The kids are alright? Ofcom publishes final children's codes under the Online Safety Act

On 24 April 2025, Ofcom announced that it has finalised its child safety measures applicable to online platforms regulated under the OSA (‘in-scope providers’ or ‘providers’). The Children’s Codes of Practice (the ‘Codes’), which were first published in May 2024 and then revised in December 2024 (see our explainer article on the previous drafts here) have now been placed before the UK Parliament, and subject to final approval, will apply to in-scope providers from 25 July 2025. 

Key changes

The final Codes largely build on the measures outlined in the draft Codes and also “complement” specific requirements to prevent children from encountering inappropriate adult content online (see our explainer article on how pornography providers are regulated under the OSA here). Importantly, in-scope providers that have already already carried out or are in the process of carrying out children's risk assessments, will be grateful to hear that the previous 4-step structure for these assessments has now been confirmed by Ofcom. 

However, certain notable amendments have been made, including to give providers the choice whether to exclude illegal priority content from children's feeds (as opposed to lowering its degree of prominence as was originally proposed), to suggest more age-differentiated online experiences, in recognition of the evolving capacities of children as they age (rather than blanket measures to protect all children irrespective of their specific age), and to outline new measures on how providers should identify and assess the risk of harm presented to children by non-designated content on their service(s). 

This means that the final Codes now include more than 40 practical measures for in-scope providers to consider implementing to ensure the security of their service(s) for children, including measures which:

1. ensure child users are shown safer feeds;
2. ensure effective age checks are implemented where relevant (see our more detailed article on age assurance measures here);
3. allow for “fast action” to review, assess and (if need be) takedown harmful content;
4. provide more control for children online e.g., by allowing them to indicate what content they don’t like, to easily decline group chat invitations and to easily disable comments on their own posts (among others);
5. implement quick, frictionless reporting and complaint routes - including by making Terms of Service comprehensible to children; and 
6. create a strong child protection governance framework e.g., all services must have a named person who is accountable for children’s safety.

The measures listed in the Codes are recommendations only and in-scope providers can choose to comply with the child safety obligations of the OSA using alternative measures; however, providers that use the measures listed in the Codes will benefit from ‘safe harbour treatment’ meaning that they will be treated as complying with these duties and Ofcom will not take any enforcement action against them in respect of the OSA’s child safety duties. 

Next steps

An in-scope provider which has assessed its service is “likely to be accessed by children” now has until 24 July 2025 to complete its children’s risk assessment. Importantly, Ofcom may request this, so businesses should be able to justify the accuracy of the information in its assessment - especially given Ofcom’s recent enforcement action against TikTok and OnlyFans for failing to respond accurately to RFIs - see our previous article here). 

All this means that, from 25 July 2025, in-scope providers should apply the risk mitigation measures set out in the Codes or alternative measures which are equally effective, noting that Ofcom will then be able to enforce against providers which fail to comply. We note that Ofcom in its press release on this topic, specifically called out its ability – in very serious cases – to apply for a court order to prevent a site or app from being available in the UK. This reference indicates that protecting children online is an area where Ofcom is likely to use its most stringent enforcement powers.

For more information on Ofcom’s enforcement powers and the OSA more generally, check out The Safety Net.