Every regulated service under the Online Safety Act must conduct an illegal content risk assessment. This is the foundational compliance step — you cannot properly implement your safety duties without first understanding the risks your service presents. Ofcom expects this assessment to be completed, documented, and kept up to date.

This guide walks you through the process. If you have not yet determined whether your service is regulated, or which category it falls into, read our guide on understanding the Online Safety Act first.

What the law requires

Section 9 of the Online Safety Act requires user-to-user services to carry out a "suitable and sufficient" assessment of the risks of illegal content appearing on their service. The assessment must consider the risk of each kind of priority illegal content, how the design and features of the service affect those risks, and how the service is actually used.

Online Safety Act Illegal Content Risk Assessment

Six-step process for conducting mandatory illegal content risk assessments covering 130+ priority offences under the Online Safety Act 2023.

All user-generated content platforms operating in the UK must complete an illegal content risk assessment by 16 March 2025. The assessment must identify how your service could be used to commit or facilitate priority illegal content offences, and must be reviewed annually or when significant changes occur to your service.

Assessment deadline: 16 March 2025
Priority offences covered: 130+ offences in Schedule 7
Review frequency: Annually or when significant changes occur
Retention requirement: Written record available for Ofcom inspection

Ofcom illegal content risk assessment guidance

Understanding priority offences

Your risk assessment must specifically address the priority offences listed in Schedule 7 of the Act. These are the offences that Parliament and Ofcom consider most likely to arise on online services and most harmful to users.

Online Safety Act Schedule 7 priority offences summary

Categories of 130+ priority offences that regulated services must take proactive measures against.

Schedule 7 of the Online Safety Act 2023 lists priority offences reflecting the most serious and prevalent illegal content online. Regulated services must take proactive measures against these offences in their illegal content risk assessments and safety systems.

The list was amended in January 2025 to add encouraging or assisting serious self-harm (section 184 OSA) as a priority offence.

Total priority offences: 130+ offences across multiple categories
Terrorism: Terrorism Act 2000, Terrorism Act 2006 — encouraging terrorism, disseminating terrorist publications
Child sexual exploitation and abuse (CSEA): Sexual Offences Act 2003, Protection of Children Act 1978 — CSEA material, grooming, sexual communication with a child
Hate crime: Public Order Act 1986 — stirring up hatred based on race, religion, sexual orientation, disability, transgender identity
Fraud: Fraud Act 2006 — fraud by false representation, making or supplying articles for use in fraud
Drugs: Misuse of Drugs Act 1971 — supply, offering to supply, production of controlled drugs
Weapons: Firearms Act 1968, Offensive Weapons Act 2019 — sale, supply, possession of prohibited weapons
Immigration: Immigration Act 1971 — facilitating illegal entry, assisting unlawful immigration
Intimate images: Criminal Justice and Courts Act 2015 — disclosure of private sexual photographs without consent (revenge pornography)
Harassment and stalking: Protection from Harassment Act 1997 — harassment, stalking, controlling or coercive behaviour
Self-harm (added January 2025): Online Safety Act 2023, s.184 — encouraging or assisting serious self-harm (maximum 5 years imprisonment)

Online Safety Act Schedule 7 (legislation.gov.uk)

How to conduct your assessment

1

1. Map your service's features and functionality

Document every feature that allows users to create, share, or encounter content. Include direct messaging, public posting, commenting, file sharing, live streaming, profile pages, and any recommendation or algorithmic amplification systems. Note which features allow user-to-user interaction and which are one-to-many.
2

2. Analyse your user base and usage patterns

Gather data on who uses your service and how. Consider the size and demographics of your UK user base, typical usage patterns, whether the service attracts particular communities or interest groups, and whether children are likely to access the service. Review user reports and complaints data if available.
3

3. Assess risks against each category of priority offence

For each category of priority offence in Schedule 7, assess the likelihood and severity of that type of illegal content appearing on your service. Consider both content posted directly and content encountered through search, recommendations, or algorithmic distribution. Document your reasoning, including where you consider a risk to be low.
4

4. Evaluate how your service design affects risk

Assess how specific features of your service increase or decrease risk. For example, end-to-end encryption limits your ability to detect illegal content; algorithmic recommendation may amplify harmful material; anonymity features may increase the risk of abuse. Be honest about design choices that elevate risk.
5

5. Document existing safety measures and identify gaps

Record every safety measure currently in place — content moderation systems, automated detection tools, user reporting mechanisms, terms of service provisions, and staff training. For each risk identified in steps 3-4, assess whether your existing measures adequately address it. Clearly document any gaps.
6

6. Produce a written risk assessment record

Compile your findings into a formal written record. Ofcom's guidance specifies this must include the date of the assessment, a description of the service and its features, the risk analysis for each priority offence category, an evaluation of existing safety measures, identified gaps, and planned remedial actions with timelines.
7

7. Implement safety measures to address identified gaps

Based on your gap analysis, implement additional safety measures. These should be proportionate to the level of risk and the size of your service. Consider Ofcom's codes of practice for recommended measures. Document what you have implemented and when.
8

8. Schedule regular reviews and updates

Your risk assessment is not a one-off exercise. You must review and update it when you make significant changes to your service, when new risks emerge, when Ofcom publishes updated guidance, and at regular intervals (Ofcom recommends at least annually). Document each review even if no changes are needed.

What happens if you get it wrong

Failure to conduct a suitable and sufficient risk assessment is itself a compliance failure. Ofcom can take enforcement action even if no illegal content has actually appeared on your service — the duty is to assess and mitigate the risk, not merely to react after harm occurs.

Ofcom enforcement powers under the Online Safety Act

Enforcement escalation ladder under the Online Safety Act 2023, from information notices to business disruption measures.

Ofcom has a graduated enforcement toolkit under the Online Safety Act 2023. Enforcement actions escalate from information-gathering through to business disruption measures that can restrict access to non-compliant services in the UK.

Information notices (s.103): Ofcom can require services to provide information about compliance, users, and safety measures
Skilled persons reports (s.112): Ofcom can require a service to commission an independent report from a skilled person on compliance
Provisional notice of contravention (s.121): Formal notice that Ofcom considers a service is failing to comply with duties
Confirmation decision (s.122): Confirms contravention and can require specific steps, impose penalties, or both
Penalty notices: Up to 10% of qualifying worldwide revenue or £18 million, whichever is greater
Business disruption measures (ss.130-138): Court orders requiring payment providers, advertisers, or ISPs to withdraw services from non-compliant providers
Technology notices (s.121): Ofcom can require services to use accredited technology to identify and remove specific types of illegal content
Interim service restriction orders: Court can restrict a service before a final determination where there is an imminent risk of serious harm

Enforcement guidance published: 16 December 2024 (took effect immediately)
Penalty qualifying period: Calendar year two years before the charging year
Penalty calculation basis: All circumstances considered to ensure proportionality — 10% QWR is the maximum, not automatic
ISP blocking power: Ofcom can apply to court for an order requiring ISPs to block access to a non-compliant service

Ofcom Online Safety Enforcement Guidance

Practical tips

Start with what you know — your existing user reports, moderation logs, and complaints data are valuable evidence of actual risks
Be proportionate — a small community forum faces different risks from a large social media platform. Ofcom expects your assessment to be proportionate to your service's size and risk profile
Seek specialist input — for complex services, consider engaging legal or safety consultants with OSA experience
Use Ofcom's templates — Ofcom has published risk assessment guidance and templates that provide a structured framework

What to do next

After completing your illegal content risk assessment, you should conduct a children's access assessment to determine whether additional children's safety duties apply, then review Ofcom's codes of practice to ensure your safety measures align with recommended standards.

Official guidance and resources

Ofcom: Illegal content duties and risk assessment guidance (opens in a new tab) ofcom.org.uk
Online Safety Act 2023 — Schedule 7 (priority offences) (opens in a new tab) legislation.gov.uk
Ofcom: Online safety regulatory documents and guidance (opens in a new tab) ofcom.org.uk

Conduct an illegal content risk assessment

Set up content moderation to meet Online Safety Act requirements

Online Safety Act penalties and enforcement powers

Online Safety Act compliance checklist

Tech Sector Compliance Overview

Online Safety Act: duties for online services

What the law requires

Understanding priority offences

How to conduct your assessment

1. Map your service's features and functionality

2. Analyse your user base and usage patterns

3. Assess risks against each category of priority offence

4. Evaluate how your service design affects risk

5. Document existing safety measures and identify gaps

6. Produce a written risk assessment record

7. Implement safety measures to address identified gaps

8. Schedule regular reviews and updates

What happens if you get it wrong

Practical tips

What to do next

Official guidance and resources

Related guides in Digital & Technology

Set up content moderation to meet Online Safety Act requirements

Online Safety Act penalties and enforcement powers

Online Safety Act compliance checklist

Tech Sector Compliance Overview

Online Safety Act: duties for online services

What the law requires

Understanding priority offences

How to conduct your assessment

1. Map your service's features and functionality

2. Analyse your user base and usage patterns

3. Assess risks against each category of priority offence

4. Evaluate how your service design affects risk

5. Document existing safety measures and identify gaps

6. Produce a written risk assessment record

7. Implement safety measures to address identified gaps

8. Schedule regular reviews and updates

What happens if you get it wrong

Practical tips

What to do next

Official guidance and resources