What is 'harmful content' and what are the key duties under the Online Safety Act to protect children online?

As part of Ofcom's phased approach and accompanying roadmap to implementation of the Online Safety Act, the duties relating to the protection of children online are being prioritised as part of Phase 2.

In this third chapter of our 'Your questions answered' series relating to the UK Online Safety Act (OSA) we take a look at:

• how the OSA defines 'content harmful to children';
• conducting a children's access assessment;
• conducting a children's risk assessment;
• implementing measures to reduce the risks of harm to children;
• monitoring and reporting; and
• age assurance requirements for regulated providers with primary priority content that is harmful to children.

For the purposes of this chapter and the remaining chapters in this series, we have used the term 'regulated provider' to refer collectively to all online service providers within scope of the OSA. See Chapter 1 for more information on which online services are caught by the OSA.

The information set out in this Chapter 3 is primarily based on the OSA together with Ofcom's:

• Guidance on highly effective age assurance and other Part 5 duties and Guidance on children's access assessments (the Children's Access Assessments Guidance), published on 16 January 2025; and
• draft Children's Safety Codes of Practice and accompanying guidance, published on 8 May 2024 as part of Ofcom's consultation on 'Protecting children from harms online'.

At the time of writing, Ofcom expects to finalise the Codes of Practice for the protection of children in April 2025. According to the Children's Access Assessments Guidance, regulated providers have until 16 April 2025 to complete their first children's access assessment.  

Regulated providers will need to comply with the children's safety duties under the OSA, and Ofcom will commence enforcement against non-compliance, from July 2025. By this time, regulated providers will also need to have completed their children's risk assessments.

What is 'content that is harmful to children'?

For the purpose of the OSA, a 'child' is a person under the age of 18 (OSA s236). The term 'content that is harmful to children' is defined under section 60 of the OSA.

Content that is harmful to children means:

1. primary priority content that is harmful to children;
2. priority content that is harmful to children; or
3. content, not within paragraphs (a) or (b), of a kind which presents a material risk of significant harm to an appreciable number of children in the UK (i.e. non-designated content that is harmful to children).

Primary priority content that is harmful to children

Primary priority content that is harmful to children means content of any of the following kinds:

• pornographic content;
• content which encourages, promotes or provides instructions for suicide;
• content which encourages, promotes or provides instructions for an act of deliberate self-injury; and/or
• content which encourages, promotes or provides instructions for an eating disorder or behaviours associated with an eating disorder.

Priority content that is harmful to children

Priority content that is harmful to children means content of any of the following kinds:

• content which is abusive and which targets any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment;
• content which incites hatred against people: of a particular race, religion, sex or sexual orientation; who have a disability; or who have the characteristic of gender reassignment;
• content which encourages, promotes or provides instructions for an act of serious violence against a person;
• bullying content;
• content which depicts real or realistic serious violence against a person, or depicts the real or realistic serious injury of a person in graphic detail;
• content which depicts real or realistic serious violence against an animal, depicts the real or realistic serious injury of an animal in graphic detail, or realistically depicts serious violence against a fictional creature or the serious injury of a fictional creature in graphic detail;
• content which encourages, promotes or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else; and/or
• content which encourages a person to ingest, inject, inhale or in any other way self-administer a physically harmful substance or a substance in such a quantity as to be physically harmful.

Non-designated content that is harmful to children

Where a children's risk assessment of a service identifies the presence of non-designated content that is harmful to children, the regulated provider is required to notify Ofcom of the kinds of such content identified and the incidence of those kinds of content on the service. See below for further information on the requirements for the children's risk assessment.

How do you assess if an online service is likely to be accessed by children?

Under section 36 of the OSA, a regulated provider must carry out a children's access assessment of its service on an annual basis and:

• before making any significant change to any aspect of the service's design or operation to which such an assessment is relevant;
• in response to evidence about reduced effectiveness of age verification or age estimation that is used on the service; and
• in response to evidence about a significant increase in the number of children using the service.

Regulated providers have until 16 April 2025 to complete their first children's access assessment. 

The purpose of the children's access assessment is:

• to determine whether it is possible for children to access the service or a part of the service (a regulated provider is only entitled to conclude that it is not possible for children to access a service or a part of it, if it is using effective age assurance); and
• if it is possible for children to access the service or a part of the service, to determine whether those children are of a significant number or whether the service or part of the service is of a kind likely to attract a significant number of users who are children.  

If these conditions are met, then the service will be considered as 'likely to be accessed by children' and the regulated provider must complete a children's risk assessment to identify the risks their services pose to children and take measures to mitigate the risks they identify.

The process for a regulated provider conducting the children's access assessment is split into two stages, and is set out below:

Stage 1: Age Assurance – Is it possible for children to normally access the service?

The regulated provider can only conclude that it is not possible for children to normally access the service, and therefore end the access assessment at Stage 1, where they have highly effective age assurance in place. Where this is the case, regulated providers should keep a written record of the evidence relied upon. Relevant factors when considering the effectiveness of age assurance include technical accuracy, robustness, reliability and fairness (these principles are outlined below).

Stage 2: Child User Condition – If the answer is yes to Stage 1, consider the two following questions: (a) are there a significant number of children who use the service; and/or (b) is the service of a kind likely to attract a significant number of UK users who are children?

If children are normally able to access the service, i.e. there is no highly effective age assurance in place, regulated providers must move onto Stage 2 of the access assessment. The 'child user condition' is met if the answer is yes to either questions (a) or (b). The OSA does not provide a definition of a ‘significant number’ beyond specifying that this can include a number significant in proportion to the number of UK users of that service, and that the intended user base (as opposed to the actual user base) is not relevant. Ofcom guidance confirms that this assessment is highly context specific, and there could be a significant number even if there is a relatively small proportion of children using the service. It is important to consider is whether the proportion is material in the context of the specific service.

Relevant factors can include whether the service provides benefits to children, whether the content or design of the service is appealing to children, and whether children are part of the commercial strategy. Evidence can also be collated from internal, external and independent sources. Regulated providers are encouraged to be cautious in their approach given the intended purpose of the legislation – protecting children.

The regulated provider must keep a written record, in an easily understandable form, of every children's access assessment.

What are the key OSA duties for a regulated provider whose service is likely to be accessed by children?

Children's risk assessment (OSA s11 (u2u services) and s28 (search services))

A regulated provider of a service likely to be accessed by children must complete a 'suitable and sufficient' children's risk assessment. This assessment is separate, and additional, to the illegal content risk assessment described in Chapter 2. The purpose of the children's risk assessment is to improve the regulated provider's understanding of the risk of harm to children on the service and what safety measures the regulated provider must put in place to protect them.

What amounts to a 'suitable and sufficient' children's risk assessment will depend on the size and nature of the service, but as a minimum it must assess the risk of harm (physical or psychological) to children encountering each kind of harmful content (see above for the types of harmful content), taking into account:  

• Ofcom's Children's Risk Profiles which set out relevant risk factors for online services;
• Ofcom's Children's Register of Risk and the characteristics of the service, including the user base, functionalities, algorithmic systems and the business model;
• any other relevant aspects of the service's design and operation; and
• how the service is used (both intended and unintended ways that people may use the service).

The regulated provider should then assign a level of risk of harm to children for each type of content harmful to children by assessing the likelihood of each kind of harmful content being encountered by children and the impact of that content on children.

Mitigate the risks identified in the children's risk assessment (OSA s12 (u2u services) and s29 (search services))

Once a regulated provider has conducted the children's risk assessment, it must decide on the appropriate measures to reduce the risk of harm to children in different age groups. The regulated provider may already have existing control measures in place to address the risk of harm it identifies, or it may require additional measures, such as those identified in the Codes of Practice for the safety of children online. The regulated provider must use age verification or age estimation to prevent children of any age from encountering primary priority content that is harmful to children that the regulated provider identifies on the service, except where the service prohibits that kind of content and that policy applies in relation to all users. Once the regulated provider has decided on the measures, it must implement these measures appropriately.

The regulated provider must keep a written record, in an easily understandable form, of every children's risk assessment and the measures taken, including why it considers that these measures address the risks identified. For further details of the record keeping and review duties of regulated providers, see Chapter 2.

Monitoring and reporting (OSA s11 and s12 (u2u services) and s28 and s29 (search services))

Once the regulated provider has implemented the measures, it must report on the children's risk assessment and measures via the relevant governance channels. Category 1 and 2A regulated providers must provide Ofcom with a copy of their children's risk assessment record and summarise their findings for users (see Chapter 4 (What are categorised services?) for more information on Category 1 and Category 2A services). The regulated provider must continuously monitor the effectiveness of its chosen measures at reducing the risk of harm to children and establish an annual review cycle for the children's risk assessment.

What are the age assurance requirements for regulated providers publishing pornographic content or where other primary priority content is available?

(OSA s81 (regulated provider pornographic content) and s12 (u2u services)

Regulated providers who publish pornographic content must ensure that children are not normally able to encounter such content in relation to a service by age verification and/or age estimation. As noted above, other regulated providers of user-to-user services likely to be accessed by children are required to implement age estimation or age verification on their services to prevent children from encountering primary priority content.

The age assurance must be highly effective at determining, correctly, whether or not the user is a child. To ensure that an age assurance method is highly effective at correctly determining whether or not a user is a child, a regulated provider should ensure that the method is:

1. Technically accurate, based on the degree to which an age assurance method can correctly determine the age or age range of a user under test lab conditions;
2. Robust, based on the degree to which an age assurance method can correctly determine the age of a user in actual deployment contexts;
3. Reliable, based on the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence; and
4. Fair, based on the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes.

Some of the examples of 'highly effective' age assurance provided by Ofcom (subject to the above factors being met in the individual context) include open banking, photo-ID matching, facial age estimation, mobile-network operator age checks, credit card checks, email-based age-estimation and digital identity services.

Ofcom has confirmed that self-declaration of age, online payments via Debit cards (where you do not have to be over 18 to obtain one), and general contractual restrictions on using the service as a child (e.g. in terms of use) are not capable of being 'highly effective'