If you’re deploying a public-facing AI chatbot in the UK, the Online Safety Act may apply — but for most internal business bots it doesn’t. Here’s how to tell in 2026, cited to Ofcom and gov.uk. (dgm implements osFoundry as an independent partner. General information, not legal advice.)

What the Act covers

The Online Safety Act 2023, regulated by Ofcom, applies to “user-to-user” and “search” services with UK links. The question for AI is: does your chatbot form part of such a service?

When a chatbot is (and isn’t) in scope

Per Ofcom’s guidance, a chatbot is generally out of scope if:

  • users only interact with the bot itself (no other users);
  • it does not search multiple sites or databases; and
  • it cannot generate pornographic content.

A chatbot is more likely to be in scope where it connects users to each other, functions as a search service across many sites, or could produce regulated content. AI-generated content is caught by Part 3 illegal-content and child-safety duties mainly where it’s user-generated (shared between users) or search content.

The practical takeaway

For most businesses, an internal assistant (helping staff retrieve knowledge, draft, or answer queries) is out of scope — there’s a single user interacting with the bot and no user-to-user element. A public-facing service that connects users or searches broadly needs an assessment. Don’t assume either way — check the specific deployment.

Duties and timelines

In-scope services must assess risks and put proportionate safety measures in place. Key dates:

  • illegal-content duties from 17 March 2025;
  • children’s-safety duties (including highly effective age assurance) from 25 July 2025.

Ofcom has also issued an open letter to providers on generative AI and chatbots.

Enforcement

Ofcom can fine up to 10% of qualifying worldwide revenue and, in the worst cases, seek business-disruption or blocking orders. So for in-scope services, this is not optional.

Where osFoundry and dgm fit

dgm builds chatbots with safety controls appropriate to the deployment — content filtering and guardrails, human escalation, and audit logging — on osFoundry, and helps you assess whether a given deployment is in scope. For internal assistants (the common business case), the priority is usually data protection and accuracy rather than the OSA; for public-facing bots, safety duties come into play. Data control is available via self-hosting or an EU region (osFoundry publishes US/EU/JP regions, not a UK one).

dgm is an independent integration partner with zero integrations so far, and not a law firm. Confirm scope with legal advice and Ofcom guidance. To scope a safe chatbot deployment, book a consultation with dgm.