All providers of user-to-user and search services in scope of the Act must establish whether their service is likely to be accessed by children. Service providers must establish this by completing a children’s access assessment.
If you provide a service that came into scope of the Act after 16 January 2025, you have three months to complete your assessment from the first day your service became available to users in the UK.
Our resources to help you carry out a children’s access assessment
- Our Children's Access Assessments Guidance (PDF, 968.02 KB) explains the children’s access assessment duties.
- Our digital toolkit will guide you through how to carry out a children’s access assessment and provide you with compliance recommendations for your service based on your answers to a series of questions.
Children’s access assessment duties
A children’s access assessment is a process for establishing whether a service is likely to be accessed by children. A child is defined in the Act as a person under the age of 18.
Services that do not have highly effective age assurance in place must assess whether children are likely to be on the service or part of the service. This could be because the service, or part of it, has a significant number of users who are children, or because the service is of a kind likely to attract a significant number of children.
Services likely to be accessed by children will have additional duties to protect children online: they will need to also undertake a children's risk assessment and implement safety measures to protect children online.
Follow our two-stage process
Stage one – assess whether it is possible for children to normally access the service or part of it.
You can only conclude that it is not possible for children to access the service if you are using highly effective age assurance, as well as access control measures that prevent users from accessing the service if they have not been identified as adults via the age assurance process. If you have both in place, you can conclude that the service is not likely to be accessed by children and record this conclusion. You do not need to go on to complete Stage two.
Stage two – assess if there is a significant number of children who are users of the service and/or the service is of a kind likely to attract a significant number of children.

Stage 1: Is it possible for children to access the service or part of it?
Under the Online Safety Act, ‘children’ means anyone under 18.
You can only conclude that it is not possible for children to access your service if you are using age verification or age estimation (together known as age assurance), which prevents children from normally being able to access that service.
The age assurance should be highly effective. By ‘highly effective’ we mean it must be:
- technically accurate
- robust
- reliable
- fair
There is more detail on what constitutes highly effective age assurance in our Guidance on Highly Effective Age Assurance for Part 3 Services.
Examples of age assurance methods that have the potential to meet the above criteria include:
- photo-ID matching
- facial age estimation
- reusable digital identity services.
Examples of age assurance methods that are not highly effective include:
- payment methods which do not require the user to be over 18
- terms and conditions that say the service is for over 18s only
To ensure that children cannot normally access a service, alongside highly effective age assurance, providers need to have access control measures that prevent users from accessing the service if they have not been identified as adults via the age assurance process.
If you have highly effective age assurance and access controls in place, you can conclude that the service is not likely to be accessed by children and record this conclusion. You do not need to go on to complete Stage 2 of the children’s access assessment.
Stage two: The child user condition
If you find in Stage 1 that children can access your service or part of it, you must complete Stage 2 and consider whether the ‘child user condition’ is met. This is the case if:
- there is a significant number of children who are using the service; and/or
- the service is of a kind likely to attract a significant number of children.
In order to work out whether either or both of these criteria are met, you will need to consider a number of aspects relating to your service which might include the data that you hold about who your users are as well as the nature of the service itself.
It is up to you to decide which criterion to consider first to establish if the child user condition is met. For most service providers it is likely to be a challenge to accurately determine the number of children on a service without using highly effective age assurance. Given this challenge, you may wish to focus on the second criterion – whether the service is likely to attract a significant number of children.
We have suggested a list of factors for service providers to consider as part of stage 2 that might indicate whether a service is of a kind likely to attract a significant number of children:
- Whether the service provides benefits to children;
- Whether the content on a service is appealing to children;
- Whether the design of the service is appealing to children;
- Whether children form part of the service’s commercial strategy.
Even if your service does not actively target children or seeks to limit access to children below a certain age, it may still be of a kind likely to attract a significant number of children.
The Act does not define what is meant by a ‘significant number’ of children. This is likely to depend on the nature and context of the service and should reflect a number or proportion that is material in the context of that service.
Even a relatively small number of children could be significant in terms of the risk of harm. We suggest you should err on the side of caution in making your assessment.
You are required to record the outcome of your children’s access assessment regardless of its findings
All services need to record the outcome of each children’s access assessment.
- If you have highly effective age assurance in place, you can conclude that the service is not likely to be accessed by children and record this conclusion.
- If you go on to stage 2 of the children’s access assessment and conclude that the child user condition is not met (the service is not likely to be accessed by children), you must record the steps taken and the detailed evidence used to reach that conclusion.

Next steps
If your service is likely to be accessed by children, you will need to undertake a children’s risk assessment and implement safety measures to protect children online.
For full details, read our Children’s Access Assessments Guidance. Our guidance includes a template that may assist you in carrying out a children's access assessment.
If you conclude your service is not likely to be accessed by children, you must repeat the assessment within 12 months, or earlier under the specific circumstances detailed in our guidance.
Summary
- All user-to-user and search services must carry out a children’s access assessment by 16 April 2025.
- Service providers should only conclude that they cannot be accessed by children if they have highly effective age assurance.
- If a service provider concludes that the service is likely to be accessed by children, they will need to complete a children’s risk assessment and adopt appropriate safety measures to protect children. We will publish our final Children’s Risk Assessment Guidance in April, and our Protection of Children Codes will come into effect in July.

For a directory of Ofcom publications relevant to online pornography services, head to ‘Adults Only’: what to do if your online service allows pornography.