Ofcom publishes children's online safety codes and risk assessment guidance

The question

What measures must in-scope service providers undertake following the introduction of Ofcom's Protection of Children Codes and Guidance (the Codes)?

The key takeaway

In-scope service providers were required to complete their first children's risk assessments by 24 July 2025 and needed to start complying with the Codes from 25 July 2025.

The background

On 24 April 2025, Ofcom published the Codes, as part of the second phase of its three-phase process to implement the Online Safety Act 2023 (the Act) (see the full roadmap here).

All services who provide "user-to-user services" and/or "search services" as defined by Section 3 of the Act were required to complete a Children's Access Assessment by 16 April 2025. The Access Assessment comprised of a two-stage test to determine whether a service or part of a service is likely to be accessed by children. If the Access Assessment determines that children are likely to access the service or part of it, the relevant service provider is deemed to be within the scope of the Codes and must comply with them.

The development

Service providers who are within scope must conduct risk assessments to understand and identify the kinds of content harmful to children, which need to be separately assessed to identify risk factors relevant to the service for each kind of content harmful to children. Based on this information, service providers should then determine how likely it is that children will or may encounter such harmful content and conclude whether their services are at negligible, low, medium or high risk for each kind of content.

Once service providers have identified their risk level, they must consult the Codes and consider the recommended measures to be taken to mitigate and manage those risks for child users.

The Codes take a proportionate approach when recommending measures to be implemented, acknowledging that not all services pose the same level of risk. Different measures in the Codes apply to different types of services, taking into consideration: the type of service provided; the relevant functionalities and characteristics of the service; the number of users the service has; and the outcome of the service's latest children's risk assessment. Additionally, some measures involve using age assurance to ensure safety measures can be implemented without prejudicing adults' right to access legal content in the UK.

Over 40 safety measures have been proposed in the Codes. For both user-to-user and search service providers, measures may relate to governance and accountability of the management of risks relating to children, effective reporting and complaints mechanisms for users, and settings and functionality to provide users with more control over what content they see. However, service providers are not compelled to take the recommended measures set out in the Codes, and instead may take alternative measures which must be sufficient to mitigate and manage risks of harm to children and should be appropriately recorded together with justification of how those measures are considered to fulfil the relevant duties under the Codes.

Some of the most significant measures under the Codes relate to recommender and content moderation systems for service providers, designed to tackle certain categories of content, pursuant to Sections 61 and 62 of the Act. The most harmful is labelled "primary priority content" (PPC), which includes suicide, self-harm, eating disorder content and pornography, and the next is labelled "priority content" (PC), which includes abusive content, hateful content, bullying, violent content, harmful substances and dangerous stunts and challenges. Additionally, the Codes recognise a third category, "non-designated content" (NDC), covering otherwise uncaptured content which presents a material risk of significant harm to an appreciable number of children. Ofcom has indicated that this latter category includes body image and depressive content.

Service providers whose terms of service do not prohibit one or more kinds of PPC should apply content or access controls to ensure that children are "prevented" from encountering PPC, using highly effective age assurance measures to target the content and ensure that it can only be seen by adults. For PC or NDC, service providers are not required to use age assurance mechanisms to exclude this content from children but instead should take swift action to "protect" children from encountering this content, such as giving it lower priority, obscuring, blurring or distorting it, applying overlays or interstitials, or excluding it from content recommender feeds altogether.

Why is this important?

Protecting children from online harm is an obligation all in-scope service providers must keep at the forefront of their minds when deploying their services. If the regulator finds a provider to be non-compliant, it has the power to fine them up to £18m or 10% of their global turnover (whichever is greater) under the Act. In particularly severe cases, Ofcom even has the power to apply for certain sites to be blocked altogether in the UK.

Any practical tips?

In-scope service providers need to be fully aware of the full implications of the new Codes, in particular the risk assessments they need to be undertake. Ofcom has published a number of documents to assist them with undertaking these risk assessments, including its guidance and digital toolkit.