Regulatory expectations for online safety are evolving rapidly. Platforms serving UK users must now comply with the Online Safety Act (OSA) while maintaining a safe and trustworthy ecosystem.
At Tremau, we recently had an insightful discussion with Bird & Bird and Ofcom on the OSA risk assessment framework, exploring best practices, challenges, and practical compliance steps. With just 1 month left until the risk assessment deadline, where do you stand? Here’s what you need to know—and how to get started efficiently.
Understanding Risk Assessment in the OSA Framework
At the heart of Ofcom’s risk assessment framework are two critical data sources that help platforms gauge the likelihood and impact of specific harms:
- Core Inputs – Internal data sources such as flagged content, user reports, and moderation trends.
- Enhanced Inputs – External sources like industry reports, expert consultations, and regulatory guidelines, providing a broader context for risk evaluation.
Since no two platforms face the same risk landscape, a one-size-fits-all approach won’t work. The key is to know your platform, understand the unique risk factors and structure your assessment accordingly.
Pro Tip: Start by analyzing your platform’s user base, moderation systems, and design choices to understand how risks manifest in your ecosystem. Conduct internal walkthroughs, clarify roles and responsibilities, and examine existing data points to identify key risk areas.
Key Lessons from Other Regulated Sectors: What Can You Learn?
1. Governance & Oversight Matter
Regulatory Expectation: The UK Codes of Practice mandate that senior governing bodies must review risk assessment results, ensuring clear accountability.
This isn’t just a box-ticking exercise—strong governance provides crucial oversight. Leaders should challenge assumptions, ensure access to the right information at the right time, and drive strategic risk management.
2. Data-Driven Risk Assessments
Other industries rely on historical data, predictive modeling, and scenario analysis for risk management. Similarly, online platforms can apply data-driven strategies to assess and mitigate risks.
- Leverage existing data reports—engage Trust & Safety (T&S) and content moderation teams to access reports they already monitor (daily, weekly, and monthly).
- Define data parameters clearly—ensure transparency in time span, justification, and user demographics.
- Assess risks relative to total platform activity—for meaningful insights, track:
  - Total content shared on the platform
  - Total reported content
  - Total detected harmful content
  - False positives vs. false negatives (if available)
- For bigger platforms, build risk models that track user behavior, content patterns, and harm indicators over time.
Why does this matter? The more you dissect data across jurisdictions, the better you understand whether issues are localized or systemic. In the absence of external benchmarks, trend analysis across time and regions becomes essential.
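The following is an added worked example (not Tremau's, Ofcom's or any platform's code or figures) of the two ideas in this section: expressing reports, detections and known harm as rates relative to total platform activity, and comparing each jurisdiction's latest month against its own history to tell a localized spike from a systemic shift. The monthly rows, the regions, the +50% threshold and the column layout are all constructed assumptions for illustration.

```python
"""Relative-rate and cross-region trend check on moderation metrics.

Added illustration; every number below is constructed sample data.
Columns: (month, region, total_content, reported, detected_harmful,
          false_positives, false_negatives)
false_positives  = detections later overturned (e.g. on appeal)
false_negatives  = harmful items that moderation missed and were found
                   later via appeals or audits ("if available" data)
"""
from collections import defaultdict
from statistics import mean

SAMPLE_ROWS = [
    ("2025-01", "UK", 200000, 1500, 900, 60, 40),
    ("2025-01", "FR", 150000, 1100, 700, 50, 30),
    ("2025-01", "DE", 180000, 1300, 850, 55, 35),
    ("2025-02", "UK", 210000, 1600, 950, 65, 42),
    ("2025-02", "FR", 155000, 1150, 720, 52, 31),
    ("2025-02", "DE", 185000, 1350, 880, 58, 36),
    ("2025-03", "UK", 220000, 4500, 2800, 70, 45),  # constructed UK-only spike
    ("2025-03", "FR", 160000, 1200, 750, 54, 32),
    ("2025-03", "DE", 190000, 1400, 900, 60, 38),
]


def to_record(row):
    """Turn raw counts into rates relative to total activity for that region/month."""
    month, region, total, reported, detected, fp, fn = row
    true_harmful = detected - fp            # confirmed harmful among detections
    known_harmful = true_harmful + fn       # confirmed + missed items
    return {
        "month": month, "region": region, "total": total,
        "reported": reported, "detected": detected,
        "true_harmful": true_harmful, "fn": fn,
        "report_rate": reported / total,
        "harm_rate": known_harmful / total,
        "precision": true_harmful / detected if detected else 0.0,
        "recall": true_harmful / known_harmful if known_harmful else 0.0,
    }


def load(rows):
    return [to_record(r) for r in rows]


def by_region(records):
    """Group records per region, oldest month first."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["region"]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["month"])
    return groups


def flag_elevated(records, metric="harm_rate", rel_threshold=0.5):
    """Flag regions whose latest month exceeds their own historical mean for
    `metric` by more than rel_threshold (default +50%). A relative threshold is
    used instead of a z-score because a region with a flat history has a near-zero
    standard deviation, which would make tiny wobbles look significant.
    Returns {region: (latest_value, historical_mean, flagged)}."""
    out = {}
    for region, recs in by_region(records).items():
        if len(recs) < 2:
            continue  # no history to compare against; skip rather than guess
        *history, latest = recs
        baseline = mean(r[metric] for r in history)
        flagged = baseline > 0 and (latest[metric] - baseline) / baseline > rel_threshold
        out[region] = (latest[metric], baseline, flagged)
    return out


def classify_scope(flags):
    """'localized' if some regions are elevated, 'systemic' if all, 'stable' if none."""
    elevated = sorted(r for r, (_, _, f) in flags.items() if f)
    if not elevated:
        return "stable", []
    if len(elevated) == len(flags):
        return "systemic", elevated
    return "localized", elevated


def platform_summary(records, month):
    """Count-weighted platform-wide rates for one month (the 'total activity' view)."""
    rows = [r for r in records if r["month"] == month]
    total = sum(r["total"] for r in rows)
    detected = sum(r["detected"] for r in rows)
    tp = sum(r["true_harmful"] for r in rows)
    harmful = tp + sum(r["fn"] for r in rows)
    return {
        "month": month, "total": total,
        "report_rate": sum(r["reported"] for r in rows) / total,
        "harm_rate": harmful / total,
        "precision": tp / detected if detected else 0.0,
        "recall": tp / harmful if harmful else 0.0,
    }


if __name__ == "__main__":
    recs = load(SAMPLE_ROWS)
    print(platform_summary(recs, "2025-03"))
    flags = flag_elevated(recs)
    for region, (latest, base, hit) in flags.items():
        print(f"{region}: harm_rate {latest:.5f} vs baseline {base:.5f} -> {'ELEVATED' if hit else 'ok'}")
    print(classify_scope(flags))
```

With the constructed rows, only the UK's March harm rate jumps far above its own January/February baseline while FR and DE stay flat, so the check reports a localized issue rather than a platform-wide one; the same functions run unchanged over a real export with more months and regions.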
3. Stress-Test Your Risk Assessment
How confident are you in your risk classification?
Low-risk classifications attract scrutiny—if you categorize a risk as low, ensure:
- Your data substantiates that claim with clear, documented evidence.
- You have proactive mitigation measures aligned with the identified threat level.
High-risk areas require clear action plans—mitigation measures should be well-defined, specific, and actionable.
Are Alternative Compliance Measures Feasible?
Ofcom allows businesses to implement alternative compliance measures, but only if they can justify them. Many companies are still in the discovery phase, but as you refine your internal processes, consider:
- Distinguishing between gaps in documentation and actual missing practices—some measures may exist but lack formalization. Draw up a plan to standardise them into policies and Standard Operating Procedures (SOPs).
- Focusing on high-impact risks first—when resources are limited, allocate efforts based on harm severity.
Demonstrating Best Efforts to Manage Risk
Demonstrating best efforts to manage risk is key. Effective risk management does not mean eliminating risks entirely but ensuring they are prevented, detected, and appropriately responded to.
To effectively manage risks, organizations must distinguish between proactive risk control measures and reactive risk responses. Here’s how they differ:
Risk Control (also called Risk Treatment or Risk Mitigation)
- Focuses on reducing the likelihood of risks occurring or minimizing their impact if they do occur.
- Includes preventive controls (to stop risks from occurring) and detective controls (to identify risks when they happen).
Risk Response
Involves decisions made after a risk has been identified and analyzed to determine the appropriate action. The response could be:
- Avoidance – Eliminating the risk entirely (e.g., discontinuing a risky platform feature).
- Reduction/Mitigation – Implementing controls to minimize the risk (e.g., stronger moderation policies).
- Sharing/Transfer – Offloading the risk through insurance, outsourcing, or third-party partners.
- Acceptance – Acknowledging the risk and monitoring it proactively when avoidance or mitigation isn’t feasible.
The Right Mindset: Embrace Continuous Improvement
The first year of OSA compliance will have a steep learning curve, but the governance framework is designed to help iterate and refine risk models over time.
How far along are you? The deadline is closing in fast—start now!
Compliance Isn’t Just a Requirement—It’s a Business Advantage
Think of this not as a compliance exercise, but as a value driver for your business!
- Boost user trust – Strengthen credibility and foster long-term customer loyalty.
- Attract advertisers – Appeal to brands that prioritize responsible and transparent partnerships.
- Future-proof operations – Stay ahead of regulatory changes and evolving industry standards.
Final thoughts
With just 1 month to go, now is the time to assess, refine, and implement your risk assessment strategy. Take a data-driven, governance-led, and proactive approach to ensure compliance—and turn it into a competitive advantage.
🚀 Need guidance on your OSA compliance journey? Get in touch with our Policy and Advisory team: Agne Kaarlep (agne@tremau.com), Haneen Qarout (haneen@tremau.com), Toshali Sengupta (toshali@tremau.com).