Practical AI and SaaS for Business

UK Online Safety Act and AI Chatbots

Since February 2026, AI chatbots on UK business websites fall under the Online Safety Act's illegal content duties. Here's what that means in practice, and what Ofcom expects you to have in place.

Last verified: 18 July 2026. References checked against current legislation.

Editorial Perspective

You run a UK ecommerce site with an AI customer-service chatbot handling questions around the clock. The problem: since February 2026 that chatbot is regulated the same way a social platform is, and Ofcom can fine a business up to 10 percent of turnover for getting it wrong. This page explains what actually changed and what to check. No legal background needed. Five minutes.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

If you've already decided an AI chatbot is worth running on your website, whether for customer service, lead capture, or answering common questions, the next thing to work out is whether it now falls under a law that was originally written for social media platforms and search engines.

In short: the UK government confirmed on 15 February 2026 that AI chatbots fall under the Online Safety Act's illegal content duties, closing a loophole that previously let standalone chatbots operate outside the Act's scope. If your chatbot uses a large language model to generate responses (rather than following a fixed decision tree) and meets the Act's service definitions, Ofcom expects a documented risk assessment and harm mitigation measures. Ofcom can fine non-compliant businesses up to 10% of global annual turnover or £18 million, whichever is greater.

What actually changed, and why

The Online Safety Act was built around the idea of user-to-user services and search services, generative AI chatbots run by a single business for its own customers didn't fit either definition neatly. That created a real gap: a large social platform had illegal content duties, but a standalone chatbot answering the same kind of harmful query didn't. Technology Secretary Peter Kyle announced the change specifically to close that gap.

Is your chatbot actually in scope

A UK ecommerce store owner running an AI customer-service chatbot with 12 staff is a useful test case. If that chatbot uses a large language model such as the kind that powers ChatGPT, Claude, or Gemini to generate its responses, it's very likely in scope. A simple scripted decision-tree bot, the kind that just asks "choose an option 1, 2, or 3" and follows a fixed path, is not.

Per Ofcom's own explainer on AI chatbots and online regulation, some narrower chatbots fall outside the Act's scope entirely: ones that only let a person interact with the chatbot itself and no other users, that don't search multiple websites or databases to generate an answer, and that cannot generate pornographic content. A single business's own customer-service bot, built on a mainstream LLM and answering questions from its own website visitors, will usually meet the broader in-scope definition rather than one of these narrow exceptions.

What Ofcom actually expects

The obligations are the same illegal content duties that apply to any other in-scope service: a documented risk assessment covering what harmful or illegal content the chatbot could realistically produce or facilitate, proportionate harm mitigation measures, age assurance where the service could expose children to sensitive content, and ongoing monitoring rather than a one-off check. Ofcom's own enforcement role is to check that businesses have actually done this, not to pre-approve every chatbot before launch.

For most small businesses, this doesn't mean rebuilding the chatbot. It means having a written answer to "what could go wrong here, and what have we done to stop it" before Ofcom or a customer complaint asks the question, not after.

Why this is worth doing properly, not just on paper

The penalty exposure is real and not symbolic: up to 10% of global annual turnover or £18 million, whichever is greater, with the government's own framing making clear that senior managers can carry personal liability where a business has ignored its duties altogether. A business that never checked whether its chatbot is in scope, and never wrote down a risk assessment, is in a materially worse position than one that has, even if neither has ever had a real incident.

What harm mitigation actually looks like day to day

This doesn't mean hiring a full-time moderation team. For a small business, it typically means setting clear boundaries on what the chatbot is allowed to discuss, logging conversations so a pattern of misuse can actually be spotted, and having a simple process for a human to review and act on a flagged conversation rather than leaving the bot to run entirely unsupervised.

A business already running its chatbot through a mainstream vendor, rather than a custom-built model, should also check what safety controls the vendor already provides by default. Many mainstream chatbot platforms include basic content filtering out of the box, but relying on that alone without your own documented assessment is not the same as having done the assessment the Act expects.

What you can do about it

Three practical steps: check whether your chatbot is built on a large language model or a fixed script, since that determines scope; write a short risk assessment covering the realistic ways the chatbot could produce harmful, illegal, or misleading content and what stops it; and check whether the chatbot could expose under-18 visitors to anything requiring age assurance. Ofcom is also expected to publish a further progress statement on the scope of these rules by 29 July 2026, worth checking before treating any specific chatbot's status as fully settled.

This is planning guidance, not a compliance guarantee. Confirm your chatbot's specific status with Ofcom's published guidance or a qualified adviser before relying on any assessment as final.

FAQ

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Does a simple scripted chatbot with fixed menu options fall under the Online Safety Act?

Generally no. The rules target chatbots that use a large language model to generate open-ended responses. A fixed decision-tree bot that only offers pre-written options is a different kind of system and typically falls outside this specific change.

What's the actual penalty if a business gets this wrong?

Ofcom can fine a non-compliant business up to 10% of global annual turnover or £18 million, whichever is greater. The government has also signalled personal liability risk for senior managers in the most serious cases of ignoring the duties entirely.

Do I need to age-verify every visitor who uses my chatbot?

Only where the chatbot could realistically expose a visitor to content that requires age assurance under the Act. A general customer-service bot answering product questions is a different risk profile to one that could produce or facilitate sensitive content.

Is this rule likely to change again soon?

Ofcom is expected to publish a further progress statement on the scope of these rules by 29 July 2026. Check Ofcom's published guidance directly before treating any specific chatbot's status as permanently settled.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Considering an AI agent that does more than answer questions? Here's what UK cyber security guidance says before you give it more access.

Read the Agentic AI Security Guide