What maximum fines does the Online Safety Act 2023/2024 allow for corporate breaches?

Checked on November 11, 2025

Executive Summary

The Online Safety Act 2023 creates a corporate penalty regime that allows Ofcom to impose maximum fines equal to the higher of £18 million or 10% of a provider’s qualifying worldwide revenue (QWR) for breaches of its safety duties, a ceiling repeatedly stated in legal commentary and government-facing explanations of the Act. The law also introduces separate criminal exposures for senior managers and overlaps with other regimes — notably the Data Protection Act 2018 fines — that can multiply a company’s total penalty risk, so the headline corporate ceiling should be read alongside these complementary enforcement mechanisms [1] [2] [3].

1. How big is the hammer? The headline fine and what “qualifying worldwide revenue” means

The Act’s single largest civil sanction for corporate breaches is either £18 million or 10% of qualifying worldwide revenue, whichever is greater, which aligns the regime with modern global tech penalties by referencing revenue rather than a fixed cap alone. This formulation appears across regulatory summaries and expert analyses describing Ofcom’s powers, and the 10% measure is specifically tied to a provider’s qualifying worldwide revenue (QWR) rather than narrower domestic turnover, meaning the calculation captures global receipts subject to prescribed adjustments in secondary rules. Government and industry explainers reiterate the upper limit in identical terms, signaling regulatory intent to ensure fines scale with very large, multinational platforms that might otherwise treat a fixed-sterling cap as a cost of doing business [1] [2] [4].

2. Where this figure comes from and how commentators describe it

Legal briefings and industry commentary uniformly cite the £18 million or 10% QWR formulation when explaining the Act’s maximum corporate penalty; these sources frame the change as harmonising UK practice with international trends toward turnover-based sanctions. Some sources foreground the £18 million number as the explicit sterling cap while others emphasize the 10% global-revenue test as the operative ceiling for very large firms. The repeated restatement across summaries and practitioner notes shows consensus about the Act’s headline metric, but interpretations vary on whether supplementary guidance and Ofcom’s penalty framework will shift how often and at what scale each limb (fixed sterling amount versus percentage) is applied in practice [5] [1] [2].

3. Enforcement beyond fines: criminal liabilities and overlapping sanctions

The Act couples Ofcom’s civil fines with criminal offences for senior managers who obstruct information requests or fail to comply with duties, creating potential personal liability that sits alongside corporate penalties. Separate regulatory regimes remain relevant: breaches involving personal data can trigger Data Protection Act penalties (historically up to 4% of global turnover or a fixed sterling figure), and commentators warn that overlapping enforcement avenues can multiply financial exposure and reputational risk for firms. Analysts and legal firms highlight this layered enforcement architecture as a material practical consideration for compliance budgeting and corporate governance, since the maximum civil fine under the Online Safety Act is not the only significant monetary or criminal consequence companies face [3] [4] [6].

4. Divergent interpretations and where sources disagree or add nuance

While sources agree on the headline ceiling, nuance emerges over terms used — some explain the figure as “10% of the company’s annual turnover” while others correctly specify 10% of qualifying worldwide revenue (QWR) — a narrower technical term that can alter calculations for multinational entities. A few legal explainers focus more on criminal sentences in the Act’s new offences rather than the civil fine ceiling, which can create confusion in public summaries that omit the QWR detail. Industry pieces occasionally emphasize the sterling amount as the salient cap for UK-only firms, while regulatory guidance stresses the QWR test for global platforms, revealing an important difference in emphasis that matters for companies depending on their revenue footprint and cross-border operations [5] [1] [2].

5. What to watch next: Ofcom guidance and secondary rules that will decide impact

The statutory ceiling is fixed in primary legislation, but practical enforcement will depend on Ofcom’s penalty framework, consultations and secondary rules defining QWR and enforcement processes, which sources indicate are under active development and consultation. Because Ofcom has discretion in applying penalties and because secondary instruments will specify revenue calculations and mitigating/aggravating factors, the ultimate frequency and size of penalties will reflect policy choices and enforcement priorities that emerge during rulemaking and case-by-case decisions. Observers with different agendas — industry groups seeking clarity and lower exposure, and consumer advocates pressing for tougher enforcement — will press Ofcom and ministers as those technical rules are finalised [4] [7] [6].
