Ofcom Fines Youngtek £600K Under UK Online Safety Act

When the UK's Online Safety Act 2023 finally rolled into operational enforcement in the second half of 2025, the open question was whether Ofcom would actually fine non UK operators. The regulator answered that question repeatedly through the first half of 2026. The May 26, 2026 decision against Youngtek Solutions Ltd is the latest data point: £600,000 in total penalties against a Cyprus registered company running four adult websites accessible from the UK, with the bulk of the fine (£500,000) tied to failure to implement "highly effective age assurance" and the remainder (£100,000) tied to ignoring Ofcom's statutory information requests until well past the deadline. For compliance teams watching the OSA enforcement curve, this is the case that nails down the answer to two practical questions: yes, Ofcom will fine overseas firms; and yes, non cooperation with the investigation gets its own penalty on top.

Key Takeaways

• Ofcom fined Youngtek Solutions Ltd £600,000 on May 26, 2026 across two heads: £500,000 for failing to deploy highly effective age assurance, and £100,000 for failing to respond to Ofcom's statutory information request on time.
• Youngtek operates four adult websites accessible to UK users: empflix.com, imagefap.com, moviefap.com, and TNAflix.com. The company is registered in Nicosia, Cyprus, and was incorporated in 2008.
• The fine is the sixth Ofcom enforcement decision under the Online Safety Act since October 2025, after AVS Group Ltd (£1 million), 8579 LLC (£1.35 million), Kick Online Entertainment SA (£800,000), Itai Tech Ltd (£50,000), and 4chan and im.ge (£20,000 each).
• Youngtek eventually implemented age checks and responded to Ofcom, but only after the statutory deadline had already passed, which is what triggered the additional £100,000 procedural penalty.
• Maximum penalty under the OSA remains £18 million or 10 percent of worldwide qualifying revenue, whichever is higher; Ofcom has not yet imposed a fine anywhere near that ceiling.

What Did Youngtek Do Wrong?

The substantive £500,000 component of the fine relates to a single requirement under Part 5 of the Online Safety Act: providers of services that publish pornographic content and are accessible from the UK must use "highly effective age assurance" to prevent children from accessing that content. The standard, set in Ofcom's guidance, is technology that can reliably distinguish under 18 from 18 and over, not a simple "click to confirm you are 18" tick box. Acceptable forms of age assurance include photo ID checks, facial age estimation, credit card validation against an adult age verified record, and digital identity wallet attestations.

Per Ofcom's enforcement notice, all four Youngtek sites operated through the early enforcement window without any of those measures in place. Visitors from UK IP addresses reached the explicit content with nothing more than a basic landing page disclaimer. That is precisely the configuration the Act was designed to eliminate. George Lusty, Ofcom's director of enforcement, summarized the position publicly: "adult sites must use robust age checks to protect children in the UK from porn online."

Why Did Youngtek Get a Second £100K Penalty?

The Online Safety Act gives Ofcom information gathering powers under Section 100, which the regulator uses to compel regulated services to hand over data about their UK user base, age check arrangements, and revenue. Youngtek did not respond on time. Per the published decision, the company eventually did engage with Ofcom and did eventually deploy age verification on the four sites, but only after the original deadline had passed; the £100,000 procedural penalty is specifically for the missed deadline window.

This is a meaningful precedent for compliance officers. Ofcom is treating procedural cooperation as a separable head of penalty, not just as a mitigating or aggravating factor on the main fine. The implication for any organization that might receive an OSA information request: even if you ultimately comply on the substance, missing the response window has a price tag.

How Does Ofcom Decide These Fines?

Ofcom's published penalty guidelines under the Communications Act 2003, which it now applies to OSA cases, identify eight factors. In rough order of weight:

• Seriousness and duration of the breach.
• Degree of actual or potential harm caused.
• Financial benefits the firm earned from the non compliant operation.
• Preventative measures taken (or not) before Ofcom intervened.
• Whether the breach was deliberate or reckless and whether senior management knew about it.
• Prior compliance history.
• Cooperation with Ofcom during the investigation.
• Precedent from earlier Ofcom decisions.

Two of those weigh disproportionately in OSA cases concerning children's access to explicit content: degree of harm (where Ofcom signals a "child protection premium" in its analysis) and cooperation. Youngtek lost ground on cooperation. Compare with Kick Online Entertainment, which engaged earlier in its own investigation and drew a £800,000 fine for the substantive breach without the separate procedural penalty.

Will Ofcom Actually Collect From a Cyprus Company?

This is the cross border question, and the practical answer is "yes, through more than one route." The OSA gives Ofcom the power to issue business disruption measures against firms that fail to comply, which includes notices to UK based ad networks and payment processors instructing them to cease facilitating the non compliant service. The regulator can also seek judicial assistance from EU member state regulators under reciprocal enforcement arrangements, especially in cases where the firm is registered in an EU jurisdiction such as Cyprus.

In Youngtek's case, the firm chose to pay the fine and bring the sites into compliance rather than test the disruption mechanism. That is consistent with the pattern in the other OSA cases to date: foreign operators that initially ignore the regulator eventually settle once disruption is on the table. For compliance officers planning around the Act, the operational assumption now is that a UK accessible service is in scope regardless of where its corporate registration sits.

What Does This Mean for Other UK Online Services?

Two practical lessons. First, the OSA applies extraterritorially, and Ofcom is willing to push enforcement against firms that have no UK office. Any service that could plausibly be accessed by UK users and that hosts content the Act regulates, which spans adult content, content harmful to children, illegal content, and the wider user to user content surface, should plan as if Ofcom can and will issue fines.

Second, the procedural penalty for ignoring information requests is real, separate, and cumulative. Building a documented process for responding to UK regulator information requests on time is cheap insurance; missing the deadline is expensive insurance.

For privacy and compliance officers watching the broader regulatory enforcement curve, see also the Ofcom big tech child safety risk assessments and platform pushback in May 2026, where YouTube and TikTok declined to commit to algorithmic feed changes. The Youngtek decision will read into those bigger cases as the precedent that Ofcom is willing to fine on principle, not just settle through informal pressure.

What Happens Next?

Two near term outcomes. Ofcom's enforcement queue continues to be loaded with adult content cases because those have the cleanest statutory test under Part 5, but the regulator has been clear that Part 3 cases (illegal content) and Part 4 cases (content harmful to children on general user to user services) are next. The Meta legal challenge to OSA fines tied to global revenue, reported earlier in May 2026, is the case that will set the ceiling on the bigger penalties when it comes; until that case resolves, expect Ofcom to keep building enforcement precedent in the £500K to £1.5M range against smaller firms.

Longer term, the procedural deadline penalty is going to harden into a pattern. Once a regulator gets a clean win on a procedural breach as a separable head of fine, that head appears in every subsequent decision. The cheapest compliance investment for any UK accessible service this year is a working escalation procedure for Ofcom information requests.