The UK has taken another step in moving online safety compliance beyond content moderation into formal law enforcement reporting. Since 7 April 2026, regulated user-to-user (‘U2U’) services covered by the UK’s Online Safety Act (‘OSA’) must implement systems and processes to report, so far as possible, detected child sexual exploitation and abuse (‘CSEA’) content to the UK’s National Crime Agency (‘NCA’), with commencement for search services expected later. The Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2026 set out the practical steps by which in-scope U2U services must report detected and unreported CSEA content to the NCA, in line with their duties under the OSA.
From Moderation to Mandatory Reporting
This matters because the regulations do more than require platforms to remove CSEA content. They require in-scope U2U service providers to operate systems and processes that secure, so far as possible, that they report detected and unreported CSEA content to the NCA.
UK-based providers must report all detected and unreported CSEA content present on their service, while for non-UK providers, the reporting obligation is limited to UK-linked detected and unreported CSEA content.
How the provider becomes aware of the content is irrelevant. Detection may come from user reports, reports from child protection bodies, hash matching for known CSAM, or other proactive measures. At the same time, the reporting duty does not itself require providers to deploy any particular detection technology. The legal trigger is detection, not a standalone obligation to detect.
The UK regime is not intended to require duplicative reporting of the same content. The 2026 regulations’ explanatory note and official guidance state that content that has already been reported to a qualifying foreign body performing corresponding functions, such as the U.S. National Center for Missing & Exploited Children (‘NCMEC’), is not considered “unreported” and should not be reported again to the NCA.
Practical effect
Until now, some services may have treated CSEA removal as the end of the compliance exercise. Ofcom has noted that before this duty to report took effect, some CSEA content was being removed from services without law enforcement ever being made aware of it, potentially reducing opportunities to identify offenders and safeguard victims.
Now, once an in-scope provider detects unreported CSEA content, the question is no longer just whether the content should come down. The provider must also assess whether the content is unreported and, for non-UK providers, UK-linked, and whether a report to the NCA is required.
Ofcom notes that many US-based services already report to NCMEC and that some non-US services do so voluntarily. In contrast, the UK regime creates a direct domestic reporting obligation to the NCA for in-scope services, subject to the carveout for content already reported to an equivalent foreign agency.
For many providers, the most immediate work will be operational. The 2026 Regulations require registration with the NCA and prescribe how reports must be submitted, what information must be included where available, and related procedural requirements. Providers should review existing moderation and escalation workflows now to make sure detected CSEA content is routed into a process that can support NCA reporting where required.
Providers should resist the temptation to treat this as purely a reporting issue divorced from broader OSA compliance. The OSA requires illegal content risk assessments, and Ofcom’s illegal content codes recommend moderation measures and, for certain high-risk file sharing and file storage services, automated tools such as perceptual hash matching to identify and remove CSAM quickly. Those measures are independent of the reporting duty, but they will often shape what content is detected and therefore what reporting obligations are triggered.
Takeaway
Removal alone is no longer enough. For UK-based providers, all detected and unreported CSEA content on the service must be reported. Non-UK providers must report detected and unreported UK-linked CSEA content. Providers that already report to NCMEC or another equivalent foreign body should confirm whether that reporting fully covers the content that would be reportable under UK law; if not, they may still have to report to the NCA.
The immediate compliance question is not only whether a service can remove CSEA content quickly. It is whether the service’s systems and processes are built to ensure that detected content is escalated, assessed, and reported where UK law requires it.