Crowd of people at conference

Martyn’s Law: The Terrorism (Protection of Premises) Act 2025

What ‘Martyn’s Law’ means for your organisation

The Terrorism (Protection of Premises) Act 2025 – commonly known as Martyn’s Law – will introduce new legal duties for organisations responsible for publicly accessible premises and events. It has been passed, but is not yet in force. Implementation is expected after a transition period (probably around April 2027).

The Act aims to make organisations more prepared for terrorist incidents, and ensure that they are better equipped to protect people and reduce harm. If your premises or event can reasonably expect 200 or more people to be present, you will probably be affected.

Our specialist Health and Safety team has all the insight and expertise required to help you understand your new duties and make the necessary preparations.

Important

The Home Office has published statutory guidance (April 2026), and the Security Industry Authority (SIA) has issued draft guidance for consultation.

The detail may change before implementation. The information below reflects the current direction of travel and should be treated as guidance only.


Will your organisation be affected?

If your venue capacity is…

Less than 200

Your premises are unlikely to be affected

200 – 799

Standard duty premises

Organisations must implement simple, low-cost procedures to improve preparedness

800+

Enhanced duty premises

Organisations must go further and implement additional measures


Core procedures that every affected organisation should consider

The statutory guidance indicates that organisations should be able to implement four key types of public protection procedures.

1. Evacuation

Safely moving people away from danger.

2. Invacuation

Bringing people into a safer area.

3. Lockdown

Restricting access or movement to prevent exposure to a threat.

4. Communication

Providing clear channels of communication with staff and the public. Staff need to understand their responsibilities and what they should do in any given situation; members of the public need to be able to report concerns in a way that ensures they will reach the correct people, and that the situation will be dealt with appropriately.


Designated ‘Responsible Persons’

This aspect of the Act applies to premises and events in both the ‘standard duty’ tier and the ‘enhanced duty’ one. People in control of these will be designated as a ‘Responsible Person’, who will have certain legal duties. To be precise, that might include owners of a venue or premises, occupiers or tenants, facility managers, local authorities or employers.

Responsible Persons must take reasonable steps to reduce the vulnerability to terrorism attacks, and to mitigate harm to individuals if a terrorist attack were to occur. The Home Office guidance is clear that they “cannot delegate their legal responsibility”, although they can “delegate tasks”.

Where there is more than one Responsible Person, procedures should be in place to ensure coordination between them.

Anyone designated as Responsible Person is also legally required to notify the SIA of their role. (We don’t yet know the details of this, including the required timescale or procedure.)

The Responsible Person can be an organisation. If so, a senior individual who is responsible for compliance must be designated.


Understanding your obligations

Musician playing guitar for crowd at venue

Standard duty premises (200–799 people)

Organisations in this tier must implement simple, low-cost procedures to improve preparedness for an emergency event, including:

  • Evacuation and movement to safety
  • Preventing entry or exit where appropriate
  • Communicating clearly with those on site

They must also provide training and counter-terrorism awareness for staff. This must be appropriate to the level of risk at the particular premises or event.

No specific physical security measures (e.g. scanning equipment) are required at this level.

Crowd of fans at concert

Enhanced duty premises (800+ people)

Organisations in this tier are required to go further: they must implement all reasonably practicable additional measures. Depending on the particular premises, these might include:

  • Terrorism risk assessments
  • Monitoring systems to detect suspicious behaviour (e.g. staff patrols and/or CCTV)
  • Movement tracking to control the movement of people (e.g. entry screening)
  • Information Security regarding sensitive information about the premises’ operation and design
  • Security planning and procedures
  • Staff training
  • Physical and operational security measures which protects the premises/event and deters threats (e.g. vehicle barriers)

Organisations in the enhanced tier also have a duty to document their compliance with the Act, in particular as regards what public protection procedures are in place, and assessments of how these are expected to mitigate risks.

At this level, senior individuals may carry greater accountability for compliance at this level – and more serious consequences if things go wrong. This particularly applies to designated senior individuals (see the end of the ‘Designated ‘Responsible Persons’ section above). But other members of senior management could still be prosecuted if an offence is committed with their consent, connivance or neglect.


Sector insights

How will the different sectors be impacted?

Hotels and accommodation

Often fall within scope due to public access and capacity. Challenges include multiple access points and transient guests.

Focus areas

  • Evacuation planning for guests
  • Physical security and entry barriers
  • Staff awareness and training
  • Coordination with in-house restaurants and events

Bars and restaurants

Many will fall within the standard duty tier.

Focus areas

  • Clear evacuation procedures
  • Managing customer communication during incidents
  • Staff training for real-time response
  • Lockdown mechanisms (especially for street-facing premises)

Sporting venues

Likely to fall within the enhanced duty tier.

Focus areas

  • Crowd management and entry control
  • Large-scale communication strategies
  • Coordination between operators and contractors

Entertainment venues

Often operate as both premises and event organisers.

Focus areas

  • Risk assessments for different event types
  • Security layering (where appropriate)
  • Managing high footfall and dynamic environments

Education

Includes universities, schools and colleges.

Focus areas

  • Aligning procedures with safeguarding and existing emergency planning
  • Practical implementation of lockdown and invacuation
  • Coordination across campuses and buildings

What you should be doing now

Woman signing document

We’ve put together a checklist of the key first steps for all organisations that may be affected.

Note that having a capacity of over 200 means that you will probably be affected – but this is not 100% certain.

View our checklist


How we can help

Our specialist Health and Safety team can support with all aspects of your preparation, including:

  • Identifying whether your premises are in scope
  • Determining your obligations under the Act
  • Reviewing and preparing risk assessments
  • Drafting and testing emergency procedures
  • Advising on governance and responsibilities
  • Preparing for SIA engagement and enforcement

Get in touch

If you would like to discuss how the Act may affect your organisation, please contact our Health and Safety specialists or your usual Shepherd and Wedderburn contact.


Frequently asked questions

The Act received Royal Assent in April 2025, and we are expecting a transition period of at least 24 months, so implementation is likely to be in April 2027 or fairly shortly afterwards.

Close

The individual or organisation with control of the premises or event, such as an owner, operator or employer. Legal responsibility cannot be delegated, although tasks may be.

Close

Organisations should be able to implement procedures covering:

  • Evacuation
  • Invacuation
  • Lockdown
  • Communication

Organisations in the enhanced tier will have additional requirements around monitoring, movement, information and physical security.

Close

Not necessarily. The Act does not mandate specific measures, but it instead requires a risk-based, proportionate approach.

Close

Yes. Draft guidance indicates that responsible persons will need to notify the Security Industry Authority (SIA) when they take on or cease responsibility for premises.

Close

The SIA will take a supportive, proportionate and risk-based approach, but it has powers to inspect and take enforcement action where needed.

Enforcement and penalties

The SIA will regulate compliance and has powers to:

  • Inspect premises
  • Issue compliance notices
  • Restrict the use of premises or events
  • Impose penalties for non-compliance

Serious breaches may result in fines of up to £18 million or 5% of global turnover (whichever is greater), alongside potential criminal liability for organisations and senior individuals.

Close

Although the Act is not yet in force, organisations should begin to:

  • Assess their exposure
  • Review their procedures
  • Plan a compliance strategy

Close