Image moderation compliance: EU DSA and UK Online Safety Act
A working reference for legal and engineering teams on the image-moderation duties that the EU Digital Services Act and the UK Online Safety Act actually impose, and how an automated detection API plugs into the resulting workflows.
Published 2026-05-27

TL;DR. Complying with DSA image moderation requirements means running three workflows together: an Article 16 notice-and-action process, proportionate proactive detection on every upload, and annual transparency reporting on what your moderation did. The UK Online Safety Act imposes structurally similar duties on user-to-user services under Ofcom enforcement, with maximum penalties of up to 10% of global revenue or GBP 18 million. An automated detection API such as Pixicular's image analysis API supplies the scored output that powers all three workflows in both jurisdictions.
What the EU Digital Services Act requires for images
The DSA — Regulation (EU) 2022/2065 — is the EU's horizontal regime for online intermediaries. It applies to hosting services and online platforms offering services to recipients in the EU, regardless of where the provider is established. For platforms that host user-uploaded images, the regulation creates three interlocking duties that have to be implemented in code, not just in policy.
Article 16 is the headline obligation. It requires hosting services to operate a notice-and-action mechanism that lets any individual or entity submit a notice that specific content is illegal. The mechanism must be easy to access, electronic, and must enable a sufficiently precise and substantiated notice. The provider must process notices in a timely, diligent and non-arbitrary way and, when it acts, must produce a statement of reasons under Article 17 that the notifier can read. Article 14 adds clear terms-and-conditions duties; Article 20 adds an internal complaints handling system; Article 15 (and Article 24 for online platforms) requires public transparency reports.
Proactive detection is permitted but conditional. Article 7 clarifies that the use of voluntary investigative measures and own-initiative checks does not by itself disqualify a provider from the liability-shield framework, provided the measures are applied in good faith. Recital 26 of the regulation makes it explicit that automated detection is allowed alongside the required complaints and notice-and-action paths — but where automated tools are used, safeguards, documentation and a human review path are expected. The very large online platforms (VLOPs) designated by the Commission have an additional risk assessment and audit overlay under Articles 34 and 37.
The compliance pattern, in practice, is this: score every upload at the API gate; route by confidence to auto-approve, auto-block, or human review; keep the scored output, the policy threshold, the verdict, and (where applicable) the reviewer's ID in a structured audit log; and aggregate the audit log into the Article 15 transparency report.
What the UK Online Safety Act requires for images
The UK Online Safety Act 2023 imposes safety duties on user-to-user services and search services with a significant link to the United Kingdom. The Act is structured around three principal clusters of duty. Illegal content duties (Section 10) require services to operate systems and processes to mitigate the risk of illegal content appearing on the service and, where it does, to take it down quickly. Child safety duties (Section 12 onwards) apply to services likely to be accessed by children and require age-appropriate measures against content that is harmful to children, including pornography, violent content, and other defined categories. Complaints, terms of service, record-keeping and risk-assessment duties run across all of them.
The Act lists priority illegal content offences in Schedules 5, 6 and 7. For an image-moderation pipeline the practically important ones include child sexual abuse material, terrorism offences, intimate image abuse, threats to kill, fraud indicators, and a number of other categories. Every in-scope service must complete and keep current a written illegal-content risk assessment, must implement proportionate systems and processes to mitigate the identified risks, and must enable users to easily report content and complain about decisions.
Ofcom is the regulator. It issues codes of practice that explain what compliant systems look like in concrete terms; following a code is one route to demonstrating compliance, though not the only one. Ofcom can require information from any in-scope service under its information powers (Section 100 onwards), issue confirmation decisions, and ultimately impose financial penalties of up to 10% of qualifying worldwide revenue or GBP 18 million, whichever is greater. Section 77 transparency duties apply to services that Ofcom has designated as categorised.
The compliance pattern matches the DSA pattern closely. Every upload is scored at the API gate against the priority categories relevant to the service, with stricter thresholds applied where child safety duties are in scope; the borderline output is routed to a trained reviewer; the audit log records both stages. Detailed advice on how the moderation taxonomy maps to specific priority offences belongs in your codes-of-practice mapping exercise with counsel — but the underlying detection architecture is shared.
Side-by-side: DSA vs UK OSA
The duties differ in legal architecture but converge in engineering terms. Both regimes expect a documented hybrid moderation pipeline, both treat automated detection as a proportionality-enhancing tool rather than a substitute for a human review path, and both attach significant financial penalties to non-compliance.
| Dimension | EU Digital Services Act | UK Online Safety Act |
|---|---|---|
| Legal instrument | Regulation (EU) 2022/2065 — Digital Services Act. | Online Safety Act 2023 (United Kingdom). |
| In-scope services | Intermediary, hosting and online platform services offered to recipients in the EU. Very Large Online Platforms (VLOPs) have additional duties. | User-to-user services and search services with a significant link to the UK. Categorised services (Category 1, 2A, 2B) carry extra duties. |
| Core image-moderation duties | Notice-and-action (Art. 16), proportionate proactive measures with safeguards (Art. 7), statement of reasons (Art. 17), internal complaints handling (Art. 20). | Illegal content duties incl. priority offences, child safety duties for services likely accessed by children, complaints procedures, record-keeping. |
| Transparency reporting | All platforms publish annual reports (Art. 15); larger platforms publish more (Art. 24, Art. 42 for VLOPs). | Transparency reports required from categorised services on notice from Ofcom under section 77 of the Act. |
| Timeline | Fully applicable to all in-scope platforms since 17 February 2024; VLOP obligations have applied since August 2023. | Royal assent October 2023; duties phased in by Ofcom through 2025 as codes of practice and guidance are finalised. |
| Regulator | European Commission (for VLOPs) and national Digital Services Coordinators. | Ofcom. |
| Maximum penalty | Up to 6% of global annual turnover, plus periodic penalty payments. | Up to 10% of qualifying worldwide revenue or GBP 18 million, whichever is greater. |

How an automated detection API maps to the three duties
Notice-and-action, proactive detection and transparency reporting look like three separate workflows on paper, but they are all consumers of the same scored output. The detection API runs once per image and writes its result to the audit log; the three compliance workflows read from that same log.

Notice-and-action (DSA Article 16, OSA complaints procedure)
When a user submits a notice that an image is illegal, the backend looks up the image's most recent API score, attaches it to the case, surfaces the relevant policy snippets, and routes the case to a trained reviewer. The reviewer makes a decision; the system produces a statement of reasons under Article 17 (for the DSA) or a complaints decision (for the OSA); the notifier and the uploader are informed. The detection score does not decide the case but it materially shortens triage time and improves consistency across cases.
Proactive detection (DSA Article 7 framing, OSA illegal-content and child-safety duties)
Every upload is scored synchronously at the API gate against the moderation taxonomy that maps to your in-scope priority categories. Confident safe scores auto-approve, confident unsafe scores auto-block, the borderline middle band routes to human review. The proactive layer is the bulk-volume control: well-tuned, it lets the platform stay current with upload traffic while a small reviewer team handles the cases that genuinely need context.
Transparency reporting (DSA Articles 15, 24, 42; OSA Section 77)
The audit log is the source of truth. The detection scores, the policy thresholds applied, the verdicts produced, the reviewer identities (where relevant), the notice references, the appeal outcomes and the timestamps are all queryable as structured data. Annual or designated transparency reports are then a templated read against that table — not a separate data collection exercise.
Code: detection request and audit-record shape
The detection step is one multipart POST that returns scored moderation categories. The audit record is the durable representation of every decision, with enough structure to answer a regulator's information request without further joins. Combine the two and the same scored detection feeds the proactive gate, the notice-and-action triage, and the transparency report.
Step 1 — score the image
```bash
# Score an image against the moderation taxonomy plus cross-check labels
# in a single multipart request. The scored response feeds both the
# proactive pre-publish gate and the notice-and-action workflow.
curl -X POST https://api.pixicular.com/v1/detect \
  -H "Authorization: Bearer $PIXICULAR_API_KEY" \
  -F "image=@./user-upload.jpg" \
  -F "services=detect-moderation,detect-labels,detect-text"
```

See the API documentation for the full request and response schema. Pixicular bundles content moderation, label detection, OCR (text extraction), age estimation and face emotion detection behind one endpoint so a single multipart request can populate every field your audit record needs.
Step 2 — write the audit record
```typescript
// Persist the scored response alongside every moderation decision
// so DSA transparency reports and OSA audit responses can be assembled
// directly from the system of record.
type ModerationRecord = {
  imageId: string;
  uploadedAt: string; // ISO 8601
  apiVersion: string; // e.g. "pixicular/v1"
  scores: Record<string, number>;
  verdict: "approve" | "block" | "review";
  reviewerId?: string; // populated when a human ruled
  decidedAt: string; // ISO 8601
  noticeId?: string; // DSA Article 16 reference, if any
};
```

The exact field set is a product decision — at minimum it has to cover the scored output, the policy thresholds applied, the verdict produced, the reviewer identifier (when a human ruled), and the linkage to any DSA notice or OSA complaint. With that shape in place, transparency reports and regulator information requests become read-only queries.
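The confidence routing and record-keeping described above, as an added example rather than code from the original page or from Pixicular: it routes a scored upload through per-category threshold bands, writes a record that also carries the thresholds in force, and totals verdicts from the log. The type names, score keys, policy ids and threshold values are assumptions made for illustration.

```typescript
// Added example. Type names, score keys, policy ids and threshold values are
// assumptions for illustration, not Pixicular's schema or recommended settings.
type Verdict = "approve" | "block" | "review";
type ScoreBand = { review: number; block: number }; // review <= score < block goes to a human
type RoutingPolicy = { id: string; bands: Record<string, ScoreBand> };
type AuditRecord = {
  imageId: string;
  scores: Record<string, number>;
  policyId: string;
  thresholds: Record<string, ScoreBand>; // bands in force when the verdict was made
  verdict: Verdict;
  triggeredBy: string[]; // categories behind a non-approve verdict
  reviewerId?: string; // populated when a human ruled
  decidedAt: string; // ISO 8601
};

// Route one scored upload. The strictest outcome across categories wins, and a
// category the policy expects but the response lacks fails closed to review.
function route(scores: Record<string, number>, policy: RoutingPolicy): { verdict: Verdict; triggeredBy: string[] } {
  const blocked: string[] = [];
  const needsReview: string[] = [];
  for (const [category, band] of Object.entries(policy.bands)) {
    const score = scores[category];
    if (typeof score !== "number" || Number.isNaN(score)) needsReview.push(category);
    else if (score >= band.block) blocked.push(category);
    else if (score >= band.review) needsReview.push(category);
  }
  if (blocked.length > 0) return { verdict: "block", triggeredBy: blocked };
  if (needsReview.length > 0) return { verdict: "review", triggeredBy: needsReview };
  return { verdict: "approve", triggeredBy: [] };
}

function decide(imageId: string, scores: Record<string, number>, policy: RoutingPolicy, at: Date): AuditRecord {
  const { verdict, triggeredBy } = route(scores, policy);
  return { imageId, scores, policyId: policy.id, thresholds: policy.bands, verdict, triggeredBy, decidedAt: at.toISOString() };
}

// Transparency-report style totals: a read over the audit log, nothing else.
function summarize(log: AuditRecord[]): Record<Verdict, number> & { humanReviewed: number } {
  const totals = { approve: 0, block: 0, review: 0, humanReviewed: 0 };
  for (const r of log) {
    totals[r.verdict] += 1;
    if (r.reviewerId !== undefined) totals.humanReviewed += 1;
  }
  return totals;
}

// Constructed policies: the child-safety policy uses lower (stricter) bands.
const generalPolicy: RoutingPolicy = { id: "general-v1", bands: { nudity: { review: 0.4, block: 0.9 }, violence: { review: 0.5, block: 0.95 } } };
const childSafetyPolicy: RoutingPolicy = { id: "child-safety-v1", bands: { nudity: { review: 0.15, block: 0.6 }, violence: { review: 0.3, block: 0.8 } } };
// Constructed scores standing in for four scored uploads.
const decidedAt = new Date("2026-05-27T00:00:00Z");
const auditLog: AuditRecord[] = [
  decide("img-1", { nudity: 0.02, violence: 0.01 }, generalPolicy, decidedAt),
  decide("img-2", { nudity: 0.65, violence: 0.1 }, generalPolicy, decidedAt),
  decide("img-3", { nudity: 0.65, violence: 0.1 }, childSafetyPolicy, decidedAt), // same scores, stricter policy
  decide("img-4", { nudity: 0.02 }, generalPolicy, decidedAt), // violence score missing
];
console.log(summarize(auditLog));
```

Storing the thresholds on each record is what lets a later re-tuning or regulator query explain a past verdict after the live policy has changed.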
Designing the moderation taxonomy
The DSA and OSA do not prescribe a moderation taxonomy. They prescribe outcomes — that illegal content is detected and addressed proportionately, that complaints are handled consistently, that records are kept. The taxonomy your moderation API uses (nudity, sexual activity, suggestive, violence, drugs, weapons, hate symbols, gore, and so on) is the practical bridge between the legal categories and a vision model's scoring surface.
For a service relying on Pixicular's moderation output the taxonomy is fixed and documented; the configurable part is the threshold per category and the routing policy. For a child safety context, age estimation is often a second signal alongside moderation flags: an image that scores high on suggestive and also returns a low estimated age range is routed differently from the same image with an adult age range. The companion guide on age verification for age-restricted platforms covers that mapping in detail, including the limitations of age estimation as a sole control.
For the introductory framing of what an image moderation pipeline is and where it sits in the wider trust-and-safety stack, the page on what image content moderation is walks through the categories and the pipeline before getting to the regulatory layer.
Common compliance gaps and how to close them
In our experience the gaps that surface in DSA and OSA readiness reviews of image-moderation pipelines cluster into a small number of recurring patterns. They are worth screening for explicitly during integration.
- No structured audit record. Decisions exist as ticket notes or moderator messages rather than as queryable rows tying the scored output to the verdict. Transparency reports and regulator information requests then require ad hoc data engineering each time.
- Automated decisions with no human appeal path. Both regimes expect that an automated decision a user disagrees with can be appealed to a person. A complaints procedure that only reaches a human after the original decision is irreversible is not the complaints procedure either regime contemplates.
- No statement of reasons. Under DSA Article 17 a platform that restricts content must inform the affected recipient with a statement of reasons, including the factual circumstances and the legal or contractual ground. A pipeline that auto-blocks images silently does not meet that bar.
- Thresholds tuned by anecdote, not data. Routing thresholds drift over time as content distributions change. The defensible posture is a documented re-tuning cadence that re-reads precision and recall from the audit log and adjusts thresholds on the basis of measured data.
- Risk assessment treated as a one-off. The OSA child-safety duties and the DSA VLOP duties both contemplate that risk assessments are kept current. A six-monthly review tied to platform feature changes is a more defensible cadence than an annual checkbox.
None of these gaps is solved by a moderation API alone — they are pipeline and governance gaps. The API supplies the scored output that lets you instrument and measure each one.
Penalty exposure and timelines
The DSA has been fully applicable to all in-scope platforms since 17 February 2024; VLOP-specific obligations have applied since the late summer of 2023. Maximum fines are up to 6% of the provider's annual worldwide turnover for breaches of the regulation, with periodic penalty payments available to compel compliance and structural remedies available for repeat or systemic failures.
The UK Online Safety Act received Royal Assent in October 2023 and is being phased into force by Ofcom through 2025 as the relevant codes of practice, guidance documents and transparency regulations are finalised. Maximum fines are up to 10% of qualifying worldwide revenue or GBP 18 million, whichever is greater. Ofcom can also apply for business-disruption measures against persistent non-compliance and, in serious cases, senior managers can be exposed to personal criminal liability for specific information-power offences.
For most platforms the practical question is not the theoretical maximum but the cost of remediation once a regulator opens an inquiry. A documented, hybrid moderation pipeline with an auditable record is what shortens that inquiry. An ad hoc setup is what extends it. See the pricing page for the per-plan AI-operation allowances that fit different upload volumes, and the API documentation for the full request and response schema.
Frequently asked questions
How do you comply with DSA image moderation requirements?
Compliance with the EU Digital Services Act for image moderation rests on three pillars. First, a notice-and-action workflow under Article 16: users must be able to flag illegal images, the platform must acknowledge each notice, decide on it, and inform the notifier of the outcome with reasons. Second, proportionate proactive measures: where a platform chooses to deploy automated detection it must do so with safeguards, document the technology, and preserve a path for human review. Third, transparency reporting: regular reports must disclose moderation volumes, automated tooling usage, error rates and complaint outcomes. An automated detection API such as Pixicular supplies the scored output that powers all three duties — the same scored response feeds the notice-and-action triage queue, the proactive pre-publish gate, and the audit log feeding the transparency report.
What does the UK Online Safety Act require for image moderation?
The UK Online Safety Act 2023 imposes illegal content duties on user-to-user services and adds child safety duties on services likely to be accessed by children. In practice this means risk-assessing each priority illegal content category (including CSAM, terrorism, intimate-image abuse, and a defined list of other offences), operating systems and processes to prevent and quickly take down such content, providing a complaints procedure, and submitting transparency information when required by Ofcom. Image moderation is a core control surface for every duty: pre-publish scoring against the priority categories, a documented escalation to human reviewers for borderline cases, and an auditable record of every decision are what an Ofcom assessment expects to see.
What is DSA Article 16 and how does automated detection support it?
DSA Article 16 is the notice-and-action provision. Hosting services must let any individual or entity submit a notice that content is illegal; the notice must contain enough information to assess; the platform must process notices in a timely, diligent and non-arbitrary way; and it must provide a statement of reasons for any restriction. Automated image-detection APIs do not replace Article 16 — a human review path is still required — but they accelerate it. When a notice is filed against an image, the API rescores the asset against the moderation taxonomy, the score is attached to the case, and the reviewer reaches a decision with the evidence pre-attached. The same scored output also informs the statement of reasons returned to the notifier.
What are the penalties for failing DSA or OSA image-moderation duties?
Under the EU Digital Services Act, the European Commission and national Digital Services Coordinators may impose fines of up to 6% of a provider's annual worldwide turnover for breaches of its obligations, plus periodic penalty payments to compel compliance. Under the UK Online Safety Act, Ofcom may impose fines of up to 10% of qualifying worldwide revenue or GBP 18 million, whichever is greater, and may apply for business-disruption measures and senior-manager liability in serious cases. Both regimes also expose providers to reputational damage and follow-on civil claims. The penalty exposure is the practical reason regulated platforms invest in documented, auditable image-moderation pipelines.
Can a moderation API alone satisfy DSA and OSA duties?
No. Both the DSA and OSA expect a human review path alongside automated detection. Article 14 and Article 16 of the DSA require a complaints handling system and a notice-and-action workflow that ultimately produce reasoned decisions; Section 21 of the OSA requires a complaints procedure as part of the safety duties. A moderation API supplies the bulk-volume scoring layer that makes those obligations workable at scale, but the architecture regulators recognise is hybrid: API for every upload, human reviewer for the borderline queue and appeals, and an auditable record of both stages.
Wire a DSA- and OSA-ready moderation pipeline behind one API
The fastest way to evaluate Pixicular as the detection layer of a regulated moderation pipeline is to point a request at /v1/detect with a real upload from your platform and read back the scored output. Pick a plan on the pricing page and follow the API documentation for authentication and the full response schema for detect-moderation, detect-labels, detect-age, detect-text and detect-face-emotions.
Not legal advice. Confirm the specific obligations for your service, jurisdiction and user base with qualified counsel.