What Ofcom’s Year 1 Reviews Reveal About Year 2 OSA Risk Assessments
Learn what Ofcom’s Year 1 risk assessment reviews mean for platforms and services preparing for Year 2 OSA deadlines.
Ofcom’s Year 1 reviews have given platforms and online service providers a clearer view of what Year 2 risk assessments will require under the Online Safety Act (OSA). Following its review of 104 submissions, Ofcom identified substantive concerns about the assessment approach of 11 providers and asked five to reconsider their risk level conclusions. All subsequently submitted revised versions or supplementary information.
As the OSA moves into a more enforcement-focused phase in Year 2, online safety risk assessments can’t just be a one-off, paper exercise. Increasingly, regulators like Ofcom are evaluating whether platforms can clearly demonstrate how risk conclusions were reached, what evidence informed them, who owned the process, and how governance oversight is maintained as services evolve over time.
Ofcom’s Year 1 findings show how wide that gap already is. Resolver’s first Regulatory Readiness session — The Risk Assessment Standard: Maturing Your Approach for Year 2 — brought together Nicole Nolan, Senior Associate in Ofcom’s Governance and Risk Management team, alongside George Billinge of Illuminate Tech (a former Ofcom regulator) and Resolver’s George Vlasto and Natalia Greene to discuss what those findings mean in practice.
For general counsel, compliance, and Trust & Safety teams preparing Year 2 submissions, the session offered a direct look at how Ofcom is evaluating evidence standards, governance maturity, and organizational accountability ahead of the summer deadlines.
5 findings from Ofcom’s Year 1 OSA risk assessment reviews
Nolan described how Ofcom reviewed 104 Year 1 risk assessments — 72 illegal content risk assessments received in March and 32 children’s risk assessments received in July — totaling more than 10,000 pages of records. The reviews were conducted, in Nolan’s words, “with a view to monitor compliance and consider improvements across the industry in how online safety risk is identified and managed.”
Nolan described Ofcom’s framework as a “risk-based regime” in which assessment, mitigation, and governance function as part of a continuous cycle rather than a periodic reporting obligation.
Under that model, providers are expected not only to identify and assess risks, but also to evaluate whether mitigation measures remain effective, reassess exposure as services evolve, and maintain governance structures capable of reviewing those decisions over time. As Nolan explained, measures applied to mitigate identified risks are then considered in the next risk assessment, including how they reduce risk.
Several recurring weaknesses emerged across submissions; the five findings below set them out, together with what Ofcom expects to see in Year 2. Read on to understand how to build maturity in your risk assessment reports ahead of the summer deadlines.
1. Low-risk scores often lacked sufficient evidence
One of Ofcom’s clearest concerns involved providers assigning low or negligible risk scores without sufficiently demonstrating how those conclusions were reached.
Nolan said providers should “err on the side of caution” where risks are unknown or difficult to quantify, especially for services such as encrypted or file-sharing platforms where full visibility into harmful activity may be limited. In those cases, Nolan said Ofcom would expect to see higher risk levels assigned to reflect that lack of evidence and knowledge around the harm.
In several cases, the absence of detected harm was treated as evidence of low risk, rather than as a gap in evidence that warranted a higher precautionary score.
Year 2 expectation: Risk conclusions need clear supporting evidence
For Year 2, Ofcom is making explicit what the evidentiary standard for low-risk determinations has always required. Nolan was explicit: providers are “expected to provide a strong evidence-based justification, especially where risks are assigned as low and negligible.”
That means showing what evidence informed each conclusion, and whether limited visibility was acknowledged and reflected upward rather than used to justify low risk. As Resolver’s Head of Trust & Safety, George Vlasto, noted in the session, a quiet period isn’t evidence of low exposure — a platform may simply have been getting lucky. A low-risk score should be treated as exceptional: a conclusion reached after interrogating the evidence, not a default position justified by silence.
2. Harm grouping created gaps in children’s risk assessments
A distinct pattern emerged specifically in children’s risk assessments: some services grouped similar harms together rather than treating each one individually. Suicide and self-harm content, for instance, appear as a single grouped entry in Ofcom’s Children’s Risk Profiles, reflecting how many services report on them together internally.
The consequence was practical. Nolan mentioned that grouping “made it unclear if they had assessed each harm individually or if some harm types were assessed at all.” In several cases, because harm-specific evidence and controls weren’t provided, risk scores came in lower than the actual risk picture warranted.
Nolan acknowledged the operational reality behind this. Many services report on similar harms together in their moderation processes, and their risk assessments reflected that internal logic. But regulatory records operate under a different standard.
Year 2 expectation: Each harm category must be assessed and evidenced on its own terms
For Year 2, the practical challenge for many organizations is bridging the gap between how harms are managed operationally and how they must be evaluated within a regulatory submission.
Ofcom’s position is unambiguous. Where services group harms for legitimate operational reasons, the record must still show that each harm was considered separately, with individual evidence, harm-specific controls, and distinct risk levels where warranted.
3. Controls were documented, but not fully explained
A third pattern ran through Year 1 submissions: providers listed controls without demonstrating how they actually reduced harm.
Nolan was specific about what was missing. Services described moderation measures, policies, and workflows but failed to explain “their effectiveness or how they reduce specific harms or harm more generally.” The record showed what controls existed. It didn’t show whether they worked.
This matters because of how Ofcom’s framework is designed. Controls aren’t a static checklist — they feed directly back into the next risk assessment, where Ofcom expects providers to demonstrate not just that measures were applied, but how they reduced risk. A control that isn’t monitored can’t meaningfully inform that reassessment.
Year 2 expectation: Controls need to demonstrate how risk is reduced
For Year 2, the record needs to show how each control mitigates a specific harm, how effectiveness is monitored, and how that evidence feeds back into reassessment decisions over time.
The practical implication for compliance and Trust & Safety teams is that moderation operations, evidence collection, and governance review need to be connected — and that connection needs to be visible in the record.
4. Governance ownership and accountability were often absent
Across Year 1 submissions, governance was one of the most consistent gaps. Only 29% of illegal content records included a named responsible individual. For children’s risk assessments, that figure was 44%.
But the issue went beyond a missing name. As Nolan described it, strong governance means “making sure accountable individuals are assigned, that they’re regularly reviewed, and that there is some sort of governance structure within your organization to report up any of those concerns that might be reflected within a risk assessment.” As Resolver’s Natalia Greene noted in the session, that named individual is expected to be accountable to the most senior governance body within the organization for compliance with safety duties.
The record-keeping data showed how far short most submissions fell. Only 56% of illegal content records showed findings reported through appropriate governance. For children’s assessments, that figure was 69% — better, but still leaving nearly a third of providers unable to demonstrate that governance oversight was in place.
Year 2 expectation: Accountability must be documented and demonstrable
For Year 2, Ofcom expects providers to show who is accountable, how risks are reviewed and escalated internally, and how governance oversight operates across functions as the service evolves. This creates a practical challenge for organizations where legal, compliance, product, and Trust & Safety functions operate in silos.
5. Risk assessments were treated as static exercises
Ofcom’s Year 1 records showed a consistent pattern: assessments completed, filed, and with little indication of how providers intended to keep them current.
Ofcom’s view is that this falls short of the standard. As Nolan put it, “what shows suitable and sufficient risk assessment is a service that is working on this all year round.” The assessment should evolve as the service does: “By updating your risk assessments as things change on your service, as you apply new features, new functionalities, as you see risk levels change through the way that service is being used.”
Year 2 expectation: Risk assessments must evolve alongside the service
For Year 2, the operational shift is structural. Ofcom expects providers to demonstrate not just that a risk assessment was completed, but that the process behind it is ongoing — with governance structures capable of capturing change, reassigning accountability, and updating conclusions as the service evolves.
Ofcom recommends reviewing risk assessments at least annually — and has identified specific triggers requiring earlier reassessment, including significant changes to service design and, most recently, the addition of cyberflashing and encouraging or assisting serious self-harm as new priority offences in December 2025. The summer 2026 deadline is the submission point. The process Ofcom is evaluating runs all year.
Testing the strength of your documentation before submission
Under Ofcom’s published Record-Keeping and Review Guidance, assessments must be contemporaneous rather than reconstructed after the fact. Nolan described what a strong record demonstrates: how risks were identified, how controls work to mitigate them, and the overall credibility of the assessment. Before submitting, test the record against three questions:
- Could an external reviewer — someone not involved in the original process — understand how each risk conclusion was reached and why? This is the threshold Ofcom applies when reviewing records.
- Does the assessment reflect how the service is actually used, not only how it was designed to operate?
- Is there a named individual accountable for the process, and is that accountability visible to the organization’s most senior governance body?
The summer deadline is the immediate pressure point. Providers that approach Year 2 as an administrative exercise — repeating Year 1 submissions with minor changes — are taking on legal and reputational risk. Ofcom has issued fines for failures to respond accurately and on time, has taken action on the suitability of risk assessments, and has named individual platforms publicly. Ofcom’s published position is clear: what it is looking for is not documentation of risk, but demonstrated understanding of it, and the governance to act on it.
Year 2 submissions are due this summer. If you want an independent view of whether your risk assessment is likely to hold up to Ofcom expectations, we can help.
NOTE: This briefing reflects Resolver’s interpretation of Ofcom’s published guidance and Ofcom-facing regulatory commentary. It is not legal advice and does not represent Ofcom’s views.