How to Conduct an Illegal Content Risk Assessment for the Online Safety Act

The Online Safety Act (OSA) places legal responsibility on businesses operating a wide range of online services to keep UK users safe online. All in-scope services (see more information below) with a significant number of UK users or targeting the UK market are covered by the OSA, regardless of where they are based.

One of the first deadlines is for online service providers to complete an illegal content risk assessment by 16 March 2025. In this article, we’ll explain what this means and how your business can comply.

Who needs to comply with the OSA?

The OSA applies to businesses of all sizes, from global corporations to micro-businesses and even individuals who operate online services. If your service allows users to access content generated, uploaded, or shared by others, or if it publishes pornographic content, then you are within the scope of the OSA.

Key categories covered include:

  • User-to-user services: platforms where users interact (e.g., online marketplaces, social media, forums, messaging apps).
  • Search services: websites or apps allowing users to search other platforms or databases.
  • Adult content publishers: platforms displaying or hosting pornographic content.

Completing the illegal content risk assessment

If your business is covered by the OSA, you have several responsibilities. One of these is to complete an illegal content risk assessment by 16 March 2025. This assessment must evaluate the risk of users encountering 17 types of illegal content, including terrorism, hate speech, child sexual abuse, fraud, and encouraging suicide. To assist businesses in meeting this obligation, Ofcom has outlined a four-step process for conducting these risk assessments.

This involves providers: (i) understanding the kinds of illegal content they need to consider in their risk assessment; (ii) assessing the likelihood and impact of encountering these types of content on their service; (iii) deciding what measures to take to mitigate these risks; and (iv) reporting on, reviewing and updating the risk assessment.

Step 1: understand the types of illegal content

The first step is to identify and understand the 17 types of priority illegal content outlined by Ofcom. These include:

  • Terrorism
  • Hate speech
  • Child sexual exploitation and abuse
  • Fraud
  • Encouraging or assisting suicide

You must also consider other types of illegal content that could appear on your service, even if they are not listed as a priority.

If you are a user-to-user service, understand how the service may be used to commit or facilitate a priority offence, and identify the risk factors which are relevant to your service for each of the 17 kinds of priority illegal content.

Step 2: assess the risk of harm

The next step is to assess the risk of illegal content on your platform. You need to look at both how likely it is that illegal content will appear and what impact it could have. The risk factors from the previous step help, but you should also gather evidence of any harm that has happened on your platform to help you decide the level of risk.

As part of this process, you need to:

  • review how your service is used, including any unintended ways.
  • identify if there are any features or functions that might increase the risk of harm.
  • evaluate how effective your current control measures are in reducing the risk of harm.
  • assign a risk level to each type of illegal content, including the 17 priority types.
  • finalise the assessment of all the risks related to illegal content and the design and operation of your service.

Step 3: decide measures, implement and record

Based on the risk levels you’ve identified, Step 3 involves determining the safety measures required to address the risks. You need to:

  • identify the measures that can reduce the risks associated with each type of illegal content. For this, you must consult Ofcom’s Codes of Practice, and check which measures are recommended for your service.
  • decide whether to implement the relevant measures to reduce the risk of harm to individuals/users.
  • implement the necessary safety measures to mitigate these risks.
  • keep a record of the actions you’ve taken, including your risk assessment and the measures implemented.

Step 4: report, review and update risk assessments

You’ll need to:

  • report your illegal content risk assessment and the safety measures you’ve taken through the appropriate governance and accountability channels.
  • monitor the effectiveness of the safety measures in reducing the risk of harm to users.
  • track developing risks and the level of risk exposure (also known as residual risk) after the safety measures are implemented.
  • review and update your risk assessment when necessary, especially before making significant changes to the service’s design or operation.

It’s recommended that services report their risk assessment outcomes to an internal governance body. For smaller services without formal boards, this could mean reporting to a senior manager responsible for online safety.

Make sure to review your risk assessment annually to keep it up to date. Additionally, update it if Ofcom revises its Risk Profiles. If you’re planning any major changes to your service, complete a new risk assessment before proceeding.

Consequences of Non-Compliance

Ofcom, the UK’s designated regulator, has the authority to enforce the OSA. If your business fails to conduct proper risk assessments or comply with safety duties, you could face:

  • Fines of up to £18 million or 10% of global annual turnover (whichever is greater).
  • Criminal liability for senior managers who fail to comply with the OSA.

How can we help?

If you need legal advice on ensuring compliance with the Online Safety Act or assistance with preparing your risk assessment, our experienced team is here to assist.


Isadora Werneck

Partner

isadora.werneck@loganpartners.com
