Skip to content

HSE inspections up 47% - HSE carried out over 13,200 workplace inspections in 2024/25.

Blog/HEALTH & SAFETY

Legionella Risk Assessment: What It Is, the Law, and Who Needs One

A
Arinite Health & Safety Consultants
June 20, 2026
20 min read
Legionella Risk Assessment: What It Is, the Law, and Who Needs One

Legionella is a risk that many organisations underestimate, precisely because it is invisible. Unlike a blocked fire exit or an unguarded machine, the bacteria that cause Legionnaires' disease grow silently in water systems, and the first sign of a problem can be a serious or fatal illness.

Legionnaires' disease is a severe form of pneumonia caused by inhaling small droplets of contaminated water containing Legionella bacteria. It can be fatal, particularly for older people and those with weakened immune systems, and outbreaks linked to poorly maintained water systems have caused deaths and led to significant prosecutions. The bacteria thrive in water systems held at the wrong temperatures, where water stagnates, or where conditions allow them to multiply, conditions that exist in the water systems of ordinary offices and commercial buildings, not just cooling towers and industrial plant.

The law treats this seriously. Duty holders who fail to assess and control Legionella risk face enforcement and prosecution, and in 2024/25 the HSE secured over £33 million in fines across its enforcement activity, with water safety failures among the matters that attract serious penalties.

A Legionella risk assessment is the foundation of controlling this risk and meeting the legal duty. Health and Safety Consultants help duty holders assess and manage Legionella risk properly, protecting people and demonstrating compliance.

1. What Legionella and Legionnaires' Disease Are

Understanding the hazard is the starting point for understanding the assessment.

Legionella bacteria: Legionella are bacteria found naturally in environmental water sources such as rivers and lakes, usually in low numbers. The problem arises when they enter and multiply in artificial water systems, the hot and cold water systems, cooling towers, and other water sources found in buildings, where conditions can allow them to reach harmful concentrations.

Legionnaires' disease: When water containing Legionella is dispersed as a fine spray or aerosol, from a tap, shower, cooling tower, or similar, and inhaled, it can cause Legionnaires' disease, a potentially fatal pneumonia. Related, milder illnesses include Pontiac fever. Those most at risk include people over 45, smokers, heavy drinkers, and those with weakened immune systems or existing respiratory or kidney disease.

Where the risk arises: Legionella multiply where water is stored or recirculated at temperatures between roughly 20 and 45 degrees Celsius, where water stagnates, where there is sediment, scale, rust, or biofilm to feed on, and where aerosols can be created and inhaled. Common risk sources include hot and cold water systems, cooling towers and evaporative condensers, spa pools, and any system that creates a breathable spray.

Why ordinary buildings are at risk: Crucially, these conditions are not confined to industrial sites. The hot and cold water systems of ordinary offices and commercial buildings, particularly where parts of the system are little used (creating stagnation) or temperatures are not properly controlled, can harbour Legionella. This is why the duty reaches so many organisations.

Legionella risk assessment is a clear legal duty, set out across general health and safety law and specific guidance.

The Health and Safety at Work Act 1974: The Health and Safety at Work Act 1974 places general duties on employers and those in control of premises to ensure, so far as is reasonably practicable, the health and safety of employees and others who may be affected, which includes the risk from Legionella.

The COSHH Regulations 2002: The Control of Substances Hazardous to Health Regulations 2002 treat Legionella as a hazardous biological agent, requiring duty holders to assess the risk and put controls in place. This is the specific regulatory basis for the Legionella risk assessment.

The Approved Code of Practice L8: The HSE's Approved Code of Practice and guidance, "Legionnaires' disease: The control of Legionella bacteria in water systems" (known as ACoP L8), sets out what duty holders must do to comply. An Approved Code of Practice has special legal status: while following it is not the only way to comply, a duty holder who has not followed it and cannot show equivalent compliance may be found at fault.

HSG274: The supporting technical guidance HSG274 provides detailed practical guidance on assessing and controlling Legionella risk in different types of system.

The duty in summary: Duty holders must identify and assess the risk from Legionella, prepare a scheme to prevent or control it, implement and manage that scheme, keep records, and appoint a competent person to take responsibility. The HSE provides guidance on Legionella for duty holders.

3. Who Is the Duty Holder?

Identifying who carries the legal duty is essential, because the obligation falls on specific people.

Who the duty falls on: The duty to assess and control Legionella risk falls on the "duty holder," which includes employers, those in control of premises, and those with responsibilities for premises, for example through a tenancy or maintenance contract. In practice this means:

  • Employers in respect of their workplaces
  • Landlords in respect of premises they let, including the water systems they are responsible for
  • Those in control of premises, such as building owners, managing agents, and facilities managers

The shared-responsibility reality: As with fire safety, responsibility in multi-occupied buildings can be shared. A building owner or managing agent may be responsible for the central water systems and common parts, while a tenant employer may have responsibilities for systems within its own demised area. The duties must be understood and coordinated, and a common mistake is for each party to assume the other has it covered.

The office and commercial tenant: An office-based business occupying part of a building should not assume Legionella is entirely the landlord's concern. Depending on the arrangements and what systems fall within its control, the tenant may carry duties of its own, particularly for any water outlets, such as taps, showers, or kitchen facilities, within its space. Clarifying this is part of a proper assessment.

Appointing a responsible person: The duty holder must appoint a competent person, sometimes called the "responsible person," to take day-to-day responsibility for managing Legionella risk. This connects to the wider competent person duty under health and safety law.

4. What a Legionella Risk Assessment Covers

A Legionella risk assessment systematically examines a building's water systems to identify where Legionella risk arises and what controls are needed.

What the assessment examines:

The water systems: A survey of the hot and cold water systems and any other relevant systems (cooling towers, spa pools, and similar where present), mapping how water is stored, heated, distributed, and used.

Temperatures: Whether hot water is stored and distributed hot enough, and cold water kept cold enough, to inhibit Legionella growth, since the bacteria multiply in the intermediate temperature range.

Stagnation: Whether there are little-used outlets, dead legs (sections of pipework where water stagnates), or infrequently used parts of the system where water sits and bacteria can multiply.

System condition: Whether there is scale, sediment, rust, or biofilm that can harbour and feed bacteria.

Aerosol creation: Where the system creates breathable sprays, showers, spray taps, cooling towers, that could disperse contaminated water.

Who is at risk: The people who could be exposed, including any especially vulnerable individuals.

Existing controls: What management and control measures are already in place.

The output: The assessment identifies the level of risk, the points in the system where risk arises, and the control measures needed, recorded as a clear assessment with an action plan. Where risk is identified, it informs the written control scheme that the duty holder must then implement and manage.

5. Who Can Carry Out a Legionella Risk Assessment?

A Legionella risk assessment must be carried out by someone competent, and given the technical nature of the hazard, competence here is specific and important.

The competence requirement: ACoP L8 requires that the risk assessment is carried out by a competent person with the necessary skills, knowledge, training, and experience to understand water systems and Legionella risk. This is a more specialised competence than general health and safety knowledge, requiring understanding of water system design, the conditions that promote Legionella growth, and the relevant standards.

Can a duty holder do their own? For the very simplest premises with minimal water systems, a suitably informed duty holder might assess the risk using HSE guidance. For most premises, however, particularly those with more complex water systems, cooling towers, or higher-risk populations, a competent Legionella risk assessor is needed to ensure the assessment is genuinely adequate.

Why competence matters here especially: Legionella risk is technical and the consequences of getting it wrong are severe, up to and including fatal illness. An assessment that misses a dead leg, fails to identify inadequate temperature control, or overlooks a stagnation risk leaves people exposed to a potentially deadly hazard, and the duty holder exposed to prosecution. The specialised nature of the risk makes competent assessment particularly important.

The professional route: For most duty holders, engaging competent professionals to carry out the Legionella risk assessment, as part of broader Health and Safety Consultants support, ensures the assessment is genuinely adequate and provides the documented competence that compliance requires. Arinite's Legionella service provides exactly this.

6. The Written Control Scheme

A Legionella risk assessment is the foundation, but where it identifies a risk that needs controlling, the duty holder must go further and implement a written control scheme.

What the control scheme is: Where the assessment identifies a foreseeable Legionella risk, ACoP L8 requires the duty holder to prepare a written scheme for preventing or controlling that risk, and to implement and manage it. The scheme sets out how the risk will be controlled in practice.

What the control scheme typically includes:

  • An up-to-date description of the water system, often including a schematic diagram
  • The control measures to be applied, such as temperature control (keeping hot water hot and cold water cold), regular flushing of little-used outlets, and keeping the system clean
  • The monitoring to be carried out, such as temperature checks and inspections, and how often
  • The records to be kept
  • Who is responsible for each task
  • What to do if the controls are not effective

Implementing and managing it: The scheme is not a document to be filed but a live management regime. The control measures must be carried out, monitored, and recorded, and the scheme reviewed and updated as needed. This ongoing management is where many duty holders fall short, having an assessment but not genuinely implementing and maintaining the controls.

The connection to wider management: Managing a Legionella control scheme, with its recurring monitoring tasks, checks, and records, benefits from systematic management, including the Health and Safety Consultants and Software that track recurring tasks, flag those due, and maintain the records that demonstrate compliance.

7. How Often Should a Legionella Risk Assessment Be Reviewed?

Legionella risk assessment, like the underlying risk, is not static, and keeping the assessment current is part of compliance.

The review requirement: ACoP L8 requires the risk assessment to be reviewed regularly and whenever there is reason to believe it may no longer be valid. There is no single fixed interval mandated, but the duty to keep it current is clear, and a common benchmark is to review at least every two years, and sooner where circumstances warrant.

When review is needed:

  • Changes to the water system: Alterations, additions, or removal of parts of the system
  • Changes to the building or its use: Refurbishment, change of use, or changes in occupancy
  • Changes in occupancy patterns: For example, parts of a building becoming little used, creating stagnation, a real consideration where hybrid working has reduced office occupancy
  • When controls are not effective: If monitoring shows the control measures are not keeping the risk in check
  • After a case or outbreak: Any suspected or confirmed case linked to the premises
  • Periodically regardless: To confirm the assessment remains valid

The hybrid-working consideration: A specific and current point for office buildings: reduced occupancy from hybrid working can lead to water systems and outlets being used less, increasing stagnation and Legionella risk. Buildings that changed occupancy patterns may need their Legionella risk reassessed, an often-overlooked consequence of the shift to hybrid work.

Managing review: As with all assessments, tracking when review is due, and ensuring the recurring monitoring tasks within the control scheme are carried out, benefits from systematic management and software support.

8. Legionella Risk in Offices and Commercial Buildings

Because the office, technology, and finance sectors, and commercial premises generally, often assume Legionella is not their concern, this deserves specific attention.

The misconception: There is a widespread assumption that Legionella is a risk only for industrial sites, hospitals, or buildings with cooling towers and spa pools. In fact, the hot and cold water systems of ordinary offices and commercial buildings can harbour Legionella, and the duty to assess applies to them.

Why offices are at risk: Office buildings have hot and cold water systems serving kitchens, toilets, showers (increasingly common in buildings with end-of-trip facilities), and other outlets. Where temperatures are not properly controlled, where there are little-used outlets or dead legs, or where occupancy is intermittent, Legionella can multiply. Spray taps and showers can then create the aerosols that cause infection.

The hybrid-working factor again: The reduction in office occupancy from hybrid working has heightened this risk in some buildings, as reduced use leads to water stagnating in systems and outlets, exactly the condition Legionella favours. This is a live, current consideration for office-based employers and the managers of commercial buildings.

The shared-building point: Office tenants should clarify, as part of a proper assessment, which water systems fall within their responsibility and which the building owner or managing agent controls, and ensure the risk is assessed and managed across the boundary, not assumed to be the other party's concern.

The practical conclusion is that office, tech, and finance employers and commercial building managers should not dismiss Legionella, it is a genuine, if often overlooked, duty that applies to their premises.

9. Legionella Within Wider Health and Safety Management

Legionella risk assessment is a specialist assessment, but it works best as part of a coherent approach to health and safety, not as an isolated obligation.

Part of the risk assessment picture: Legionella risk assessment is one of the specific assessments a duty holder needs, alongside the general workplace risk assessment, fire risk assessment, and others. A coherent approach ensures all the necessary assessments are identified and managed together.

Connection to COSHH: Because Legionella is treated as a hazardous biological agent under the COSHH Regulations 2002, Legionella assessment connects to the broader management of substances hazardous to health, addressed by Arinite's COSHH support.

Connection to policy and the competent person: The duty holder's arrangements for Legionella should be reflected in the health and safety policy, and the competent person overseeing health and safety ensures Legionella is managed alongside other risks.

Connection to audit: Independent Health and Safety Audits verify that Legionella risk is being managed, that the assessment is current, the control scheme implemented, and the monitoring carried out, as part of assessing the organisation's overall management of health and safety.

The system view: Managed as part of a coherent health and safety management system, overseen by a competent person and supported by software that tracks the recurring monitoring tasks, Legionella risk is controlled reliably and demonstrably, rather than being an isolated assessment that, once filed, is forgotten until a problem arises.

10. Legionella and Water Safety for International Organisations

For organisations operating across borders, Legionella and water safety carry an international dimension, because the requirements and standards vary by jurisdiction.

Legionella is a global risk: Legionella bacteria and the disease they cause are not confined to any one country, and most developed jurisdictions have requirements relating to Legionella and water safety, though the specific regulations, standards, and approaches differ.

Different national frameworks: The UK's ACoP L8 and HSG274 regime is one approach; other countries have their own regulations, standards, and guidance for controlling Legionella in water systems, sometimes with different temperature requirements, monitoring regimes, and documentation. A UK assessment satisfies UK requirements but not necessarily those of other jurisdictions.

The multinational challenge: An organisation with premises in multiple countries must ensure Legionella and water safety are managed to each jurisdiction's requirements, while maintaining consistent group standards for protecting people, wherever they are.

Coordinated international support: International Health and Safety Consultants help multinational organisations manage Legionella and water safety, alongside the full range of health and safety risks, across all their locations, meeting each country's requirements while maintaining consistent group standards, often within an ISO 45001 framework, with Health and Safety Consultants and Software providing consolidated visibility of compliance across countries.

11. Common Legionella Compliance Failures

Understanding the common failures helps duty holders manage Legionella risk properly and avoid the pitfalls that lead to exposure.

No assessment at all: The most basic failure, duty holders, particularly office and commercial tenants, who do not realise the duty applies to them and have never carried out a Legionella risk assessment.

Assuming it is someone else's responsibility: In multi-occupied buildings, each party assuming the other has it covered, leaving the risk unassessed at the boundary between landlord and tenant responsibility.

Assessment without control: Carrying out a risk assessment but never implementing or maintaining the written control scheme it requires, so the risk is identified but not actually controlled.

Controls not monitored: Having a control scheme on paper but not carrying out the recurring monitoring, temperature checks, flushing of little-used outlets, that keeps the risk in check.

No records: Failing to keep the records that demonstrate the assessment, the control scheme, and the monitoring, leaving no evidence of compliance.

Stale assessment: An assessment that no longer reflects the building, particularly after changes to the water system or occupancy, including the reduced occupancy of hybrid working.

Inadequate competence: An assessment carried out by someone without the specialist competence to identify Legionella risk properly, missing significant hazards.

The solution: Proper Legionella management, a competent assessment, a written control scheme genuinely implemented and monitored, records kept, and the assessment reviewed, avoids all of these. This is what professional support delivers.

12. How Arinite Delivers Legionella Risk Assessment

Arinite provides Legionella risk assessment and water safety support as part of comprehensive health and safety services to over 1,500 businesses across the UK and 50+ countries, with a 95%+ client retention rate.

Arinite's Legionella service:

Competent risk assessment: Legionella risk assessments carried out by competent professionals with the specialist knowledge of water systems and Legionella risk that ACoP L8 requires, genuinely adequate to the premises and its systems.

Control scheme support: Helping duty holders prepare, implement, and manage the written control scheme the assessment requires, turning assessment into genuine, ongoing control.

Clarifying responsibility: For office and commercial tenants in multi-occupied buildings, clarifying which water systems fall within the organisation's responsibility and ensuring the risk is assessed and managed across the boundary.

Review and ongoing management: Keeping assessments current through scheduled review and on change, including the occupancy changes that hybrid working brings, and supporting the recurring monitoring the control scheme requires.

Health and Safety Consultants and Software: Software that tracks the recurring monitoring tasks, flags those due, and maintains the records that demonstrate Legionella compliance.

Integrated with wider support: Legionella managed as part of a coherent approach alongside COSHH, fire risk assessment, policy, and independent Health and Safety Audits, overseen by a competent person.

International Health and Safety Consultants: Legionella and water safety across 50+ countries, meeting local requirements while maintaining consistent group standards.

Named clients including Bell Rock Capital, Figma, Akamai, SUSE, Nikon, Shutterstock, Hearst, IPG, and B&Q rely on Arinite for Legionella risk assessment and the wider management of their health and safety obligations.

Frequently Asked Questions

What is a Legionella risk assessment?

A Legionella risk assessment is a systematic evaluation of a building's water systems to identify and control the risk of Legionella bacteria, which cause Legionnaires' disease, a potentially fatal pneumonia. It examines the water systems, temperatures, stagnation, system condition, aerosol creation, and who is at risk, and identifies the control measures needed.

Yes. The duty arises under the Health and Safety at Work Act 1974 and the Control of Substances Hazardous to Health Regulations 2002, with the detailed standard set out in the HSE's Approved Code of Practice L8 (ACoP L8) and guidance HSG274. Duty holders must assess and control Legionella risk in their water systems.

Who is responsible for Legionella risk assessment?

The duty falls on the "duty holder," which includes employers (for their workplaces), landlords (for premises they let), and those in control of premises (building owners, managing agents, facilities managers). In multi-occupied buildings, responsibility can be shared and must be coordinated. Office tenants should not assume it is entirely the landlord's concern.

Does my office need a Legionella risk assessment?

Very likely yes. The hot and cold water systems of ordinary offices and commercial buildings can harbour Legionella, and the duty to assess applies to them, not just to industrial sites or buildings with cooling towers. Reduced occupancy from hybrid working has heightened the risk in some office buildings by causing water to stagnate, making assessment all the more important.

Who can carry out a Legionella risk assessment?

It must be carried out by a competent person with the specialist skills, knowledge, training, and experience to understand water systems and Legionella risk, a more specialised competence than general health and safety knowledge. For most premises, a competent professional assessor is needed to ensure the assessment is genuinely adequate, given the technical nature and serious consequences of the risk.

How often should a Legionella risk assessment be reviewed?

It must be reviewed regularly and whenever there is reason to believe it is no longer valid, a common benchmark being at least every two years and sooner where circumstances change, such as alterations to the water system, changes in building use or occupancy (including reduced occupancy from hybrid working), ineffective controls, or a suspected case.

Taking the Next Step

A Legionella risk assessment is a legal requirement and a genuine protection against a potentially fatal but invisible hazard that exists in the water systems of ordinary offices and commercial buildings, not just industrial sites. Getting it right, with a competent assessment, a control scheme genuinely implemented and monitored, and the assessment kept current, protects people and meets a serious legal duty. Getting it wrong, or assuming it does not apply, leaves the duty holder exposed.

Assess your position: Take our Health and Safety Quiz to evaluate your compliance, including water safety.

Discuss your premises: Book a free Gap Analysis Call with an Arinite consultant to understand your Legionella and wider health and safety obligations.

Arrange a Legionella risk assessment: Contact Arinite to arrange a competent Legionella risk assessment for your premises, anywhere in the UK and beyond.

Arinite provides Legionella risk assessment, Health and Safety Consultants, and Health and Safety Audits services to over 1,500 global businesses across the UK and 50+ countries. Key external resources: HSE guidance on Legionnaires' disease | Approved Code of Practice L8 | Control of Substances Hazardous to Health Regulations 2002 | Health and Safety at Work Act 1974 | OSHCR consultant register

Share this article
HEALTH & SAFETY
A

Written by

Arinite Health & Safety Consultants

Health & Safety Expert at Arinite

More Articles

Related Articles

Health and Safety Risk Assessment: A Complete Guide
HEALTH & SAFETY

Health and Safety Risk Assessment: A Complete Guide

June 20, 2026
20 min read
Health and Safety Training: A Complete Guide for Employers
HEALTH & SAFETY

Health and Safety Training: A Complete Guide for Employers

June 19, 2026
19 min read
Health and Safety Companies: What They Do, How to Choose One, and What to Look For
HEALTH & SAFETY

Health and Safety Companies: What They Do, How to Choose One, and What to Look For

June 19, 2026
20 min read
Free Resources

Health & Safety Factsheets

Download our comprehensive library of expert guides, checklists, and templates.

Browse Library
Get Professional Help

Need Expert H&S Advice?

Our qualified consultants are ready to support your specific business needs.

020 7947 9581Contact Us