UK Online Safety Act: Codes of Practice and Risk Assessment Guidance
Under the UK Online Safety Act 2023 (OSA), providers of regulated user-to-user and search services (service providers) have a raft of new duties, including duties to keep people safe from illegal harm. The duties are focused on service providers having the right systems in place to protect people from harm that could take place on their services.
On 16 December 2024, the UK Office of Communications (Ofcom), the online safety regulator, published illegal content codes of practice (Codes of Practice) setting out recommended measures for service providers to take to ensure they are compliant with their duties under the OSA. Ofcom also published risk assessment guidance to assist in assessing how likely users are to encounter illegal content on services and – in the case of user-to-user service providers – how the service could be used to commit or facilitate certain criminal offences and what the impact could be. This is the first binding code of practice issued under the OSA, with more to follow (relating to children’s safety) next spring. Publication of the Codes of Practice starts the clock ticking – three months from now, Ofcom can start enforcing against any noncompliant services, and it has made very clear it will take firm and fast action as necessary.
Below are some key takeaways for you to consider as you prepare to get your business ready to comply with these new duties. The Codes of Practice and risk assessment guidance are only starting points, requiring interpretation and practical application to your particular service. If you need assistance with this not insignificant task, please don’t hesitate to contact Cooley’s online safety team.
Key takeaways
Your risk assessment dictates the steps you have to take
As part of your illegal content risk assessment, you will need to assess whether your service has a negligible, low, medium or high risk for each of the 17 kinds of illegal content that need to be separately assessed. This rating should be as accurate as possible because the recommended measures set out in the Codes of Practice apply based on the level of risk identified.
So, if your service is low or negligible risk for all kinds of illegal harm, it is a ‘low-risk service’, and the minimum number of measures (i.e., likely those which apply to all service providers) would apply. If your service is medium or high risk for one kind of illegal harm, it is a ‘single-risk’ service, and more measures may apply. If your service is medium or high risk for two or more kinds of illegal harm, it is a ‘multi-risk’ service, and further measures may apply. The Codes of Practice indicate which recommended measures apply to each type of service.
Timing
The duty to complete an illegal content risk assessment came into force on 16 December 2024, so if you are an in-scope service provider, you are required to carry out your risk assessment by 16 March 2025.
The Codes of Practice must still obtain parliamentary approval before they take effect. Provided approval is obtained by 17 March 2025, in-scope service providers will need to start implementing the applicable measures set out in the Codes of Practice or run the risk of enforcement action, resulting in possible fines of up to 10% of global revenue or 18 million pounds (whichever is greater). As stated above, Ofcom has been clear that it won’t be pulling any punches when it comes to taking enforcement action straight away.
Do the Codes of Practice differ from previous drafts?
Some of you may already be familiar with the draft Codes of Practice which were circulated by Ofcom for public consultation last year. The content of the final Codes of Practice remains similar to the previous drafts, subject to a few changes, including the following:
- The removal of the exemption for smaller file-storage and file-sharing services with fewer than 70,000 monthly UK users from the list of services having to implement ‘hash matching’ technology to flag child sex abuse material.
- The removal of the requirement to use keyword detection technology to analyse whether certain content is likely to amount to an offence for fraud.
- The introduction of a new content moderation measure for all service providers, which obliges services to implement a content moderation function to review and assess suspected illegal content.
- Requiring large service providers or those providing services at medium or high risk of illegal harm to allow a complainant to opt out of communications following their complaint.
- Allowing manifestly unfounded complaints (accurately identified as such) to be disregarded from the complaints procedure.
What can you do now to prepare?
For many service providers, given the substantial time and effort required to carry out a risk assessment and implement new compliance measures to mitigate identified harms, we expect preparations may already be underway in your business. If not, however, bearing in mind enforcement will start from late March, the time to delve into your specific obligations under the OSA is right now. The first step is completion of the risk assessment, so appointing a team to carry this out is key.
Since different measures in the Codes of Practice apply to different services based on various factors, we recommend you carry out a scoping exercise to ensure you’re running the correct assessments. Relevant considerations include:
- The type of service provided: Different Codes of Practice apply depending on whether you are providing a user-to-user service or a search service.
- The number of users your service has: The number of monthly active UK users is the criterion used to classify services by size – e.g., a service which has more than seven million monthly active UK users is considered a ‘large service’.
- The features of your service: Certain measures apply in respect of particular functionalities – e.g., predictive search functionality.
Read Ofcom’s risk assessment guidance to find out more about how to complete your risk assessment. The guidance is lengthy and detailed – if you require support with it, please contact us. As mentioned above, it is important to assess risks accurately, as your risk rating will have an impact on the measures that you must put in place to protect against those risks.
It is possible to take alternative measures to the ones recommended in the Codes of Practice; however, if you choose to do this, it is important that you maintain a record of what you have done and how you consider the alternative measures to provide equivalent protection. Given the uncertainty involved in assessing whether your alternative measures are adequate and the risk of significant penalties if you get this wrong, we recommend seeking expert advice if you decide to adopt this approach.
Ofcom is set to launch a tool to help service providers check how they can comply with illegal content duties. Given this isn’t yet available, we recommend using the tool as a final step in your compliance efforts to confirm that the risks you’ve identified and changes you’ve made are the right ones.
We recommend that the team responsible for ensuring compliance with the OSA sets up a process which allows the risk assessment to be updated on an ongoing basis to reflect any changes to the design and operation of your service, as well as any further codes or guidance published by Ofcom in 2025.