The Online Safety Act: Illegal Harms Codes officially in force, focus now on children

The question

What are service providers’ new obligations under Ofcom’s new Codes of Practice on Illegal Harms and its Age Assurance and Children’s Access Guidance?

The key takeaway

Under Ofcom’s Codes of Practice on illegal harms, user-to-user and search services providers must implement safety measures from 17 March 2025 onwards which must be tailored and proportionate to the results of their illegal content risk assessment and the specifics of the service provided. Notably, all providers are expected to name an individual who will be held accountable for online safety compliance and ensure that terms of services and publicly available statements on illegal harms are coherent and accessible to the public.

Moreover, in-scope service providers must carry out annual assessments, the first of which is due by 16 April 2025, to gauge whether their services are likely to be accessed by children. This assessment is measured against two metrics: (1) existing age assurance systems and (2) whether child user conditions are met. Those whose services are assessed to be at an increased likelihood of being accessed by children will fall under Ofcom’s final Code of Practice on the Protection of Children which is due to be was published in on 24 April 2025 following which they must carry out a risk assessment by 24 July 2025.

The background

On 24 February 2025, Ofcom published its Codes of Practice on Illegal Harms, as necessary under the Online Safety Act 2023 (OSA) which requires providers of regulated user-to-user and search services to implement safety measures set out in the Codes from 17 March 2025 onwards to protect their users from illegal content and activity.

The aim of the Codes is to impose obligations on service providers to mitigate the risk of users (whether adults or children) from encountering certain types of content and to remove that content as soon as the provider becomes aware of it to minimise its exposure to users. The relevant illegal content has been categorised into “priority” and “non-priority” offences under the Codes, and priority offences include content which relate to terrorism, hate offences, child sexual exploitation and abuse, human trafficking and more. RPC’s Commercial Snapshots previously reported on the compliance implementation phases here.

Furthermore, in order to comply with child protection provisions under the OSA, Ofcom published its Statement on Age Assurance and Children’s Access alongside three guidance documents on 16 January 2025. As part of the provisions, “in-scope” service providers are required to carry out an annual assessment to ascertain whether children are likely to use their services based on their existing age assurance systems. If the assessment determines that a service is likely to be accessed by children, that service will be subject to the obligations set out in the Protection of Children Codes of Practice, as mentioned above.

The development

Ofcom’s Codes of Practice on Illegal Harms

The completion of the risk assessment (the deadline for which has now passed) allows providers to assess the level of risk they are exposed to in respect of each category of “offences” set out in the Codes, thereby allowing providers to consider where to focus their resources to ensure compliance with the Codes as appropriate.

Measures that providers are expected to implement under the new Codes will be dependent on various factors which require ensuring proportionate compliance. These factors include: the type of service provided (ie user-to-user or search); the available features and functionalities of the service; the results of their illegal content risk assessment which should have been completed by 16 March 2025; and the number of service users. Services which have a user base of 7 million or more per month in the UK are deemed to be a “large” service and are therefore expected to invest more resources into compliance than smaller services.

Helpfully, the Codes of Practice provide recommended measures for common aspects of services for in-scope providers, such as content moderation, complaints, user access, design features to support and protect users, as well as the governance and management of online safety risks. However, service providers are able to design and implement their own alternative measures, provided that those measures are recorded with justification of how they are considered to fulfil the relevant duties under the Codes.

Age Assurance and Children’s Access

By 16 April 2025, in-scope service providers must consider whether their service or a part of their service is likely to be accessed by children. This assessment is framed as a two-stage test:

1. Is it possible for children to normally access the service?

1. (a) Are there a significant number of children who are users of the service, and (b) Is the service of a kind likely to attract a significant number of children? These are known as “the child user condition”.

Stage 1

When assessing the first stage, it can only be concluded that it is not possible for children to access the service if highly effective age assurance measures are in place to ensure that access to the service is provided only to those users who have been identified as adults.

Ofcom’s Guidance on Highly Effective Age Assurance, provides examples of suggested highly effective age assurance systems such as digital identity verification, facial age estimation and email-based age estimation. Ofcom has also identified methods which are not highly effective including general contractual restrictions such as terms & conditions and disclaimers/warnings that a user must be over 18 to access a service; verification through online payment methods such as debits cards which do not require card holders to be at least 18; and self-declarations of age where evidence of age is not a requisite. Notably, the method must be robust, technically accurate, reliable, and fair whilst catering to children of all ages and needs.

Stage 2

If during the assessment, a provider finds out it does not fulfil the criteria for highly effective age assurance, then it must carry out a second-stage assessment based on whether the child user condition is met (see Section 4 of the Ofcom’s Guidance on Children’s Access Assessments).

Although the OSA does not define what a “significant number” is (presumably because it is relative to the size of the service provider’s user base), providers must be prudent in their assessment considering the legislation’s stringent children protection requirements. Some non-exhaustive indicative factors to consider include whether the service benefits and/or appeals to children; whether children form part of the service’s business model/growth plans/commercial strategy; and evidence from internal and/or external sources that children are using the service eg through complaints or market research. If neither criterion is met, then the service will be deemed unlikely to be accessed by children and those service providers will not be required to carry out a children’s risk assessment as per the Protection of Children Codes of Practice. However, providers are expected to carry out this assessment at least every 12 months or earlier if it is found that there has been a significant increase in child users; reduced age assurance efficacity; and/or if there are significant changes to the service.

Why is this important?

Ofcom’s new Codes of Practice have been a long-time coming, and we anticipate that Ofcom will not hesitate in making requests for information pursuant to their powers under s.100 OSA 2023 if they suspect that service providers have not complied. If the regulator finds a provider to be non-compliant, under the OSA, it now has the power to fine them up to £18 million or 10% of their global turnover (whichever is greater). In particularly severe cases, Ofcom even has the power to apply for certain sites to be blocked altogether in the UK, though Ofcom itself has accepted that this is a “nuclear” option. Therefore, it is vital for providers to stay informed of their new obligations to ensure compliance as the regulator publishes new guidance in its staged implementation of the OSA’s provisions this year.

Any practical tips?

To ensure compliance post their illegal content risk assessment, providers of user-to-user and search services should familiarise themselves with the Codes of Practice and make use of the extensive guidance and tools on Ofcom’s website. Importantly, providers are advised and are required to keep a record of their risk assessments and the measures they implement, and well as to diligently monitor the efficacity of each measure.

As should be clear, the wide ambit of the OSA and its Codes is not simply relevant to the largest digital platforms. Even smaller enterprises whose primary businesses are not in relation to the provision of user-generated content can find themselves within scope. It is therefore important for all businesses to consider whether they may be obliged to conduct the risk assessments identified above.

Spring 2025