Protection of children duties under the Online Safety Act

Online safety Protecting children Information for industry
Published: 18 February 2026
Last updated: 1 April 2026

If children are likely to access all, or part of, an online service you provide, you have duties under the Online Safety Act to protect children from harmful content.

All service providers in scope of the Act must establish whether their service is likely to be accessed by children by completing a children’s access assessment.

If you establish that your service is likely to be accessed by children, you must comply with duties to:

1.    Carry out a children's risk assessment
2.    Put in place protections for children on your service 
3.    Comply with the record-keeping and review duties for these activities

You have three months to complete a children’s risk assessment after launching a service that the protection of children duties apply to, and will need to keep that risk assessment up to date. You also need to complete a risk assessment before making a significant change to your service.

If you conclude that your service is not likely to be accessed by children, you will need to carry out another children’s access assessment in a year (or less in some cases).

Our resources to help you comply with the protection of children rules

  • Our Online Safety Act regulatory documents page includes a full list of documents and guidance related to compliance with the protection of children duties, including Ofcom’s children's risk assessment guidance and Protection of Children Codes of Practice.

  • Our digital toolkit will guide you through how to comply with the protection of children rules. The toolkit will provide you with specific compliance recommendations for your service based on your answers to a series of questions. It will help you to:
    • identify and asses the risks relevant to your service
    • find recommended safety measures to address these risks
    • use templates and checklists, if you need them

Children's risk assessment duties

The purpose of the children’s risk assessment is to improve your understanding of the risk of harm to children on your service.

It will help you understand how children could encounter harmful content, how your service’s user base, features and other characteristics could increase the risk of this happening, and what safety measures you need to put in place to protect children.

Your assessment must accurately reflect the risks on your service based on relevant information and evidence. You also need to keep it up to date.

You need to keep a written record of every risk assessment you carry out. You can use the protection of children duties record-keeping template (ODT, 148 KB) to make a record of your risk assessment.

Follow the four-step risk assessment process

Show all steps

1

Activities you’ll undertake in this step:

  • identify the kinds of content harmful to children that need to be separately assessed, including each kind of primary priority content, each kind of priority content, and any kind(s) of non-designated content that may be relevant to your service
  • consult Ofcom’s Children’s Risk Profiles (PDF, 884.07 KB) and identify the risk factors relevant to your service for each kind of content harmful to children

Content harmful to children

The Act lists a number of kinds of ‘content that is harmful to children’, grouped into three categories.
  
‘Primary priority content’, which includes:

  • pornographic content, and
  • content which encourages, promotes, or provides instructions for:
    • suicide
    • self-harm
    • eating disorders

‘Priority content’, which includes:

  • content which is abusive or incites hatred
  • abuse and hate content
  • bullying content
  • violent content
  • harmful substances content
  • dangerous stunts and challenges content

‘Non-designated content’, which includes types of content that do not fall within the above two categories, and which present a ‘material risk of significant harm to an appreciable number of children in the United Kingdom’.  

The guidance on content harmful to children (PDF, 802 KB) sets out examples of what kinds of content Ofcom considers to be, or not to be, content harmful to children.

You will also need to consider what non-designated content to assess. The Children’s Register of Risks (PDF, 3.66 MB) identifies two kinds of non-designated content: depression content and body stigma content.

Where you provide a user-to-user service and you identify that non-designated content is present on your service then you must notify Ofcom using the following email address: nondesignatedcontent@ofcom.org.uk. Ofcom’s Children’s Risk Assessment Guidance (PDF, 884.07 KB) provides guidance on how to do this.

We have published a list of risk factors – such as features including group messaging and recommender systems - that are most strongly linked to content harmful to children, and identify whether they are relevant to your service. For each risk factor, we explain how it could increase the risk of children encountering content harmful to children. This list of risk factors is called Ofcom's ‘Children's Risk Profiles’.

2

Once you understand content harmful to children and have a list of risk factors from Ofcom, you will need to assess what this means for your specific service.

You should gather evidence about your service. The Children’s Risk Assessment Guidance and Risk Profiles (PDF, 873 KB) explains how you should go about this. It also includes information about how you might consider children in different age groups on your service.

Based on this information, you should decide how likely it is that children could encounter content harmful to children on your service and what the impact could be.

This will help you decide whether your services is negligible, low, medium or high risk for each kind of content that is harmful to children. The Children’s Risk Assessment guidance provides more information on how to make these judgements.

Activities you’ll undertake in this step:

  • separately assess the likelihood and impact of children encountering content harmful to children, using all relevant evidence

For this process, you should:

  • consider the different ways your service is used, including ways which are unintended
  • identify whether there are any additional characteristics or functionalities of your service’s design or operation, not in the Children’s Risk Profiles, which could increase the risk to children. This includes functionalities that present higher levels of risk such as:
    • content recommender systems,
    • features that enable adults to search and/or contact children,
    • predictive search functionalities, and
    • features and functionalities that affect how much children use the service
  • consider the effectiveness of any existing control measures which could impact the level of risk of harm to children
  • consult the risk level tables to assign a risk level for each of the four kinds of primary priority content, each of the eight kinds of priority content, and any kind(s) of non-designated content you have identified for assessment
  • conclude the assessment of all the risks relating to content harmful to children, including the design and use of the service

3

Activities you’ll undertake in this step:

One way to meet your duties is to apply the relevant safety measures set out in Ofcom’s Codes of Practice. This includes measures related to content moderation, reporting and complaints, recommender systems, age assurance, and user tools. You must keep a written record of any measures taken or in use as described in Ofcom’s Codes of Practice.

More information about our Codes of Practice and how they relate to the safety duties can be found in the Implementing safety measures section of this page.

You can also decide on your own measures to comply with the safety duties. The Act refers to this as taking ‘alternative measures’. If you choose to take alternative measures rather than implementing the measures recommended for your service in Ofcom’s Codes of Practice, you will need to keep a record of those alternative measures and how they amount to compliance with the safety duties.

We have provided Record-Keeping and Review Guidance (PDF, 238.96 KB) on what your record needs to include.

4

Activities you’ll undertake in this step:

  • report on the children’s risk assessment and measures through appropriate governance and accountability channels – you do not need to share your risk assessment record with Ofcom unless we specifically ask for it or you provide a categorised service
  • providers of user-to-user services to notify Ofcom of the kinds and incidence of any non-designated content you have identified as present on your service through your children’s risk assessment
  • monitor the effectiveness of safety measures at reducing the risk of harm to users
    monitor developing risks and the level of risk exposure after appropriate measures are implemented (also known as residual risk)
  • review and/or update your children’s risk assessment when appropriate, including before making significant change to any aspect of the service’s design or operation

We recommend that you report your children’s risk assessment outcomes and online safety measures to a relevant internal governance body to review. For small services without formal boards or oversight teams, this can simply mean reporting to a senior manager with responsibility for online safety duties for risk of harm to children.

To keep your children’s risk assessment up to date, we recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to the Children’s Risk Profiles. If you are planning to make a significant change to your service, you need to do a new children’s risk assessment before making the change. The Children’s Risk Assessment Guidance and Risk Profiles (PDF, 873 KB) covers this in more detail.

Additional steps for Category 1 and 2A services

Ofcom expects to publish the register of categorised services in July 2026. The providers of services falling into Category 1 or Category 2A will have additional duties relating to their risk assessments. 

These duties will provide transparency as to how relevant services view the levels of risk they pose to users in the UK.

Additional steps for categorised services

Show all steps

1

Relevant Category 1 and Category 2A service providers must provide Ofcom with a copy of their children’s risk assessment record as soon as reasonably practicable after making, or revising, such a record. 

Our expectations of when providers should take action 

These additional duties will come into effect upon publication of the register of categorised services, which we anticipate in July 2026.  

We expect providers of Category 1 and 2A services to supply Ofcom with copies of their latest risk assessment record(s) by October 2026, or, if appropriate, to confirm if we already hold an up to date record(s). This allows providers sufficient time (at least 3 months) to ensure their risk assessment(s) are up to date, following publication of the register.  

Reflecting categorisation in updated records 

Risk assessment records should reflect how the register has categorised services as user-to-user services, search services, and combined services (where both the regulated user-to-user service and the public search engine of the combined service each meet the relevant categorisation threshold conditions). Therefore, where a provider is responsible for a combined service, it should risk assess each Category 1 and/ or 2B, and each 2A service separately, as relevant, and reflect this in its record keeping. 

Additionally, for combined services, the additional risk assessment duties will apply only to the relevant user-to-user service of the combined service if it is identified as a Category 1 services and/or to the regulated public search engine if it is identified as a Category 2A service.  

How providers can submit records to Ofcom 

As noted in our Record-Keeping and Review Guidance (261 KB), the record should be sent to Ofcom in electronic format and to an Ofcom email address. Ofcom will contact providers of Category 1 and 2A services to request records and specify where they should be sent. 

2

Relevant Category 1 and Category 2A service providers must publish a summary of their most recent children’s risk assessment in their terms of service (Category 1) or in a publicly available statement (Category 2A). 

The summary must include the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children). 

Our expectations of the content 

Risk levels

The Act states that summaries of risk assessment findings must include ‘levels of risk’.  

For children’s risk assessments, our Children’s Risk Assessment Guidance and Children’s Risk Profiles (PDF, 84.07 KB) advises providers to assign a risk level for each kind of content harmful to children. In summaries, we therefore expect providers to set out the risk level (negligible, low, medium or high) assigned to: 

  • each of the 4 kinds of primary priority content harmful to children;  
  • each of the 8 kinds of priority content harmful to children; and 
  • any kind(s) of non-designated content, which is content harmful to children that is not primary priority content or priority content, and is of a kind which presents material risk of significant harm to an appreciable number of children in the UK. 
Nature and severity of risk 

The Act also states that summaries of risk assessments must include findings ‘as to nature, and severity’ of potential harm. 

Our Children’s Risk Assessment Guidance recommends that, to make judgements on the nature and severity of harm, providers need to consider: 

  • if children on the service have had a materially harmful experience (for example, due to the nature of this kind of content and how children may encounter it on the service); 
  • if harm is suffered indirectly by children who are not users of the service and how severe the impact of the harm is likely to be;  
  • the potential reach of that kind of content on the service and number of children that could be impacted; and 
  • how children might be affected by experiencing this kind of content cumulatively on your service. 

In summaries of risk assessments, we encourage providers to draw on their findings about the above points, and any other information they consider important, to comment on their view of the nature and severity of each harm type on their service. We also encourage providers to explain how these findings about nature and severity have informed the ultimate risk level assigned to each harm type.  

Other important information 

In addition to the above, we encourage providers to summarise any other key aspects of the risk assessment that informed the risk levels assigned to each harm type, based on the key elements our guidance recommends they consider. This includes where the provider’s consideration of the following points is important to understanding the risk level assigned for a particular harm: 

  • the separate assessment of the likelihood and impact of a harm, based on evidence (including but not limited to the risk factors identified in Children’s Risk Profiles); 
  • the different ways in which the service is used, including ways which are unintended; 
  • whether there are any specific characteristics or functionalities of the service’s design or operation, not covered in Ofcom’s Children’s Risk Profiles, which could increase the risk of harm; 
  • the effectiveness of any existing control measures which could impact the level of risk of harm to service users. 

Sharing findings in these areas is likely to be important to creating transparency around the provider’s understanding of risk levels on the service.

Our expectations of when providers should take action

These additional duties will come into effect upon publication of the register of categorised services, which we anticipate in July 2026.

We expect providers to publish summaries of the findings of their latest risk assessment(s) by November 2026.

As set out in the 'Provide Ofcom with a copy of the children's risk assessment record’ step above, we expect risk assessments and related records to have been updated by October 2026 to reflect how the register has categorised services as user-to-user services, search services, and combined services. We similarly expect risk assessment summaries published by November 2026 to reflect service categorisation.

Children's safety duties

The children's safety duties, and those relating to reporting and complaints, require online services to use proportionate safety measures to keep children safe online. It’s about making sure you have the right measures in place to protect children from harm that could take place on your service.

If you are the provider of a user-to user service that is likely to be accessed by children, you will need to take proportionate measures to effectively:

  • Prevent children of any age from encountering pornography, suicide, self-harm, and eating disorder content (primary priority content). If your service does not prohibit one or more kinds of primary priority content for all users, you must use highly effective age assurance to prevent children from encountering such content where it is identified on your service.
  • Protect children in age groups judged to be at risk of harm from encountering other harmful content online. This includes content that is abusive or incites hatred, bullying content, violent content, and content which encourages, promotes, or provides instructions for dangerous stunts and challenges, and self-administering harmful substances (priority content), as well as other types of content that present a material risk of significant harm to an appreciable number of children in the UK (non-designated content).
  • Mitigate and manage the risks of harm to children in different age groups identified, using the best available information about the users on your service, in your children’s risk assessment.
  • Mitigate the impact of harm to children in different age groups presented by content that is harmful to children.
  • Explain how you’ll do this in your terms of service.
  • Allow people to easily report content that is harmful to children and operate a complaints procedure.

If you are the provider of a search service that is likely to be accessed by children, you will need to take proportionate measures to effectively:

  • Minimise the risk of children of any age encountering the most harmful search content to children, namely pornography, suicide, self-harm, and eating disorder content (primary priority content).
  • Minimise the risk of children in age groups judged to be at risk of harm from other harmful content from encountering it. This includes content that is abusive or incites hatred, bullying content, violent content and content which encourages, promotes, or provides instructions for dangerous stunts and challenges, and self-administering harmful substances (priority content), as well as other types of content that present a material risk of significant harm to an appreciable number of children in the UK (non-designated content).
  • Mitigate and manage the risks of harm to children in different age groups identified in your children’s risk assessment.
  • Mitigate the impact of harm to children in different age groups presented by content that is harmful to children.
  • Explain how you’ll do this in a publicly available statement.
  • Allow people to easily report content that is harmful to children and operate a complaints procedure.

You can decide for yourself how to meet your legal duties. You can apply the measures that apply to your service set out in Ofcom’s Codes of Practice, or you can take alternative measures. If you take alternative measures to the ones we recommend, you must also maintain a record of what you have done and how you consider that they fulfil the relevant duties. In doing so, you must consider the importance of protecting users’ rights to freedom of expression and of protecting child users from breaches of relevant policy laws.

Implementing safety measures

The Protection of Children Codes sets out a range of measures for user-to-user and search services.

The Protection of Children Codes of Practice include measures in the following areas for user-to-user services:

  • governance and accountability
  • terms of service
  • age assurance
  • content moderation
  • user reporting and complaints
  • recommender systems
  • settings, functionalities, and user support
  • terms of service

The Protection of Children Codes of Practice include measures in the following areas for search services:

  • governance and accountability
  • content moderation (we call this ‘search moderation’)
  • user reporting and complaints
  • search features, functionalities, and user support
  • publicly available statements

Your safety measures will depend on your service

The Act is clear that the safety measures you need to put in place should be proportionate. We recommend different measures for different types of services based on factors such as:

  • the type of service you provide (including user-to-user or search);
  • the number of users your service has (size);
  • the outcome of your latest children’s risk assessment, and what risks have been identified in relation to content harmful to children; and
  • the relevant functionalities and other characteristics of your service that have been shown to pose risks to children (for example whether you have a content recommender system).

Some measures will apply to all services. For example, naming an individual accountable for compliance with the children’s safety duties, ensuring your terms of service (or publicly available statements) are clear and accessible, having a user reporting and complaints process, and some content and search moderation measures.

Your children’s risk assessment must cover the level of risk of child users encountering each kind of content harmful to children on your service. You must assign a risk level - negligible, low, medium, or high –  to each kind of content harmful to children. These risk levels must accurately reflect the risks on your service.

The measures that we recommend will be based on the risk levels assigned:

  • If your service is low or negligible risk for all kinds of content harmful to children, it is a ‘low risk service’ and a core set of measures apply.
  • If your service is medium or high risk for (at least) one kind of content harmful to children, further measures may apply. Some of these measures apply irrespective of which kind(s) of content harmful to children the risk level relates to (e.g. some reporting and complaints measures), whereas other measures only apply if the risk level relates to specific kinds of content harmful to children listed as relevant to the measure (such as suicide content, self-harm content, eating disorder content or bullying content).
  • If your service is medium or high risk for two or more kinds of content harmful to children, we call it a ‘multi-risk’ service and further measures may apply.

Certain measures apply to large services (even if they are low risk), such as undertaking an annual review of risk management activities and provision of training and materials to individuals working in content moderation.

In the Codes of Practice, we have defined a large service as a service which has an average user base of 7 million or more per month in the UK. This is equivalent to approximately 10% of the UK population. A user does not need to be registered with the service, or post anything. Just viewing content is enough to count as using that service. 

Some of the measures involve using highly effective age assurance to determine which users are children, so that you can target appropriate safety measures at children, while respecting adults’ rights to access legal content.

In some cases, providers of user-to-user services will need to use highly effective age assurance to prevent children from accessing the entire service. This is where the principal purpose of a service is to host or disseminate a kind of primary priority content that is harmful to children, such as pornography, or priority content that is harmful to children, such as violent content. 'Principal purpose’ in this context refers to the main activity or objective of the service.

Other user-to-user service providers may need to use highly effective age assurance to target safety measures towards children to protect them from being exposed to harmful content they have identified through content moderation or in children’s recommender feeds. 

Further steps you may need to take to comply

Providers of online services must comply with a range of duties under the Act.

In addition to complying with protection of children duties under the Act, you will need to carry out your illegal content risk assessment, and comply with your record-keeping, safety and related duties for illegal content. Visit the Illegal content duties under the Online Safety Act page for guidance to help you do this.

If you provide a service that publishes or displays pornographic material, you may have further duties to comply with. You can find out more about these on the Adults Only page.

Related content

Online Safety Act compliance guide for providers of online services

Guidance for providers of online services about how to comply with Online Safety Act duties.

Illegal content duties under the Online Safety Act

Guidance and resources on carrying out an illegal content risk assessment and putting in place protections under the safety and related duties.

Children's access assessment duties under the Online Safety Act

Children’s access assessments are a new assessment that all user-to user-services and search services (‘Part 3 services’) regulated under the Online Safety Act must carry out.