Policy Pros
Written by Joanne Hughes, Policy & Compliance Specialist
Last reviewed

How to Do an Illegal Content Risk Assessment

An illegal content risk assessment is the first duty most regulated online services have to meet under the Online Safety Act 2023. It is a legal requirement, not a recommendation, and the deadline to complete it was 16 March 2025.

If your service is in scope and you have not done one, the duty still applies. This guide explains what the assessment covers and how to record it.

What an Illegal Content Risk Assessment Is

The duty sits in section 9 of the Online Safety Act 2023. It requires the provider of a user-to-user service to assess the risk that users will encounter illegal content on the service, and the risk that the service is used to commit or facilitate a priority offence.

The assessment has to be suitable and sufficient, and it has to be kept up to date. Once it is done, the safety duties in section 10 require you to take proportionate steps to reduce the risks you found.

The Priority Illegal Content to Assess

The Act sets out categories of priority illegal content that your assessment must cover. These are the offences Ofcom treats as the most serious.

  • Child sexual exploitation and abuse content.
  • Terrorism content.
  • Fraud and financial services offences.
  • Intimate image abuse, including the sharing of private images without consent.
  • Encouraging or assisting suicide and self-harm.
  • Drugs, firearms and other weapons offences.
  • Harassment, stalking and threats, and content that incites hatred or violence.

The Risk Factors You Must Consider

The assessment is about how your particular service works, not a generic checklist. You need to look at the things that make harm more or less likely on your platform.

That includes your user base, how users find and contact each other, and whether content can be posted anonymously. It also includes your functionality, such as private messaging, livestreaming, image sharing and the way your algorithms recommend content.

Your business model matters too, because features that drive engagement can also spread harmful content faster. The aim is an honest picture of where the real risks sit.

Illegal Content Risk Assessment Steps

Step | What it involves
Understand the risks | Use Ofcom's risk profiles to identify which harms are relevant to your service type
Assess your service | Judge the likelihood and impact of each kind of illegal content given your functionality and users
Decide on measures | Identify proportionate systems and processes to reduce the risks you found
Record the assessment | Write down how you carried it out, the findings and the measures, with a date
Review | Repeat before a significant change and keep the assessment current

Keeping Records and Reviewing

You must make and keep a written record of the risk assessment under the record-keeping duty in section 23. The record needs to show how the assessment was carried out and what it found.

You also have to review the assessment and redo it when you make a significant change to the design or operation of your service. A risk assessment that is filed and forgotten will not meet the duty.

What Happens After the Assessment

The assessment is the foundation for the safety duties in section 10. Once you know your risks, you have to put proportionate measures in place to reduce them and to take down illegal content quickly when you become aware of it.

Ofcom has published codes of practice that set out measures it considers appropriate. Following the relevant code is one way to demonstrate compliance.

How Policy Pros Can Help

We help services document an illegal content risk assessment that stands up to scrutiny and links to the measures you actually take. The output is a written assessment, a record you can show Ofcom, and a review schedule.

Online safety risk sits next to your wider security controls, so we align the assessment with your IT security policies and information security policies. For the bigger picture, see our Online Safety Act small business guide.

The duty itself is set out in section 9 of the Act, and Ofcom's illegal content guidance sets out the detail.

Frequently Asked Questions

When was the illegal content risk assessment deadline?

In-scope services had to complete their illegal content risk assessment by 16 March 2025, three months after Ofcom published its illegal harms codes. The safety duties in section 10 followed on 17 March 2025. If you have not done the assessment, the duty still applies.

Which services must do an illegal content risk assessment?

Every regulated user-to-user service with links to the UK must carry one out, and search services have an equivalent duty under section 26. There is no general small-business exemption, although some narrow service types are exempt under Schedule 1.

What does an illegal content risk assessment cover?

It covers the risk that users encounter priority illegal content such as child sexual abuse, terrorism, fraud and intimate image abuse, and the risk that the service is used to commit those offences. You assess this against how your own service works.

Do I have to keep a record of the risk assessment?

Yes. Section 23 requires you to keep a written record of the assessment, including how it was carried out and what it found. You also have to review it and redo it before any significant change to your service.

What happens after the risk assessment is done?

The safety duties in section 10 require you to put proportionate systems in place to reduce the risks you identified and to remove illegal content quickly once you are aware of it. Following Ofcom's codes of practice is one way to show compliance.
