Quick guide to illegal content risk assessments

Risk assessments are a new legal duty for most services regulated under the Online Safety Act.

We’re currently consulting on our draft guidance for illegal content risk assessments. This page explains what online services will need to under our draft guidance.

We are consulting on our proposals, so this information could change

This page:

• summarises proposals we are consulting on – we will update this information when final documents are in place;
• is only meant to introduce your online safety duties – our guidance will set out your legal responsibilities in full.

Most services will need to do an online safety risk assessment in future

This duty will come into force once Ofcom has finalised our guidance on illegal content risk assessments, which we expect to do in Autumn 2024. From then, you’ll have three months to complete your first assessment.

You don’t need to do anything right now, but we’ve suggested some steps to help you get ready.

You’ll need to consider how illegal harm could take place on your service

An illegal content risk assessment should assess how likely it is that your users could encounter illegal content or that your service could be used to commit criminal offences, and what the impact could be. It should help you understand how harm could take place, how your service’s user base, features and other characteristics could increase the risks, and what safety measures you need to put in place to protect people, especially children.

Your assessment should be as accurate as possible. It should be based on relevant information and evidence. The purpose of the assessment is to ensure you understand the risks so you can put in place appropriate safety measures. You also need to keep it up to date.

Follow our proposed four-step risk assessment process

Our draft guidance sets out four steps to help you complete your risk assessment. There is no one-size-fits-all approach, but we propose that these steps can be used by services of all types and sizes.

Step one: Understand the harms

You’ll need to:

• Identify the illegal harms that need to be assessed
• Take into account a list of risk factors we have published

Our draft guidance sets out 15 kinds of priority illegal harms that you need to assess separately. You may also consider other illegal content that could appear on your service.

We have published a draft list of risk factors – such as features like image sharing or livestreaming – that you need to consider if they apply to your service. For each risk factor, we explain how they could increase the risk of harms covered by the Act (such as terrorism offences). These lists are called Ofcom’s ‘risk profiles’.

Step two: Assess the risk of harm

You’ll need to:

• Consider any other characteristics  of your service that may increase or decrease risks of harm
• Assess the likelihood and impact of each kind of harm
• Assign a risk level for each kind of illegal harm
• Consider additional guidance on the risks of certain harms

Once you understand the illegal harms and have a list of risk factors from Ofcom, it’s time to assess what this means for your specific service.

You need to consider any other characteristics that may increase or decrease risks of harm including user base, design features, algorithmic systems, your business model, any user protection or risk mitigation measures, and other relevant aspects of the service’s design and operation, and the way it is used. You should gather evidence about your service – our draft guidance includes a recommended list including user report and complaints, for example.

Based on this information, you should decide how likely it is that illegal harms could take place on your service and what the impact could be. This will help you decide whether each kind of illegal harm is low, medium or high risk. Our draft guidance provides more information on how to make these judgements. We have also proposed specific guidance on how to assess the risk of child sexual abuse material and grooming.

Step three: Decide measures, implement and record

You’ll need to:

• Decide on the appropriate online safety measures  for your service to reduce risk of harm to individuals
• Consider any additional measures that may be appropriate on your service to protect people
• Implement all safety measures
• Record the outcomes of the risk assessment

Next, you need to decide how to address the risks you have identified – this is part of your related safety duties under the Act. One way to meet your duties is to apply the relevant safety measures set out in Ofcom’s codes of practice (currently subject to consultation), such as measures around content moderation, reporting and complaints, default settings and user tools.

You will then need to implement all measures to mitigate and manage risk and record the outcomes of the risk assessment. We have provided draft guidance on what your record needs to include.

Step four: Report, review and update risk assessments

• Report on the risk assessment and measures via relevant governance channels
• Monitor the effectiveness of mitigation measures
• Review (and update) your risk assessment

We recommend that services report their risk assessment outcomes and online safety measures to a relevant internal governance body. For small services without formal boards or oversight teams, this can simply mean reporting to a senior manager with responsibility for online safety.

To keep your risk assessment up to date, our proposals recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to risk profiles. If you are planning to make a significant change to your service, you need to do a new risk assessment before making the change. Our draft guidance covers this in more detail.

For full details, you can read our draft guidance on illegal content risk assessments and respond to our consultation. If you have views on our proposals, we’d love to hear from you.

In future, we’ll also be consulting on our proposed approach to children’s risk assessments, which applies to some services.