Illegal content duties under the Online Safety Act

Published: 18 February 2026
Last updated: 1 April 2026

If an online service you provide, or part of it, is in scope of the Online Safety Act, you have a duty to protect UK users from illegal content on your service.

If you're not sure if the service you provide is in scope of the Act, you can use our Regulation Checker tool to help you understand if it is.

The illegal content duties require providers of relevant services in scope of the Act to:

  1. Carry out an illegal content risk assessment
  2. Put in place protections under the safety and related duties
  3. Comply with the record-keeping and review duties for these activities

You have three months to complete a risk assessment after launching a service that the Act applies to, and will need to keep that risk assessment up to date. You also need to complete a risk assessment before making a significant change to your service.

Our resources to help you comply with the illegal content rules

  • Our Online Safety Act regulatory documents page includes a full list of documents and guidance related to compliance with the illegal content duties, including Ofcom’s risk assessment guidance and Codes of Practice.

  • Our digital toolkit will guide you through how to comply with the illegal content duties. The toolkit will provide you with specific compliance recommendations for your service based on your answers to a series of questions. It will help you to:
    • identify and assess the risks relevant to your service
    • find recommended safety measures to address these risks
    • use templates and checklists, if you need them

Illegal content risk assessment duties

The purpose of conducting a risk assessment is to ensure you have an adequate understanding of the risks to your users encountering illegal content on your service, and if you have a user-to-user service, the risk that the service may be used to commit or facilitate certain priority offences.

Your assessment must accurately reflect the risks on your service based on relevant information and evidence. You also need to keep it up to date.

You need to keep a written record of every risk assessment you carry out. You can use the illegal content duties record-keeping template (ODT, 148 KB) to make a record of your risk assessment.

New priority offences

We are currently consulting on updating our regulatory documents and guidance to include new priority offences introduced by the Government in 2025: encouraging or assisting serious self-harm and cyberflashing. Providers will need to take appropriate steps to keep their risk assessments up to date, when such changes are confirmed, and we recommend they do so as soon as practical after the statement is published this summer. We will update this page when changes are confirmed by the statement.

Follow the four-step risk assessment process

1

Our Risk Assessment Guidance (PDF, 902 KB) sets out four steps to help you complete your risk assessment. There is no one-size-fits-all approach, but our guidance can be used by services of all types and sizes.

Activities you'll undertake in this step:

  • identify the 17 kinds of priority illegal content that need to be separately assessed
  • identify whether there is a risk of other illegal content taking place on your service, including relevant non-priority illegal content
  • if you provide a user-to-user service, understand how the service may be used to commit or facilitate a priority offence
  • consult Ofcom’s Risk Profiles (PDF, 902 KB) and identify the risk factors which are relevant to your service for each of the 17 kinds of priority illegal content

Service providers will need to assess the risk of harm arising from 17 kinds of priority illegal content.

These are:

  • Terrorism
  • Child sexual exploitation and abuse (CSEA)
    • Grooming
    • Image-based child sexual abuse material (CSAM)
    • Child sexual abuse material (CSAM) URLs
  • Hate
  • Harassment, stalking, threats and abuse offences
  • Controlling or coercive behaviour
  • Intimate image abuse
  • Extreme pornography offence
  • Sexual exploitation of adults
  • Human trafficking
  • Unlawful immigration
  • Fraud and financial services offences
  • Proceeds of crime
  • Drugs and psychoactive substances
  • Firearms, knives and other weapons
  • Encouraging or assisting suicide (or attempted suicide)
  • Foreign interference offence
  • Animal cruelty

2

Activities you'll undertake in this step:

  • separately assess the likelihood and impact of each of the 17 kinds of priority illegal content
  • assess the likelihood and impact of any other illegal content which you have identified as being likely to occur on your service (including non-priority illegal content), using all relevant evidence

For this process, you should:

  • assess the different ways in which the service is used, including ways which are unintended
  • identify whether there are any specific characteristics or functionalities of the service’s design or operation, not covered in Ofcom’s Risk Profiles, which could increase the risk of harm, including, but not limited to:
    • user base
    • design features
    • algorithmic systems
    • your business model
    • user protection or risk mitigation measures
    • other relevant aspects of the service’s design and operation, and the way it is used
  • consider the effectiveness of any existing control measures which could impact the level of risk of harm to service users
  • consult the risk level tables, found in our Risk Assessment Guidance, to assign a risk level for each of the 17 kinds of priority illegal content, and any relevant other illegal content - this risk level should reflect risk as it exists on the service at the time of assessment, having had regard to the efficacy of any existing control measures you have in place
  • conclude the assessment of all the risks relating to each kind of illegal content, and the design and operation of the service, to move on to your mitigations in Step 3

You should gather evidence about your service. Our guidance includes a list of evidence that all services should consider.

Based on this information, you should decide how likely it is that illegal harms could take place on your service and what the impact could be. This will help you decide whether there is negligible, low, medium or high risk of each kind of illegal content on your service. Our Risk Assessment Guidance and Risk Profiles (PDF, 902 KB) provides more information on how to make these judgements. We have specific guidance on how to assess the risk of child sexual abuse material and grooming.

3

Activities you'll undertake in this step:

  • consult Ofcom’s Codes of Practice, check which measures are recommended for your service, and decide whether to implement applicable measures to reduce risk of harm to individuals/users, or use alternative measures
  • identify any additional measures that may be appropriate for your service
  • implement all safety measures
  • record the outcomes of the risk assessment

One way to comply with your duties is to implement applicable safety measures set out in Ofcom’s illegal content Codes of Practice for user-to-user services (PDF, 900.5 KB) and illegal content Codes of Practice for search services (PDF, 693.99 KB), such as measures around content moderation, reporting and complaints, user settings and tools. You must keep a written record of any measures taken or in use as described in Ofcom’s Codes of Practice.

More information about our Codes of Practice and how they relate to the safety duties can be found in the Implementing safety measures section of this page.

You can also decide on your own measures to comply with the safety duties. The Act refers to this as taking ‘alternative measures’. If you choose to take alternative measures rather than implementing the measures recommended for your service in Ofcom’s Codes of Practice, you will need to keep a record of those alternative measures and how they amount to compliance with the safety duties.

We have provided Record-Keeping and Review Guidance (PDF, 238.96 KB) on what your record needs to include.

4

Activities you'll undertake in this step:

  • report on the illegal content risk assessment and measures through appropriate governance and accountability channels – you do not need to share your risk assessment record with Ofcom unless we specifically ask for it or you provide a categorised service
  • monitor the effectiveness of safety measures at reducing the risk of harm to users
  • monitor developing risks and the level of risk exposure after appropriate measures are implemented (also known as residual risk)
  • review and/or update your risk assessment when appropriate, including before making any significant change to any aspect of the service’s design or operation

We recommend that you report your risk assessment outcomes and online safety measures to a relevant internal governance body. For small services without formal boards or oversight teams, this can simply mean reporting to a senior manager with responsibility for online safety.

To keep your risk assessment up to date, we recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to Risk Profiles. If you are planning to make a significant change to your service, you need to complete a new risk assessment before making the change. Our Risk Assessment Guidance and Risk Profiles (PDF, 902 KB) covers this in more detail.

Additional steps for Category 1 and 2A services

Ofcom expects to publish the register of categorised services in July 2026. The providers of services falling into Category 1 or Category 2A will have additional duties relating to their risk assessments.

These duties will create transparency as to how providers of relevant services view the levels of risk they pose to users in the UK.

Additional steps for categorised services

1

In relation to illegal content risk assessments, Category 1 and Category 2A service providers must provide Ofcom with a copy of their risk assessment record as soon as reasonably practicable after making, or revising, such a record.

Our expectations of when providers should take action  

These additional duties will come into effect upon publication of the register of categorised services, which we anticipate in July 2026.

We expect providers of Category 1 and 2A services to supply Ofcom with copies of their latest risk assessment record(s) by October 2026, or, if appropriate, to confirm if we already hold an up to date record(s). This allows providers sufficient time (at least 3 months) to ensure their risk assessment(s) are up to date, following publication of the register.

Reflecting categorisation in updated records

Risk assessment records should reflect how the register has categorised services as user-to-user services, search services, and combined services (where both the regulated user-to-user service and the public search engine of the combined service each meet the relevant categorisation threshold conditions). Therefore, where a provider is responsible for a combined service, it should risk assess each Category 1 and/or 2B, and each 2A service separately, as relevant, and reflect this in its record keeping.

Additionally, for combined services, the additional risk assessment duties will apply only to the relevant user-to-user service of the combined service if it is identified as a Category 1 service and/or to the regulated public search engine if it is identified as a Category 2A service.

Reflecting new priority offences in updated records

As set out in the section above, we expect providers of Category 1 and 2A services to submit their latest risk assessment records to Ofcom by October 2026. By this time, we expect risk assessments and related records to have been updated in line with the service categorisation in the register.  

We also expect records submitted by October 2026 to reflect any changes to our guidance documents and Risk Profiles that are confirmed by the statement on new priority offences, if it is published in July or earlier. You can read the consultation for more information.

How providers can submit records to Ofcom

As noted in our Record-Keeping and Review Guidance (PDF, 261 KB), the record should be sent to Ofcom in electronic format and to an Ofcom email address. Ofcom will contact providers of Category 1 and 2A services to request records and specify where they should be sent. 

2

Category 1 and Category 2A service providers must publish a summary of their most recent illegal content risk assessment in their terms of service (Category 1) or in a publicly available statement (Category 2A). 

The summary must include the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals). 

Our expectations of the content of risk assessment summaries 

Risk levels 

The Act states that summaries of risk assessment findings must include ‘levels of risk’.  

For illegal content risk assessments, our Risk Assessment Guidance and Risk Profiles (PDF, 902.38 KB) is clear that providers should assign a risk level for each of the kinds of priority illegal content and for other illegal content. In summaries, we therefore expect providers to set out the risk level (negligible, low, medium or high) assigned to: 

  • each of the 17 kinds of priority illegal content assessed; and 
  • other illegal content taking place on their service, including any relevant non-priority offences set out in the Register of Risks.

Nature and severity of risk

The Act also states that summaries of risk assessments must include findings ‘as to nature, and severity’ of potential harm. Our Illegal Content Risk Assessment Guidance recommends that, to make judgements on the nature and severity of harm, services need to consider: 

  • if individuals on the service have had a materially harmful experience (for example, due to nature of the content and how users may encounter it on the service); 
  • if harm is suffered indirectly by individuals who are not users of the service and how severe the impact of the harm is likely to be for individuals; and 
  • the potential reach of that kind of content and number of individuals that could be impacted.  

In summaries of risk assessments, we encourage providers to draw on their findings about the above points, and any other information they consider important, to comment on their view of the nature and severity of each harm type on their service. We also encourage providers to explain how these findings about nature and severity have informed the ultimate risk level assigned to each harm type.   

Other important information 

In addition to the above, we encourage providers to summarise any other key aspects of the risk assessment that informed the risk levels assigned to each harm type, based on the key elements our guidance recommends they consider. This includes where the provider’s consideration of the following points is important to understanding the risk level assigned for a particular harm: 

  • the separate assessment of the likelihood and impact of a harm, based on evidence (including but not limited to the risk factors identified in Ofcom’s Risk Profiles); 
  • the different ways in which the service is used, including ways which are unintended; 
  • whether there are any specific characteristics or functionalities of the service’s design or operation, not covered in Ofcom’s Risk Profiles, which could increase the risk of harm; 
  • the effectiveness of any existing control measures which could impact the level of risk of harm to service users. 

Sharing findings in these areas is likely to be important to creating transparency around the provider’s understanding of risk levels on the service. 

Our expectations of when providers should take action 

These additional duties will come into effect upon publication of the register of categorised services, which we anticipate in July 2026.  

We expect providers to publish summaries of the findings of their latest risk assessment(s) by November 2026.

As set out in the ‘Provide Ofcom with a copy of the illegal content risk assessment record’ step above, we expect risk assessments and related records to have been updated by October 2026 to reflect how the register has categorised services as user-to-user services, search services, and combined services. We similarly expect risk assessment summaries published by November 2026 to reflect service categorisation. 

We expect summaries published by November 2026 to also reflect any changes to our guidance documents and Risk Profiles that are confirmed by the statement on new priority offences, if it is published in July or earlier. You can read the consultation for more information.

Illegal content safety duties

The illegal content safety duties, and those relating to reporting and complaints, focus on keeping people safe online. It’s about making sure you have the right measures in place to protect people from harm that could take place on your service.

If you are the provider of a user-to-user service, you must:

  • take proportionate steps to prevent your users encountering illegal content
  • mitigate and manage the risk of offences taking place through your service
  • mitigate and manage the risks identified in your illegal content risk assessment
  • swiftly remove illegal content when you become aware of it, and minimise the time it is present on your service
  • explain how you’ll do this in your terms of service
  • allow people to easily report illegal content and operate a complaints procedure

If you are the provider of a search service, you must:

  • take proportionate steps to minimise the risk of your users encountering illegal content via search results
  • mitigate and manage the risks identified in your illegal content risk assessment
  • explain how you’ll do this in a publicly available statement
  • allow people to easily report illegal content and operate a complaints procedure

You can decide for yourself how to meet the specific legal duties; you can apply the measures that apply to your service set out in Ofcom’s Codes of Practice or you can take alternative measures. If you take alternative measures to the ones we recommend, you must also maintain a record of what you have done and how you consider that they fulfil the relevant duties.

Implementing safety measures

Our Codes of Practice set out a range of measures in areas including content moderation, complaints, user access, design features to support and protect users, and the governance and management of online safety risks.

Some measures are targeted at addressing the risk of certain kinds of illegal harms. For example, our Codes of Practice include measures to tackle online grooming. Other measures help to address a variety of illegal harms such as child sexual abuse material (CSAM) and fraud.

The illegal content Codes of Practice include measures in the following areas for user-to-user services:

  • Governance and accountability
  • Content moderation
  • Reporting and complaints
  • Recommender systems
  • Settings, functionalities and user support
  • Terms of service
  • User access
  • User controls 

The Protection of Children Codes of Practice include measures in the following areas for user-to-user services:

  • Governance and accountability
  • Search moderation
  • Reporting and complaints
  • Settings, functionalities and user support
  • Publicly available statements

Your safety measures will depend on your service

The Act is clear that the safety measures that providers put in place should be proportionate. Different measures in the Codes of Practice would apply to different services based on factors such as:

  • the type of service you provide (user-to-user or search);
  • the features and functionalities of your service;
  • the number of users your service has (size); and
  • the results of your illegal content risk assessment.

Some measures will apply to all services. For example, these include naming an individual accountable for online safety compliance and ensuring your terms of service (or publicly available statements) are clear and accessible.

Certain measures may apply to services of differing sizes or risk levels, such as the measures to apply specific automated tools to detect and remove child sexual abuse material from user-to-user services and to ensure that users do not encounter it in or via search services.

In our Codes of Practice, we have defined a large service as a service which has an average user base of 7 million or more per month in the UK. This is equivalent to approximately 10% of the UK population. A user does not need to be registered with the service, or post anything. Just viewing content is enough to count as using that service.

These services may need to put in place more measures, such as providing training for staff working in content moderation.

This is because, generally, when providers of large services put these measures in place, they deliver the most benefit to the greatest number of users – so it’s proportionate to ask them to do more.

Your illegal content risk assessment must set out if your service has a negligible, low, medium, or high risk of each kind of priority illegal content. These risk levels must accurately reflect the risks on your service.

Some measures apply based on the specific risk level:

  • If your service is low or negligible risk for all kinds of priority illegal content, you are a ‘low risk service’, and the minimum number of measures apply.
  • If your service is medium or high risk for one kind of illegal harm, we call it a ‘single-risk’ service, and more measures may apply.
  • If your service is medium or high risk for two or more kinds of illegal harm, we define it as a ‘multi-risk’ service, and further measures may apply.
  • Safety measures focused on specific kinds of illegal harm (like child sexual exploitation and abuse and terrorism offences) only apply to services that are medium or high risk for those specific harms.

Further steps you may need to take to comply

Providers of online services must comply with a range of duties under the Online Safety Act.

In addition to complying with illegal content duties, you will need to:

If you provide a service that publishes or displays pornographic material, you may have further duties to comply with. You can find out more about these on the Adults Only page.