Elevated view of London financial district at dusk

In the next phase of Online Safety Act implementation, children’s safety duties and related codes of practice will come into full effect on 25 July 2025.

By Gail Crawford, Fiona Maclean, Alain Traill, Calum Docherty, Edgar Lee, and Amy Smyth

The UK Online Safety Act (OSA) establishes an extensive regulatory framework designed to protect children and adults online by phasing in duties of care on covered service providers, including duties to prevent the spread of online content and activity that is illegal or harmful to children. The OSA applies to providers of online user-to-user services and search services (both UK providers and non-UK providers with links to the UK), catching a large number of digital platforms and services.

On 24 April 2025, the OSA regulator, the Office of Communications (Ofcom), published its Children’s Risk Assessment Guidance and its Protection of Children Codes of Practice (Codes). The publication of the Codes introduced summer deadlines for providers of services likely to be accessed by children, which must complete children’s risk assessments (CRAs) and implement measures to protect children from online harms before 25 July 2025.

The requirements follow on from March and April 2025 deadlines for all service providers to complete illegal content risk assessments (ICRAs) and children’s access assessments (CAAs), and comply with duties of care (safety duties) related to illegal content. See Latham’s publications UK Online Safety Act 2023 and more recently UK Online Safety Act — Spring 2025 Deadlines for more detail on the OSA and ICRAs/CAAs respectively.

Protecting Children From Harms Online — Risk Assessments and Safety Duties

Covered service providers were required to have completed a CAA by 16 April 2025. If the CAA determined that children are likely to access a service — or if a CAA was not completed — the service provider must conduct a CRA for the relevant service and take steps to fulfil the children’s safety duties by 25 July 2025 when the duties come fully into force.

The CRA is designed to assess the risks of harms to children presented by content on the relevant service, and is separate from (but complements) the ICRA. When preparing a CRA, service providers should review Ofcom’s guidance, including the Children’s Risk Assessment Guidance (which goes hand in hand with the Children’s Risk Profiles and Children’s Register of Risks) and Guidance on Content Harmful to Children.

Service providers must implement measures to address the specific risks identified in the CRA in order to fulfil the OSA’s children’s safety duties. Service providers are required to use proportionate measures to mitigate and manage the risks and impact of harm to children in different age groups. In addition, service providers must operate the service using proportionate systems and processes designed to (i) prevent children from encountering “primary priority” content that is harmful to children (e.g., content promoting self-injury) by using “highly effective” age verification and/or age estimation technologies; and (ii) protect children in age groups judged to be at risk of harm from other harmful content.

The Codes document Ofcom’s recommended measures for compliance with the children’s safety duties. The Codes are not binding on service providers, though adherence to the Codes creates a presumption that the service provider has performed its children’s safety duties in compliance with the OSA. Providers implementing alternative measures must be able to demonstrate to Ofcom how those measures meet OSA standards. The Codes set out various recommended measures including related to age checks, safer algorithms, content moderation, user reporting and complaints systems, terms of service, and governance. There are additional measures for multi-risk1 and large2 services (such as written statements of responsibility for senior managers and an annual review of risk management activities by senior management).

What Service Providers Should Expect

Children’s safety continues to be a regulatory priority in the UK and is one of the key pillars of the OSA. Ofcom has already initiated several investigations into compliance with the OSA’s illegal content safety duties and specific restrictions on pornographic services since those obligations came into force in March 2025. The agency is expected to actively enforce children’s safety duties once in force on 25 July 2025. Providers of services likely to be accessed by children should complete and document their CRAs and consider what, if any, additional measures are required to fulfil their online safety duties in light of the Codes.

This post was prepared with the assistance of Britney Laryea.

  1. Defined by Ofcom as a service that is medium or high risk of two or more specific kinds of content that is harmful to children (as determined by the CRA for that service). ↩︎
  2. Defined by Ofcom as a service that has an average user base greater than 7 million monthly active UK users. ↩︎