$164.5 billion in 2024 revenue. A theoretical maximum fine of more than $16 billion in a single enforcement action. An Ofcom enforcement unit of fewer than 50 people tasked with delivering it.
Those three numbers describe the entire operating logic of Britain’s flagship internet law. Under the Online Safety Act, the UK media regulator can fine Meta 10% of Mark Zuckerberg’s company’s qualifying worldwide revenue. The team inside Ofcom responsible for building, investigating, and issuing those penalties operates with limited resources. That is the entire operational footprint pointed at the largest, most lawyered-up consumer platforms on earth.
The mismatch is not a footnote. It is the central fact of how the law actually works in practice.
Meta is now challenging Ofcom in the High Court over the fee and penalty methodology that produces those headline numbers. The company’s lawyer, Monica Carss-Frisk KC, told the court the regulator’s approach is troubling and results in a handful of companies, such as Meta, bearing the vast majority of Ofcom’s costs. Legal proceedings are ongoing, with a full hearing expected later this year.
What the headline number actually means
The Online Safety Act came into force in 2025. Buried in the penalty section is the formula every compliance officer in Menlo Park, Mountain View and Shenzhen has now memorised: a maximum fine of 10% of qualifying worldwide revenue, or £18 million, whichever is greater.
Meta’s 2024 revenue was approximately $164.5 billion. Ten percent of that figure is more than $16 billion, larger than the combined market cap of most FTSE 250 constituents on any given Tuesday. A single Ofcom confirmation decision could, in theory, take a bite out of Meta worth more than the company’s entire UK headcount cost for a decade.
Alphabet’s exposure is similar. ByteDance, Microsoft, Amazon, Apple, Snap, X, Discord, Telegram all sit inside the same penalty band. The Act gave Ofcom the biggest enforcement hammer any media regulator outside Beijing has ever wielded over American tech.
Then it gave the hammer to a team operating with limited resources.
The resource challenge
Ofcom’s online safety enforcement directorate sits inside its broader online safety group. The unit specifically responsible for opening investigations, issuing information notices, drafting provisional decisions and ultimately signing confirmation notices operates with limited resources compared to the platforms it regulates.
Fewer than 50 people, against the largest content platforms on earth.
To put the asymmetry in human terms: Meta’s policy, legal and government-affairs apparatus is substantial. Its UK-facing legal bench alone is significantly larger than Ofcom’s enforcement team. The regulator is, by headcount, structurally outgunned in every individual case it opens.
That is why the first confirmation decision under the Act has been studied so carefully by every compliance lawyer in the City. The penalty was modest, the target small, the reasoning closely watched. As Latham & Watkins partners noted in their post-mortem of the case, the procedural choreography Ofcom used (information notice, provisional notice, confirmation decision) is the template every future enforcement will follow. Each step takes months. Each step is appealable.
The Telegram problem, in miniature
Consider the most consequential live investigation. In April, Ofcom opened a formal investigation into Telegram over its handling of child sexual abuse material and its compliance with illegal-content duties under the Act. Telegram operates with a famously thin moderation team.
An Ofcom investigation of Telegram means a small team in London exchanging information notices with Telegram’s team, mediated by external counsel on both sides, over a years-long procedural timeline, against the backdrop of an ongoing French criminal case against Pavel Durov. The enforcement bandwidth required for one such investigation is substantial. Ofcom has to run it alongside investigations into recommender systems at TikTok and YouTube, age-assurance compliance across hundreds of pornography sites, illegal-content reviews at Discord and Reddit, and now a High Court defence against Meta.
In May, the regulator condemned TikTok and YouTube after its own research found 73% of UK teens still encountered harmful content through recommender feeds. Both platforms rejected Ofcom’s proposed remediation. There is no mechanism for the regulator to force feed-algorithm changes without going through the full multi-month enforcement pipeline. The clock keeps running while the harm continues.
Why Meta is suing over the fee formula
The High Court case is, on its face, about money. Ofcom’s operating costs for online-safety work are funded by levies on the firms it regulates, and the formula loads most of the bill onto the largest platforms. Meta’s lawyers argue this produces a disproportionate outcome where a handful of US firms subsidise the entire regulatory architecture. But the deeper issue is the methodology itself. Carss-Frisk argued that the calculation of qualifying worldwide revenue is not tied specifically to earnings from UK services, meaning a fine for a UK breach could be calculated against Meta’s revenue in São Paulo, Jakarta and Lagos. A Meta spokesperson told the BBC that penalties should be based on revenues generated in the countries where regulated services operate, while adding that this approach would still allow Ofcom to impose the largest fines in UK corporate history. Epic Games and the Computer and Communications Industry Association are seeking to intervene, and Mr Justice Chamberlain described the issues as being of wide public importance.
If Meta wins or partially wins, the headline maximum penalty drops by an order of magnitude. The $16 billion ceiling becomes something closer to a UK-revenue-derived figure. Still enormous, but no longer existential. The deterrent effect that justifies the small enforcement headcount weakens correspondingly.
The insurance question nobody asks out loud
There is a second pressure release valve that has received almost no public attention. Across European jurisdictions, the question of whether regulatory fines can be insured against, and therefore effectively transferred off the offending company’s balance sheet, remains one of the most contested issues in cyber risk and insurance law. UK courts have historically taken a dim view of insuring deliberate or reckless wrongdoing. The position on negligence-adjacent regulatory penalties is murkier.
For a platform the size of Meta, a $16 billion uninsurable penalty is a board-level catastrophe. For the same platform, a partially insurable penalty calculated against UK-only revenue is a manageable line item. The two scenarios produce entirely different compliance behaviours upstream of any actual breach.
What a small team can actually do
Regulators that work well under resource asymmetry tend to follow a particular playbook. They pick a small number of high-profile cases. They prosecute them slowly and visibly. They publish detailed reasoning so the rest of the market self-regulates against the template. They lean heavily on disclosure duties, where the platform itself has to produce the evidence. And they accept that most violations will go uninvestigated.
This is the structural reality of every modern tech regulator. Resource constraints affect enforcement across jurisdictions, requiring strategic prioritization of cases.
Penalty size on paper is not the same as collected revenue. Clearview AI built a facial-recognition database of more than 30 billion scraped images and has, in practice, ignored the European fines levied against it. A €20 million penalty from Italy’s Garante does not translate into €20 million arriving in the Italian treasury.
The October hearing as a forcing function
What happens in the High Court will reshape the global template. The UK Online Safety Act is the most aggressive online-content regime any English-speaking democracy has yet attempted. Australia, Canada and several US states have been watching closely. If Ofcom’s penalty methodology survives the Meta challenge intact, the 10%-of-global-revenue model becomes the de facto international standard for content regulation. If it doesn’t, every jurisdiction drafting equivalent legislation goes back to first principles.
For the platforms, the calculation is simple. Spend tens of millions on this case to potentially save tens of billions in future exposure. For Ofcom, the calculation is harder. Defending the case ties up senior legal and policy capacity that would otherwise be running the Telegram investigation, the TikTok recommender review, the age-assurance enforcement and the first wave of confirmation decisions against smaller sites that cannot afford to fight.
A small enforcement team cannot be in court and at Telegram and at TikTok and at the age-assurance backlog simultaneously. Something has to slip. The platforms know this. The litigation strategy is partly designed to ensure that the thing that slips is the enforcement against them.
The number to watch
Ofcom has said it will robustly defend its methodology. The regulator’s spokesperson told the BBC the calculation is based on a plain reading of the law.
Whichever way the High Court rules, the more interesting figure is not the theoretical maximum penalty. It is the cumulative total of fines actually levied, collected and not overturned on appeal by, say, the end of 2027. That number, when it arrives, will be the real measure of what the Online Safety Act does. Right now it sits at a few hundred thousand pounds, against a regulated sector measured in trillions.
The gap between a $16 billion headline penalty and an enforcement team of fewer than 50 is not an administrative oversight. It is a political choice dressed up as a legal regime. Parliament wrote a law that sounds like it means to bring American platforms to heel, and then funded it like a mid-sized trading standards office. The deterrent lives in the press release. The enforcement lives in the spreadsheet. One of those two things has to give, and the platforms have already worked out which one it will be.
-1024x683.jpg "Florida Roads Become a Battleground for Illegal Immigration")
