Successfully navigating the UK’s Online Safety Act and the EU’s Digital Services Act

Stefan Cirjan

Account Manager

Large tech companies have recently come under close scrutiny from regulators around the world. In particular, those active across the EU and the UK will have to protect their reputation and comply with two recent pieces of legislation: the UK’s Online Safety Act (OSA) and the EU’s Digital Services Act (DSA). While both aim to address similar concerns, they differ in their approach and implications. The question then follows: What should companies do to stay ahead of the regulatory curve and defend their image?

 

Overview of the two legal frameworks

The OSA seeks to tackle issues relating to harmful content online. The law applies to search services and to user-to-user services that allow individuals to share content online. It imposes rules, known as “duties of care”, using a risk-based approach, with large or higher-risk online platforms subject to more extensive obligations. The OSA empowers Ofcom to enforce compliance, with fines reaching 10% of global turnover and potential criminal liability for non-compliance.

The focus of the OSA is for tech companies to proactively assess risks of harm to their users and put in place systems and processes to keep them safe online. However, businesses don’t have the final picture yet, as many of the detailed requirements of the OSA will be set out in secondary legislation and Ofcom codes of practice later this year.

With Ofcom currently carrying out several consultations to draft its guidance on the application of the OSA, it is essential for businesses to engage with the regulator not only to be able to impact the outcome but also to be seen as a constructive player and demonstrate good faith towards customers, investors and the wider public.

On the other hand, the EU’s DSA, which was proposed as a reform to the e-Commerce Directive, addresses issues such as content moderation, online advertising, and the responsibilities of large digital platforms. The DSA introduces obligations for platforms to mitigate risks, including measures to combat illegal content and ensure transparency in advertising practices. Similarly to the OSA, it uses a tiered approach, with Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) having to comply with the most extensive obligations.

 

How do the two frameworks compare?

There are several similarities and differences between the two laws. They both impose obligations or duties on tech companies using a risk-based approach. Category 1 services will have additional duties compared to Category 2 services in the OSA, just as VLOPs and VLOSEs have more obligations to comply with under the DSA.

The DSA covers a wider range of digital services and illegal content, whereas the OSA has a narrower focus, categorising illegal content into general and priority offences while addressing specific online harms. This means the OSA not only regulates illegal activity but also legal yet harmful material such as bullying and content encouraging self-harm.

Crucially, Ofcom’s enforcement powers include significantly higher fines of up to £18m or 10% of a company’s global turnover, and criminal sanctions against senior managers in certain circumstances, whereas the DSA permits fines of up to 6% of global annual turnover.

 

Effective communication is key

For a tech company navigating the regulatory landscape in the UK, proactive and transparent communication can mean the difference between reputational damage and resilience. Effective engagement and communication strategies can help businesses understand the implications of the legislation, engage with policymakers to positively influence decision-making, and demonstrate their commitment to responsible business practices.

Tech companies should proactively communicate their efforts to enhance online safety and transparency, thereby building trust with consumers and regulators alike. By engaging in constructive dialogue with government agencies, industry associations, and civil society groups, businesses can help to shape regulatory outcomes in a way that balances regulatory objectives with business interests.

Proactive engagement often requires significant time and resources, as well as careful navigation of different interests and priorities to build consensus among business groups. And despite efforts to influence outcomes, there is no guarantee that regulatory decisions will align with the interests of the company.

In addition to proactive engagement, it is also critical for tech companies to develop crisis communication plans to manage reputational blowback arising from potential regulatory non-compliance or negative publicity. Crises often require immediate responses, leaving little time for thorough planning, which increases the risk of missteps and ineffective communication. By addressing these concerns proactively, businesses can effectively maintain control of the narrative and mitigate the impact of regulatory challenges on their reputation and market credibility.
