Fact check: What are the penalties for online crimes in the UK?

1. New Online Safety Offences Are Changing the Risk Landscape for Individuals and Platforms

The Online Safety Act 2023 creates offences criminalising behaviours such as cyberflashing, sending false information intended to cause non-trivial harm, and encouraging or assisting serious self-harm, signalling a statutory shift to treat certain harms as crimes rather than only civil or platform-moderation issues ^{[1] [3]}. The Act pairs those criminal offences with a regulatory regime that empowers Ofcom to set safety duties and issue fines to platforms that fail to comply, reflecting a dual approach: criminal sanctions for perpetrators and compliance-driven financial penalties for companies ^{[2] [1]}. This design aims to target both supply of harm and platform enabling.

2. Criminal Sentences Vary Widely: From Short Terms to Life in Extremis

UK criminal law applicable to computer misuse and related harms spans a broad spectrum of maximum penalties: unauthorised access offences can carry up to two years’ imprisonment, while offences causing or risking serious damage, especially where national security is implicated, carry maximums of life imprisonment under interpretations of the Computer Misuse Act and sentencing guidance ^{[4] [5]}. For newer online abuse offences introduced by the Online Safety Act, published materials indicate prison terms of up to five years for specified conduct such as cyberflashing or non-consensual sharing of intimate images, making mid-range custodial sentences the norm for many online abuse convictions ^{[3] [6]}.

3. Corporate Liability: Big Fines and Ofcom’s New Teeth

Under the Online Safety Act the state can impose financial penalties on platforms that fail in their legal duties to mitigate or remove harmful content, with fines up to £18 million or 10% of global qualifying revenue, whichever is higher, positioning regulatory risk as potentially existential for large tech companies ^{[2] [1]}. Ofcom’s expanded remit to enforce safety duties reflects a policy choice to shift responsibility for content moderation from private policy discretion into a statutory compliance framework, raising questions about proportionality, cross-border enforcement, and platforms’ incentives in content removal and appeals ^{[2] [1]}.

4. High-Profile Prosecutions Illustrate Severe Sentencing Where Harm Is Acute

Recent criminal cases demonstrate how traditional criminal law is applied to online-enabled abuse: an October 2025 conviction resulted in an 18-year custodial sentence for a dark web user convicted of multiple child sexual abuse offences including distribution of indecent images and causing children to engage in sexual activity, illustrating the top end of sentencing for egregious online sexual offending ^[7]. Such cases show courts treat child sexual exploitation and facilitation via online means as among the most serious crimes, with sentences reflecting the harm and culpability and reinforcing the message that online modality does not reduce criminal liability.

5. Legal Frameworks and Sentencing Guidance Emphasise Harm and Culpability

Sentencing for cyber offences relies on existing statutory maxima and sentencing guidelines that require courts to calibrate punishment to both the level of harm caused and the offender’s culpability, producing wide variability in outcomes ^{[6] [5]}. The Computer Misuse Act provides offence categories with different maxima — from unauthorised access to unauthorised acts causing serious damage — and judicial guidance explains that aggravating factors such as targeting critical infrastructure or organised offending push sentences higher, while limited technical sophistication and low harm can mitigate ^{[4] [5]}.

6. Where Reporting, Enforcement and Policy Still Leave Gaps

Government strategy documents stress enhanced capabilities and planning to defend against cybercrime, but publicly available summaries indicate policy statements without granular penalties or enforcement metrics, highlighting a gap between strategy announcements and operational transparency about prosecutions, resource allocation, and cross-border cooperation ^[8]. The combination of regulatory fines, criminal sanctions, and prosecutorial successes shows a comprehensive approach, yet practical challenges remain: platform compliance burdens, evidentiary collection for transnational online crime, and ensuring proportionality in enforcement across different offence types ^{[2] [8] [6]}.

7. Bottom Line: Expect Mixed Remedies and Case-by-Case Outcomes

The UK now uses criminal penalties, regulatory fines, and targeted prosecution to deter and punish online crimes; individual offenders face sentences from fines and short custodial terms up to life imprisonment depending on harm, while companies risk substantial financial penalties under Ofcom’s regime ^{[6] [2]}. Differences in maximum penalties reflect the policy aim to match punishment to both the nature of the conduct and the scale of harm, but outcomes depend on statutory classification, judicial assessment of culpability and harm, and the evolving enforcement posture of prosecutors and regulators ^{[1] [5]}.