Copy of Section 4.3 of the DIS Code (see pages 8 – 9)
4.3 Methodology used for risk assessment and documentation
(a) If a risk assessment is required under this Code, the provider of the DIS must:
(i) be able to reasonably demonstrate that the provider’s risk assessment methodology is based on reasonable criteria which must, at a minimum, include criteria relating to the functionality, purpose and scale of the DIS (including the extent to which material posted on, distributed using or generated by the service will be available to end-users of the service in Australia and any generative AI features of the service) and, to the extent reasonably relevant, the additional requirements set out in clause 5, and any other criteria that are reasonably relevant for the purposes of determining the risk profile of the DIS under this Code.
(ii) formulate in writing a plan and methodology for carrying out the risk assessment that ensures each risk factor is accurately assessed.
(iii) carry out the risk assessment in accordance with the plan and methodology prepared under clause 5, and by persons with the relevant skills, experience and expertise; and
(iv) as soon as practicable after determining the risk profile of a designated internet service, the provider of the service must record in writing:
(A) details of the determination;
(B) details of the conduct of any related risk assessment; and
(C) sufficient to demonstrate that they were made or carried out in accordance with this clause.
(v) The record must include the reasons for the results of the assessment and the determination of the risk profile.
(vi) The service provider may carry out a single risk assessment covering all relevant categories of material at once, provided that a separate risk profile is assessed for each relevant category.
Prepared solely for the use of current members of the Eros Association.
Eros General Manager January 2026
