Open
Enforcement Programme to monitor if services are meeting their children’s risk assessment duties under the Online Safety Act 2023.
9 July 2025
Ofcom is today opening a programme of work, or ‘enforcement programme’ to monitor whether providers are complying with their children’s risk assessment and record keeping duties under the Online Safety Act (the “Act”).
The main objectives of this programme are to monitor compliance with the relevant duties in the Act, to monitor how our risk assessment guidance and record keeping guidance are being applied by industry and support the adoption of best practice.
Sections 11, 23, 28 and 34 of the Act.
Ofcom has today opened an enforcement programme to monitor if services are meeting their children’s risk assessment and record keeping duties.
All user-to-user and search services were required to carry out, and keep a written record of, a children’s access assessment by 16 April 2025 to establish whether a service is likely to be accessed by children.
Where a service is likely to be accessed by children, those services must also carry out a children’s risk assessment by 24 July 2025. This is a legal obligation which requires providers to assess the risks of their service associated content harmful to children. Providers must also make and keep a written record, in an easily understandable form, of all aspects of every children’s risk assessment, including details about how the assessment was carried out and its findings.
On 24 April 2025, Ofcom published Children's Risk Assessment Guidance and Children's Risk Profiles to help providers comply with the children’s risk assessment duties. This guidance sets out a four-step risk assessment process, which, if followed, will help providers comply with the children’s risk assessment duties. We also published a Record Keeping and Review Guidance to help providers comply with their record keeping duties. This guidance sets out what is expected of providers in relation to the records of their risk assessments, including the children’s risk assessment.
In line with the children’s risk assessment duties coming into force, we have decided to request records of the children’s risk assessments from a number of providers of in-scope services. We will use the information services provide to identify possible compliance concerns, and to monitor how our children’s risk assessment guidance and record keeping guidance are applied by industry.
We expect this programme to run for at least 12 months, during which time we may decide to open separate formal investigations if we have concerns that a service provider may not be meeting its duties under the Act. We will publish updates on progress at relevant points over this period.