In brief
- In December 2025, the UK Government elevated two offences to "priority" status under the Online Safety Act 2023 (OSA), encouraging or assisting serious self-harm , and cyberflashing.
- The necessary changes to the risk framework constitute "significant changes" under the OSA, requiring providers to promptly review and update their Illegal Content Risk Assessments, content moderation policies, and content judgement processes to address the risks of the two new harm categories, including revised risk factors.
- In addition to the updated documents published by Ofcom, amendments to the illegal content Codes of Practice will be implemented separately. Providers should also anticipate further regulatory updates in autumn 2026, alongside policy development in relation to the additional new offences and priority offences introduced through the Crime and Policing Act 2026.
Introduction
Ofcom has published a statement on new priority offences under the Online Safety Act 2023 (OSA), providing guidance to tech companies as to the steps they will now need to take in relation to reviewing and updating their Illegal Content Risk Assessments (ICRAs) and taking appropriate steps to comply with Ofcom's updated risk assessment requirements. Providers should now review and update their ICRAs, content moderation policies, and compliance positions across the two new harm categories, and continue to monitor Ofcom's programme of regulatory updates.
The new priority offences
In December 2025, the Government created two new 'priority offences': encouraging or assisting serious self-harm, and cyberflashing. Both were previously non-priority offences. The recategorisation means that regulated online service providers have specific duties in relation to them.
Suicide and self-harm
Ofcom has combined the pre-existing offence of encouraging or assisting suicide with the new offence of encouraging or assisting serious self-harm into a single harm category, and has updated its Risk Assessment Guidance and the Illegal Content Codes of Practice (Codes) to reflect this. The effect of this change is that providers will need to assess the risk of both harms and assign an overall risk level to 'suicide and self-harm'. Further, they will need to take account of relevant measures that specifically apply to suicide content or services at medium or high risk of encouraging or assisting suicide which will now apply to self-harm content and relevant services. However, whilst the offences have been combined in this way, services will be expected to reflect the differences in how the two harms manifest when carrying out their duties.
Ofcom has updated the User-to-User Risk Profile to include the risk factors most strongly associated with suicide and self-harm and added a reference to self-harm in the Search Risk Profile. The Register of Risks suicide and self-harm chapter has also been updated to include additional evidence on how these types of harms manifest online.
Cyberflashing
Cyberflashing has been added as a new, standalone category of illegal harm. The offence under section 66A of the Sexual Offences Act 2003 covers the intentional sending of a photograph or film of genitals for the purpose of causing alarm, distress or humiliation, or for the purpose of obtaining sexual gratification, with recklessness as to whether alarm, distress or humiliation would be caused.
What this means for in-scope service providers
The changes to the risk framework constitute "significant changes" within the meaning of the OSA, triggering the specific legal obligation for providers to review and update their ICRAs, to assess the risks of the new kinds of illegal harms on their service. In particular, providers should now do the following (noting that Ofcom recommends that providers do this as soon as practicable after publication of its statement):
- Consult the updated Guidance: including the Risk Assessment Guidance and Risk Profiles, Illegal Harms Register of Risks, Illegal Content Judgements Guidance (ICJG), and Record-keeping and Review Guidance, all of which have been published alongside Ofcom's statement.
- Update ICRAs: this will involve assessing the risks of suicide and self-harm as a combined harm category, assigning a single overall risk level, and separately assessing the risks of cyberflashing on the service.
- Review content moderation and illegal content judgement processes: the ICJG provides updated guidance on how to assess whether content amounts to either offence.
- Consider the updated risk factors: the updated Risk Profiles include new risk factors directly associated with functionalities such as direct messaging, group messaging, and recommender systems. Providers should consider whether these features increase the likelihood of illegal self-harm or cyberflashing content appearing on their service and reflect this in their risk assessments.
- Consider the updated Codes: as soon as they complete the Parliamentary process and come into force, providers will need to adopt the safety measures set out in the Codes or use other effective measures. Ofcom has published the draft consolidated versions of the User-to-User Code and the Search Code.
- Update record-keeping: to reflect the evidence base required for assessing both suicide and self-harm (as a combined category) and cyberflashing separately.
AI-generated content
Ofcom has confirmed that it is not yet incorporating generative AI into the Risk Profiles or Register of Risks as a specific risk factor, pending a more comprehensive review. However, existing Code measures already apply to AI-generated content shared by users on user-to-user services, and to GenAI services that fall within the scope of the Act. Providers should therefore already be treating harmful AI-generated content as subject to their existing obligations.
Next steps
Ofcom has already published updated versions of the Risk Assessment Guidance and Risk Profiles, Illegal Harms Register of Risk, ICJC and Record Keeping and Review Guidance.
The amendments to the Codes are subject to parliamentary process and will therefore come into force once that process is complete.
More broadly, Ofcom has confirmed that it expects to publish its decisions on user control measures (from its April 2025 Consultation) and additional safety measures (from its June 2025 Consultation) in autumn 2026. Separately, further updates are anticipated following the Crime and Policing Act 2026, which introduces a number of additional new offences and priority offences. Ofcom is scoping the policy work required to respond, and providers should expect further updates to the regulatory framework in due course.
If you require assistance navigating these changes, or understanding the obligations on service providers, please contact a member of our Online Safety team.