
Legal Obligations

Reporting obligations, penalties, and practical guidance by jurisdiction.

Legal obligations vary depending on where your platform operates.

United States

Under 18 U.S.C. § 2258A, electronic communication service providers and remote computing service providers must report apparent CSAM to NCMEC's CyberTipline as soon as reasonably possible after obtaining actual knowledge. Following the REPORT Act amendments signed into law in May 2024, the reporting duty covers CSAM, child sex trafficking (§ 1591), and enticement of a minor (§ 2422(b)).

Report with all available content and metadata at the time of submission. Then delete the content from your systems immediately. Do not retain CSAM on your infrastructure. In many jurisdictions, possessing it - even for preservation purposes - is itself a criminal offense.

Knowingly and willfully failing to report carries fines of up to $600,000 on a first offense (or $850,000 if you have 100M+ MAUs), and up to $850,000 / $1,000,000 on subsequent offenses.

In practice, reporting limits your liability significantly. It is always in your favor to report. Providers are shielded from civil and criminal liability for actions taken in good faith under their reporting obligations.

NCMEC is effectively the global clearinghouse for CSAM reports. They route reports to the correct jurisdiction and add confirmed content to the most widely used hash databases, which prevents further spread.

United Kingdom

Avoid operating in the UK if you can.

The Online Safety Act 2023 is the most aggressive and poorly constructed online regulatory regime in the world. While it includes CSAM-specific obligations like hash-matching and reporting to the NCA, the problems go far beyond child safety. The Act attempts to regulate "content harmful to children" and "legal but harmful" categories across every user-to-user and search service with UK users - regardless of where the company is based. Neither category is defined in the legislation. What constitutes "harmful" is left entirely to Ofcom's interpretation, which can change at any time and has no fixed standard a platform can build to.

The UK legal system does not work like the US. Legislation is written vaguely by design, with the expectation that courts and regulators will interpret it over time. The OSA is a particularly severe example. Key obligations are defined in broad, subjective terms, and the codes of practice that give them practical meaning are still being written and revised by Ofcom. You are not complying with a fixed set of rules. You are complying with a regulator's evolving interpretation of intentionally ambiguous law.

Ofcom has broad and expanding enforcement powers, with fines of up to £18 million or 10% of qualifying worldwide revenue - structured to be existential for small platforms. They can update codes of practice, expand required safety measures, and issue technology notices compelling platforms to develop or deploy detection tools - including in end-to-end encrypted environments. Ofcom has demonstrated repeatedly that it will not act in good faith on enforcement. The compliance surface is open-ended, and the regime is built for non-compliance - not because platforms refuse to engage, but because the obligations are subjective enough that Ofcom can always find you lacking.

The Act introduces personal criminal liability for senior managers and corporate officers - defined broadly to include directors, managers, secretaries, and anyone purporting to act in such a capacity. Under Section 186, if an offense by the company is committed with the consent or connivance of an officer, or is attributable to their neglect, that individual is personally liable. This includes failure to comply with Ofcom's child safety enforcement notices, which carries up to two years' imprisonment. Ofcom can also compel named senior managers to attend interviews under caution. This is a regime that can put your executives in a UK prison for failing to satisfy obligations that Ofcom itself is still defining.

The duty to report detected CSAM to the National Crime Agency has been in force since November 2025. The NCA's reporting portal did not go live until April 2026. Ofcom indicated it would exercise discretion on enforcement during the gap - but the legal obligation existed regardless. If you report everything to NCMEC, the legislation states you do not need to duplicate reports to the NCA. In practice, expect Ofcom to scrutinize whether "everything" truly means everything.

If you must operate in the UK, budget accordingly and retain UK regulatory counsel permanently. Our recommendation is to not be in scope at all.

If you are not UK-based and have no meaningful UK traffic, block UK IP addresses entirely. Be aware that Ofcom has taken the position that VPN usage by UK residents can keep you in scope regardless - meaning no platform on earth can fully guarantee it is outside their jurisdiction.

European Union

The EU's regulatory picture is in flux. The Digital Services Act (DSA) already requires platforms to remove illegal content (including CSAM) upon becoming aware of it, and imposes transparency reporting obligations. A dedicated CSA Regulation has been under negotiation since 2022. As of early 2026, trilogue negotiations continue, and the regulation's final shape - particularly around mandatory detection orders - remains unresolved.

The temporary ePrivacy Directive derogation that allowed voluntary CSAM scanning in messaging services expired in April 2026. Whether platforms retain legal cover for voluntary detection in interpersonal communications is currently unclear.

If the CSA Regulation passes in its current Council form, expect mandatory risk assessments, reporting obligations to a new EU Centre, and potential fines of up to 6% of annual worldwide turnover. Plan for it, but don't build to it yet - the text is not final.

Canada

Under the Mandatory Reporting Act (S.C. 2011, c. 4), any person providing an internet service to the public must report CSAM-related URLs or IP addresses to the Canadian Centre for Child Protection (C3P). If you have reasonable grounds to believe your service is being used to commit a child pornography offense, you must also notify law enforcement as soon as feasible.

Penalties are modest - up to $10,000 for repeat violations - but the obligation is clear.

Australia

The Online Safety Act 2021 gives the eSafety Commissioner broad authority over platforms with Australian users. Mandatory industry codes require social media, messaging, file-sharing, and gaming services to proactively detect, remove, and disrupt CSAM. The eSafety Commissioner can issue removal notices and enforce compliance with civil penalties. Non-compliance with broader online safety obligations can result in fines up to A$550,000 per violation for platforms.

A note on NCMEC for non-US companies. Even if you are not a US-based provider and have no legal obligation to report to NCMEC, we strongly recommend that you do. NCMEC operates the largest and most effective global clearinghouse for CSAM reports. They will route your report to the appropriate jurisdiction regardless of where you or the content originate, and they will add confirmed material to the hash databases used by platforms worldwide. Reporting to NCMEC is the single most impactful thing you can do to prevent the further spread of a specific piece of content.

A note on preservation. Some jurisdictions require you to preserve CSAM and associated data for a set period after reporting. In practice, our advice is universal: include everything you have in the report itself, then delete the content from your platform immediately. Do not retain CSAM on your infrastructure. NCMEC has the content. Law enforcement can obtain it from NCMEC. Seek situation-specific legal advice if you intend to preserve.