Martyn's Law Report by Thornton Tomasetti

Introduction to Martyn’s Law

Background and Purpose

Martyn’s Law is a direct legislative response to the devastating Manchester Arena attack in May 2017 where an improvised explosive device was detonated inside the arena killing 23 people (including the attacker). This was the deadliest terrorist attack on UK soil since the 2005 London bombings. The Act’s inception was significantly influenced by the persistent advocacy of Figen Murray whose son Martyn Hett was among the victims. The fundamental objective of the legislation is to elevate public safety by strengthening the preparedness and protective measures of PALs and events across the United Kingdom against the threat of terrorism.

Historically, a critical void existed within the UK’s legal framework regarding specific mandates for counter-terrorism protective security and preparedness, a stark contrast to the well-established legal requirements governing health and safety or crime prevention. Notwithstanding the existing Duty of Care to the public under UK health and safety legislation, Martyn’s Law will enforce more effort on event and public space protection, it directly addresses this gap, fulfilling a government commitment to bolster National Security. The Act imposes a legal requirement on those responsible for designated premises and events to proactively consider their response protocols in the event of a terrorist attack. For higher capacity venues, this extends to implementing concrete measures aimed at reducing vulnerability. The legislation aims to establish clear lines of responsibility and foster robust protective security practices ranging from straightforward measures, for example bag searches, to more comprehensive holistic security strategies for complex venues.

Legislative Status and Implementation Timeline

The Terrorism (Protection of Premises) Act 2025 achieved Royal Assent on Thursday, 3rd April 2025 officially cementing its status as law. Subsequently, an implementation period of at least 24 months is

Martyn’s Law: An Overview of Business Impact and Compliance Requirements

anticipated before the Act fully comes into force, with enforcement expected in April 2027. This extended timeframe serves a dual purpose, it allows the Security Industry Authority (SIA) to establish its new regulatory functions and provides responsible persons with ample opportunity to comprehend, prepare and budget for their newly introduced obligations. During this preparatory phase the Home Office is committed to publishing statutory guidance which will be instrumental in assisting duty holders in interpreting the legislative requirements. Training will also be available through the Competent Persons Scheme (CPS) that aims to upskill and professionalise the Counter Terrorism Protective Security and Preparedness sphere. This guidance will be pivotal in helping businesses accurately determine whether they fall within the Act’s scope and what appropriate measures they need to implement.

The existence of a 24-month implementation period underscores a significant expectation, that businesses should not perceive this period as a delay in action but rather as a critical window for strategic planning, resource allocation, and phased implementation of new security protocols before enforcement occurs. The underlying governmental perspective is that compliance will be a substantial undertaking for many entities, and any deferral of preparation could lead to a hurried, potentially inadequate, and ultimately non-compliant approach once the Act becomes fully enforceable.

Scope and Applicability: Is Your Business Affected?

Defining “Publicly Accessible Locations” and “Qualifying Events”

Martyn’s Law has broad applicability 1 , encompassing a wide array of premises and events across the UK that are accessible to the public. This includes diverse physical spaces such as entire buildings, portions of buildings, collections of buildings, or a combination of buildings and other land.

1 There are also exclusions such as certain transport premises and Government buildings.

For premises to fall within scope, they must be primarily or entirely used for one or more specific activities outlined in Schedule 1 to the Act. These activities span a comprehensive range of sectors including hospitality (restaurants, shops, hotels, pubs), healthcare, education, entertainment venues (nightclubs, theatres, cinemas), community halls, leisure facilities, sports grounds, libraries, museums, galleries, and transport stations. Qualifying events are subject to a specific set of criteria. An event is in scope if it occurs at specified premises (which can include open land or land with buildings not already classified under the enhanced tier), is accessible to the public, is reasonably anticipated to host at least 800 individuals simultaneously and incorporates mechanisms for checking entry conditions, such as ticket verification, invitation checks, pass validation, or registration for free events. Notably, private gatherings like weddings or private office parties are generally excluded if they do not involve public access through ticketed entry or invitation. For events, the “responsible person” is defined as the entity or individual who exercises control over the premises for the specific purpose of that event. For instance, if a company organises a concert in a public park and assumes control of that designated area for the duration of the event, that company becomes the responsible person and thus through vicarious liability, the MD/CEO of said company.

The Tiered Approach: Standard Duty vs. Enhanced Duty Premises/Events

The Act employs a tiered compliance framework thus ensuring that security measures are appropriate to the specific activities conducted and the anticipated number of individuals present and proportionate to the identified threat. This approach acknowledges that reasonably practicable measures will vary significantly depending on the unique circumstances of each premises or event.

Standard Tier (200-799 Capacity). This tier applies to premises where the expected occupancy, including staff, is between 200 and 799 individuals at any given time even if only occasionally. The requirements

200+ people = basic safety duties.

800+ people = full security plan required.

for this tier are based on simple, low-cost activities, primarily involving time investment rather than significant physical alterations or equipment purchases. The focus is on establishing public protection procedures for staff to follow, encompassing protocols for evacuation, invacuation (moving people to a safe internal location), lockdown, and effective communication strategies.

Enhanced Tier (800+ Capacity). This tier is applicable to premises or events where 800 or more individuals are reasonably expected to be present simultaneously. Beyond the procedural requirements of the standard tier, enhanced duty premises and events must implement additional public protection measures aimed at reducing vulnerability to terrorist attacks. Examples of such measures include undertaking a security risk assessment and developing a security plan and procedures for monitoring the premises and its immediate vicinity (e.g., through Video Surveillance Systems (VSS)), controlling movement of individuals (e.g., access control, bag checks, physical barriers), and safeguarding sensitive information that could be exploited by adversaries. A mandatory requirement for this tier is the documentation of all procedures and measures which must be submitted to the SIA along with an assessment detailing how these measures reduce vulnerability. Furthermore,

if the responsible person is not an individual (e.g., a corporate entity), a “Designated Senior Individual” (DSI) must be appointed to oversee compliance.

The following table provides a clear comparison of the requirements for Standard and Enhanced Tier premises and events:

Primary Focus

Key Requirements

Low-cost, time-based activities; procedures for staff

Notify SIA, Public Protection Procedures (Evacuation, Invacuation, Lockdown, Communications)

Procedures + physical measures to reduce vulnerability

Notify SIA, Public Protection Procedures, Public Protection Measures (monitoring, access control, physical security), Document procedures/ measures for SIA, Appoint Designated Senior Individual Security training of staff and exercising

Physical Measures Required No Yes, as reasonably practicable

Table 1: Comparison of Standard and Enhanced Tier Requirements under Martyn’s Law

Examples of In-Scope Premises and Events

The scope of Martyn’s Law is extensive covering a diverse range of public settings. In-scope premises include, but are not limited to, supermarkets, shopping centres, hotels, cafés, restaurants, pubs, theatres, conference centres, places of worship, schools, universities, non-exempt transport hubs, hospitals, childcare facilities, most sports grounds, exhibition halls, and other public conference venues or venues for hire.

Qualifying events can include music events held in parks or fields that require ticket purchases and anticipate over 800 attendees. Similarly, Criterion

events hosted in premises not typically open to the public but expecting over 800 registered attendees or events at standard tier premises (such as a shop) that host a weekend concert with 800+ ticketed attendees would also fall within scope. As noted, for events, the responsible person is the entity that has control of the premises for the specific purpose of that event.

Exclusions and Nuances

Certain premises or events may be excluded from the Act’s scope. These typically include premises with existing government regulation and/or protective frameworks or open-access areas where there are no ticket restrictions unless they host a qualifying event. Events held for purely personal attendance reasons such as weddings or private office parties are generally excluded if they are not considered PALs.

A complicating factor for some venues is the potential to “straddle tiers.” This occurs when a venue’s capacity fluctuates, or its usage changes meaning it may need to comply with both standard and enhanced duty obligations at different times. For instance, a venue might operate as a standard tier premises for daily activities but host an enhanced tier event on a specific occasion. Furthermore, in multi-occupancy sites such as a shopping centre with various tenants where multiple entities share “control” collaborative efforts will be necessary to ensure all respective duties are fulfilled. The tiered approach of the Act, which is based on expected capacity and qualifying activities implies that a business’s compliance obligations are not static. The mention of venues potentially “straddling tiers” and the need to consider the “circumstances of the event” indicates that compliance is a dynamic process. It is not solely about a fixed building capacity but requires a flexible assessment of how the space is utilised and the number of people present at any given time. This necessitates those businesses particularly those with varied event schedules or adaptable layouts implement a dynamic compliance framework. This involves regularly reviewing event schedules and anticipated attendance figures to ensure that the

requirements of the correct tier are consistently met for each specific activity. Such an approach demands robust internal processes for event planning and an ongoing requirement for security assessment, wider organisational resilience is key.

Key Obligations for Responsible Persons Identifying the “Responsible Person” and “Designated Senior Individual”

Under Martyn’s Law the onus of compliance falls upon the “Responsible Person” defined as the individual or entity that exercises “control” over the premises or event. This designation can apply to a property owner, an occupier, or an event organiser depending on the specific circumstances of control.

For enhanced duty premises or qualifying events, an additional layer of responsibility is introduced. If the responsible person is not an individual (e.g., a corporate body or organisation) they are mandated to appoint a “Designated Senior Individual” (DSI). The DSI’s primary function is to ensure that the responsible person adheres to the legislative requirements. This role is crucial in engaging senior management in the decision-making processes related to the Act’s obligations thereby embedding counterterrorism preparedness at the highest levels of organisational governance. Core Requirements for All In-Scope Businesses

A fundamental initial step for all responsible persons regardless of their tier is to notify the Security Industry Authority (SIA) that they are or have become responsible for premises falling within the scope of the Act. This notification is crucial for establishing accountability and ensures that the organisation receives pertinent updates, resources, and compliance information from the regulator. Responsible persons are also required to notify the SIA when they are no longer in control of the premises.

A cornerstone principle underpinning all requirements within Martyn’s Law is “in so far as reasonably practicable”. This concept is not unique to Martyn’s Law it is a well-established principle found in other UK regulatory regimes such as Fire Safety and Health and Safety. It dictates that the responsible person must consider their specific circumstances including the nature of the premises or event, the activities conducted therein and the resources available to them when determining what measures are appropriate, achievable and reasonable. This approach fosters a tailored and proportionate response to security risks.

The repeated emphasis on the “reasonably practicable” principle should not be misconstrued as an opportunity for inaction. Instead, it represents a call for proportionate, risk-based decision-making. The parallel drawn with Health and Safety law suggests a similar legal interpretation that the extent of risk must be weighed against the costs and resources required to mitigate it. This implies that businesses cannot simply assert that a measure is not “reasonably practicable” without providing robust, documented justification. Such justification must demonstrate a thorough consideration of all available options and resources. Therefore, responsible persons are not only obligated to implement measures but also to clearly demonstrate and justify their choices particularly why certain measures were adopted or omitted based on a transparent assessment of risk, available resources and proportionality. This necessitates meticulous record-keeping of risk assessments, decisionmaking processes and resource allocation which will be vital during any inspections conducted by the SIA. The post incident audit test would be, could they have done more given the available resources, was what they were provided fair and what would be reasonably expected of a responsible duty (of care) holder.

Specific Duties for Standard Duty Premises

For premises falling under the standard tier the primary obligation is to implement appropriate public protection procedures that staff can follow in the event of a terrorist attack occurring at or in the immediate vicinity of

the premises. These procedures are designed to be simple and low-cost with the main investment being the time dedicated to their development and implementation.

Key procedures that must be in place include evacuation which involves safely guiding people out of the premises; Invacuation, the process of moving individuals to a safe internal area within the premises; Lockdown, which entails securing the premises to restrict or prevent an attackers entry and communications, ensuring effective methods for alerting and guiding individuals on the premises. It is important to note that unlike the enhanced tier there is no requirement for standard duty premises to install physical security measures or alter the physical structure of the premises.

Additional Duties for Enhanced Duty Premises and Events

Enhanced duty premises and qualifying events carry more extensive obligations. Beyond the public protection procedures required for standard tier premises they must implement appropriate public protection measures. These measures are designed to actively reduce the vulnerability of the premises or event to terrorist acts and to minimise the risk of physical harm if an attack occurs. These measures encompass a combination of processes, people-led initiatives, and physical security mitigations.

Examples of such enhanced measures include comprehensive monitoring of the premises and its immediate vicinity often involving Video Surveillance Systems (VSS), controlling the movement of individuals into, out of, and within the premises through measures like access control, bag checks and metal detectors; implementing perimeter security and conducting vehicle checks 2 . A critical duty for enhanced tier entities is the thorough documentation of all public protection procedures and measures. This documentation must include an assessment of how these measures reduce vulnerability and/or the risk of harm and it must be provided to the SIA. Furthermore, this documentation must be kept up

2 One of the key findings of the Manchester Arena enquiry reports www.gov.uk/government/collections/manchester-arena-inquiry-reports was the need to protect the “grey space” by ensuring clear ownership and collaboration with partners and neighbors to support joint security efforts.

to date with any revisions submitted to the SIA within 30 days. Enhanced duty premises are also required to maintain an ongoing review of their public protection measures to ensure their continued effectiveness, appropriateness and proportionality.

Operational, Financial, and Legal Impact on Businesses

Operational Adjustments

Martyn’s Law will necessitate significant operational adjustments for in-scope businesses. A primary change involves the development and integration of new public protection procedures such as evacuation, invacuation, lockdown, and communication protocols into existing daily operations and emergency plans.

A substantial operational impact will stem from the mandatory requirement for comprehensive staff training and awareness programmes. This training must equip staff with the ability to recognise potential threats, identify suspicious behaviour, and respond effectively in various scenarios. For enhanced tier premises the integration of physical security measures like VSS, advanced access control systems and routine bag checks will require operational modifications potentially including the creation of new security roles or the re-allocation of existing personnel. The administrative burden will also increase due to the requirement to meticulously document all procedures 3 and measures and to submit these to the SIA. Finally, businesses, particularly those operating in multioccupancy sites or regularly hosting events will need to cultivate and maintain collaborative relationships with neighbouring businesses, local authorities, and emergency services to ensure a coordinated response in critical situations.

Financial Considerations

The financial implications of Martyn’s Law vary significantly between tiers. While the requirements for standard tier premises are designed to be low-cost primarily involving time spent on developing and implementing procedures, enhanced tier premises may incur considerable costs due to the mandate for physical security measures.

This could necessitate substantial investment in security technologies such as metal detectors, advanced scanners, comprehensive VSS and robust access control infrastructure. Although free government-provided training programs like Action Counter Terrorism (ACT) and See, Check and Notify (SCaN) are available, businesses may still face costs associated with developing internal training programmes or enrolling specialised personnel in paid external courses. Increased security measures might also lead to higher staffing costs either through the hiring of additional security personnel or the re-allocation of existing staff to security-focused roles. Furthermore, business sales involving premises affected by Martyn’s Law will require enhanced due diligence to ensure full compliance, potentially adding to transaction costs.

The “reasonably practicable” principle, which is central to the Act, directly influences financial considerations. This principle implies a necessary cost-benefit analysis. While standard tier costs are minimal, enhanced tier venues face “considerable” costs. This indicates that businesses must strategically allocate their budgets, prioritising measures that offer the greatest reduction in risk relative to their expenditure. The objective is not to spend indiscriminately but to spend effectively and in a demonstrable manner. Therefore, financial planning for Martyn’s Law compliance must involve a detailed audit of existing security infrastructure, a comprehensive risk assessment to pinpoint specific vulnerabilities and a clear budgeting process for any necessary upgrades or new implementations. Businesses should first explore official government guidance and free resources to optimise spending and provide a robust justification for their “reasonably practicable” approach.

Legal Implications

Martyn’s Law introduces significant new legal obligations for operators of publicly accessible premises and events. Responsible persons now bear a clear duty of care to protect staff, customers, and visitors from terrorist attacks.

Failure to comply with the Act’s provisions post the implementation period, may, result in severe civil sanctions including compliance notices, restriction notices (which could lead to the temporary closure of enhanced tier premises or prohibit an event) and substantial monetary penalties. For standard tier premises the maximum penalty is £10,000 while for enhanced tier premises or events the maximum penalty can reach £18 million or 5% of global revenue. Daily penalties can also be imposed for ongoing non-compliance up to £500 per day for standard tier and £50,000 per day for enhanced tier.

Beyond civil penalties serious or persistent non-compliance can lead to criminal offences. These include failing to comply with an information notice, providing false or misleading information or obstructing the SIA. Individuals found guilty of such offences may face imprisonment and/or a fine. Crucially, for enhanced tier premises, senior officers including the Designated Senior Individual may be held personally liable for prosecution if an offence is committed by the responsible person with their consent or connivance.

The introduction of criminal offences and the potential for senior officer liability, particularly for the Designated Senior Individual, signifies a profound shift in the liability landscape. This moves beyond purely organisational responsibility to encompass individual accountability within corporate structures. This development mirrors trends observed in other regulatory domains such as corporate manslaughter or data protection. It implies that non-compliance is no longer merely a financial risk for the company; individuals in leadership positions could face personal legal consequences. This necessitates a robust corporate governance

framework specifically addressing Martyn’s Law compliance. Boards and senior management must actively engage with and oversee security protocols rather than simply delegating them. The DSI role becomes a key position requiring adequate authority, resources and clear reporting lines to effectively ensure compliance thereby embedding counter-terrorism preparedness at the highest level of organisational decision-making.

Avoiding Unnecessary Consultancy Costs

A notable aspect of the government’s approach to Martyn’s Law compliance is its explicit stance that premises and events are not required to engage external consultants to achieve compliance. The statutory guidance is specifically designed to empower duty holders to make their own assessments regarding scope, tier classification and the necessary steps to meet the requirements.

Steps to Achieve Compliance

Initial Assessment: Determining Scope and Tier

The foundational step for any business is to conduct a thorough selfassessment to determine if its premises or events fall within the scope of Martyn’s Law and if so which tier (Standard or Enhanced) applies. This assessment requires a careful evaluation of expected capacity and the nature of qualifying activities. Businesses operating multiple premises should conduct a comprehensive portfolio audit to identify all in-scope locations and safely exclude those that do not meet the criteria. It is also crucial to thoroughly understand that all mandated measures must be “appropriate and reasonably practicable” for the specific circumstances of the premises or event.

Conducting Comprehensive Security Risk Assessments

A security risk assessment is a mandatory duty for both tiers, with the enhanced tier attracting a more in-depth requirement. This assessment is designed to identify potential terrorism-related risks, vulnerabilities

and relevant attack methodologies. The scope of the assessment should be holistic covering potential vulnerabilities and threats that could arise before, during and after an event. It must also specifically assess how proposed public protection procedures and measures will effectively reduce vulnerability and/or the risk of harm. Businesses can undertake these assessments using internal suitably qualified and experienced resources or by engaging professional security consultancy services or by training internal teams to perform the evaluations. Selecting an external partner to undertake an SRA provides an independent review, which may potentially strengthen a post incident audit. Regular review and practice of these risk assessments such as annually with monthly discussions, or when there is a significant change in operation of an event, change in threat or technology are essential to ensure their continued relevance and effectiveness.

The following table outlines key elements that should be included in a comprehensive security risk assessment:

Developing and Documenting Public Protection Procedures and Measures

Once the risk assessment is complete businesses must develop public protection procedures tailored to their specific tier via a security plan. Standard duty premises require clear procedures while enhanced duty premises necessitate more extensive procedures coupled with deliverable measures. Core procedures must encompass Evacuation, Invacuation, Lockdown, and Communications. For enhanced tiers this means incorporating measures such as monitoring systems (e.g., VSS), robust access control (e.g., bag checks, metal detectors), and other physical security mitigations.

All procedures and measures along with a clear assessment of how they contribute to risk reduction must be meticulously documented. For enhanced tier premises this documentation is mandatory for submission to the SIA and must be kept up to date with any revisions submitted within 30 days. Based on the findings of the risk assessments a detailed security plan should be developed and maintained outlining risk management strategies, governance and accountability, organisational structure, composition of the security team and roles and responsibilities of persons with a security responsibility plus mitigation efforts and comprehensive emergency response protocols. This plan requires regular review and updates to remain effective.

Implementing Security Measures (Physical and Procedural)

The implementation of security measures must be proportionate to the identified vulnerabilities and threats. For enhanced tier premises this may involve investing in and deploying physical security infrastructure such as metal detectors, scanners, bag check stations, video surveillance systems, access control, and security fencing. Beyond physical installations it is crucial to ensure that all documented procedures are actively put into practice and thoroughly understood by all relevant staff members.

Essential Staff Training and Awareness Programmes

Security training will become a legal requirement under Martyn’s Law. The primary objective of such training is to equip employees with the necessary knowledge and skills to recognise potential threats such as suspicious behaviour, understand terrorist tactics, respond effectively (e.g., by locking doors, or identifying safe routes) and competently implement emergency procedures. Key training areas should include general threat and security awareness, specific emergency response 4 procedures, first aid, and clearly defined roles within incident response plans.

Several programmes can assist in fulfilling this requirement:

■ Action Counter Terrorism (ACT) Training: A free external me focused on general counter-terrorism awareness.

■ See, Check and Notify (SCaN) Training: A free external programme available in a specialised version for Line Managers and designed to enhance vigilance and reporting of suspicious activities.

■ Internal Training Programmes: Businesses can develop tailored in-house sessions to address site-specific security awareness and emergency response procedures.

■ Paid External Training: Consideration should be given to specialised courses from external providers for staff with additional security responsibilities or those acting as first responders.

■ Competent Persons Scheme: To upskill and professionalise the Counter Terrorism Protective Security and Preparedness sphere.

Training should be conducted regularly with frequent repetitions and practical drills to ensure high retention rates, build staff confidence, and maintain capability in emergency situations.

4 to escalating security alerts/levels.

The following table details recommended staff training programmes:

Programme Type

Action Counter Terrorism (ACT) Training

Description

Free external programme provided by official government sources.

See, Check and Notify (SCaN) Training Free external programme including a specialised version for line managers.

Internal Training Programmes Tailored in-house sessions specific to the premises or event.

Key Learning Outcomes

Recognising suspicious activity, understanding common terrorist methods.

Identifying and reporting suspicious activities, enhancing general vigilance.

Site-specific security awareness, emergency response procedures (Evacuation, Invacuation, Lockdown, Communications).

Paid External Training Specialised courses from external providers for targeted personnel.

Competent Person in the Workplace (CPIW) Training

The UK National Counter Terrorism Security Office (NaCTSO) and the Home Office are developing an official scheme called the Competent Person in the Workplace

Table 3: Recommended Staff Training Programmes for Martyn’s Law Compliance

Advanced security measures, first aid, leadership in security incidents, Personal Emergency Evacuation Plans.

To upskill and professionalise the Counter Terrorism Protective Security and Preparedness sphere.

Establishing Communication Channels with Authorities

Effective communication is a cornerstone of robust security. Businesses must establish clear and efficient communication channels with local emergency services. This also entails active collaboration with local authorities and national police forces, leveraging resources such as the ProtectUK platform and the National Protective Security Authority (NPSA) website in order to gain additional information and knowledge on counter-terrorism best practices.

Integrating Martyn’s Law with Existing Safety Frameworks

Martyn’s Law is designed to standardise aspects of event security and enhance overall protective security and organisational preparedness. It is not intended to operate in isolation but should be seamlessly integrated with existing duty of care responsibilities and crime prevention frameworks. For smaller venues this integration might simply involve adding counter-terrorism specific responses for example lockdown procedures, to their already mandated fire plans; larger, more complex venues will require a more holistic and integrated approach. Businesses should review and update their existing emergency plans such as general emergency plans, evacuation procedures, and Personal Emergency Evacuation Plans (PEEPs), to explicitly incorporate counter-terrorism specific responses.

While existing laws were deemed insufficient for directly addressing counter-terrorism protective security the principle of “reasonably practicable” aligns with established regimes like fire and health and safety. This indicates that Martyn’s Law while introducing new specific requirements is not meant to be a separate regulatory silo. Instead, businesses are encouraged to integrate these new duties into their established safety management systems. This approach allows for a holistic compliance strategy where existing documentation and training modules can be updated and expanded rather than creating entirely separate systems. This integration leads to more efficient compliance processes and contributes to a more coherent and robust overall safety and security culture within the organisation, security is a business enabler.

Fostering a Culture of Security and Preparedness

Ultimately effective compliance with Martyn’s Law extends beyond mere procedural adherence it necessitates cultivating a pervasive culture of security and preparedness throughout the organisation. Senior management particularly the Designated Senior Individual bears a critical responsibility in leading and championing this culture. Employee

engagement is vital encouraging staff to be vigilant, recognise and report suspicious behaviour. Fostering an environment where staff feel comfortable asking questions about security protocols is also crucial for building confidence and awareness. For standard tier premises transparency is encouraged through public disclosure informing and reassuring employees, visitors and the public about the security measures and emergency response plans via internal communications, signage, external communications, security messaging and public announcements. Additionally, visitors should be educated on security protocols 5 and procedures upon their entry to the facility for example on issued tickets or on the website when booking.

Enforcement and Penalties for Non-Compliance Enforcement Powers and Sanctions

To effectively discharge its regulatory duties the SIA will be vested with significant enforcement powers. These include the authority to inspect premises (typically with prior notice), conduct interviews with staff and gather necessary information to assess compliance levels. In instances of serious or persistent non-compliance the SIA is empowered to take enforcement action through the issuance of civil sanctions. These include compliance notices, which mandate specific corrective actions and restriction notices. Notably, restriction notices are specifically applicable to enhanced duty premises and qualifying events and can result in the temporary closure of premises or the prohibition of an event from taking place.

The tiered and escalating nature of the penalties, ranging from civil sanctions to substantial monetary fines and even criminal charges with personal liability for senior individuals signals a clear governmental intent to ensure stringent adherence to the Act particularly for larger venues with a higher potential impact in the event of an attack. While the response to

5 For example - no bag policy.

non-compliance is expected to be proportionate implying that smaller voluntary organisations might face lesser penalties significant commercial entities will likely be held to the full extent of the law. This escalating risk profile underscores the critical need for businesses to implement robust, well-documented compliance efforts and to proactively engage with the guidance provided by the SIA.

Resources and Further Guidance

Official Government Guidance (Home Office, ProtectUK)

To assist duty holders in navigating the requirements of Martyn’s Law the Home Office is committed to publishing statutory guidance during the 24-month implementation period. This official guidance will be the definitive source for understanding the legislative requirements. A key resource is the ProtectUK platform (protectuk.police.uk) which serves as a central information-sharing hub for counter terrorism and security. Additionally comprehensive factsheets related to The Terrorism (Protection of Premises) Act 2025 are accessible on Gov.uk. The SIA, in its role as regulator, will also provide ongoing advice and guidance.

Conclusion and Next Steps

Martyn’s Law fundamentally reshapes the landscape of public safety in the UK imposing clear legal responsibilities on businesses and organisations operating publicly accessible premises and events. This legislation marks a significant commitment to enhancing protective security and organisational preparedness against terrorist threats driven by the imperative to safeguard lives.

The 24-month implementation period, following the Act’s Royal Assent, is not a period for complacency but a critical window for proactive and strategic preparation. Businesses that delay their compliance efforts until the Act fully comes into force will face significant risks of non-compliance potentially incurring severe financial penalties and criminal liabilities for responsible individuals.

To navigate these new obligations effectively in scope businesses are strongly advised to undertake the following immediate steps:

■ Assess Scope and Tier: Conduct a thorough self-assessment to determine if your premises or events fall within the scope of Martyn’s Law and if so, whether they are classified under the Standard or Enhanced Tier. This initial assessment is crucial for understanding the specific requirements applicable to your operations.

■ Appoint Responsible Person/DSI: Clearly designate the “Responsible Person” who will oversee compliance. For Enhanced Tier premises or events if the responsible person is not an individual formally appoint a “Designated Senior Individual” to ensure senior management engagement and accountability.

■ Conduct Risk Assessments: Undertake comprehensive security risk assessments to identify potential terrorism related vulnerabilities and threats specific to your premises or events. These assessments should inform all subsequent security planning.

■ Develop a Security Plan and Procedures: Create or update robust public protection procedures including clear protocols for Evacuation, Invacuation, Lockdown, and Communications tailored to your operational context and tier requirements. For Enhanced Tier entities this extends to implementing physical security measures.

■ Train Staff: Implement essential staff training and awareness programs. Utilise free official resources like ACT and SCaN training and develop internal programmes to ensure all relevant personnel are equipped with the knowledge and skills to recognise threats and respond effectively.

■ Document Everything: Maintain records of all risk assessments, public protection procedures, implemented measures and staff training. For Enhanced Tier premises this documentation must be provided to the SIA and kept current. Correct documentation will demonstrate security plans and measures and that they are appropriate, proportionate and reasonable in terms of a duty of care to the invited public.

■ Engage with Official Guidance: Regularly consult and leverage the statutory guidance to be published by the Home Office along with resources available through ProtectUK and the SIA. These official sources are designed to provide comprehensive support for compliance.

By proactively addressing these steps during the implementation period businesses can establish a robust framework for compliance, enhance public safety, and mitigate the significant operational, financial and legal risks associated with Martyn’s Law.

Martyn's Law Report

MARTYN’S LAW

Overview of Business Impact and Compliance of the Terrorism Act 2025