On 24 April 2025, Ofcom published a statement on the protection of children online (“Statement”). The Statement includes Ofcom’s final Children’s Risk Assessment Guidance (“Guidance”). Publication of the Guidance triggers the deadline for service providers regulated by the Online Safety Act 2023 (“OSA”) to complete their first “children’s risk assessment” (“CRA”)—specifically, 24 July 2025. The Statement also confirms that the draft Protection of Children Codes of Practice for user-to-user and search services (“Codes”) have been laid before Parliament. Subject to completion of the Parliamentary process, providers must comply with the OSA’s “safety duties protecting children” from 25 July 2025.
Who do the Codes and Guidance apply to?
The Codes and Guidance apply to providers of “user-to-user” and “search” services that are “likely to be accessed by children”, which is determined based on a test set out in the OSA. In-scope providers were required to have completed an assessment—known as a “children’s access assessment”—by 16 April 2025 to determine if their services satisfy this test.
What are the children’s safety duties?
Providers of services that are “likely to be accessed by children” must comply with a range of duties to “protect children’s online safety”. These include duties to prepare a CRA, to take steps to “mitigate and manage” the risks of harm to children identified in it, and to “operate [their] service using proportionate systems and processes” to protect children from different types of content that are harmful to them, among others. The Codes provide detail on how Ofcom expects providers to comply with these duties.
What are children’s risk assessment duties?
The OSA requires providers of services that are “likely to be accessed by children” to assess “the risk of harm to children in the United Kingdom, in different age groups, presented by content that is harmful to children”. The OSA does not, however, go into detail on how providers should complete their assessments. Instead, the OSA obliges Ofcom, as the OSA’s regulator, to publish guidance for providers on how to complete a CRA. To that end, the Guidance recommends a four-step methodology adapted from Ofcom’s Illegal Content Risk Assessment Guidance (published on 16 December 2024) for providers to follow when completing their assessment. In short, the Guidance recommends that in-scope providers should:
- understand the content harmful to children that needs to be assessed;
- assess and assign a risk level to the risk of harm that the relevant content presents to children;
- identify any measures to implement to address the risk to children, record any measures taken and make a record of the assessment; and
- ensure children’s risk assessments are kept up-to-date and reported on appropriately.
The Guidance also sets out the “core” evidence that all in-scope service providers should consider when completing their CRA, and the additional “enhanced” evidence they should consider in circumstances where the “core” evidence inputs are insufficient to make accurate assessments.
Ofcom’s Statement also includes links to a range of other documents providers can use to prepare their CRA, including a Children’s Registry of Risks—which sets out a range of risk factors that Ofcom expects providers to refer to in their CRAs—and Guidance on content harmful to children.
Next Steps
As noted, in-scope providers have until 24 July 2025 to complete their first CRA and, subject to the draft Codes completing the Parliamentary process, they must comply with the OSA’s “safety duties protecting children” from 25 July 2025. Ofcom has a particular focus on protecting children online, and has already opened enforcement programmes into measures being taken by file-sharing and file-storage services to prevent users from encountering or sharing child sexual abuse material and protecting children from encountering pornographic content through the use of age assurance. This is likely to continue to be an area of priority for enforcement.
The Covington team is helping a range of clients with OSA compliance, including preparing risk assessments. Please reach out to a member of the team if you need assistance with preparing a CRA.
This blog was drafted with the assistance of Emilia De Rosa, a trainee in the London office.