The key takeaways
Focus on the core evidence for risk assessments
Ofcom expects that the core evidence should be available to most services. There is no expectation for online services to take disproportionate steps to gather evidence, but there will need to be some attempt to do so in order to reach a level of confidence in understanding their risk.
Ofcom expects that organisations will have some evidence to back up their assessments but acknowledges that this may not be an easy task, since figures available may not be specific to the UK market. Ofcom is not looking for organisations to overhaul the categories of harm that they may already use for content reporting but suggests that they determine which categories ‘best fit’ the offences and risk areas.
The key is to carry out a robust risk assessment acting in good faith. Ofcom recognises that, with time, risk assessments will become more thorough and online service organisations will make improved judgments.
Make a degree of judgment as to the risk level
Ofcom’s guidance is a good starting point, but it is not set in stone. For example, in terms of Ofcom’s default risk tables, there may be many indicators that suggest an online service might be high risk. However, if there is strong countervailing evidence that reduces the risk, an informed judgment of the overall risk level can be made.
Consider risks beyond the 17 priority harms
The list of harms in the risk assessment guidance is not exhaustive. Ofcom expects organisations to consider whether an online service has other features, functionalities, or risks beyond the 17 priority harms. This might include evidence of other illegal content appearing on the service that could give rise to law enforcement involvement or a serious event.
Prioritise the highest-risk harms, especially those targeting children
In all circumstances, Ofcom encourages investment in risk assessment processes and governance, especially involving the safeguarding of children, as this will ensure safety measures are a priority and highlight areas of particularly high risk, such as grooming or child sexual abuse material.
Ofcom also encourages an emphasis on ‘quick win’ measures requiring minimal technical uplift, including those relating to governance and accountability and terms and conditions.
Policy measures are flexible
Policy measures do offer some flexibility around how accountability structures operate within a service, such as their code of conduct. The ultimate aim is to provide effective guidance to online services, with a degree of flexibility.
However, the service must provide a named person accountable to the most senior governance bodies. While this must be a single person, it is for the service provider to determine what they consider the appropriate qualities to be for such a person and what constitutes a senior governance body.
Consider combining risk assessments going forward
Whilst Ofcom will continue to have separate risk assessment guidance and codes for the illegal harms and the safeguarding of children (as required by law), it may be open to service providers to combine their assessments going forward, provided any consolidated risk assessments satisfy the basic criteria of what is considered ‘suitable and sufficient’ and the timing requirements.
HEAA is not always required at the point of access to a service
Not all services have to apply highly effective age assurance (HEAA) at the point of access. Access to some services by children (e.g., pornography services) will be prohibited entirely by the end of July 2025, but other services may only need to implement HEAA for certain content depending on the outcome of the risk assessment (subject to the final versions of the children’s safety duties).
There is not a trade-off between privacy and HEAA
Ofcom has been working closely with the ICO to align age assurance under the Online Safety Act and the data protection regime. Services must comply with both.
Examples of HEAA are not exhaustive
HEAA applies to a wide range of services, and Ofcom has not been prescriptive as to the exact methods that must be used as this would detract from the high-level, principles-based approach. The guidance is non-exhaustive and non-binding. It is acceptable for an online service to demonstrate that its method of age assurance satisfies the HEAA criteria.
Client Alert 2025-059