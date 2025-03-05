The first set of duties on sites and apps in scope of the UK’s Online Safety Act 2023 came into force when Ofcom published its illegal harms codes of practice and guidance on 16 December 2024. From that point, providers had three months to carry out a ‘suitable and sufficient’ illegal content risk assessment, in line with Ofcom’s guidance. To put in place appropriate safety measures to protect people, especially children, providers must first understand how harm could take place on their platforms, and how their user-base, features and other characteristics could increase those risks of harm.

Specifically, they must establish how likely it is that users could encounter illegal content on their service, or, in the case of user-to-user services, how they could be used to commit or facilitate certain criminal offences. Providers must also make and keep a written record of their risk assessment, including details about how it was carried out and its findings.

To assess and monitor industry compliance with the illegal content risk assessment duties under the Act, Ofcom has launched an enforcement programme.

A key priority is to scrutinise the compliance of sites and apps that may present particular risks of harm from illegal content due to their size or nature, for example because they have a large number of users in the UK, or because their users may risk encountering some of the most harmful forms of online content and conduct, including child sexual exploitation and abuse, terrorism, hate crimes, content encouraging or assisting suicide, and fraud.

Therefore, Ofcom has issued formal information requests to several services, including the largest social media platforms, as well as smaller but risky sites. They must respond by 31 March.

Ofcom will use the responses to identify gaps in risk assessments and facilitate improvements. It will also use them to further its policy work to develop new measures for its codes of practice.

Providers are required, by law, to respond to any statutory request for information by Ofcom in an accurate, complete and timely way. If any platform does not provide Ofcom with a satisfactory response by the deadline, it will open investigations into individual service providers. It can levy hefty fines on companies which do not comply with its requests.