What X Agreed To
On 15 May 2026, Ofcom published a statement announcing that X (formerly Twitter) had committed to three concrete obligations under the UK Online Safety Act. X will review suspected illegal hate and terrorist content reported through its dedicated UK tool within 24 hours on average — calculated as a mean over rolling three-month periods — with a backstop requiring 85% of such reports to be reviewed within 48 hours. X will also submit quarterly performance data to Ofcom for 12 months, and will withhold UK access to accounts determined to be operated by or on behalf of proscribed terrorist organisations.
These are not aspirational pledges. X's failure to meet the agreed thresholds now gives Ofcom a documented baseline against which to open formal enforcement proceedings. Ofcom Director Oliver Griffiths described the commitments as "a step forward, but there's a lot more to do" — language that signals continued scrutiny rather than closure.
The Violence That Forced the Issue
The commitments did not emerge from a general compliance review. They were triggered by a series of antisemitic attacks that exposed the gap between X's stated moderation policies and their real-world effect.
On 2 October 2025 — Yom Kippur — Jihad al-Shamie drove a car into worshippers outside the Heaton Park Hebrew Congregation in Manchester, then attacked them with a knife before being shot by police. Two men, Melvin Cravitz and Adrian Daulby, were killed. Greater Manchester Police recorded that antisemitic hate crime tripled in the three weeks that followed. Civil society organisations told Ofcom they had alerted X to illegal content amplifying and celebrating the attack, but could not determine whether those reports were received or actioned at all.
The violence escalated further. On 29 April 2026, a suspect linked to an Iran-affiliated group stabbed two Jewish men in Golders Green, north London. Across March and April 2026, approximately ten attacks on Jewish schools, synagogues, and charities in London involved arson, explosives, and chemical devices. The UK government raised the national threat level from substantial to severe and declared an antisemitism emergency. X's failure to close the reporting feedback loop — leaving expert organisations unable to confirm whether their alerts had been processed — is directly and specifically addressed in the new commitments.
The Online Safety Act's Enforceable Scope
The Online Safety Act 2023 — enacted in October 2023, with illegal harms duties enforceable from 17 March 2025 — requires platforms to conduct risk assessments, remove illegal content promptly, and design their services to reduce the risk that criminal activity propagates through them. Covered categories include racially or religiously aggravated public order offences and terrorism content, precisely what is at issue here. Ofcom's enforcement tools are substantive: fines up to £18 million or 10% of qualifying worldwide revenue, whichever is greater, and authority to direct internet service providers to block non-compliant services.
Separately, a formal investigation launched on 12 January 2026 into X's Grok AI chatbot — focused on whether Grok generated non-consensual intimate imagery and child sexual abuse material in violation of the same illegal harms duties — adds a concurrent compliance pressure on X. The hate-content commitments and the Grok investigation are distinct proceedings, but together they mark a more assertive enforcement posture from Ofcom than anything previously directed at the platform.
The strongest case for these powers deserves honest engagement before raising concerns. Hate speech and terrorist incitement have documented offline victims, as Manchester and Golders Green demonstrated. UK law has long criminalised incitement and religiously aggravated public order offences; applying those prohibitions to digital platforms extends settled statutory law to new infrastructure rather than inventing novel restrictions. Platforms with significant UK market power that fail to assess and mitigate content driving physical harm are not purely free-speech actors — they are passive amplifiers of violence, operating at scale.
Where the Proportionality Questions Sit
Those points accepted, the concerns about this specific deal are real and should be stated plainly.
The 24-hour mean is measured over rolling three-month periods, which means a small number of very slow reviews can drag the average without triggering a technical breach. The 85%-within-48-hours backstop allows 15% of reported items to sit in queue beyond two days without any violation occurring — potentially thousands of pieces of content daily. And Ofcom has no real-time visibility into X's internal systems; it relies entirely on data that X itself produces and submits.
More fundamentally, these commitments are not contained in a formal statutory notice with specified remedies. They are a negotiated undertaking, published unilaterally by the regulator. If X misses quarterly targets, Ofcom must still open a formal investigation, allow X to respond, and reach a provisional decision before any penalty lands — a process the regulator acknowledges takes "typically months." Quarterly data is valuable intelligence, but it is not self-executing compliance.
What Would Make This Deal Matter
The commitments Ofcom secured are more concrete than most regulatory negotiations with large platforms produce. The 24-hour mean, the 85% backstop, and 12 months of quarterly reporting create a documented compliance record Ofcom can act on. The account-restriction requirement for proscribed terrorist organisations closes a gap X had not addressed voluntarily, and the expert-engagement commitment addresses the specific failure — the silent reporting black hole — that Ofcom's investigation surfaced.
What would transform this from a bilateral regulatory deal into genuine structural accountability is public disclosure of the quarterly performance data. If X's metrics — the percentage of reports reviewed within 24 hours, within 48 hours, and account restrictions applied — are published rather than merely submitted to Ofcom, civil society organisations and independent researchers can verify compliance without waiting for a regulator to act. The Online Safety Act gives Ofcom real teeth. Making the quarterly data public is how those teeth get used.