In the last month, Ofcom, the regulator tasked with enforcing the UK’s Online Safety Act (OSA), has published guidance enacting requirements under the OSA to carry out illegal harms risk assessments and children’s access assessments. Providers of in-scope services must document an illegal harms risk assessment by March 16, 2025, and a children’s access assessment by April 16, 2025. This alert outlines the steps that in-scope services must take to prepare for these deadlines. For more information on the OSA and its phased implementation, refer to our previous blog post here

Scope

The OSA applies to providers of i) online platforms that allow users to generate, upload, or share content with others (“user-to-user” services), and ii) search services, provided these services target the UK, have a significant number of users there, or otherwise present a material risk of significant harm to UK users. A user-to-user service would include, for example, an online service where users can interact with one another, such as a social media or dating app.

Illegal Harms Duties

Ofcom has now published its guidance on protecting users against illegal harms online, and has submitted its Illegal Harms Codes of Practice to Parliament for approval. Websites, apps, and other services that fall within the scope of the OSA have until March 16, 2025, to complete an illegal harms risk assessment. Subject to approval by the UK Parliament, obligations to comply with the illegal harms duties are expected to be enforceable starting on March 17, 2025.

Ofcom has outlined a four-step process for completing the illegal harms risk assessment (as well providing a toolkit to guide providers through this process):

  1. Identify the kinds of illegal content and activity that may be present on a service. This should take into account Ofcom’s Risk Profiles.
  2. Assess the risk of harm to users for each type of illegal content or activity.
  3. Identify relevant measures to address the identified risk and make a complete record of the risk assessment.
  4. Document the risk assessment, monitor developing risks, and update the risk assessment where appropriate.

The recommended measures for user-to-user services are based on the size and risk of the service. For example, services likely to be accessed by children must adopt additional measures compared to other services. In general, the key measures to comply with the code and guidance include setting targets for the content moderation functions, appointing an individual accountable to the most senior governance body for compliance with illegal content, implementing default safety settings for child users, and establishing a dedicated reporting channel for organizations with fraud expertise (“trusted flagger”) for efficient fraud detection.

Child Safety Duties

In January 2025, Ofcom published its guidance on children’s access assessments and highly effective age assurance. Providers of user-to-user and search services are required to assess whether each of their services is currently used, or is likely to be used, by a significant number of children in the UK. If a provider concludes that its service is likely to be accessed by children, it must carry out a children’s risk assessment and implement safety measures to protect child users. Ofcom will release guidance on children’s risk assessments and how services can protect children from encountering harmful content in April 2025. The deadline for conducting a children’s risk assessment is expected to fall in July 2025 and the obligations to implement mitigation measures to protect children are expected to be enforceable from July 2025.

Providers may only conclude that their services cannot be accessed by children if they have highly effective age assurance in place, in which case they will not be required to comply with the children’s protection duties. This could include photo-ID matching, facial age estimation, and reusable digital identity services. Providers must record the outcome of the children’s access assessment regardless of the findings.

Conclusion

Ofcom has stated that it will not hesitate to take enforcement action against deliberate or flagrant breaches of the OSA starting on March 17, 2025. Later this year, Ofcom will also publish guidance on protecting women and girls online and will impose additional duties on specific services related to transparency.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance in the UK and EU. For more information, please contact Nikolaos Theodorakis or Tom Evans.

Claudia Chan and Matthew Nuding contributed to the preparation of this post.