By 24 July 2025, all platforms, sites and apps in scope of Part 3 of the UK's Online Safety Act 2023 (OSA) that have identified they are likely to be accessed by children following the completion of a Children's Access Assessment (CAA) must complete a Children's Risk Assessment (CRA) to comply with their OSA duties. Providers should be aware that the duty to complete a CRA is separate to the duty to complete an Illegal Content Risk Assessment (ICRA).
What services are in scope?
All Part 3 Services that have identified in their CAA a likelihood that their service will be accessed by children are in scope of the requirement to complete a CRA under the OSA.
Part 3 Services are those which are either:
- User-to-user services: where content is generated, uploaded to, or shared on the service by a user, and may be encountered by another user or users of the service; or
- Search services: services that are or include a search engine, or have the ability to search websites, databases or other aspects of a service.
What needs to be assessed?
The requirement for a CRA is set out in the OSA. However, the process and form of the assessment are dictated by guidance issued by Ofcom on 7 May 2025. Ofcom's guidance follows the same four -stage method, that it advises is followed, when completing an ICRA:
- assess the content on the service which may be harmful to children
- assess the level of risk of harm that the content is likely to have on children
- identify and implement measures to address the risks identified
- ensure that appropriate reports and monitoring are completed
Stage 1: Assessment of harmful content
In the first stage, consideration must be given to the type of content on the service. Ofcom's guidance identifies three categories of content that may be harmful:
- Primary Priority Content, which includes content that relates to
- pornography;
- suicide;
- self-harm; or
- eating disorders.
- Priority Content, which includes a range of content including that which:
- is abusive;
- incites hate;
- encourages violence;
- depicts violence; or
- encourages substance abuse.
- Non-designated Content, which includes all other content which presents a material risk of significant harm to children, such as:
- content which creates body stigmas; and
- content that promotes depression.
The CRA must assess each category of content separately and consider how the assessed service may be used harmfully and the level of risk posed. The CRA should consider Ofcom's Children’s Register of Risks and Guidance on Content Harmful to Children, which will assist in identifying risk factors.
Stage 2: Assessment of the risk of harm to children
This stage involves using evidence to assess and assign a level of risk to each category of content based on the likelihood and impact of children encountering the content.
This stage should consider the different ages of children that may access the service and the differing levels of harm they may face. Ofcom has created a series of Children's Risk Profiles as part of their guidance on CRAs. These Children's Risk Profiles should be used to assess harm when completing a CRA and contain a series of risk factors and content that Ofcom considers to be indicative of harm to children. This stage of the CRA may involve considering additional factors and characteristics not contained in the Children's Risk Profiles that may increase the risk of harm. Services should also consider the existing measures in place which may mitigate harm.
Stage 3: Identification and implementation of measures
In stage three, services should consider how they may mitigate the risk to children and identify measures that can be taken to comply with the children's safety duties in the OSA. The Protection of Children Codes (Codes) offer some measures recommended by Ofcom based on a Service's size, functionality and risk level. Where a service complies with all the applicable measures in the Codes, it will be considered to have complied with its OSA duties.
Services should also consider if there are additional measures that can be taken to reduce risk and implement them as needed.
Stage 4: Reporting and monitoring
Once a CRA is completed, services must report on the outcome to senior risk management to ensure appropriate internal governance.
Where services are a Category 1 or 2A service, they must also share a copy of their CRA with Ofcom, as soon as is practicable after completion or revision. Category 1 and 2A services are typically large providers, with more than seven million UK users and either user to user content, a content recommender system, or are a search service.
Services are also required to report non-designated content identified on the service to Ofcom and provide details and examples of the content.
The effectiveness of measures implemented will also need to be monitored and adjusted where necessary. The outcome of monitoring should assist with keeping the CRA up to date, as it will need to be reassessed on an annual basis, or where there is a significant change to the service, which could impact the CRA that has already been carried out. Significant changes include adjustments to the service's design or operation, new evidence regarding the risk of harm to children or new evidence of an increase in the number of children using the service.
When must CRAs be completed?
For services that are already in operation and in scope of the obligation to complete a CRA, the assessment must be completed by 24 July 2025. Providers have been encouraged to begin the assessment process well in advance of the deadline to allow sufficient time for any required changes to be made.
For services that come into scope of the obligation to complete a CRA (whether due to a change in the service or due to the launch of a new service), a CRA must be completed within the first three months of operation.
What is the penalty for non-compliance?
If an appropriate CRA has not been carried out, Ofcom may use its powers to investigate and could impose a penalty of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Ofcom may also require remedial action to be taken.
Ofcom recently set out its plans for enforcement under the OSA, and has begun to announce investigations that it is undertaking as a result of these plans. It is expected that Ofcom will continue to actively enforce compliance. Mishcon de Reya has advised several clients on compliance with the OSA, as well as the commercial and practical implications that it poses and is available to assist. Please contact a member of our Online Safety Team if you wish to discuss this further.