Online Safety

UK Online Safety Act: Ofcom launches its first consultation on illegal harms

Published on 21st Nov 2023

A picture is emerging of how to tackle the illegal harm duties as regulator sets out detailed draft guidance and codes of practice


The long-awaited Online Safety Act (OSA) finally became law last month. This mammoth legislation represents one of the world's most ambitious attempts yet to regulate online service providers and make the online world a safer place. (Read our overview of the OSA.)

Ofcom has now published its first consultation under the OSA, launched on 9 November, which focuses on services' duties to protect users from illegal content.

In keeping with the sprawling nature of the OSA itself, Ofcom has not scrimped on the word count – its consultation documents run to over 1600 pages including the annexes. What is the consultation's scope, and what are some of the key themes that emerge from it?

Scope of the consultation

The consultation covers many themes under the broad heading of illegal harms. These include how services should assess and mitigate the risks of illegal harm; how they should judge whether or not content is illegal; and how Ofcom intends to use its information gathering and enforcement powers.

It includes draft guidance on:

It also includes draft illegal content codes of practice for user-to-user services and search services. These will be of particular interest to regulated services because the OSA states that if a provider takes the measures described in a code of practice, they are to be treated as complying with the relevant duty.

Risk-based approach

Ofcom's draft guidance suggests that it will consider harms within a matrix of likelihood of harm vs impact of harm. With that in mind, it proposes to divide services up into larger services (those which have an average user base greater than 7 million per month in the UK) and smaller services (everyone else).

These broad size categories will then be sub-divided into three:

  • Low risk – services assessed as being low risk for all kinds of illegal harm.
  • Specific risk – services assessed as being medium or high risk for a specific kind of harm for which particular measures are proposed.
  • Multi risk – services that face significant risks for illegal harms.

Different measures are recommended for services within these different categories, with the most onerous measures only applying to larger and/or higher risk services. Ofcom observes that while there is sometimes a correlation between size and risk, in the case of some harms (such as grooming) small services can still pose a high risk of harm.

Risk assessments and the priority harms

In its draft risk assessment guidance, Ofcom has grouped the "priority" illegal content defined by the OSA into 15 kinds of illegal harm:

  • terrorism offences;
  • child sexual exploitation and abuse offences, including grooming and child sexual abuse material;
  • encouraging or assisting suicide (or attempted suicide) or serious self-harm offences;
  • harassment, stalking, threats and abuse offences;
  • hate offences;
  • controlling or coercive behaviour offence;
  • drugs and psychoactive substances offences;
  • firearms and other weapons offences;
  • unlawful immigration and human trafficking offences;
  • sexual exploitation of adults offence;
  • extreme pornography offence;
  • intimate image abuse offences;
  • proceeds of crime offences;
  • fraud and financial services offences; and
  • foreign interference offence.

All services also need to assess the risk of harm from relevant non-priority offences appearing on the service.

Once the final version of the risk assessment guidance has been published, services will need to undertake a robust and comprehensive illegal content risk assessment. Ofcom has proposed a four-step process which it recommends providers follow when assessing the risk of illegal content on their services:

  • Understand the harms
  • Assess the risk of harm
  • Decide measures, implement and record
  • Report, review and update risk assessments.

What will providers be asked to do?

Ofcom has proposed 34 measures which regulated user-to-user services should take to comply with the illegal harms duties (with some measures only applying to the larger or higher risk services). A similar number of measures are proposed for search services.

Some of the more notable measures include the following:

  • All services must name a person accountable to the most senior governance body for compliance with illegal content duties and reporting and complaints duties.
  • Various record keeping and review requirements, including a requirement to undertake a compliance review at least once a year.
  • All user-to-user services' content moderation systems or processes must be designed to take down illegal content swiftly. Search services' systems and processes must be designed so that illegal search content is deprioritised or deindexed for UK users.
  • Certain services must set internal content or search moderation policies and performance targets and must resource their content or search moderation function to give effect to these.
  • All services must have complaints processes which are easy to find and use for customers. Indicative timeframes for considering complaints should be sent to complainants, and appropriate action should be taken to deal with complaints in accordance with Ofcom's proposed content or search moderation recommendations.
  • User accounts should be removed if there are reasonable grounds to infer they are run by or on behalf of a terrorist group or proscribed organisation.

This is far from an exhaustive list. Ofcom has published a set of tables setting out all of the measures for user-to-user and search services, and specifying the categories of service for which it is proposed these measures will apply.


Ofcom has also set out its proposed approach for the use of its information gathering and enforcement powers. It expects to use its powers to issue statutory information notices regularly from the outset of the regime. It does not anticipate using its other information gathering powers (such as skilled person reports and powers of entry, inspection and audit) as often – these will typically be reserved for more serious cases.

Ofcom states that it will take a reasonable and proportionate approach to the exercise of its enforcement powers, and expects to prioritise only serious breaches in the early stages of the regime, to allow services a reasonable opportunity to come into compliance. However, it warns that all services should expect to be held to full compliance within six months of the relevant safety duty coming into effect.

Why this matters

The consultation documents contain a great deal of food for thought. For the first time, a picture is emerging of what compliance with the OSA will look like in practice. Both providers and campaigners should also be reassured at the level of detail which Ofcom has provided.

The deadline for responses to the consultation is 5pm on Friday 23 February 2024. Osborne Clarke's specialist team is available to support organisations who wish to respond to the proposals.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
