Health and Safety Legal Register: 12 Essentials for US, UK and Global Compliance

A health and safety legal register is a documented list of every health and safety law, regulation, standard, and other requirement that applies to a business, together with how the business demonstrates compliance with each one. It is the single artefact that turns "we follow the law" from a claim into evidence. For organisations certified or seeking certification to ISO 45001, the register is not optional: Clause 6.1.3 of the standard explicitly requires the organisation to determine, document, and keep up to date its legal and other requirements.
For US businesses navigating federal OSHA plus 22 state plans, for UK businesses inheriting decades of statute, and for any company operating internationally, the legal register is the spine of the compliance system. Done well, it protects you in inspections, due diligence, insurance renewals, and incident investigations. Done badly, or left out of date, it becomes the document the regulator's lawyer points at first.
Below are the 12 essentials every health and safety legal register should contain, with what each one means in practice across US, UK, and international contexts. Each links to the support behind it. For underlying authority, see US OSHA's laws and regulations portal, the UK Health and Safety Executive, EU-OSHA, the ILO, and ISO 45001.
1. A Clear Scope: Who, What, and Where the Register Covers
Every register must start with a defined scope: the legal entity or entities it covers, the activities performed, the jurisdictions involved, and the sites included. Without scope, the register cannot tell you whether something is missing. For multinationals, the scope statement is where you confirm whether the register covers your US entities, your UK operating company, your European subsidiaries, or all of the above. Chartered Health and Safety Consultants define this scope first, before populating any content.
2. Federal or National Primary Legislation
Every register lists the foundational statute that creates the duty of care in each jurisdiction. In the US, that is the Occupational Safety and Health Act of 1970, administered by federal OSHA. In the UK, it is the Health and Safety at Work etc. Act 1974. In the EU, it is Framework Directive 89/391/EEC, implemented through national law in each member state. The register names the primary statute for every country in scope.
3. Subordinate Regulations and Statutory Instruments
Below the primary act sits the body of detailed regulations that actually drive day-to-day compliance. In the US, that is the Code of Federal Regulations Title 29 (the OSHA standards, including 1910 for general industry and 1926 for construction). In the UK, it is the body of statutory instruments under HSWA 1974, including the Management of Health and Safety at Work Regulations 1999, COSHH, RIDDOR, DSE, and many others. Each entry should specify the regulation, its scope, and your operational owner.
4. State, Devolved, or Provincial Variations
This is the layer most registers under-cover, and it is where regulators most often find gaps. In the US, 22 state plans cover private sector workers in their states, with standards that can be more stringent than federal OSHA; see OSHA's State Plans page. In the UK, Scotland and Northern Ireland have devolved variations (Northern Ireland has its own HSENI). In Canada, occupational health and safety is provincial. In Germany, the federal Arbeitsschutzgesetz sits alongside DGUV institutional rules. A complete register names each sub-national variation that applies.
5. Sector-Specific Regulations
General H&S law is layered with sector-specific obligations: construction (US 29 CFR 1926, UK CDM 2015), healthcare (bloodborne pathogens, infection control), chemicals (US HazCom, UK COSHH, EU REACH and CLP), food, transportation, and energy each carry their own regime. The register must capture every sector regulation that applies to your activities, not just the generic ones. Health and Safety Audits routinely uncover sector regulations missing from informal registers.
6. International Standards You Have Adopted
If you are certified or aligned to ISO 45001 (occupational H&S management) or ISO 45003:2021 (psychological health and safety), or to ISO 14001 (environment), or to industry standards (NEBOSH, IOSH, OHSAS), those become "other requirements" under Clause 6.1.3 and must appear in the register alongside statutory law. They carry contractual and certification consequences if breached.
7. Contractual and Customer-Imposed Requirements
Many businesses are bound by H&S obligations that are not in any statute: client SLAs, prime contractor flow-down requirements (especially common in US construction and federal work), insurance policy conditions, lender covenants, and parent-company group standards. These belong in the register because they create real, enforceable duties even where the law is silent. A diligence team will check whether you have captured them.
8. The Practical Action Each Requirement Generates
A register that just lists laws is a bibliography, not a compliance tool. Each entry should record what your business actually does to meet that requirement: the policy, the risk assessment, the training, the audit, the inspection, the report, the procedure. This is the column that turns the register from a description into a defence. Health and Safety Consultants and Software build this link as standard, so each legal requirement connects directly to the evidence behind it.
9. A Named Owner and Review Date for Every Entry
Every requirement needs a human owner inside the business, and a review date. Without ownership, items go stale and nobody notices. The review cadence should reflect risk: high-impact regulations and frequently changing areas (fire safety, building safety, chemicals) need shorter cycles; settled, slow-moving law can be reviewed annually. An external chartered competent person provides the qualified second pair of eyes most internal teams lack.
10. A Live Update Process for Changing Law
Law moves. The US sees regular OSHA standard updates and state plan amendments. The UK has seen the Building Safety Act 2022, the Fire Safety Act 2021, and the Fire Safety (England) Regulations 2022 in quick succession. The EU is rolling out updates on chemicals, AI in the workplace, and psychosocial risk. A static register quickly becomes wrong. The register needs a defined process for monitoring legal change and updating entries within a stated window, supported by Health and Safety Consultants whose job it is to track those changes for you.
11. Multi-Country Harmonisation for Global Operations
For businesses operating across borders, the register should not be 30 disconnected national documents. The most defensible model is a single master register with country-specific sections for each operating jurisdiction (US federal plus relevant state plans, UK, France's DUERP and labour code obligations, Spain's LPRL, Germany's Arbeitsschutzgesetz and DGUV, Italy's D.Lgs. 81/2008, the Netherlands' Arbowet). Global Health and Safety Consultants and International Health and Safety Consultants maintain that consolidated view rather than letting it fragment by country.
12. Audit-Ready Export at the Push of a Button
The final test of a legal register is whether it can be produced, on demand, for an inspector, an auditor, an insurer, or a buyer's diligence team. A register stored in a binder or scattered across emails fails that test. A register held in a health and safety software platform passes it: one login, one export, complete and dated. This is now the practical standard for ISO 45001 certified organisations and for any business that has been through serious due diligence.
How the Legal Register Fits the Wider Compliance System
The register is the spine, not the whole skeleton. It connects to (and depends on) the rest of your compliance system:
- A current health and safety policy that points to the register as the source of legal scope
- Risk assessments that reference the specific requirements in the register they help discharge
- Health and safety training records mapped to the regulations that mandate the training
- Independent Health and Safety Audits that test the register's completeness and accuracy
- One platform via Health and Safety Consultants and Software that holds the register and its supporting evidence in one place
For background factsheets on individual topics, see Arinite's factsheets library. For deeper guidance on OSHA topics, see NIOSH research and guidance.
Frequently Asked Questions
What is a health and safety legal register?
It is a documented list of every health and safety law, regulation, standard, and other requirement that applies to a business, together with how the business demonstrates compliance with each one. ISO 45001 Clause 6.1.3 requires certified organisations to maintain one.
Is a legal register a legal requirement?
The register itself is not separately required by statute in most jurisdictions, but the underlying duty to identify and comply with applicable law absolutely is. In practice, a documented register is the most defensible way to evidence that you have done so, and ISO 45001 makes it a certification requirement.
What is the difference between a legal register and a risk assessment?
A risk assessment identifies hazards and the controls applied to them. A legal register identifies the laws and other requirements that apply to the business and the evidence of compliance. They are complementary: the register tells you what the law expects; the risk assessment tells you whether the work is safe in practice.
How often should a legal register be reviewed?
At minimum annually, with continuous monitoring for legal change in between. Higher-risk and fast-moving regulatory areas (chemicals, fire safety, building safety, AI in the workplace) need shorter review cycles.
Can software maintain a legal register?
Yes, and for any multi-country or growing business it is now the practical standard. Health and Safety Consultants and Software combine expert maintenance with a platform that holds the register, its evidence, and its export trail in one place.
How does a legal register work for a multinational?
The most defensible model is a single master register with country-specific sections covering each operating jurisdiction (US federal plus state plans, UK, EU member states, and any other countries), maintained by International Health and Safety Consultants under one consistent methodology.
What happens if a legal register is missing or out of date?
In an ISO 45001 audit, it is a non-conformance that can affect certification. In a regulatory inspection, it weakens the defence that the business identified and met its duties. In due diligence, it shifts negotiating leverage to the buyer. None of those outcomes is necessary.
Turn Your Legal Register into a Position of Strength
A health and safety legal register is one of the highest-leverage documents a business maintains. Built well and kept live, it protects the business from regulators, insurers, buyers, and incidents alike. Built badly or allowed to drift, it becomes the first thing weaponised against you when something goes wrong.
Arinite combines chartered Health and Safety Consultants, purpose-built Health and Safety Consultants and Software, independent Health and Safety Audits, and proven International Health and Safety Consultants capability across 50+ countries and 1,500+ businesses, with 15+ years of experience, 95% client retention, and 100,000+ employees protected.
If you want a legal register that genuinely stands up to scrutiny, in the US, the UK, and every country you operate in, speak to our team. We will show you exactly where your current register stands and what it takes to make it audit-ready.
Written by
Arinite Health & Safety Consultants
Health & Safety Expert at Arinite


