Check how to comply with the illegal content rules

Online safety Illegal and harmful content Information for industry
Published: 16 December 2024
Last updated: 21 January 2025

Our interactive tool will help providers of user-to-user and search services to understand how to comply with the illegal content rules.

This includes your responsibilities to:

  • complete an illegal content risk assessment
  • comply with illegal content safety duties, record-keeping and review duties, and other obligations

Start now

Using the tool to help you comply

Based on your answers to questions asked within the tool, we will provide you with compliance recommendations for your service. When you start using the tool, you'll be given a unique reference code so you can save your progress and return at any time.

The tool can be used alongside our Illegal content duties record-keeping template (DOCX, 3.02 MB) to help you record the necessary information.

When to complete your risk assessment

You must complete your first illegal content risk assessment by 16 March 2025.

If you start a new user-to-user or search service, or change an existing service so that the Act now applies to it, you must complete your risk assessment within three months from when you started or changed the service.

You must take steps to keep your risk assessment up to date. You should review it at least every 12 months to make sure that it still accurately reflects the risks on your service and that the measures you implemented to protect users from harm are effective. If you plan to make a significant change to your service, you must carry out a new risk assessment before making the change.

Meeting the legal requirements remains your responsibility

Using the tool does not guarantee that you are compliant with the Online Safety Act. While Ofcom provides guidance and recommendations, we do not have access to the evidence about risks on your service to ensure you assess them correctly. You are responsible for implementing the safety measures required, meeting your legal duties and keeping the appropriate records. You should seek independent specialist advice if you need it.

It is up to you to decide how you meet your legal duties under the Online Safety Act, but this must include keeping the records required by the law. Most services do not need to send their records to Ofcom but should be aware that we can ask for them at any time.

Keeping your data secure

To give you the most relevant information, we will ask you questions about the features of your service, your users, and the risk levels you have assigned to each kind of illegal content.

We will store this information but it will not be attributed to you or your service. We will use it to understand more about services’ online safety practices in aggregate and to improve our tools in the future.

In future, we may collect identifiable information about online services to send notifications or allow you to access additional resources, but this would always be optional when using this service.

The legal obligations this tool can help you with

These are:

For more detailed information, you can refer to official documents setting out our policies: 

The law requires that your risk assessment is “suitable and sufficient”. Our guidance explains that this means:

  • your risk assessment must include all the elements of an illegal content risk assessment specified in the Act (section 9(5) for user-to-use service providers and section 26(5) for search service providers
  • it should be specific to your service and reflect the risks accurately

The specific elements of the risk assessment are set out in sections 9 and 26 of the Online Safety Act 2023. These include your obligation to:

  • assess the risk of users encountering each of the 17 kinds of priority illegal content and other illegal content, and the risk of a user-to-user service being used for the commission or facilitation of a priority offence
  • take into account Ofcom’s risk profiles in your risk assessmen
  • consider the characteristics of your service: its user base (for example, user numbers, age, languages, groups at risk, and groups increasing risk), functionalities, algorithmic systems (and how easily, quickly and widely they disseminate content), and the business model
  • consider any other relevant aspects of your service’s design and operation, including any existing controls to mitigate harm such as governance, use of proactive technology, measures to promote users’ media literacy and safe use of your service, and other systems and processes which could affect the level of risk; and
  • consider how your service is used – both the intended and unintended ways that people may use your service.

If we suspect that you have failed to carry out a suitable and sufficient risk assessment, then we are able to take enforcement action. Any decision we take regarding enforcement action would be made in line with our Online Safety Enforcement Guidance.

If we decide to open an investigation and find that your service has failed to comply with its duties, we may impose a penalty of up to 10% of qualifying worldwide revenue or £18 million (whichever is the greater) and require remedial action to be taken.

Based on the findings of your risk assessment, you will need to put in place the appropriate safety measures for your service to comply with the illegal content safety duties.

The safety duties for illegal content focus on keeping people safe online. It’s about making sure you have the right measures in place to protect people from harm that could take place on your service.

If you provide a user-to-user service, broadly the illegal content safety duties require you to take proportionate measures to:

  • prevent your users from encountering priority illegal content
  • mitigate and manage the risks you have identified of harm to individuals
  • mitigate and manage the risks you have identified of your service being used for the commission or facilitation of priority offences

You will need to use proportionate systems and processes designed to:

  • swiftly take down any priority illegal content and minimise the time it is present on your service
  • swiftly take down any other illegal content when you become aware of it
  • explain how you’ll protect users from illegal content in your terms of service, and apply these provisions consistently

If you provide a search service, broadly the safety duties require you to:

  • use proportionate systems and processes to minimise the risk of your users encountering priority illegal content, and other illegal content that you know about, in or via search results
  • take proportionate measures to mitigate and manage the risks identified in your illegal content risk assessment
  • explain how you’ll protect users from illegal content in a publicly available statement

In addition, services have duties to allow people to easily report illegal content and operate a complaints procedure.

You can decide for yourself how to meet the specific legal duties, but one way to comply is to use the measures set out in Ofcom’s codes.

Our codes for illegal content set out a range of measures in areas including content moderation, complaints, user access, design features to support users, and the governance and management of online safety risks.

This tool will help you decide which of these apply to your service.

Related content

Statement: Protecting people from illegal harms online

This is the first of Ofcom’s policy Statements that Ofcom, as regulator of the Online Safety Act, will publish as part of our work to establish the new regulations.

Quick guide to illegal content risk assessments

Under the Online Safety Act, most regulated services will have to carry out a risk assessment. Find out what this means for you.

Guide for services: complying with the Online Safety Act

The Online Safety Act makes businesses responsible for keeping people, especially children, safe online. Here’s what you need to know and do now.

Back to top