Quick guide to illegal content risk assessments

Risk assessments are a new legal duty for most services regulated under the Online Safety Act.

We have recently published our Risk Assessment Guidance and Risk Profiles (PDF, 852.72 KB). This page explains what online services will need to do under our guidance.

Services will need to complete an illegal content risk assessment

This duty has come into force from 16 December 2024. You have until 16 March 2025 to complete your first risk assessment.

You’ll need to consider how illegal harm could take place on your service

An illegal content risk assessment should assess how likely it is that your users could encounter illegal content or, if you’re a user-to-user service, how it could be used to commit or facilitate certain criminal offences and what the impact could be. It should help you understand how harm could take place, how your service’s user base, features and other characteristics could increase the risks, and what safety measures you need to put in place to protect people, especially children.

Your assessment should be as accurate as possible. It should be based on relevant information and evidence. The purpose of the assessment is to ensure you understand your risks so you can put in place appropriate safety measures. You also need to keep it up to date.

Follow our four-step risk assessment process

Our guidance sets out four steps to help you complete your risk assessment. There is no one-size-fits-all approach, but our guidance can be used by services of all types and sizes.

Step one: Understand the kinds of illegal content that need to be assessed

You’ll need to:

• identify the 17 kinds of priority illegal content that need to be separately assessed
• identify whether there is a risk of other illegal content taking place on your service, including relevant non-priority illegal content
• if you are a user-to-user service, understand how the service may be used to commit or facilitate a priority offence
• identify the risk factors which are relevant to your service for each of the 17 kinds of priority illegal content

Step two: Assess the risk of harm

You’ll need to:

• separately assess the likelihood and impact of each of the 17 kinds of priority illegal content, using all relevant evidence
• assess the likelihood and impact of any other illegal content which you have identified as being likely to occur on your service (including non-priority illegal content), using all relevant evidence 

As part of this process, you need to:

• assess the different ways in which the service is used, including ways which are unintended
• identify whether there are any specific characteristics or functionalities of the service’s design or operation, not covered in Ofcom’s Risk Profiles, which could increase the risk of harm. Including, but not limited to:
• user base
• design features
• algorithmic systems
• your business model
• user protection or risk mitigation measures
• other relevant aspects of the service’s design and operation, and the way it is used
• consider the effectiveness of any existing control measures which could impact the level of risk of harm to service users
• consult the risk level tables, found in our Risk Assessment Guidance, to assign a risk level for each of the 17 kinds of priority illegal content, and any relevant other illegal content - this risk level should reflect risk as it exists on the service at the time of assessment, having had regard to the efficacy of any existing control measures you have in place
• conclude the assessment of all the risks relating to each kind of illegal content, and the design and operation of the service, to move on to your mitigations in Step 3

You should gather evidence about your service – our Risk Assessment Guidance and Risk Profiles (PDF, 852.72 KB) includes a recommended list including user reports and complaints, for example.

Based on this information, you should decide how likely it is that illegal harms could take place on your service and what the impact could be. This will help you decide whether there is negligible, low, medium or high risk of each kind of illegal content on your service. Our Risk Assessment Guidance and Risk Profiles (PDF, 852.72 KB) provides more information on how to make these judgements. We have specific guidance on how to assess the risk of child sexual abuse material and grooming.

Step three: Decide measures, implement and record

You’ll need to:

• consult Ofcom’s Codes of Practice, check which measures are recommended for your service, and decide whether to implement applicable measures to reduce risk of harm to individuals/users, or use alternative measures
• identify any additional measures that may be appropriate for your service implement all safety measures
• record the outcomes of the risk assessment

One way to comply with your duties is to implement applicable safety measures set out in Ofcom’s illegal content Codes of Practice for user-to-user services (PDF,900.5 KB) and illegal content Codes of Practice for search services (PDF,693.99 KB), such as measures around content moderation, reporting and complaints, user settings and tools. You must keep a written record of any measures taken or in use as described in Ofcom’s Codes of Practice.

You can also decide on your own measures to comply with the safety duties. The Act refers to this as taking ‘alternative measures’. If you choose to take alternative measures rather than implementing the measures recommended for your service in Ofcom’s Codes of Practice, you will need to keep a record of  those alternative measures and how they amount to compliance with the safety duties.

We have provided Record-Keeping and Review Guidance (PDF, 238.96 KB) on what your record needs to include.

Step four: Report, review and update risk assessments

You’ll need to:

• report on the illegal content risk assessment and measures through appropriate governance and accountability channels
• monitor the effectiveness of safety measures at reducing the risk of harm to users
• monitor developing risks and the level of risk exposure after appropriate measures are implemented (also known as residual risk)
• review and/or update your risk assessment when appropriate, including before making any significant change to any aspect of the service’s design or operation 

We recommend that services report their risk assessment outcomes and online safety measures to a relevant internal governance body. For small services without formal boards or oversight teams, this can simply mean reporting to a senior manager with responsibility for online safety.

To keep your risk assessment up to date, we recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to Risk Profiles. If you are planning to make a significant change to your service, you need to complete a new risk assessment before making the change. Our Risk Assessment Guidance and Risk Profiles (PDF, 852.72 KB) covers this in more detail.

Subscribe to updates about online safety

Subscribe to email updates from us. We'll send you updates on any changes to the regulations and what you need to do. You'll also be the first to know about our new publications and research.