On 2 July 2025, the UK government published a statement of strategic priorities for the Online Safety Act 2023 (OSA), outlining four key priorities for implementation. Among these, 'safety by design' stands out as a fundamental principle – embedding protective measures that should safeguard all users, and particularly children. But what does this mean in practice for online service providers?
Under the OSA, requirements on platforms to protect children using their services vary depending on whether a service hosts 'adult' content ('Part 5 services) or general content (Part 3 services).
Part 3 services
Safety by design requires service providers to implement protective measures from the outset, ensuring that their platforms are built with user protection as a core feature rather than an afterthought.
All Part 3 services are required to carry out a children's access assessment and, if they are likely to be accessed by children, a children's risk assessment. They then need to implement appropriate measures to mitigate the identified risks of harm to children. Ofcom has produced Codes of Practice recommending some safety measures on the basis of the risk profile of a given service. All these assessments and documents are underpinned by the two foundations of protecting children online: "highly effective age assurance" and safety measures.
Highly effective age assurance
Highly effective age assurance is an age assurance process that must fulfil four core criteria:
- technical accuracy – degree to which an age assurance method can correctly determine the age or age range of a user under test lab conditions. Where age estimation is used, providers should employ a 'challenge age approach'. This is similar to what already happens in the 'bricks and mortar' world
- robustness – degree of accuracy in correctly determining the age of a user in actual deployment contexts, accounting for the real-world varying conditions (lighting, backgrounds). Where age assurance relies on identification documents, mobile phone numbers, email addresses, or credit cards, providers must have means of checking that the details supplied belong to the user attempting to access the service
- reliability - describes the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence, and
- fairness - describes the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes, ensuring that age assurance methods do not provide outputs with lower technical accuracy for users of certain ethnicities or other protected characteristics.
Ofcom's guidance states that some methods capable of being "highly effective age assurance" include open banking, photo-ID matching, facial age estimation, mobile network operator age checks, credit card checks, email-based age estimation, and digital identity services. Conversely, methods not capable of being highly effective include age verification through payment methods not requiring 18+ status (such as debit cards) and general contractual restrictions prohibiting under-18s from using the service without additional age assurance.
The children's access assessment
All providers of Part 3 services are required to carry out children's access assessments to determine whether a service is likely to be accessed by children. The assessment, broadly, consists of answering the following two steps:
- Step 1: is it possible for children to access your service? According to Ofcom's guidance, services can answer 'no' to this question only if they have highly effective age assurance in place. If the answer to this question is 'yes' then:
- Step 2: are there a significant number of children on the service? Is the service likely to attract a significant number of children (child user condition)?
If the outcome of the children's access assessment is that a Part 3 service is likely to be accessed by children, it must carry out a risk assessment and implement proportionate measures to mitigate the risks of harm identified. The measures that Ofcom has recommended are calibrated to the level of risk and the size of the service.
Ofcom's recommended measures
Ofcom has recommended a comprehensive suite of safety measures that services must implement to protect children, organised into several key categories:
- Governance and accountability: providers must name an individual accountable to the most senior governance body for compliance with safety duties protecting children. Larger or multi-risk services must track evidence of new kinds of harmful content and unusual increases in particular kinds of content harmful to children.
- Content moderation: providers must have systems and processes designed to review and assess content that they have reason to suspect may be harmful to children. This includes preventing child users from encountering primary priority content and protecting them from priority content and non-designated content.
- Reporting and complaints: providers must have systems enabling users to make complaints in a way which will secure appropriate action. For complaints regarding specific content, a reporting function must be clearly accessible in relation to that content.
- Recommender systems: for services at medium or high risk with content recommender systems, providers must ensure that content provisionally indicated as being primary priority content is excluded from relevant users' content feeds.
- User empowerment tools: providers must make options available to block specific user accounts, prevent commenting on posted content, and ensure that users only become part of group chats once they have actively confirmed they wish to join.
- Age assurance: Part 3 services that allow children on their service are, in some cases, recommended to use highly effective age assurance measures to establish which of its users are children and for the purposes of targeting other safety measures at those child users. Highly effective age assurance serves a double purpose: it can help Part 3 service providers claim that there are no children on the service (if they do not allow under-18s on the service) or they can be used as part of certain safety measures.
Part 5 services
Additionally to the highly effective age assurance and safety measures for Part 3 services, the OSA also requires pornographic services (Part 5 services) to prevent access to children by implementing "highly effective age assurance". Unlike for Part 3 services that may choose to use highly effective age assurance as a means of implementing some of the safety measures, Part 5 services are required to restrict access to child users by means of highly effective age assurance.
Ofcom's enforcement programme: a clear signal of intent
The first enforcement actions taken by Ofcom indicate that there is a focus on the protection of children, in particular with regard to Part 5 services. An enforcement programme has been opened specifically targeting pornographic content providers.
Ofcom's enforcement programme aims to protect children from encountering pornographic content by ensuring that providers implement highly effective age assurance. The programme focuses on commercial pornographic websites and services that are most visited by UK users, prioritising those with the highest traffic volumes and greatest potential for child access.
The enforcement programme operates in phases. Ofcom has identified priority services based on traffic data and has begun engaging with providers to assess their compliance with age assurance requirements. Where providers fail to implement adequate measures, Ofcom has indicated it will use its full range of enforcement powers, including business disruption measures such as requiring internet service providers to block access to non-compliant services.
This enforcement programme sends a clear message: Ofcom is taking a proactive and robust approach to ensuring that pornographic services comply with their obligations to prevent children from accessing harmful content. The focus on high-traffic services demonstrates a risk-based approach that prioritises protecting the greatest number of children.
Looking ahead: Ofcom's enforcement priorities
Ofcom's priorities for enforcement have been included in the online safety enforcement guidance and, from what we have seen so far, we'd expect Ofcom will continue its focus on the protection of children online. This is seen as an area with a high potential for serious harm and action is often considered to be in the public interest when children are involved.
The enforcement guidance makes clear that Ofcom will prioritise cases where there is potential for significant harm to children, where there is evidence of systemic failures in child protection measures, and where enforcement action would have the greatest deterrent effect across the industry. The opening of the enforcement programme for pornographic services demonstrates that Ofcom is willing to act swiftly and decisively where children's safety is at stake.
Of course children's online safety is not just a UK issue. Find out about how the EU, Germany and France are tackling children's online safety here.
