Guide
Children's safety duties under the Online Safety Act
Comprehensive guide to the children's safety duties under the Online Safety Act 2023. Covers what triggers the duties, risk assessment by age group, the categories of harmful content affecting children, age assurance requirements, Ofcom's children's codes of practice, and how the OSA intersects with the ICO's Children's Code.
When children's safety duties apply
If your children's access assessment concludes that children are likely to access your service — which applies to the vast majority of regulated services — you must comply with the full suite of children's safety duties under Part 3 of the Online Safety Act. These duties are among the most demanding in the Act, reflecting Parliament's priority of protecting children online.
The duties apply in addition to (not instead of) your illegal content duties. You must protect children from both illegal content and content that is legal for adults but harmful to children. This means operating two parallel safety regimes for different user groups.
The children's access assessment
The children's safety duties are triggered by the outcome of your section 37 access assessment. If you have not yet conducted this assessment, do so before proceeding.
Children's risk assessment
Once you have determined that children are likely to access your service, you must conduct a children's risk assessment. This is separate from (and in addition to) your illegal content risk assessment.
The children's risk assessment must consider:
- Risks by age group — the Act recognises that a 7-year-old faces different risks from a 15-year-old. You must assess risks for different age ranges, not treat all under-18s as a single group. Ofcom's guidance identifies key age brackets and the types of harm most relevant to each.
- Content risks — harmful content that children may encounter, including material related to self-harm, suicide, eating disorders, pornography, bullying, and violence
- Contact risks — the risk of harmful interactions between adults and children, including grooming, sexual exploitation, and abuse
- Conduct risks — harmful behaviour by children themselves, including bullying, sharing intimate images, and exposure to radicalisation
- Service design features — how your service's algorithms, recommendation systems, direct messaging, anonymity features, and content sharing tools specifically affect children's risk exposure
Categories of harmful content for children
The Act identifies specific categories of content that are designated as harmful to children, even where they are not illegal. These are the "primary priority" and "priority" content categories:
- Primary priority content harmful to children — pornographic content, content promoting self-harm or suicide, content promoting eating disorders, and content that is abusive or incites hate
- Priority content harmful to children — bullying content, content depicting serious violence, content promoting dangerous challenges, content facilitating substance abuse, and content promoting gambling
You must take proportionate steps to prevent children from encountering this content on your service. What counts as "proportionate" depends on your service's size, risk profile, and the effectiveness of available measures.
Age assurance requirements
A central element of children's safety compliance is implementing effective age assurance. This means deploying systems that can distinguish between child and adult users, enabling you to apply content restrictions and safety measures appropriately.
What if your service is Category 1?
Category 1 services face additional children's safety obligations beyond those applying to all regulated services. These include enhanced transparency reporting on children's safety measures, additional duties around algorithmic recommendation systems that may expose children to harmful content, and stricter requirements for content moderation response times for content affecting children.
If you operate a Category 1 service, you should engage specialist legal advice on the full scope of your additional duties, as they are significantly more onerous.
Ofcom's children's safety codes of practice
Ofcom is developing detailed codes of practice specifically for children's safety. These codes will set out practical steps that services should take to comply with their duties. Following the codes provides a "safe harbour" — if you can demonstrate compliance with the code, you are treated as meeting your legal duties.
Key areas the codes are expected to cover include:
- Minimum standards for age assurance technology
- Content moderation requirements specific to children's content harms
- Design features that should be restricted or modified for child users
- Reporting and transparency requirements
- Record-keeping obligations
Intersection with the ICO Children's Code
If children access your service, you almost certainly need to comply with both the OSA children's safety duties and the ICO's Age Appropriate Design Code (commonly called the Children's Code). These regimes are complementary but distinct.
The key differences are:
- OSA children's duties focus on content safety — preventing children from encountering harmful material
- ICO Children's Code focuses on data protection — ensuring children's personal data is processed appropriately and their privacy is protected by design
In practice, many measures (such as age assurance, privacy-by-default settings, and restricted profiling) serve both regimes. You should design your compliance programme to address both simultaneously.
Record-keeping and evidence
You must maintain comprehensive records of your children's safety compliance, including your children's access assessment, children's risk assessment, the safety measures you have implemented, how you selected and evaluated your age assurance technology, any incidents involving children's safety, and how you responded.
Ofcom may request these records during an investigation. Failure to maintain adequate records weakens your position and may itself constitute a compliance failure.
What if things go wrong
If you become aware of a children's safety incident — such as a child encountering primary priority harmful content, or a grooming attempt — you should take immediate action to protect the child and any others at risk, preserve evidence for law enforcement if the incident involves illegal content, review your safety measures to understand how the incident occurred, and update your risk assessment if the incident reveals new or previously underestimated risks.
Depending on the nature of the incident, you may also have reporting obligations to law enforcement (particularly for child sexual exploitation material) and to Ofcom.
What to do next
If you need to implement age assurance as part of your children's safety compliance, read our guide on implementing age assurance for practical steps on choosing and deploying the right technology. For the foundational compliance step, ensure you have completed your illegal content risk assessment.