PART 1

Citation, commencement, and extent

1.—(1) These Regulations may be cited as the Online Safety (CSEA Content Reporting by Regulated User-to-User Service Providers) Regulations 2025.

(2) These Regulations come into force on 3rd November 2025.

(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.

Interpretation

2. In these Regulations—

“the Act” means the Online Safety Act 2023;

“authorised person” has the meaning given in regulation 7(3);

“API” means an automatic programming interface which can be used to submit reports of CSEA content to the online portal;

“CSEA offence” means an offence specified in Schedule 6 to the Act;

“incident of CSEA content” is content which gives a provider—

“content moderation” means the measures which a provider is required to take to moderate content in accordance with section 10 of the Act;

“CSEA content” means CSEA content(2) as it relates to providers required to report CSEA content by these Regulations;

“online portal” means the online portal managed by the NCA(3) which has been provided for the purpose of enabling an authorised person to send reports of CSEA content to the NCA securely;

“organisation administrator” means the person designated in accordance with regulations 3 and 4 as the organisation administrator;

“platform” means part of the regulated user-to-user service, which the provider has control over;

“provider” means the provider of a regulated user-to-user service(4), which is required by section 66 of the Act to report CSEA content to the NCA;

“work” in the context of telephone numbers and email addresses, means a telephone number or an email address, at which an individual can be contacted during normal working hours.

PART 2Registration with the NCA

Registration of a provider of a regulated user-to-user service

3.—(1) Where a UK provider(5) of a regulated user-to-user service and a non-UK provider(6) of a regulated user-to-user service is required by section 66 of the Act to report certain CSEA content to the NCA, that provider must—

(a)nominate an appropriate person to be the organisation administrator;

(b)require the organisation administrator to register the provider of that service with the NCA and to complete the requirements in regulation 5 for using the online portal to submit reports of CSEA content to the NCA;

(c)require the organisation administrator to supply the details required by regulation 6 whenever a deputy organisation administrator is appointed:

(d)require the organisation administrator to comply with the requirements of regulation 7 and appoint an authorised person, in the case where a person other than the organisation administrator is to make reports of CSEA content to the NCA;

(e)require the organisation administrator to comply with the requirement in regulation 9, when appropriate.

(2) The organisation administrator must be a senior manager or other individual whom the provider considers has the appropriate role within the provider to be able to able to register the provider with the NCA.

Content moderation carried out by another entity or individual

4.—(1) On each occasion where the provider mentioned in regulation 3 has arranged for another entity(7) or individual to carry out the content moderation of the service, the provider must—

(a)inform the NCA of the name of the entity or individual who is to carry out the moderation of the service on behalf of the provider; and

(b)ensure that the entity who is to carry out the content moderation registers with the NCA and nominates an individual to be the organisation administrator; or

(c)ensure that the individual who is to carry out the moderation of the service, registers with the NCA and either carries out the role of organisation administrator or nominates another individual to do this.

(2) If the arrangement notified to the NCA under paragraph (1)(a) of this regulation ceases, the provider must—

(a)notify the NCA that this arrangement has ceased, and either,

(b)nominate an appropriate person to be the organisation administrator, or

(c)comply with the requirement in paragraph (1)(a), to notify the NCA of the name of the entity or individual who is to carry out the moderation of the service on behalf of the provider; and

(d)ensure that the entity, which is to carry out the moderation of the service, registers with the NCA and nominates an individual to be the organisation administrator; or,

(e)ensure that the individual, who is to carry out the moderation of the service, registers with the NCA and either carries out the role of organisation administrator or nominates another individual to do this.

(3) The provider must ensure that the arrangements entered into with the entity or individual to carry out content moderation of the service, require the entity or individual to comply with the requirements in regulations 5, 6, 7 and 9.

Details to be provided on registration of a provider

5.—(1) The requirements referred to in regulation 3(1)(b) are as follows—

(a)where the provider is an entity, the name of that entity, or if the provider is one or more individuals, the name those individuals use (if any) to refer to that provider;

(b)where the provider is a company with a registration number, the registration number;

(c)the organisation administrator’s work email address;

(d)if the entity was formed under the law of a country, the name of that country or if the entity was not formed under the law of any country, the country in which the entity was first established;

(e)where the provider is an entity, the names of any platforms and the website addresses of those platforms which the entity has control over;

(f)where the provider is one or more individuals, the names of any platforms and the website addresses of those platforms which those individuals have control over.

(2) The organisation administrator must also provide their work telephone number.

(3) After the NCA has verified the organisation administrator’s email address, the provider must provide—

(a)the full name of an emergency contact;

(b)the work telephone number of that emergency contact;

(c)the work email address of that emergency contact;

(d)the work address of that emergency contact;

(e)where the reports of CSEA content are to be sent to the NCA by an API, the provider must provide the name, work email address and work telephone number (including the international dialling code) for the point of contact responsible for the API.

Appointment of deputy organisation administrator

6. If another employee or individual is appointed to deputise as an organisation administrator, the provider must provide the NCA with the details of that employee’s work email address and work telephone number.

Appointment of authorised person

7.—(1) The provider must register each employee or individual who is to be authorised to report detected CSEA content to the NCA by supplying the following details to the NCA—

(a)first name;

(b)last name;

(c)work email address;

(d)work telephone number (including international dialling code).

(2) Following the notification of the information in paragraph (1), the NCA will supply that employee or individual with an account on the online portal.

(3) The employee or individual authorised to report CSEA content to the NCA is referred to in these Regulations as the “authorised person”.

Restriction for use of account to report to NCA

8. The provider must ensure that the terms of employment or other contractual arrangements prohibit access to the account which an authorised person has been allocated to report CSEA content to the NCA by any other employee or individual.

Requests from the NCA

9. The provider must respond as soon as possible, or in any event within 7 days, to any request from the NCA about the provider or the reports submitted.

Notification of cessation of reporting CSEA content to the NCA

10.—(1) A provider, who has registered to use the online portal under regulation 3, must notify the NCA, if that provider is required, or decides, to report CSEA content to a foreign agency(8) and will cease to report CSEA content to the NCA.

(2) The provider should give that notification one month or more before the day on which reports will no longer be sent to the NCA.

Definition of “senior manager”

11.—(1) For the purposes of this Part, a senior manager means—

(a)where the provider is an entity, an individual who plays a significant role in—

(i)the making of decisions about how the entity’s relevant activities are to be managed or organised, or

(ii)the actual managing or organising of the entity’s relevant activities, and

may reasonably be expected to be in a position to ensure compliance with the duties under these Regulations;

(b)where the provider is more than one individual, the individual designated by those individuals;

(c)Where the provider is one individual, that individual.

(2) For the purposes of paragraph (1), “relevant activities” means those activities relating to the reporting of CSEA content to the NCA.

PART 3Contents of report

Requirement for providers to report CSEA content

12.—(1) A provider must send a report to the NCA for each incident of CSEA content which the provider has detected as soon as possible in accordance with the requirements of regulation 18.

(2) A provider must send all the information which is required by Schedule 1 where that information is available on the provider’s service at the time of sending the report (“an initial report”).

(3) Where all the information required by Schedule 1 is not available at the time of making the initial report, the provider must make a supplementary report (“a supplementary report”) as soon as possible after the information has been obtained from the provider’s existing information.

(4) Where the provider has notified the NCA that another entity or individual is to carry out the moderation of the provider’s service, the provider must ensure that the arrangements with that entity or individual include a requirement that the entity or individual comply with the requirements of the regulations in Part 3 as to the contents of a report, and Part 4 as to the retention of data.

Requirement for a subsequent report

13.—(1) If a user(9) sending, or a user receiving, CSEA content, which has been included in a report to the NCA, sends that CSEA content to another user and the provider detects that previously detected CSEA content, the provider must make a further report in respect of the user who has forwarded that CSEA content.

(2) In a report mentioned in paragraph (1), the subsequent report should be linked to the unique reference number of the initial report by the provider, where that is available.

Priority assessment

14.—(1) Where the provider has reasonable grounds for judging that the content is CSEA content, the authorised person should (where possible) indicate the priority level of the report on the basis of all the relevant information reasonably available to the authorised person, according to the criteria set out in paragraph (2) of this regulation.

(2) Criteria for priority levels—

(a)Priority level 1: urgent, where there is information which suggests that there is current or imminent risk to a child and the provider believes that a crime is taking place or about to take place, and that a child is in need of immediate safeguarding or there is a threat to that child’s life;

(b)Priority level 2: where there is information which suggests that—

(i)a child is at risk in the near future,

(ii)there are reasonable grounds for inferring that contact offending has taken place, or

(iii)CSEA content has been recently generated, or

(iv)the provider considers that there is a need for swift action to be taken on other grounds.

(c)Priority level 3: where information does not indicate that either priority level 1 or priority level 2 applies.

Formatting requirements

15. The information required under regulation 12, 13 and 14 must comply with the formatting requirements set out in Schedule 2.

Manner of sending reports

16.—(1) The provider must ensure that the report and any information required by these Regulations must be submitted to the NCA using the online portal in accordance with the time required by regulation 18.

(2) Where the provider has notified the NCA of arrangements that have been made with another entity or individual to carry out the content moderation, the provider must ensure that these arrangements include a requirement for that entity or individual to submit the report and any information required by these Regulations to the NCA using the online portal in accordance with the time required by regulation 18.

(3) The authorised person may submit a report to the online portal by using an API or manually.

Data protection requirements

17.—(1) Where the provider is not required to comply with the data protection legislation, the provider, when implementing security measures and policies in accordance with these Regulations, has a duty to comply with the security of processing requirements in Article 5(1)(f) and Article 32 of UK GDPR.

(2) For the purposes of this regulation, “data protection legislation” has the same meaning as in section 3 of the Data Protection Act 2018(10).

Time frame for reporting

18.—(1) Where the provider who has submitted the report has indicated that in their opinion, priority level 1 should apply, the provider must send the report as soon as possible.

(2) Where the provider has not indicated that priority level 1 should apply, that provider must send the report as soon as practicable after making the judgement that the content is CSEA content.

(3) If the provider has not formed an opinion as to which priority level should apply, then the provider must send the report as soon as practicable after making the judgement that the content is CSEA content.

PART 4Data Retention

Data retention requirements

19.—(1) A provider who has sent a report of detected CSEA content to the NCA must retain the following for the period of one year, beginning with the date on which the report is submitted—

(a)the detected CSEA content,

(b)the information supplied in accordance with these Regulations, and

(c)any information which the provider has used to make a judgment that the content is CSEA content in accordance with section 192 of the Act.

(2) The provider must retain for the period of 4 weeks beginning on the day on which the report was submitted to the NCA the relevant data which is associated with the user who uploaded or made or shared the content which constitutes the incident of CSEA content in the report.

(3) For the purposes of paragraph (2), relevant data is data from the two week period ending on the day on which the CSEA offence was committed and includes—

(a)any digital files with content which the user has shared, uploaded or created on the platform;

(b)any digital files with metadata or communications data associated with that content;

(c)any digital files with geo local data in addition to that included in the metadata;

(d)any digital files with chat logs, public and private messages, and public comments created by the user;

(e)any digital files with information about connections with other accounts or attempts with other accounts.

Retention of records for reports

20.Providers must keep records of all their reports for a minimum of five years beginning on the day on which the report was submitted to the NCA.

Regulation 12

SCHEDULE 1CSEA Information to be included in reports

1. Information about the authorised person, who is submitting the report of CSEA content, must be included in the report—

(a)their name;

(b)the name of the entity for which they work;

(c)if the authorised person submitting the report is the provider, that provider’s name;

(d)their work email address;

(e)their work telephone number.

2. The following information about the detected CSEA content, where that information is reasonably available to the provider—

(a)the detected CSEA content;

(b)the method through which the CSEA content was detected;

(c)the platform on which the CSEA content was detected;

(d)whether the report relates to a previous report;

(e)if the report relates to a previous report, the unique reference number of that report, and any previous related reports;

(f)the time that the CSEA content was uploaded;

(g)the date on which the CSEA content was uploaded;

(h)exif data linked to the reported CSEA content;

(i)the URL of the webpage of the reported CSEA content at the point of upload;

(j)the numerical hash value of the detected CSEA content at the point classified as CSEA content.

3. Where the authorised person submitting the report has information available which enables that person to indicate which priority level should apply to the CSEA content in the report, the person should indicate, in their opinion, which priority level is appropriate in accordance with regulation 14.

4. The following information about the user identified by the provider uploading or sending or receiving the CSEA content must be included in the report where that information is held by the provider—

(a)the account username of that user;

(b)the email address of the user;

(c)the recovery email address of the user;

(d)the mobile number of the user;

(e)whether the user’s telephone number has been verified, and if so, the date on which it was verified;

(f)the URL of the user’s profile on the platform where the CSEA content was detected;

(g)the IP address of the user at the time of the upload of CSEA content and any port number associated with that IP address;

(h)the IP addresses used for the user’s account during the three months prior to the report being made, the time and date connected with that IP address and any port number associated with an IP address.

5. Where the provider has any identity documents for a user mentioned in the report, the provider may supply copies of these in the report.

6. Where the provider has other information reasonably available on their service that is relevant to the incident of CSEA content, this may be included.

7. A declaration that all the information reasonably available has been provided.

Interpretation of this Schedule

8. In this Schedule—

“exif data” means exchangeable image file format which is basic level metadata related to when, where and how the reported CSEA content was created;

“IP address” means the internet protocol address of a device on the network;

“port number” means a connection endpoint;

“URL” means the full universal resource locator of the address on the webpage where the CSEA content is being hosted at the time it was detected.

Regulation 15

SCHEDULE 2Formatting requirements

1. Dates must be provided in number format as DD/MM/YYYY.

2. Time must be provided in any international format and the authorised person must select the appropriate time zone for the time recorded by the provider’s system.

3. IP addresses must be formatted in the case of—

(a)an IPv4 address, as four sets of numbers separated by dots;

(b)an IPv6 address, as eight groups of four hexadecimal digits separated by colons.

4. Telephone numbers must include international dialling code applicable to the location of the provider or individual.