Martyn's Law Explained: What UK Businesses Need to Know About the Terrorism (Protection of Premises) Act 2025

The most significant change to UK public protection law in twenty years is now on the statute book and the implementation clock is running. The Terrorism (Protection of Premises) Act 2025, commonly known as Martyn's Law, received Royal Assent on 3 April 2025. Following a 24-month implementation period, enforcement is expected to begin in spring 2027.

The Act is named after Martyn Hett, one of the 22 people killed in the 2017 Manchester Arena attack. His mother, Figen Murray, campaigned for nearly eight years for the legislation that now bears her son's name. The result is a new statutory duty on those responsible for qualifying public premises and events to prepare for the possibility of a terrorist attack and, at larger venues, to take steps to reduce vulnerability.

This guide explains what Martyn's Law is, who is in scope, what duty holders will be required to do, who will enforce it, and how to start preparing now. It is written for UK employers, venue operators, event organisers, and anyone responsible for a publicly accessible premises with a capacity of 200 or more.

What Martyn's Law actually requires

The Act creates a tiered duty on those responsible for qualifying premises and qualifying events. The level of obligation depends on the number of individuals it is reasonable to expect may be present at the same time.

Premises in scope must consist of at least one building, have a capacity of 200 or more people, and be publicly accessible. The sectors covered are broad. Retail, hospitality, entertainment and leisure, places of worship, education, healthcare and public services, transport and infrastructure, and community and event spaces all fall within the scope set out in Schedule 1 of the Act.

The aim, as set out by the Home Office, is to improve organisational preparedness and protective security across the UK by requiring duty holders to consider how they would respond to a terrorist attack. For larger premises, the duty extends to actively considering and, where appropriate, reducing vulnerability.

This is, importantly, a counter-terrorism statute rather than a health and safety statute. But in practice the obligations sit alongside existing duties under the Health and Safety at Work etc. Act 1974 and the Regulatory Reform (Fire Safety) Order 2005. For most businesses, the practical work of compliance with Martyn's Law will integrate with, rather than replace, their existing health and safety arrangements.

The two tiers: standard and enhanced

The Act establishes a tiered approach. Each tier carries different requirements.

Standard tier: 200 to 799 individuals

Standard tier covers premises that might reasonably expect to host between 200 and 799 individuals. The Government has framed these requirements as simple, low-cost activities designed to ensure those working at these premises are better able to reduce harm and save lives in the event of an attack.

Standard tier duty holders will be required to:

• Identify the person responsible for the premises and notify the Security Industry Authority (SIA) of their identity.
• Put in place public protection procedures covering four scenarios: evacuation, invacuation (moving people to safer locations within a building), lockdown, and communication.
• Provide instruction or training to relevant workers on those procedures so staff are equipped to act in the event of an attack.
• Maintain a security plan documenting the above.

The Government has been explicit that standard tier requirements are intended to be achievable without buying in specialist services. For many small to medium venues, that will be the realistic position.

Enhanced tier: 800 or more individuals

Enhanced tier covers premises and qualifying events where 800 or more individuals may be present. The obligations are substantially heavier.

Enhanced tier duty holders will be required to do everything standard tier duty holders do, plus:

• Assess the vulnerability of the premises to acts of terrorism and document that assessment.
• Take reasonably practicable measures to reduce identified vulnerabilities.
• Maintain a more detailed security plan evidencing the assessment and the controls in place.
• Designate a senior individual responsible for the premises and accountable for compliance.

Enhanced tier requirements look much closer to a counter-terrorism management system than a checklist. For large hotels, shopping centres, stadiums, conference venues, and major event venues, this is the level the Act is targeting.

A note on education settings

Education settings receive a special consideration. Early years, primary, secondary and further education premises will sit in the standard tier even where they expect 800 or more individuals to be present. Enhanced duty requirements do not apply to premises used for these forms of education. The reasoning is that schools already operate within an existing framework of safeguarding and lockdown procedures and the Government wants to avoid duplication.

When Martyn's Law comes into force

Royal Assent was granted on 3 April 2025. The Government has committed to an implementation period of at least 24 months from that date, which means enforcement is not expected to begin before April 2027.

This period exists for two reasons. First, the new regulatory function within the Security Industry Authority (SIA) needs to be established, staffed, and ready to operate. Second, those responsible for in-scope premises and events need time to understand their obligations, develop procedures, train staff, and put security plans in place.

The Home Office has now published its statutory guidance under section 27 of the Act, which sets out how duty holders should interpret their obligations. The SIA has also published draft section 12 guidance, which is currently in public consultation and sets out how the regulator itself will discharge its functions. Further guidance is expected during the remainder of the implementation period.

For businesses in scope, the planning window is therefore now. Waiting until 2027 to begin will not leave enough time to design procedures, train staff, and integrate the duties into existing operations.

The regulator and enforcement

The Security Industry Authority (SIA), an arm's length body of the Home Office, has been designated as the regulator. The SIA's new function under the Act includes supporting duty holders, providing guidance, and taking enforcement action where required.

Enforcement powers under the Act include:

• Compliance notices requiring specified action within a defined period.
• Restriction notices that can limit the use of premises.
• Monetary penalties for serious or persistent non-compliance.
• Criminal offences for certain breaches, with personal liability for senior individuals in some circumstances.

The SIA has signalled that its primary intent during early operation will be to support and advise duty holders, with enforcement action reserved for serious or persistent failure. That said, the Act creates real legal exposure for senior individuals in larger venues, and the penalty regime is significant enough that no in-scope business should treat compliance as optional.

Where Martyn's Law overlaps with existing health and safety duties

The honest position is that much of what Martyn's Law requires will look familiar to any business that already takes its health and safety obligations seriously. The four-scenario procedure framework (evacuation, invacuation, lockdown, communication) overlaps with existing fire safety, emergency planning, and lone working procedures. The training duty overlaps with existing duties under the Management of Health and Safety at Work Regulations 1999 for instruction and information.

For most businesses, the practical work of Martyn's Law compliance is not building procedures from nothing. It is reviewing existing procedures, identifying the gaps where they do not cover terrorism scenarios, and closing those gaps in a documented and trainable way. Specifically:

• Fire evacuation procedures become a starting point for terrorism evacuation procedures, with the differences (do not assemble at predictable assembly points, do not return to the building, route away from the threat) clearly identified.
• Invacuation and lockdown procedures, less common in standard fire safety planning, often need to be designed from scratch.
• Communication procedures must address how staff communicate during an incident, how the public are informed, and how the response coordinates with emergency services.
• Staff training integrates terrorism awareness alongside fire warden training, first aid at work, and general health and safety induction.

A well-run business with mature health and safety management is not starting from zero. A business with thin or undocumented health and safety arrangements will find Martyn's Law compliance harder than it needs to be, because the foundations are not in place.

What to do now

Whether or not your premises are in scope, the implementation window is the right time to act. Five practical steps:

1. Determine your scope. Identify every premises and every event your business is responsible for that could fall within the Act. Apply the capacity test (200+, 800+) using a reasonable estimate of how many individuals could be present at the same time. Use the Home Office statutory guidance and the Schedule 1 sector list to confirm.

2. Identify the responsible person for each premises. Standard tier requires the responsible person to notify the SIA of their identity. Enhanced tier requires a designated senior individual. Decide who that is at each site now, and make sure they have the authority and resources to perform the role.

3. Audit your existing procedures. Compare what you already have against the four scenarios (evacuation, invacuation, lockdown, communication). Identify the gaps. A health and safety audit can be expanded to include Martyn's Law gaps without duplicating effort.

4. Plan the staff training. Standard tier duty holders must provide instruction or training. Decide who needs it, what format, who will deliver it, and how it will be recorded.

5. Document your security plan. Standard tier and enhanced tier both require a written plan. Decide who owns the document, where it is kept, how often it is reviewed, and how it integrates with the broader health and safety management system.

For multi-site businesses, particularly retail groups, hospitality chains, multi-academy trusts, and large care providers, the coordination work is the biggest part. Doing this consistently across every site is harder than doing it at one site.

Where a Chartered consultant adds value

Government guidance is explicit that businesses do not need to buy specialist services to be compliant with Martyn's Law. For many smaller standard tier premises, that is a fair description.

Where Arinite's Chartered consultants tend to add real value is in three specific situations:

Integration with existing health and safety management. Martyn's Law obligations sit alongside fire safety, lone working, emergency planning, and training duties. For businesses that want a coherent management system rather than parallel documents that contradict each other, integrating these into one framework saves time and reduces risk.

Multi-site coordination. For businesses with 5, 50, or 500 sites, the question is not whether one site can comply, but whether every site can demonstrate consistent compliance to a regulator. Arinite supports 1,500+ businesses across 50+ countries with exactly this kind of multi-site coordination, with results consolidated in our compliance software so head office has visibility across the portfolio.

Enhanced tier vulnerability assessments. For 800+ capacity venues required to assess vulnerability and reduce it, the work is closer to a structured risk assessment than a checklist. Arinite's Chartered consultants are experienced in structured vulnerability assessment and can support enhanced tier duty holders through the process.

100,000+ Employees Protected. ISO 45001:2018 certified. 15+ years of practice across UK and international clients.

The fastest way to understand where your business stands against Martyn's Law and your wider health and safety obligations is a 30-minute Free Gap Analysis Call. A structured review of your current arrangements, the gaps that matter most, and what to do about them. No commitment.

Book My Free Gap Analysis Call or call +44 (0)20 7947 9581.

Frequently asked questions

What is Martyn's Law? Martyn's Law is the common name for the Terrorism (Protection of Premises) Act 2025. It is named after Martyn Hett, one of the 22 people killed in the 2017 Manchester Arena attack. The Act creates a statutory duty on those responsible for certain publicly accessible premises and events to prepare for and reduce the impact of a terrorist attack.

When does Martyn's Law come into force? The Act received Royal Assent on 3 April 2025. The Government has committed to an implementation period of at least 24 months. Enforcement is therefore expected to begin in spring 2027 at the earliest.

Who is in scope of Martyn's Law? Premises with a capacity of 200 or more people that are publicly accessible and used wholly or mainly for retail, hospitality, entertainment, leisure, worship, education, healthcare, public services, transport, infrastructure, or community and event purposes. Qualifying events with 800 or more individuals also fall within scope.

What is the difference between standard tier and enhanced tier? Standard tier covers premises with a capacity of 200 to 799. The requirements are centred on simple procedures and staff training. Enhanced tier covers premises and events with a capacity of 800 or more. Enhanced tier duty holders must additionally assess vulnerability to terrorism and take reasonably practicable measures to reduce it.

Who is the regulator for Martyn's Law? The Security Industry Authority (SIA), an arm's length body of the Home Office, has been designated as the regulator. The SIA will support duty holders, publish guidance, and take enforcement action where there is serious or persistent non-compliance.

What are the penalties for non-compliance? The Act includes a range of enforcement options: compliance notices, restriction notices, monetary penalties, and criminal offences for certain breaches. Senior individuals in larger venues can face personal liability in some circumstances.

Do I need to hire a consultant to comply with Martyn's Law? No. Government guidance is explicit that businesses do not need to buy specialist services to be compliant. For smaller standard tier premises, in-house compliance is achievable. Businesses tend to engage consultants where Martyn's Law compliance needs to be integrated with wider health and safety management, where multi-site coordination is required, or where enhanced tier vulnerability assessments demand structured methodology.

How does Martyn's Law affect schools? Education settings (early years, primary, secondary, further education) sit in the standard tier even where they expect 800 or more individuals. Enhanced duty requirements do not apply to these settings. The Department for Education has published guidance specifically for education providers.

Does Martyn's Law apply in Scotland, Wales, and Northern Ireland? Yes. The Act applies across the United Kingdom, including in Scotland, Wales, and Northern Ireland.

Where can I find the official guidance? The Home Office has published statutory guidance under section 27 of the Act on GOV.UK. Further guidance and resources are available through ProtectUK, the official counter-terrorism resource for businesses.

---

Further reading: The World's Most Dangerous Countries for Workers, The World's Safest Countries to Work In, and What is COSHH? The Complete UK Guide.