Online Safety Act: Ofcom publishes children's online safety codes and risk assessment guidance

United Kingdom

On 24 April 2025, Ofcom published the Protection of Children Codes (the “Codes”) and its Children’s Risk Assessment Guidance (the “Guidance”) under the Online Safety Act 2023 (OSA).

What’s new?

All in-scope user-to-user (U2U) and search services were required to carry out a children’s access assessment by 16 April 2025 to establish if their service is likely to be accessed by children. Those services that are likely to be accessed by children must complete and document a children’s risk assessment by 24 July 2025. Assuming the Codes pass through the Parliamentary process, from 25 July 2025, those services will be legally required either to implement the measures set out in the Codes or to adopt other effective measures to protect child users from harmful content.

Ofcom will have the authority to take enforcement action against services that do not comply (for a quick reminder on what the enforcement actions are, read our Law-Now article). In its statement announcing the Codes, it warns: “We are ready to take enforcement action if providers do not act promptly to address the risks to children on their services”.

Fears continue to be expressed that the US-UK trade talks could result in the OSA being watered down. However, parliamentary under-secretary for online safety Baroness Jones of Whitchurch told MPs this week: “The Prime Minister has made it absolutely clear that the Online Safety Act is not up for negotiation”.

What has Ofcom published? A quick guide to the key documents

To support the rollout of its new children’s safety duties, Ofcom has released an extensive package of documents reaching over 1700 pages(!).

Key resources include:

  • Statement: Protecting children from harms online - Detailed across five volumes.
  • Summary of the statement - Quick overview of the key points.
  • Children’s Register of Risks - Detailed list of the types of online risks children may face which services must use when assessing their services.
  • Guidance on content harmful to children - Ofcom’s definitions and expectations around harmful content, broken down by age range and harm type.
  • Children’s Risk Assessment Guidance and Children’s Risk Profiles - Step-by-step guidance on how to carry out children’s risk assessments, including practical checklists and service-specific risk profiles for both U2U and search services.
  • Codes of Practice - Both in draft form and pending Parliamentary approval:
      1. Search services; and
      2. U2U services.
  • Codes at a glance - Summary of the key measures set out in the Codes.
  • Guidance on children’s access assessments - Detailed guidance on how to conduct children’s access assessments.
  • Guidance on highly effective age assurance for Part 3 services - Guidance on implementing age assurance measures to prevent children from accessing harmful content.

Alongside this, Ofcom is also updating a number of its existing resources on the OSA (such as the online safety toolkits), to take into account the new children’s duties.

Codes for U2U and search services

The Codes apply to regulated U2U and search services that are likely to be accessed by children, with expectations adjusted according to the size, functionality, and risk profile of each service. Services are required to take proportionate steps to protect children from both illegal and legal but harmful content.

Of all the guidance released, Volume 4 is arguably the most important for online services. It lays out over 40 measures that apply to in-scope services. These measures span different areas, including:

  1. Governance and accountability: In-scope services must have a named person responsible for children’s online safety, with a senior body conducting annual reviews of how risks to children are being managed.
  2. Age assurance: The riskiest in-scope services are expected to implement highly effective age assurance to identify which users are children in order to protect them from harmful content.
  3. Content moderation: All U2U services must have a content moderation function that reviews and assesses content suspected to be harmful to children and allows for swift action on such content where it is “currently technically feasible” to take appropriate action.
  4. User reporting and complaints: In-scope services must have complaints systems that are transparent and easy to access and use.
  5. Recommender systems/algorithms: In-scope services using recommender algorithms and posing medium or high risk of harmful content must configure their algorithms to filter out harmful content from children’s feeds.
  6. More user choice and support: In-scope services must allow children to manage group chat invites, block/mute accounts and disable comments on their own posts and provide age-appropriate support materials.

These measures build on the existing measures and Codes designed to protect against illegal harms (for more information on the illegal content duties, read our Law-Now article). They also sit alongside specific requirements for pornography services, which are required to implement highly effective age assurance to prevent children from viewing online pornography.

Additionally, the OSA includes "safe harbour" provisions for in-scope services. By implementing all the recommended measures in the Codes, a service can benefit from a safe harbour, meaning it is treated as complying with the relevant duties to which those measures relate.

What about the Guidance?

The Guidance sets out a four-step process for children’s risk assessments, similar to the process for the illegal harms risk assessment:

Step 1: Understand content harmful to children that needs to be assessed.

Step 2: Assess the risk of harm to children.

Step 3: Decide measures, implement and record.

Step 4: Report, review and update.

The Guidance also explains when a service should review or update its existing risk assessment. This will depend on the specific circumstances of each service but is likely to be necessary:

  • At least every 12 months - Regular reviews ensure that the risk assessment remains current and accurately reflects any changes in the service or external environment.
  • If Ofcom makes a significant change to its children’s risk profiles - Services must update their risk assessments to reflect any new risk factors or changes identified by Ofcom that are relevant to their operations.
  • On a significant change to the service - Any substantial modifications to the design, functionalities, or operation of the service that could impact the risk of harm to children necessitate a new risk assessment.

Further consultation: Illegal harms and user controls

Ofcom also published a consultation in its Volume 6 document of the statement, focusing on expanding the application of user control measures to protect children from illegal harms online. This consultation proposes extending Measures ICU J1 (blocking and muting) and ICU J2 (disabling comments) to smaller U2U services likely to be accessed by children. The aim is to enhance protections against illegal harms such as grooming, encouraging or assisting suicide, hate, harassment, stalking, threats, abuse, and coercive and controlling behaviour.

Key proposals:

  • User blocking and muting: This measure would apply to smaller services with user profiles and functionalities like user connections, posting content, and user communication. Services with below 7 million monthly UK users at high risk or between 700,000 and 7 million monthly UK users at medium risk for relevant harms would need to implement these controls.
  • Disabling comments: This measure would apply to smaller services with commenting functionalities. Services with below 7 million monthly UK users at high risk or between 700,000 and 7 million monthly UK users at medium risk for relevant harms would need to offer the option to disable comments.

The consultation closes on 22 July 2025.

For more detailed information, please visit the Ofcom website and for a broader outlook on the OSA in 2025, you can read more in this Law-Now article. If you are keen to find out more about the OSA, please contact one of the CMS team.