INSIGHT

New industry standards for online safety: what service providers need to know

By Valeska Bloch, Gavin Smith, William Coote, Tasnim Ahsan
Cyber Data & Privacy

Deadline to carry out risk assessments is fast approaching

Certain online service providers must complete a risk assessment and implement required compliance measures by 21 June 2025. This relates to the following types of material:

  • child sexual exploitation
  • pro-terrorism
  • extreme crime and violence (Class 1A material)
  • crime and violence
  • drug-related material (Class 1B material).

This is required by two industry standards referred to as the Phase 1 Standards:

  • Online Safety (Relevant Electronic Services—Class 1A and Class 1B Material) Industry Standard 2024 (the RES Standard); and
  • Online Safety (Designated Internet Services—Class 1A and Class 1B Material) Industry Standard 2024 (the DIS Standard).

In this Insight, we cover who needs to carry out a risk assessment and the obligations that two new industry standards impose.

Key takeaways

  • The Phase 1 Standards came into effect on 22 December 2024.
  • As soon as practicable, and by no later than 21 June 2025, providers of certain relevant electronic services (RES) and designated internet services (DIS) must conduct their own risk assessment to determine the likely risk of class 1A[1] and class 1B[2] materials being accessed, generated, distributed or stored using their service.
  • The Phase 1 Standards impose a range of obligations depending on the service provider's risk tier (ie Tier 1 (high), Tier 2 (medium) or Tier 3 (low)), or the type of service it is pre-assessed or defined to be if it has a unique risk profile (eg a High impact generative AI DIS or a dating service).
  • New regulation of the access and exposure to class 1C[3] and class 2[4] material on service providers is forthcoming. By no later than 28 February 2025, industry bodies will submit the phase 2 industry codes for the eSafety Commissioner (the Commissioner) to assess whether they should be registered under the Act.
  • The Government also tabled the statutory review of the Online Safety Act on 4 February 2025. It contains 67 recommendations, most notably: introducing a digital duty of care, raising the civil penalties for non-compliance and empowering the Commissioner with greater investigative, information-gathering and monitoring powers. The Government has not currently proposed any legislation to implement the recommendations, but it is a key area to watch with the federal election looming.

How did we get here?

The Act provides for industry bodies to develop new codes to regulate Class 1 and Class 2 materials. The industry bodies (including the Communications Alliance, Australian Mobile Telecommunications Association, Digital Industry Group, and Interactive Games and Entertainment Association) adopted a two-phase approach to develop these codes.

During phase 1, industry bodies drafted eight codes to regulate Class 1A and Class 1B material. Six of these industry codes were registered in 2023, and they apply to the following sections of the online industry: social media services, app distribution services, hosting services, internet carriage services, equipment providers and search engine services. The other two codes were not registered because the Commissioner was not satisfied that they provided appropriate community safeguards. As a result, the Commissioner developed and registered the RES Standard and DIS Standard.

Development of the phase 2 industry codes has been underway since July 2024, with public consultation concluding on 22 November 2024. These codes are intended to deal with class 1C and class 2 materials, which include online pornography and other high-impact material.

Phase 1 Standards

Who do the Phase 1 Standards apply to?

The Phase 1 Standards apply to two sections of the online industry—providers of RESs and DISs.

RES

A service that enables end-users in Australia to communicate with other end-users by:

  • email
  • instant messaging
  • SMS
  • MMS
  • chat services

as well as:

  • services that enable end-users to play online games with each other; and
  • online dating services.

Note: A service that meets the definition of a RES will be required to comply with the RES Standard, regardless of whether it also meets the definition of another industry section.[5]

DIS

A service that:

  • allows end-users in Australia to access material using internet carriage services; or
  • delivers material to persons who have the appropriate equipment for receiving that material via an internet carriage service.

Note: This is a very broad category that includes many apps and websites, as well as file and photo storage services, and some services that deploy or distribute generative artificial intelligence models.[6] A DIS is expressly not:

  • a social media service;
  • a RES;
  • an on-demand program service; or
  • other specified and exempt services.[7]

A service that meets the definition of a DIS will be required to comply with the DIS Standard, unless the service's predominant purpose is more closely aligned with another industry code or industry standard.[8]

Do you need to carry out a risk assessment?

The RES Standard and DIS Standard classify certain service providers as 'pre-assessed' or 'defined' categories. A service provider that falls within either the pre-assessed or defined categories is not required to conduct its own risk assessment. Instead, it is deemed either to fall within a particular risk tier, or to have a unique risk profile such that no specific risk tier is attributed to it.

Service providers that are not captured in the table below must conduct their own risk assessment or default to assigning the service a Tier 1 risk profile.[9]

RES Standard

Pre-assessed category:

  • Communication relevant electronic service
  • Gaming service with communication functionality
  • Dating service

Defined category:

  • Telephony RES
  • Enterprise RES
  • Gaming service with limited communication functionality

DIS Standard

Pre-assessed category:

  • High impact DIS
  • Classified DIS
  • General purpose DIS
  • Enterprise DIS

Defined category:

  • End-user managed hosting service
  • High impact generative AI DIS
  • Model distribution platform


How to conduct a risk assessment

The risk assessment must be undertaken by a person with the relevant skills, experience and expertise to carry it out.[10]

The Phase 1 Standards require certain matters to be taken into account, so far as they are relevant to the service, to determine the overall risk tier for it.[11] These are summarised below. Depending on the nature of a service and the context it operates in, service providers are likely to have additional risk factors to consider beyond the ones below.

Matters to be taken into account for the risk assessment, by applicability to RES or DIS:

Both RES and DIS

  • Predominant purpose of the service
  • Functionality of the service[12]
  • Extent to which material posted on, generated by or distributed using the service will be available to end-users of the service in Australia
  • Terms of use for the service
  • Terms of arrangements under which the provider acquires content to be made available on the service
  • Ages of end-users and likely end-users of the service
  • Outcomes of the forward-looking analysis conducted under section 8(4) of the RES Standard and DIS Standard
  • Safety by design guidance and tools published or made available by a government agency or a foreign or international body
  • Risk to the online safety of end-users in Australia in relation to material generated by artificial intelligence.

DIS only

  • Manner in which material is created or contributed to in connection with the service
  • Whether the service includes chat, messaging or other communications functionality
  • Risk that any generative AI features of the service will be used to generate high-impact materials
  • Design features and controls deployed to mitigate the risks related to material generated by AI and high-impact materials generated by generative AI features of the service

Obligations that flow from risk assessment

The Phase 1 Standards impose a range of obligations depending on the service provider's risk tier arising from the risk assessment (ie Tier 1, Tier 2 or Tier 3), or the type of service it is pre-assessed or defined to be if it has a unique risk profile (eg Telephony RES, High impact generative AI DIS or dating service).

A high-level summary of the obligations that may be applicable to certain RESs and DISs includes:

  • Implement, enforce and publish relevant terms of use.
  • Ensure that there are systems in place to address circumstances where there is a breach of terms in respect of class 1A and class 1B material, including processes to report such material to an enforcement authority if it represents a serious and immediate threat to a person in Australia.
  • Implement a system for disrupting access and distribution of class 1A materials through the RES or DIS.
  • Implement a system to detect and remove class 1A material that is accessible through the RES or DIS.
  • Implement reporting arrangements to ensure compliance with the Phase 1 Standards.
  • Ensure that features and settings that would minimise the risk of class 1A or class 1B material are incorporated before material changes are made to the service.
  • Ensure end-users can effectively control associated communication functions.
  • Implement policies, procedures and mechanisms to report or make complaints, and to respond to complaints.
  • Notify the Commissioner of proposed changes to the features and functions of the service, unless the change will not significantly increase the relevant risk.
  • Cooperate with and report to the Commissioner as required.

What's next?

The Commissioner has stated that no enforcement action will be taken in the first six months of the Phase 1 Standards coming into effect, apart from in exceptional circumstances—eg in response to serious or deliberate non-compliance. The initial focus will be on working with industry bodies and service providers to raise awareness of their obligations under the Phase 1 Standards.[13]

The Commissioner has a range of enforcement options under the Act to address non-compliance with the Phase 1 Standards. These include:

  • a formal warning
  • an enforceable undertaking
  • an injunction
  • an infringement notice
  • civil penalty proceedings or a court order requiring a service provider to cease its service.

Notably, failure to comply with the Phase 1 Standards may, currently, result in a penalty of up to $49.5 million.[14] Service providers should promptly take proactive measures to ensure they are complying with their obligations under the Phase 1 Standards (including conducting a risk assessment if necessary) to avoid enforcement action by the Commissioner, which may commence from 22 June 2025.

Service providers should also be aware that new regulation of the access and exposure to class 1C and class 2 material is forthcoming. The Commissioner will undertake an assessment of whether the draft phase 2 industry codes meet the statutory requirements when they are submitted for registration, which must be no later than 28 February 2025.

Review of Online Safety Act

On 4 February 2025, the Government tabled the statutory review of the Online Safety Act (the Report). This independent review was initially delivered to the Government in October 2024 and makes 67 recommendations aimed at strengthening Australia’s online safety framework.

Key recommendations in the Report include:

  • Legislating a statutory digital duty of care that is intended to place the onus on digital platforms to prevent online harms.
  • Raising the civil penalties for breaches of the Act (ie the maximum penalty to be increased to the greater of 5% of global annual turnover or $50 million).
  • Empowering the Commissioner with stronger investigative, information-gathering and enforcement powers, such as the power to require certain providers of online service to undertake compliance audits at their own expense.
  • Requiring providers of services with the greatest reach or risk to provide an annual transparency report and publish a summarised version on their websites.

There is currently no proposed legislation (or timetable for legislation) to implement the recommendations, but the Government has said it will continue to carefully consider all recommendations put forward in the Report and respond in due course. With the federal election looming, the Government's (and Opposition's) response to online safety reform is a key area to watch.

Footnotes

  1. Class 1A material is child sexual exploitation material, pro-terror material or extreme crime and violence material.

  2. Class 1B material is crime and violence material or drug-related material.

  3. Class 1C material is material that describes or depicts specific fetish practices or fantasies.

  4. Class 2 material is material that is classified, or would likely be classified, as X 18+, R 18+, Category 2 restricted or Category 1 restricted under the National Classification Scheme. This typically captures online pornography and other high-impact material that includes high-impact nudity, violence, drug use, language and themes.

  5. See s5(2) of the RES Standard.

  6. See page 3 of the Regulatory Guidance.

  7. See s14 of the Act.

  8. See s5 of the DIS Standard.

  9. See page 17 of the Regulatory Guidance.

  10. See s8(3) of the RES Standard and the DIS Standard.

  11. See s8(5) of the RES Standard and the DIS Standard.

  12. For a DIS, functionality of the service includes whether the service enables end-users in Australia to post or share material (see s8(5)(b) of the DIS Standard).

  13. See pages 64–66 of the Regulatory Guidance.

  14. See s146 of the Act. The maximum penalty is five times more for a service provider that is a body corporate, due to the application of s82(5)(a) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth).