Every regulated service under the Online Safety Act must conduct an illegal content risk assessment. This is the foundational compliance step — you cannot properly implement your safety duties without first understanding the risks your service presents. Ofcom expects this assessment to be completed, documented, and kept up to date.

This guide walks you through the process. If you have not yet determined whether your service is regulated, or which category it falls into, read our guide on understanding the Online Safety Act first.

What the law requires

Section 9 of the Online Safety Act requires user-to-user services to carry out a "suitable and sufficient" assessment of the risks of illegal content appearing on their service. The assessment must consider the risk of each kind of priority illegal content, how the design and features of the service affect those risks, and how the service is actually used.

Understanding priority offences

Your risk assessment must specifically address the priority offences listed in Schedule 7 of the Act. These are the offences that Parliament and Ofcom consider most likely to arise on online services and most harmful to users.

How to conduct your assessment

  1. Map your service's features and functionality

    Document every feature that allows users to create, share, or encounter content. Include direct messaging, public posting, commenting, file sharing, live streaming, profile pages, and any recommendation or algorithmic amplification systems. Note which features allow user-to-user interaction and which are one-to-many.

  2. Analyse your user base and usage patterns

    Gather data on who uses your service and how. Consider the size and demographics of your UK user base, typical usage patterns, whether the service attracts particular communities or interest groups, and whether children are likely to access the service. Review user reports and complaints data if available.

  3. Assess risks against each category of priority offence

    For each category of priority offence in Schedule 7, assess the likelihood and severity of that type of illegal content appearing on your service. Consider both content posted directly and content encountered through search, recommendations, or algorithmic distribution. Document your reasoning, including where you consider a risk to be low.

  4. Evaluate how your service design affects risk

    Assess how specific features of your service increase or decrease risk. For example, end-to-end encryption limits your ability to detect illegal content; algorithmic recommendation may amplify harmful material; anonymity features may increase the risk of abuse. Be honest about design choices that elevate risk.

  5. Document existing safety measures and identify gaps

    Record every safety measure currently in place — content moderation systems, automated detection tools, user reporting mechanisms, terms of service provisions, and staff training. For each risk identified in steps 3-4, assess whether your existing measures adequately address it. Clearly document any gaps.

  6. Produce a written risk assessment record

    Compile your findings into a formal written record. Ofcom's guidance specifies this must include the date of the assessment, a description of the service and its features, the risk analysis for each priority offence category, an evaluation of existing safety measures, identified gaps, and planned remedial actions with timelines.

  7. Implement safety measures to address identified gaps

    Based on your gap analysis, implement additional safety measures. These should be proportionate to the level of risk and the size of your service. Consider Ofcom's codes of practice for recommended measures. Document what you have implemented and when.

  8. Schedule regular reviews and updates

    Your risk assessment is not a one-off exercise. You must review and update it when you make significant changes to your service, when new risks emerge, when Ofcom publishes updated guidance, and at regular intervals (Ofcom recommends at least annually). Document each review even if no changes are needed.

What happens if you get it wrong

Failure to conduct a suitable and sufficient risk assessment is itself a compliance failure. Ofcom can take enforcement action even if no illegal content has actually appeared on your service — the duty is to assess and mitigate the risk, not merely to react after harm occurs.

Practical tips

  • Start with what you know — your existing user reports, moderation logs, and complaints data are valuable evidence of actual risks
  • Be proportionate — a small community forum faces different risks from a large social media platform. Ofcom expects your assessment to be proportionate to your service's size and risk profile
  • Seek specialist input — for complex services, consider engaging legal or safety consultants with OSA experience
  • Use Ofcom's templates — Ofcom has published risk assessment guidance and templates that provide a structured framework

What to do next

After completing your illegal content risk assessment, you should conduct a children's access assessment to determine whether additional children's safety duties apply, then review Ofcom's codes of practice to ensure your safety measures align with recommended standards.