19 Mar 2024
by Isabel Davies

Illegal Harms Consultation (Online Safety Act) – overview for games companies

Guest blog from Isabel Davies, Senior Associate at Wiggin.

Coming in at over 1600 pages, Ofcom’s online illegal harms consultation is the first of four major consultations expected over the next year on the Online Safety Act (OSA). The consultation contains Ofcom’s detailed draft guidance for risk assessments, illegal content, governance (inc. record keeping and review), content communicated “publicly” and “privately” and enforcement. This guest blog primarily focuses on the risk assessment and illegal content portions of the consultation.

Consultations on the assessments relating to children’s (‘legal but harmful’) harms are expected this spring.

(If you want an introduction to the Online Safety Act, visit the previous blog post on Wiggin's website.)

What are some key terms you should learn before diving in?

Risk Profiles – these are lists of characteristics and features that might be on an online service that may add to the likelihood of there being a certain type of illegal harm on your service (e.g. anonymous user profiles may increase the risk of hate speech). The full profiles are in Appendix A of Appendix 5.

‘Priority’ illegal harms – a list of illegal harms which every service captured by the OSA has to complete a risk assessment for. Volume 2 contains the detail on this.

Register of Risks – this is an overview of the different offences there are for the ‘priority’ illegal harms (more on this below). For example, for ‘controlling or coercive behaviour’ this points to the Serious Crime Act 2015. The register is in Appendix B of Appendix 5.

How is Ofcom recommending that illegal harms are assessed?

Ofcom is suggesting a four-step process for assessing illegal harms:

(1) Understand the harms. Identify how the priority harms (detailed below) may be manifesting on your service and consult the Risk Profiles as part of this. As well as assessing the priority illegal harms, you will need to consider if there are any ‘non-priority’ harms that are relevant to your game.

(2) Assess the risk of harm. This involves considering the likelihood, impact and risk level to your users. To make this assessment, you’ll need to consider:

  • The Risk Profiles (which you’ll have filled out in Step 1) and if there are any features / characteristics on your service not included in the Risk Profiles which may add to risk levels. More details about the risk factors specific to each illegal harm are set out in volume 2.
  • Your core evidence (user complaints, user data, post-mortems of previous issues of harm and any other information you already hold).
  • If you don’t have sufficient core evidence (or if your risk landscape is complex!), you can also consider enhanced evidence (e.g. external experts, consulting with users, product testing).
  • The additional guidance from Ofcom on CSEA and grooming.
  • Any systems / processes in your game that may decrease risk (for example – internal governance, use of proactive technology, how you promote user media literacy).

You will then need to give each harm a ‘low’, ‘medium’ or ‘high’ risk rating – to help assess this there is a risk matrix and risk level table, including specific ones for CSEA and grooming (albeit these are not definitive criteria).

If you have two or more illegal harms with a ‘medium’ or ‘high’ risk rating, under the current consultation the game would be considered a ‘multi-risk’ service. This will impact the number of recommended mitigation steps in (3) below (as will being a ‘large’ service).

Currently the above assessment process is the same regardless of your service type and size. A ‘large’ service is currently being posited as one with over 7 million monthly active users in the UK – importantly if you’re a ‘large’ service in relation to illegal harms this does not necessarily mean you’re a ‘categorised’ service under the OSA more broadly.

(3) Decide on measures, implement and record outcomes.

Once you’ve assessed the risks, you will then need to consider how you might mitigate these risks (the Ofcom Codes of Practice on terrorism and CSEA may help here).

This will include having: (i) a named person in your company accountable for safety duties; (ii) content moderation that allows for swift takedowns of illegal content; (iii) an easy to find, access and use complaints system; and (iv) clear Terms of Service on these topics.

You will also need to consider record keeping and governance measures (e.g. how will you record all of this information and keep it up-to-date).

(4) Report to relevant governance channels, monitor effectiveness and review. Once the risk assessment is completed and this has been reported internally, the basic rule is that the risk assessments should be reviewed annually. However, it should also be reviewed if the game undergoes a material update or change that may impact the risk assessment, or Ofcom updates its Risk Profiles which also impacts how the risks on your service are assessed.

What are the different (‘priority’) illegal harms and which ones does Ofcom think are most relevant to games?

Video games are seen as particularly relevant for terrorism (as a tool for recruitment), grooming, harassment / stalking / abuse, threatening communications and hate offences. It is worth noting that although these five illegal harms specifically flag video games as a service type of risk, every service needs to assess against ALL priority illegal harms in their risk assessment, as well as any “non-priority” offences if there is a particular risk of this on your service.

The full ‘priority’ illegal harms list is as follows.

  • Terrorism offences
  • Child Sexual Exploitation and Abuse (CSEA) – which is broken down into grooming and Child Sexual Abuse Material (CSAM) and should be assessed separately.
  • Encouraging suicide / attempted suicide / serious self-harm
  • Harassment / stalking / threats / abuse offences
  • Hate offences
  • Controlling or Coercive Behaviour (CCB)
  • Drugs and psychoactive substances offences
  • Firearms and other weapons offences
  • Unlawful immigration and human trafficking offences
  • Sexual exploitation of adults
  • Extreme pornography
  • Intimate Image Abuse
  • Proceeds of crime
  • Fraud & financial services offences
  • Foreign interference

In all cases, it’s not just considering whether illegal harms content might appear on your service, but whether your service could be used to commit or facilitate such an offence.

What should you do next?

  1. It’s important to assess whether or not you have sufficient ‘core evidence’ readily available – if not you may not be able to do a sufficient risk assessment (albeit you can move to the ‘enhanced evidence’ if so).
  2. The final illegal harms guidance is not expected until the end of 2024 (at which point companies will have three months to complete their risk assessments). Despite this, it is not a bad idea to consider assessing the risks of your game currently (essentially, do a ‘WIP’ risk assessment) and see where you might have particular issues or mitigation gaps.
  3. If you are a games company likely in the scope of the OSA for illegal harms, it will also likely mean you’ll be in scope for children’s harms too. Therefore, getting started on the illegal harms work now means less of a squeeze at the back end of 2024 / start of 2025.

If you want to read this consultation yourself, where should you start?

If this blog post has whetted your appetite, we would suggest reading the consultation in the following order (excluding the parts relating to search services and enforcement):

  1. Overview – summarises the main themes of the consultation.
  2. A summary of each chapter – gives a high-level summary of the key proposals and the input it wants from stakeholders.
  3. Volume 1 – an overview of how services will be regulated under the OSA and who these services are likely to be.
  4. Annexe 5 – this walks through the process of an illegal harms risk assessment. (There is also further rationale on the risk assessment process in volume 3, below). This also contains the:
     • Risk matrix and risk level table.
     • Risk Profiles in Appendix A.
     • Register of Risks in Appendix B.
  5. Volume 2 – this goes into more detail on the 15 types of illegal harms, including the risk factors of a service specific to each illegal harm.
  6. Volume 5 – this goes into detail on how to actually assess if illegal content is illegal or not. Annexe 10 goes into this in even more detail.
  7. Volume 4 – this covers the illegal content codes of practice. Annexe 7 is also relevant here.
  8. Volume 3 – this covers who a risk assessment should be done by and also discusses record keeping and review (see also: annexe 6).
  9. Annexes 1 – 4 – which compile the 55 consultation questions.

To learn more about Wiggin, you can visit their website here.

Isabel Davies

Senior Associate, Wiggin

Isabel’s work spans the breadth of the interactive entertainment industry, including advising video games, esports and digital broadcast businesses. She has particular insight into the mobile and casual gaming markets.

“Having previously worked in-house at Disney Interactive and King in both legal and business development roles, I have experience advising on some of the top titles in the industry on a day-to-day basis. I have a particular focus on regulatory matters (such as consumer law, online safety and child protection), but I regularly advise clients on commercial and intellectual property issues too.

I’m fortunate enough to have worked with a whole range of clients, from small independent developers, global publishers, esports teams and famous streamers. Some of my work highlights include auditing some of the world’s most popular free-to-play games on topics such as online safety and dark patterns, the re-negotiation of a high-value co-development agreement, and advising several games companies on their Children’s Code engagements with the ICO.

Naturally I’m a keen gamer, so outside work can often be found in front of my vibrantly lit PC!”

Prior to joining Wiggin, Isabel was at Purewal & Partners. Isabel has written for a number of publications including GI.biz, Legal Futures and Online Gambling Lawyer. She has also spoken at events such as Pocket Gamer Connects, Campaign Gaming Summit and Konsoll Connects and has guest lectured at several UK universities.
