
Legionella Compliance: 6 Things the Law Requires Every Business to Do

Arinite Health & Safety Consultants
June 27, 2026

Legionella is the kind of risk that hides in plain sight. The bacteria live in water systems that almost every building has: hot and cold water, cooling towers, spa pools, showers and air conditioning. When that water is poorly managed and tiny droplets are breathed in, the result can be Legionnaires' disease, a severe and sometimes fatal form of pneumonia. The World Health Organization treats it as a significant public health risk worldwide.

Because the danger is invisible and the consequences are serious, the law does not leave legionella control to good intentions. In the UK, duties under the Health and Safety at Work Act and the Control of Substances Hazardous to Health Regulations, supported by the HSE's Approved Code of Practice, place clear, enforceable obligations on those who run buildings and water systems. The HSE's legionella guidance sets out what that means in practice. Similar duties apply in most countries, which makes this a live issue for any business operating across borders.

Compliance is not complicated once you know what is required. Here are the six things the law expects every business to do, and where expert support makes them straightforward.

1. Appoint someone responsible and competent

The law expects a named, accountable person to take charge of legionella risk, often called the duty holder or responsible person. This is not a box to tick. It means someone with the authority and the competence to make sure controls actually happen, not just exist on paper.

For many businesses, that person leans on outside expertise to fill the competence gap. Qualified health and safety consultants provide the technical knowledge while the business retains accountability. What the law will not accept is an absence of ownership, where everyone assumes someone else is handling it.

2. Carry out a legionella risk assessment

This is the foundation of compliance. The law requires a suitable and sufficient assessment of the legionella risk in your water systems: where the bacteria could proliferate, who could be exposed and how. Without it, every other control is guesswork.

A proper legionella risk assessment identifies the hazards specific to your building, from dead legs in pipework to stored water temperatures, and sets out what must be controlled. It is also not a one-time document. The law expects it to be reviewed and kept current, which brings us to the duties that follow.

3. Put a written control scheme in place and follow it

Identifying the risk is only useful if you act on it. The law requires a written scheme of control that says exactly how the risk will be managed: temperature regimes, flushing of little-used outlets, cleaning and disinfection, water treatment and the management of cooling systems where present.

The scheme must then be implemented consistently, not filed away. This is where many businesses slip, particularly across multiple sites. Pairing expert advice with software that tracks controls and records gives you one consistent scheme everywhere and a live view of whether it is actually being followed.

4. Monitor, inspect and keep records

Legionella control is an ongoing duty, not an annual event. The law expects regular monitoring of the things that keep water safe: temperatures, water quality, the condition of tanks and outlets, and the operation of any treatment. It also expects you to keep records, because if you cannot show what you did, the law treats it as not having been done.

Record keeping is also your protection. In the event of an outbreak or an inspection, documented monitoring is the difference between demonstrating diligence and facing serious consequences. For sectors with high exposure, such as care homes and healthcare, this evidence trail is especially critical.

5. Train and inform the right people

A control scheme only works if the people responsible for it understand what they are doing and why. The law expects those involved in managing legionella to be competent and adequately informed, from the responsible person down to the staff carrying out routine checks.

That means appropriate training, clear procedures and a shared understanding of what good looks like. In high-turnover environments such as hotels and leisure facilities, where seasonal and new staff are common, keeping this knowledge current is a continual task rather than a one-off induction.

6. Review regularly, and after any change

Buildings and water systems change. A new tenant, a refurbishment, a period of low occupancy or an altered use can all change the legionella risk, sometimes dramatically. The law expects the risk assessment and controls to be reviewed regularly and whenever something material changes.

Periods of low or no occupancy are a particular trap, as stagnant water in unused systems is exactly where legionella thrives. Regular health and safety audits test whether your controls still match reality, catching the drift between what the paperwork says and what is actually happening before it becomes a problem. For property and real estate operators managing changing portfolios, this discipline is essential.

The legionella compliance checklist

Run these questions against your building or portfolio. A "no" answer is a legal gap, not a minor one.

  • Have you appointed a named, competent person responsible for legionella? Yes / No
  • Is there a current, suitable and sufficient legionella risk assessment for every site? Yes / No
  • Do you have a written scheme of control that is actually being followed? Yes / No
  • Are temperatures, water quality and systems monitored on a regular schedule? Yes / No
  • Are monitoring activities recorded and the records kept and accessible? Yes / No
  • Are the people managing and carrying out controls trained and competent? Yes / No
  • Is the assessment reviewed regularly and after any change or low-occupancy period? Yes / No
  • For multi-site or international portfolios, is every location held to the same standard? Yes / No

If you cannot answer yes with confidence, you have a compliance gap that the law, and an inspector, will not overlook.

Where Arinite fits

Arinite has spent 15+ years helping businesses meet duties exactly like these without the stress of working them out alone. We support 1,500+ businesses across 50+ countries and have helped protect 100,000+ employees, with a 95% client retention rate. Our approach combines practical advice from qualified consultants with software that keeps controls and records visible across every site.

Legionella rarely respects borders, and neither do the businesses we support. As international health and safety consultants, we help organisations hold one high standard across their whole estate, adapted lawfully to each country and aligned with recognised frameworks such as ISO 45001. Our global coverage is built for multi-site and cross-border operations that cannot afford an inconsistent approach.

The quickest way to find out where you stand is a free gap analysis. Our specialists review your current arrangements and tell you plainly what is compliant and what is not. Book your free gap analysis and close the gaps before they find you.
