InsightOSA

Key Considerations for the Online Safety Act’s Children’s Access Assessment

Learn how to conduct a Children’s Access Assessment under the Online Safety Act. Understand key stages, risks, and compliance requirements in this quick guide.

By Tremau T&S Research Team

  • 04/14/2025

With just two days left until the 16 April deadline, platforms regulated under the UK’s Online Safety Act 2023 (OSA) need to act fast. If your service is User-to-User (U2U) or search-based, you must complete a Children’s Access Assessment.

In this blog, we walk through what a Children’s Access Assessment involves, why it matters, and key considerations to keep in mind.

What is a Children’s Access Assessment?

Under the OSA, platforms active in the UK must conduct a Children Access Assessment to determine whether a service is likely to be accessed by users under 18. If it is, you are required to complete a Children’s Risk Assessment and comply with extra safety duties under the Act.

Even if children are not a part of your target audience, you must still conduct the Access Assessment. While some companies may have done similar work under the Information Commissioner’s Office Children’s Code, this is a separate legal requirement with its own criteria. Ofcom, the UK online safety regulator, released guidance on OSA Children’s Access Assessments, which can be viewed here.

Stage 1: Can Children Access Your Service?

Stage 1 of the Children’s Access Assessment focuses on accessibility—specifically, whether or not children can access your platform and what evidence supports that.

Most platforms have some form of passive age assurance , such as a clause in the Terms of Service setting the minimum age of use. However, to claim that your service is not accessible by children, you must provide appropriate evidence. Ofcom will only consider evidence from age assurance methods that it considers ‘highly effective’ for this portion of the Assessment (below, we give you a better overview of what this means).

Stage 2: Are Children Likely to Use Your Service?

Here, the question shifts from accessibility to usage and appeal : Are a significant number of children likely to be users of your service? And/or is your service likely to attract children by nature of its functionalities, design, and purpose?

Ofcom refers to these two questions as the “child user condition.” Companies must ultimately be able to demonstrate that neither condition is true in order to be excused from conducting a Children’s Risk Assessment during this Assessment cycle.

Key Points to Keep in Mind

1. Before you begin: Know Your Platform

A well-informed Children’s Access Assessment starts with a solid understanding of your own service. If you have already carried out an Illegal Content Risk Assessment under the OSA, you have likely laid the groundwork–now it’s time to build on it. Ofcom expects providers to demonstrate a clear and evidence-based understanding of how their platform works, who can access it, and who is actually using it.

This means you should already have a detailed grasp of details such as:

  1. User Sign-Up Journey – what does the onboarding process look like? What information is collected at each stage, and are there any barriers to entry for underage users?
  2. Access Controls – which parts of your service are publicly accessible, and which are gated? What user information (if any) is required to access each area?
  3. Age Assurance Measures – What age verification or estimation steps are in place, and what stage(s) of the user journey triggers them?
  4. Available Data Points – What existing data can you harness to understand your user base, including signals that might indicate the presence of users under the age of 18?

2. Intent Isn’t Evidence: You still need to prove that children aren’t using your service

Even if your service is not specifically designed for children or may not seem appealing to them, you are not exempt from responsibility. If you cannot provide solid evidence that a significant number of children are not using your service, you are required to conduct a Children’s Risk Assessment.

3. What counts as a “significant number of children?”

Ofcom’s guidance doesn’t set a specific threshold. Ofcom states that the determining factor is whether children represent a significant portion of your UK user base. Even a small number of child users could be sufficient, depending on the nature and context of your platform. Ofcom commissioned research into how minors bypass age verification on major social media and the results support the idea that, even if your service has a count of child-owned profiles, these numbers may not reflect reality. As a result, Ofcom recommends taking a cautious approach, in line with the Act’s high expectations for children’s protection.

4. Only “Highly Effective” age assurance methods will count

In Stage 1, Ofcom will only accept the claim that a service isn’t accessible to children if they use highly effective age assurance methods. This means that they should be technically accurate, robust, reliable, and fair. A non-exhaustive list of effective assurance methods includes mobile network operator age checks, credit card checks, digital identity services, and certain age estimation methods. Read Ofcom’s age assurance guidance for more.

Importantly, if you don’t complete your Children’s Access Assessment, or if your age assurance evidence isn’t robust enough, you will automatically be considered likely to be accessed by children.

ADVISORY

Decoding Children’s Risk Assessments

Following the Children’s Access Assessment, our Trust & Safety team is ready to help your service meet the new obligations under the Online Safety Act.

Final Considerations

As platforms finalize their Children’s Access Assessments, it is important to remember that compliance under the Online Safety Act is an ongoing process rather than a one-time task. Companies should proactively prepare for the online safety act risk assessment stage that follows, ensuring that evidence and documentation remain clear, accurate, and up to date. With the online safety act deadline approaching quickly, regulated services must not only meet immediate obligations but also establish long-term strategies to safeguard children online and reduce future regulatory risks.

Looking ahead

If the OSA applies to your service, you have likely already completed your Children’s Access Assessment, but compliance doesn’t stop there.

Following Ofcom’s planning, Children’s Risk Assessments are due in July 2025.

Need support on what’s next? Our team has supported a wide range of digital services with OSA compliance and is ready to navigate the upcoming requirements.

Reach out to us with your questions–we’re here to support you at every step.

*The cover of this article has been generated by AI.