported a 943% surge in clicks to VPN comparison guides on enforcement day alone. VPN downloads on iOS grew 100% day-over-day for four consecutive days.
This was not a temporary blip. By December 2025, the House of Lords was debating VPN circumvention of age verification requirements. Childnet reported increased VPN use among children in the three months following enforcement, the precise population the legislation was designed to protect.
This pattern carries a direct commercial cost. If a verification method drives users to bypass it rather than complete it, the service is technically compliant but practically unprotected. The verification exists on paper. The users it was meant to reach are accessing content through circumvention tools instead.
For businesses, this creates a second problem beyond regulatory risk. Every user who downloads a VPN to avoid your verification step is a user who has decided your process is not worth completing. That is a customer experience failure with measurable consequences. The data on abandonment rates across different verification methods is covered in our comparison of the four types of age verification.
The Method Matters More Than You Think
All of the methods on Ofcom's list can satisfy the regulatory requirement. But they are not equal in what they ask of your customer.
Photo ID matching requires users to photograph a government-issued document and take a selfie. Facial age estimation uses AI to estimate age from a live image. Both require the user to do something they would not normally do when signing up for an online service. Both create moments of hesitation, privacy concern, and potential abandonment. The VPN surge data above shows what happens when users encounter methods they find disproportionate.
Bank-verified identity asks the user to log into their existing bank account. The bank confirms their age. No documents are photographed, no facial data is captured, no biometric information is collected. The process takes seconds, uses a login the user already knows, and involves an institution the user already trusts.
This is what bank-verified identity means in practice. The regulatory requirement is met. But critically, the user actually completes it.
What Businesses Should Do Now
If your service is likely to be accessed by children, or if you host content that could be harmful to children, the Online Safety Act applies to you. The obligations are live and Ofcom is enforcing.
Three things matter in your response.
First, implement a method from Ofcom's list of those capable of being highly effective. This provides the regulatory foundation. Operating without one is now measurably risky, as the fines issued in the past six months demonstrate.
Second, consider what your chosen method asks of your users. Compliance is the baseline. Completion is what determines whether your business is actually protected, and whether your customers stay or leave. Ofcom has acknowledged that VPNs cannot be blocked under the Act. The only defence against circumvention is a verification method that users are willing to complete.
Third, track the commercial impact. Measure completion rates, abandonment at the verification step, and any change in user acquisition cost. These numbers will tell you whether your compliance approach is working in practice, not just on paper.
FAQ Section
What age verification does the Online Safety Act require?
The Online Safety Act requires services likely to be accessed by children to implement age verification or age estimation measures that are 'highly effective' at determining whether a user is a child. Ofcom's guidance rates specific methods, with Open Banking receiving the designation as capable of being highly effective.
What is the penalty for not complying with the Online Safety Act?
The maximum penalty is 10% of qualifying worldwide revenue. As of February 2026, Ofcom has launched investigations into more than 90 platforms and issued six fines, including an £800,000 fine against Kick Online Entertainment and a £1 million fine against an adult website operator.
What does Ofcom mean by 'highly effective' age assurance?
Ofcom evaluates age assurance methods against four criteria: technical accuracy, robustness against circumvention, reliability, and fairness. Methods meeting these standards receive the 'highly effective' designation. Ofcom published a non-exhaustive list of methods it considers capable of meeting these criteria, including Open Banking, photo ID matching, facial age estimation, and digital identity services.
Is Open Banking approved for Online Safety Act compliance?
Ofcom's January 2025 guidance lists Open Banking as a method capable of being highly effective age assurance. OneID is the UK's leading Open Banking age verification provider, and the only one that is both FCA-regulated and DIATF-certified.
Can users bypass age verification with a VPN?
Ofcom's Chief Executive has acknowledged that the Act cannot prevent VPN use. VPN sign-ups surged by up to 1,800% in the days following enforcement. The most effective defence against circumvention is a verification method that users find proportionate and are willing to complete, rather than one that drives them to seek workarounds.
What is the difference between age verification and age estimation?
Age verification confirms a user's exact age against a trusted data source, such as a bank account or government-issued ID. Age estimation uses technology, typically facial analysis, to predict an approximate age. Both can qualify as highly effective under Ofcom's guidance, but they differ significantly in accuracy, privacy impact, and user experience. See our detailed comparison.
.png)
