Quick guide to children’s risk assessments: protecting children online

Online safety Illegal and harmful content Protecting children Information for industry
Published: 7 May 2024
Last updated: 24 April 2025

Services likely to be accessed by children will be required to carry out children’s risk assessments under the Online Safety Act.

This duty comes into force 24 April 2025. If you provide a service now, the deadline to complete your first children’s risk assessment is 24 July 2025.

The children’s risk assessment duty is a separate duty to the illegal content risk assessment duty.

All service providers in scope of the Act must:

  1. complete an illegal content risk assessment
  2. establish whether their service is likely to be accessed by children by completing a children’s access assessment
  3. complete a children’s risk assessment if their service is likely to be accessed by children

You must consider the risk of harm to children on your service

The purpose of the children’s risk assessment is to improve your understanding of the risk of harm to children on your service.

It will help you understand how children could encounter harmful content, how your service’s user base, features and other characteristics could increase the risk of this, and what safety measures you need to put in place to protect children.

Your assessment must accurately reflect the risks on your service based on relevant information and evidence. You also need to keep it up to date. 

Our resources to help you complete your children’s risk assessment

Follow our proposed four-step risk assessment process

The Children’s Risk Assessment guidance sets out four steps to help you complete your assessment. There is no one-size-fits-all approach, but our guidance can be used by services of all types and sizes.

Step one: Understand content harmful to children that needs to be assessed

Activities you’ll undertake in this step:

  • identify the kinds of content harmful to children that need to be separately assessed, including each kind of primary priority content, each kind of priority content, and any kind(s) of non-designated content that may be relevant to your service
  • consult Ofcom’s Children’s Risk Profiles and identify the risk factors relevant to your service for each kind of content harmful to children

The guidance on content harmful to children (PDF, 802 KB) sets out examples of what kinds of content Ofcom considers to be, or not to be, content harmful to children.

You will also need to consider what non-designated content to assess. The Register of Risk includes a chapter on two kinds of non-designated content identified by Ofcom.

We have published a list of risk factors – such as features including group messaging and recommender systems - that are most strongly linked to content harmful to children, and identify whether they are relevant to your service. For each risk factor, we explain how it could increase the risk of children encountering content harmful to children. This list of risk factors is called Ofcom's ‘Children's Risk Profiles’.

Step two: Assess the risk of harm to children

Once you understand content harmful to children and have a list of risk factors from Ofcom, you will need to assess what this means for your specific service.

You should gather evidence about your service. The Children’s Risk Assessment Guidance and Risk Profiles (PDF, 873 KB) explains how you should go about this. It also includes information about how you might consider children in different age groups on your service.

Based on this information, you should decide how likely it is that children could encounter content harmful to children on your service and what the impact could be.

This will help you decide whether your services is negligible, low, medium or high risk for each kind of content that is harmful to children. The Children’s Risk Assessment guidance provides more information on how to make these judgements.

Activities you’ll undertake in this step:

  • separately assess the likelihood and impact of children encountering content harmful to children, using all relevant evidence
  • as part of your assessment of likelihood and impact:
    • consider the different ways your service is used, including ways which are unintended
    • identify whether there are any additional characteristics or functionalities of your service’s design or operation, not in the Children’s Risk Profiles, which could increase the risk to children. This includes functionalities that present higher levels of risk such as:
      • content recommender systems,
      • those that enable adults to search and/or contact children,
      • predictive search functionalities, and
      • other features and functionalities which affect how much children use the service
    • consider the effectiveness of any existing control measures which could impact the level of risk of harm to children
  • consult the risk level tables to assign a risk level for each of the four kinds of primary priority content, each of the eight kinds of priority content, and any kind(s) of non-designated content you have identified for assessment
  • conclude the assessment of all the risks relating to content harmful to children, including the design and use of the service

Step three: Decide measures, implement and record

Activities you’ll undertake in this step:

One way to meet your duties is to apply the relevant safety measures set out in Ofcom’s Codes of Practice. This includes measures related to content moderation, reporting and complaints, recommender systems, age assurance, and user tools. You must keep a written record of any measures taken or in use as described in Ofcom’s Codes of Practice.

You can also decide on your own measures to comply with the safety duties. The Act refers to this as taking ‘alternative measures’. If you choose to take alternative measures rather than implementing the measures recommended for your service in Ofcom’s Codes of Practice, you will need to keep a record of those alternative measures and how they amount to compliance with the safety duties.

You can read our quick guide to Protection of Children Codes which summarises the safety measures that different services might need to use.

You will then need to implement all measures to mitigate and manage risks of harm to children and record the outcomes of the children’s risk assessment. We have provided guidance on what your record needs to include.

Step four: Report, review and update risk assessments

    Activities you’ll undertake in this step:

    • report on the children’s risk assessment and measures through appropriate governance and accountability channels
    • providers of user-to-user services to notify Ofcom of the kinds and incidence of any non-designated content you have identified as present on your service through your children’s risk assessment
    • monitor the effectiveness of safety measures at reducing the risk of harm to users
      monitor developing risks and the level of risk exposure after appropriate measures are implemented (also known as residual risk)
    • review and/or update your children’s risk assessment when appropriate, including before making significant change to any aspect of the service’s design or operation

    We recommend that services report their children’s risk assessment outcomes and online safety measures to a relevant internal governance body to review. For small services without formal boards or oversight teams, this can simply mean reporting to a senior manager with responsibility for online safety duties for risk of harm to children.

    To keep your children’s risk assessment up to date, we recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to the Children’s Risk Profiles. If you are planning to make a significant change to your service, you need to do a new children’s risk assessment before making the change. The Children’s Risk Assessment Guidance and Risk Profiles (PDF, 873 KB) covers this in more detail.

    Rate this page

    Was this page helpful?
    Back to top