Quick guide to illegal content risk assessments

Published: 9 November 2023
Last updated: 9 April 2025

Illegal content risk assessments are a legal duty for most services regulated under the Online Safety Act.

The deadline to complete your first risk assessment was 16 March 2025. This duty came into force on 16 December 2024.

You must consider how illegal harm could take place on your service

The purpose of conducting a risk assessment is to ensure you have an adequate understanding of the risks to your users encountering illegal content on your service, and if you have a user-to-user service, the risk that the service may be used to commit or facilitate certain priority offences.

It will help you understand how harm could take place, how your service's user base, features and other characteristics could increase the risks, and what safety measures we recommend you put in place to protect people, especially children.

Your assessment must accurately reflect the risks on your service based on relevant information and evidence. You also need to keep it up to date.

Our resources to help you complete your illegal content risk assessment

Follow our four-step risk assessment process

Our guidance sets out four steps to help you complete your risk assessment. There is no one-size-fits-all approach, but our guidance can be used by services of all types and sizes.

Step one: Understand the kinds of illegal content that need to be assessed

Activities you'll undertake in this step:

  • identify the 17 kinds of priority illegal content that need to be separately assessed
  • identify whether there is a risk of other illegal content taking place on your service, including relevant non-priority illegal content
  • if you are a user-to-user service, understand how the service may be used to commit or facilitate a priority offence
  • consult Ofcom's Risk Profiles and identify the risk factors which are relevant to your service for each of the 17 kinds of priority illegal content

Step two: Assess the risk of harm

Activities you'll undertake in this step:

  • separately assess the likelihood and impact of each of the 17 kinds of priority illegal content
  • assess the likelihood and impact of any other illegal content which you have identified as being likely to occur on your service (including non-priority illegal content), using all relevant evidence

For this process, you should: 

  • assess the different ways in which the service is used, including ways which are unintended
  • identify whether there are any specific characteristics or functionalities of the service’s design or operation, not covered in Ofcom’s Risk Profiles, which could increase the risk of harm, including, but not limited to:
    • user base
    • design features
    • algorithmic systems
    • your business model
    • user protection or risk mitigation measures
    • other relevant aspects of the service’s design and operation, and the way it is used
  • consider the effectiveness of any existing control measures which could impact the level of risk of harm to service users
  • consult the risk level tables, found in our Risk Assessment Guidance, to assign a risk level for each of the 17 kinds of priority illegal content, and any relevant other illegal content; this risk level should reflect risk as it exists on the service at the time of assessment, having had regard to the efficacy of any existing control measures you have in place
  • conclude the assessment of all the risks relating to each kind of illegal content, and the design and operation of the service, to move on to your mitigations in Step 3

You should gather evidence about your service. Our guidance includes a list of evidence that all services should consider. This is also provided in our interactive tool.

Based on this information, you should decide how likely it is that illegal harms could take place on your service and what the impact could be. This will help you decide whether there is negligible, low, medium or high risk of each kind of illegal content on your service. Our Risk Assessment Guidance and Risk Profiles provide more information on how to make these judgements. We have specific guidance on how to assess the risk of child sexual abuse material and grooming.

Step three: Decide measures, implement and record

Activities you'll undertake in this step:

  • consult Ofcom’s Codes of Practice, check which measures are recommended for your service, and decide whether to implement applicable measures to reduce risk of harm to individuals/users, or use alternative measures
  • identify any additional measures that may be appropriate for your service
  • implement all safety measures
  • record the outcomes of the risk assessment

One way to comply with your duties is to implement applicable safety measures set out in Ofcom’s illegal content Codes of Practice for user-to-user services (PDF, 900.5 KB) and illegal content Codes of Practice for search services (PDF, 693.99 KB), such as measures around content moderation, reporting and complaints, user settings and tools. You must keep a written record of any measures taken or in use as described in Ofcom’s Codes of Practice.

You can also decide on your own measures to comply with the safety duties. The Act refers to this as taking ‘alternative measures’. If you choose to take alternative measures rather than implementing the measures recommended for your service in Ofcom’s Codes of Practice, you will need to keep a record of those alternative measures and how they amount to compliance with the safety duties.

You can read our quick guide to illegal content Codes of Practice which summarises the safety measures that different services might need to use.

We have provided Record-Keeping and Review Guidance (PDF, 238.96 KB) on what your record needs to include.

Step four: Report, review and update risk assessments

Activities you'll undertake in this step:

  • report on the illegal content risk assessment and measures through appropriate governance and accountability channels
  • monitor the effectiveness of safety measures at reducing the risk of harm to users
  • monitor developing risks and the level of risk exposure after appropriate measures are implemented (also known as residual risk)
  • review and/or update your risk assessment when appropriate, including before making any significant change to any aspect of the service’s design or operation

We recommend that services report their risk assessment outcomes and online safety measures to a relevant internal governance body. For small services without formal boards or oversight teams, this can simply mean reporting to a senior manager with responsibility for online safety.

To keep your risk assessment up to date, we recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to the Risk Profiles. If you are planning to make a significant change to your service, you need to complete a new risk assessment before making the change. Our Risk Assessment Guidance and Risk Profiles cover this in more detail.
