
UK Online Safety Act: Children's Risk Assessment Deadline has Arrived - What You Need to Know
From today, online services in scope of the UK’s Online Safety Act (OSA, the Act) must be able to demonstrate they’ve assessed the risks their platforms pose to children — and taken action to mitigate them. This legal duty applies to any service that finds it is likely to be accessed by children after completing the mandatory Children’s Access Assessment (CAA). From today (24 July 2025), these services are required to have completed a Children’s Risk Assessment (CRA).
The CRA is central to achieving one of Ofcom's core priorities: creating a safer digital environment for children. It requires regulated service providers to evaluate how their content, features, and design choices might expose children to harm, and to put in place proportionate safety measures in response. In this blog, we break down what the CRA involves, who it applies to, and how services can meet the compliance standard.
Quick Recap: Where the CRA Fits In
To understand the CRA, it’s useful to see how it fits within the broader compliance framework of the OSA.
The first step is the Illegal Harms Risk Assessment (IHRA), which requires all in-scope services to consider how illegal harms may take place on their platform. The deadline for completing the first IHRA was 16 March 2025, and services are required to conduct a new risk assessment on making a significant change to their service.
The second step is the Children’s Access Assessment (CAA), a regulatory requirement for all user-to-user services falling under Part 3 of the Act. The purpose of the CAA is to determine whether children are likely to access your service, either directly or through specific parts of it. If the outcome is yes, your service becomes subject to the children’s safety duties in the Act.
The CRA is the third step. It requires services to go beyond identifying access and assess the specific types of harm children may face on their platform. This includes not only the content itself, but also the systems and features that shape children’s experiences online. The CRA ultimately informs the safety measures providers adopt and how they monitor and adapt them over time.
What is a Children’s Risk Assessment?
A CRA is a comprehensive, evidence-based evaluation of how a service might expose child users to harm. It is a statutory requirement under the OSA for any in-scope service likely to be accessed by children. The goal is to help providers understand the specific risks their platform presents, and what actions they can take to mitigate them.
The assessment must be tailored to each service, considering variables such as user demographics, design features, functionalities, and business model. Services must take into account Ofcom’s Children’s Risk Profiles, which identify features and functionalities that could contribute to risk. (Note: These differ from the risk profiles published alongside Ofcom’s Illegal Content Risk Assessment Guidance. For more, see our blog on Children’s Codes of Practice.)
How to Complete a CRA
All user-to-user and search services that fall under Part 3 of the OSA, and have determined via the CAA that their service is likely to be accessed by children, must complete a CRA.
Within the CRA, services should demonstrate that they have:
- Identified and understood relevant risks;
- Considered how the features of their platform may contribute to those risks;
- Assessed whether current or planned mitigations are effective.
The CRA must reflect the unique characteristics of each service and meet the legal standard of being “suitable and sufficient.” That means it should:
- Identify the types of harmful content (primary priority, priority, and non-designated) children may encounter;
- Refer to Ofcom’s Children’s Risk Profiles;
- Assess how design, features, demographics, and service operations affect the likelihood and impact of harm;
- Evaluate the effectiveness of existing safety controls;
- Consider any foreseeable outcomes — both intended and unintended — of children engaging with the service.
The CRA must address three broad categories of harmful content:
- Primary priority content: the most serious harms, such as pornography or content promoting suicide, self-harm, or eating disorders;
- Priority content: includes bullying, hate speech, and depictions of violence or serious bodily harm;
- Non-designated harmful content: includes content not explicitly defined in the Act but potentially harmful, such as body image-shaming or content promoting depression.
Once a CRA is complete, providers have continuing duties to keep it up to date. They must:
- Review the assessment when Ofcom updates a Children’s Risk Profile;
- Complete a new assessment if they make significant changes to the service;
- Maintain a clear, written record of how the CRA was carried out and what it concluded.
What Now?
A Children’s Risk Assessment isn’t just a tick-box exercise — it’s an opportunity to understand how children engage with your service and where safety interventions are most needed. With the deadline now passed, regulated services should ensure their CRA is complete, robust, and grounded in evidence. Ongoing monitoring and review will be essential as part of compliance under the OSA.
If you need further support, Illuminate Tech's new SaaS platform streamlines the risk assessment process — no legal jargon, no bloated fees. You provide information about your service; we help ensure you're ready for regulation. To find out more, get in touch: hello@illuminatetech.co.uk.