GettyImages-1362940445_Close+up+using+a+tablet+computer

Illegal content safety duties came into full effect on 17 March 2025, shortly followed by children’s access assessment requirements.

By Gail E. CrawfordFiona M. MacleanAlain TraillCalum Docherty, Edgar Lee, and Amy Smyth

The UK Online Safety Act (OSA) establishes an extensive regulatory framework for providers of online user-to-user services and search services with links to the UK, catching a large number of digital platforms and services. The OSA applies to both UK businesses and non-UK providers that (1) target the UK market, (2) provide services to a significant number of UK users, or (3) are capable of being used by individuals in the UK and there are material risks of significant harm.

The OSA aims to protect children and adults online by phasing in duties of care on covered service providers to prevent the proliferation of online content and activity that is illegal or harmful to children, and to protect against fraudulent advertising. The OSA is a significant evolution of the existing regulatory regime in the UK applicable to online intermediaries, as obligations have moved from being reactive (i.e., notice and takedown) to proactive (i.e., requirements to implement policies/procedures to protect users).

March and April 2025 bring several deadlines for service providers — to complete illegal content risk assessments, children’s access assessments, and comply with related duties of care (safety duties) under the OSA. See Latham’s publication “UK Online Safety Act 2023” for more detail on the OSA and duties of care.

Illegal Content — Risk Assessments and Safety Duties

Under the illegal content safety duties, providers of covered user-to-user services and search services are broadly required to: assess the risks posed to users by any illegal content on their services; implement proportionate measures to prevent users from encountering illegal content and mitigate the risks identified in the risk assessment; swiftly remove illegal content; and mitigate the risk of offences taking place on the service.

By 16 March 2025, service providers must have completed their illegal content risk assessment (ICRA) to assess the risk of users encountering illegal content or of the service being used to commit or facilitate an offence. When preparing an ICRA, service providers must have regard to the Risk Assessment Guidance (which goes hand-in-hand with the Register of Risks) prepared by the OSA regulator, the Office of Communications (Ofcom). Ofcom has published an interactive toolkit and an ICRA template as guides through the process.

From 17 March 2025, Ofcom’s illegal content codes of practice (COPs) will have come into effect, meaning that the illegal content safety duties will be applicable and enforceable from this date. The COPs, together with Ofcom’s summary of decisions on safety measures, set out Ofcom’s recommended measures for compliance with safety duties related to illegal content, and to mitigate risks identified in the ICRA. While the COPs are not binding on providers, adherence to the COPs creates a presumption that the service provider has performed its illegal content safety duties in compliance with the OSA.

The illegal content COPs set out the multiple recommended measures in technical and practical detail. Key measures for user-to-user services include a designated accountable person; effective and resourced content moderation processes; illegal content reporting and complaints mechanisms; updated terms of service to reflect implemented safety measures; plus additional measures for multi-risk1 and large services2 (such as compliance assurance and codes of practice; performance targets for content moderation; and training). Ahead of the illegal content COPs coming into effect, Ofcom launched an enforcement programme on 3 March 2025, to monitor compliance with the IRCA, illegal content, and record-keeping duties. Ofcom states that it expects the programme to run for at least 12 months, during which time Ofcom may initiate formal investigations if it identifies potential non-compliance.

Children’s Access Assessments

By 16 April 2025, all covered service providers must conduct a children’s access assessment (CAA) to determine if their service is likely to be accessed by children in the UK. If a service provider’s completed CAA determines that its service is likely to be accessed by children, or if a CAA is not completed, child safety duties will apply to the service.

The child safety duties include a requirement to complete a child risk assessment, which is separate from, but may overlap with, the ICRA, and implement measures to protect children (e.g., from encountering harmful content). Ofcom is in the process of finalising its Children’s Risk Assessment Guidance and its children’s safety codes of practice to detail its recommended measures for compliance with the child safety duties. The guidance and code are expected to be published in April 2025, meaning that completed children’s risk assessments will be due and the child safety duties will apply from July 2025. Similar to the illegal content COPs, adherence to Ofcom’s child safety COPs creates a presumption that the service provider has performed its child safety duties (e.g., implemented a reporting mechanism and complaints procedure in relation to content that is harmful to children).

This posting was prepared with the assistance of Yinka Ogboye.

  1. Defined by Ofcom as a service that is medium- or high-risk for two or more kinds of illegal harm (as determined by the ICRA for that service). ↩︎
  2. Defined by Ofcom as a service which has an average user base of seven million or more per month in the UK. ↩︎