Conducting Online Safety Act risk assessments

Best practices that online services can adopt

At a glance

  • The UK Online Safety Act 2023 (‘OSA’) introduces new requirements for the significant number of online services in scope. The Act will require companies to build in safety by design and move from a ‘reactive’ to a ‘proactive’ response to online harms.
  • A key element of the new regime is the conduct of risk assessments that address how users could be exposed to harmful content. All in-scope services will have to carry out an illegal harms risk assessment, a children’s access assessment and, to the extent relevant, a protection of children risk assessment.
  • Pre-existing UK-based video-sharing platforms (‘VSPs’), already regulated under the UK’s VSP regime, also need to carry out risk assessments as part of their transition to the new OSA regime.
  • Ofcom has recently stated that it is ready to launch immediate enforcement action under the new regime if providers do not act promptly to address the risks posed by their services.
  • In this blog we set out best practices that all in-scope services can adopt when completing a suitable and sufficient risk assessment. We also identify actions applicable across risk assessments by way of two fictional online service case studies.
  • Online services should be preparing now, given the expected timeline for completion of risk assessments in 2025, starting with completion of the illegal harms risk assessment by mid-March 2025.

1. The OSA

The OSA became law on 26 October 2023, with a phased approach to implementation, overseen by Ofcom. The OSA makes online service providers that allow users to share content or interact with each other, and search services, legally responsible for keeping people, especially children, safe online. This includes social media services, online marketplaces, review services, discussion forums and gaming services. Ofcom’s initial analysis suggests that more than 100,000 online services could be subject to these new rules.

All in-scope online services [1] have new duties to protect UK users by assessing risks of harm, and taking steps to address them, especially in the form of:

  • Illegal harms risk assessment. Ofcom’s draft guidance sets out 16 kinds of priority illegal harms that online services need to assess separately, including terrorism offences, hate offences and fraud and financial services offences.
  • Children’s access assessment. This requires services to establish whether their service – or part of a service – is likely to be accessed by children.
  • Children’s risk assessment, if applicable (i.e. where the children’s access assessment concludes that the service is likely to be accessed by children). Ofcom’s draft guidance groups content risks into eight broad categories, including pornographic content, suicide and self-harm content and eating disorder content.

VSPs - transition from the existing regime

The OSA will repeal the existing VSP regime, introduced in November 2020 and designed to protect users from videos containing harmful material (Ofcom has described this regime as ‘an effective testbed for how online safety regulation can work in practice’ [2]). At the time of writing, there are 19 regulated VSPs in the UK. The position for these pre-existing VSPs is more complicated because, since 10 January 2024, they have been within a transition period during which they are subject both to the VSP regime and to specific duties under the OSA regime, such as the requirement to complete the risk assessments listed above. During the transition period, VSPs may not be subject to all of Ofcom’s enforcement powers under the OSA; Ofcom nonetheless retains powers to regulate and enforce against UK-based VSPs.

Earlier this year, the Government set 2 September 2024 as the ‘assessment start date’, marking the start of the six months’ notice period after which the VSP regime can be repealed. This date is also when pre-existing VSP services should have started to prepare the above-mentioned risk assessments of their services, in line with their OSA duties. The VSP regime is likely to come to an end in the first half of 2025, with all pre-existing VSPs fully transitioning to the OSA.

2. Timeline for completion of risk assessments under the OSA

Details of the anticipated timeframes for completion of the required risk assessments for all online services within scope of the OSA are set out in Figure 1 below.

Figure 1 – timeline for completion of OSA risk assessments

3. Enforcement

In its recent ‘Implementing the Online Safety Act: progress update’ [3], Ofcom outlined its current position on enforcement, stating (amongst other things) that:

  • The OSA is clear that these obligatory risk assessments must be suitable and sufficient to identify all relevant risks services face.
  • Ofcom is ready to launch immediate enforcement action if providers do not act promptly to address the risks posed by their services.
  • Taking enforcement action, including imposing fines, for failures to comply, will be an early priority for Ofcom.
  • Ofcom expects to publish its final enforcement guidance in December 2024.

The penalty provisions of the OSA are significant, with Ofcom having the power to fine non-compliant companies up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. In extreme cases, it can also prevent a company from doing business in the UK.

4. What best practices can online services adopt when conducting OSA risk assessments?

There are a number of overarching objectives that should be an important part of an organisation’s approach to risk management. First, a successful approach should clearly define the organisation’s appetite for risk (often expressed through delegations of authority or investment requirements) and define clear accountability for risk management, aligning risk management to performance management. It is also important to focus effort on risk management activities, not just on risk appetite. Finally, risk management activities should be integrated into day-to-day business processes, recognising that different types of risk require different risk management approaches (although one activity may address many risks).

From our experience of working with large online platforms on both OSA compliance and EU Digital Services Act compliance, we identify the following five best practices that all services within the scope of the UK’s new online safety regime can adopt when performing the required risk assessments under the OSA. These best practices are set out in Figure 2, below.

Figure 2 – best practices when conducting OSA risk assessments

5. OSA risk assessment case studies

Our case studies examine how two fictional online companies operating in the UK, GameWatch and ItemExchange, could comply with their risk assessment duties under the OSA. Both companies are user-to-user (‘U2U’) services, and each has fewer than a million UK users.

GameWatch is an online service that allows users from the age of 13 to upload and watch streamed video game content. It is currently a VSP, subject to the transitioning VSP regime.

ItemExchange is an online forum for users to buy and sell a range of goods, allowing a range of message content to be shared in the process. It has not been subject to the VSP regime. ItemExchange is considering introducing an AI-enabled tool to help SMEs manage their sales on its platform, as well as to allow buyers to compare prices of goods across the web.

In Figure 3 below, we set out actions common to both GameWatch & ItemExchange relevant to complying with OSA requirements, including risk assessments. In Figure 4 below, we set out additional and specific considerations that will be required for each company, given their different online service business models.

Figure 3: OSA risk assessment actions common to both GameWatch & ItemExchange

Figure 4: Specific OSA risk assessment actions required by each of GameWatch & ItemExchange

6. Conclusion

The OSA signals a new era in how online safety will be regulated in the UK, with risk assessments being an integral part of the new regime. By carrying out these assessments, online services should have a clear understanding of risks of harm to their users and the effective risk management processes they should put in place as a result.

For online services that have not yet prepared to carry out these risk assessments, it is important to start now. By applying the above-mentioned best practices, services can identify an approach that achieves the required compliance objectives, enhancing confidence and trust among their users in the process.

Footnotes:

[1] Additional requirements apply to ‘Categorised Services’ (i.e. large online services that meet certain criteria related to their number of users or risk of harm), which we do not cover here.

[2] Implementing the Online Safety Act: progress update, 17 October 2024

[3] Implementing the Online Safety Act: progress update, 17 October 2024