The safety duties in the OSA require providers to take proportionate steps to mitigate the risk of harm to their users, resulting in high expectations for the largest and riskiest providers to address the risk of harm from illegal content. All services must carry out a suitable and sufficient illegal content risk assessment and, if likely to be accessed by children, a children’s risk assessment. The OSA states that providers will be deemed to be compliant with their safety duties if they adopt the measures in the codes that are relevant to their service – this is known as the ‘safe harbour’. The codes set out the measures that we are satisfied are proportionate. It is not possible within the framework of the OSA to recommend a measure that asks a service to remove all risks. We cannot assess the impact and proportionality of a measure if we do not know what compliance with it would entail. However, we believe that the risk assessment practice outlined in our Risk Assessment Guidance, combined with the governance measures in our codes, will ensure that services cannot ignore significant unmanaged levels of risk. Our guidance sets out steps to help providers understand the inherent risk posed by the functionalities, design and operation of their service, and consider the residual risks faced by users after existing controls. These risk assessments should give firms a comprehensive understanding of all their risks. The corporate governance and accountability measures in our codes will ensure they act on them. Some services may choose to go further to mitigate risks to users.