On April 24, 2025, the UK’s Office of Communications, commonly known as Ofcom—the regulator responsible for enforcing the UK’s Online Safety Act (OSA)—issued its Protecting Children from Harm Online Statement. The statement requires online services to conduct and document a children’s risk assessment in accordance with the OSA by July 24, 2025. Services will be required to implement measures to protect children from content that is harmful to them by July 25, 2025.
This alert outlines which services need to comply with the child safety duties, describes the steps that in-scope services must take to meet these requirements, and details the penalties and enforcement actions that noncompliant services may face. For more information on the OSA and its phased implementation, refer to our previous alerts here and here.
Who Do These Duties Apply To?
The OSA applies to providers of i) online platforms that allow users to generate, upload, or share content with others (“user-to-user” services), and ii) search services. Online platforms and search services will fall within scope of the OSA if they target the UK, have a significant number of users there, or otherwise present a material risk of significant harm to UK users.
The child safety duties apply to services that are likely to be accessed by a significant number of children in the UK. Online services need to assess if they meet this threshold, and if yes, to complete a children’s access assessment. The deadline to carry out this assessment was April 16, 2025.
What Is Required?
Providers of user-to-user and search services that have been identified as likely to be accessed by children are required to:
- Assess the risks that are present on their service. The OSA requires providers of in-scope services to carry out an assessment with the aim of understanding the risks presented by a) content harmful to children, and b) the way that their service is designed and used. Ofcom’s guidance recommends services follow a four-step process which involves:
- understanding the kinds of contact harmful to children that need to be identified;
- assessing the risk of harm to children;
- deciding on measures that should be implemented to reduce the identified risks; and
- reporting, reviewing, and updating the assessment regularly.
- Safety measures. The safety measures that a provider must implement to protect children depend on the type of service, its size, the level of risk it poses to children, the type of content it hosts, and its functionalities (e.g., content recommender systems, ability to comment on content). Providers of in-scope services may be required to:
- appoint a senior individual accountable for ensuring compliance with the child safety duties;
- include information in the terms of service specifying whether any proactive technology is used to protect children;
- use highly effective age assurance to prevent children from accessing the service (this is only required for high-risk services);
- establish a robust content moderation system to identify and address content that may be harmful to children;
- allow users to submit complaints easily;
- design content recommender systems to exclude high-risk content (e.g., content that promotes self-harm) from children’s feeds;
- provide children with the option to disable comments on their content; and
- offer users a way to report predictive search suggestions relating to high-risk content (e.g., content that provides instructions for suicide).
Penalties and Enforcement
Ofcom has stated that it is prepared to take enforcement action against providers that fail to promptly address the risks of harm to children on their services. Fines under the OSA can amount to up to £18,000,000 or 10 percent of worldwide revenue (whichever is greater). Ofcom may also seek court orders to block access to services in the UK.
Senior managers of in-scope services can face criminal liability under the OSA if they fail to comply with a confirmation decision—effectively an order to take steps to comply with the OSA—issued by Ofcom in relation to the children’s safety online duties.
Conclusion
Companies offering online services to users in the UK should assess whether they are in scope of the child safety duties and begin preparing to meet the upcoming deadlines.
