Martyn’s Law: new security requirements for public venues and events

What is Martyn's Law?
Martyn’s Law – formally the Terrorism (Protection of Premises) Act 2025 – is the UK’s landmark anti-terrorism legislation aimed at strengthening security in publicly accessible places.
On 3 April 2025, the Bill received Royal Assent, officially becoming law. Named in memory of Martyn Hett (a victim of the 2017 Manchester Arena attack), this Act introduces new legal duties for a wide range of venues and event organisers. Its core purpose is to ensure businesses “consider how they would respond to a terrorist attack” and take “appropriate steps to reduce vulnerability” so that staff and visitors are better protected.
Below, we outline what the legislation entails, which venues are affected, the timeline for implementation, key compliance requirements by tier, and guidance on best practices – all from a risk management perspective.
Royal assent and 24-month implementation timeline
Martyn’s Law received Royal Assent on 3 April 2025, marking its final approval and paving the way for commencement as the Terrorism (Protection of Premises) Act 2025.
Importantly, the government has built in an implementation period of at least 24 months after Royal Assent before any requirements become legally enforceable. In other words, the Act’s provisions will likely not come into force until 2027, giving organisations roughly two years to prepare. This transition period is deliberate – it allows time to establish the new regulatory body within the Security Industry Authority (SIA) and to develop detailed statutory guidance for duty holders. During this window, the Home Office will publish official guidance to help venues understand and meet their new obligations.
While businesses are not required to comply until the law formally takes effect, security experts urge venues not to “sit back and wait” – the coming two years should be used proactively to get ready. Early action will not only ensure compliance by the deadline but also reduce the risk of incidents (and avoid reputational damage) in the meantime.
Who is affected? Venues and events in scope

Martyn’s Law applies broadly across sectors – it is not limited to concert arenas or stadiums. Any location that the public can access, regardless of industry, could fall in scope if it meets certain criteria. In fact, hotels, shops, bars, nightclubs, restaurants, cinemas, museums, sports venues, hospitals, schools, colleges and many other public-facing places “will all be impacted”.
Estimates suggest over 250,000 premises across the UK will be subject to the new regulations. The law is focused on “qualifying premises” – essentially, places with regular public access, at least one building, and used mainly for activities listed in Schedule 1 of the Act (for example, retail, entertainment, leisure, hospitality, education, or healthcare uses). Crucially, the venue must be of a certain scale: if it is reasonable to expect 200 or more people to be present at the same time (including staff and visitors), the premises comes under Martyn’s Law. Smaller sites below this 200-person threshold are not legally required to comply.
Within the in-scope group, the legislation establishes a tiered framework based on venue capacity:
Standard Tier – venues expecting 200 to 799 people. Most everyday public venues (from mid-size shops and restaurants up to moderate event spaces) will fall into this tier.
Enhanced Tier – venues expecting 800+ people. This higher tier captures large venues with high footfall (e.g. major arenas, large shopping centres, big sporting events) which pose greater potential risk due to crowd size.
In practice, if a venue can reasonably anticipate “at least 200 individuals may be present” at once, it’s in scope. And “if 800 or more individuals may be expected” at once, that venue is classified as an enhanced duty premises (unless specifically exempt).

These headcount thresholds include staff and are assessed based on the venue’s normal use, similar to how fire safety occupancy is calculated (using capacity estimates or historical attendance data). Venues will need to make a reasonable assessment of their maximum occupancy to determine which tier applies.
It’s worth noting some premises are excluded by Schedule 2 of the Act (for example, purely private or residential facilities, and certain other exceptions), but any publicly accessible place meeting the above criteria is likely within scope.
One-off events are also covered: Qualifying public events that are not in a permanent venue (e.g. a festival in a park or a temporary event site) will come under Martyn’s Law if they expect 800+ attendees at any one time and have controlled entry (such as ticketing or security checks). This ensures large open-air events or temporary venues have similar security obligations.
The responsible party for compliance will be the person or organisation in control of the premises for the event – e.g. an event organiser renting a site, or the venue owner if they are hosting the event.
In summary, Martyn’s Law casts a wide net: any business or body hosting crowds in public-facing premises – whether a nightclub, a sports ground, a place of worship, a shopping mall, a university campus, or a hospital – should examine if the 200/800 capacity criteria apply to them. If so, they will have formal duties under this new law.
Tiered security requirements: standard vs. enhanced duties

Martyn’s Law introduces a set of baseline security measures that all in-scope venues and events must implement, with additional requirements for larger venues under the enhanced tier. The obligations are defined “so far as reasonably practicable”, meaning each venue should take measures appropriate to its circumstances and resources (a principle borrowed from health & safety law). There is no one-size-fits-all solution, but the Act mandates certain planning and precautions as outlined below.
Standard Tier (200–799 capacity)
At minimum, duty holders must “notify” or register their premises with the regulator (SIA) and have in place appropriate public protection procedures. In plain terms, every venue in this tier needs to prepare a basic terrorism response plan covering how staff should act if an attack occurs on-site or nearby.
These procedures should address four key areas: evacuation (swiftly moving people out to safety), invacuation (sheltering people in a secure area on-site, if evacuation isn’t safe – essentially “locking down” the site), lockdown measures for the premises, and communication with people on the premises during an incident.
The focus at the standard tier is on practical planning and training rather than expensive physical upgrades. The law explicitly does not require installing new security equipment for standard-duty premises. Low-cost steps like developing an emergency action plan, training employees in those procedures, and conducting drills or briefings are the expected compliance measures. The idea is to foster a good security culture and preparedness, analogous to fire emergency planning, without imposing undue burden on smaller businesses.
Enhanced Tier (800+ capacity)

In addition to all the standard tier requirements, larger venues and qualifying large events must take extra steps proportionate to the higher risk. Enhanced-duty sites are required to implement “public protection measures” – tangible security measures to reduce the venue’s vulnerability to attacks and limit the impact if one occurs.
What these measures entail will depend on the venue, but examples could include enhanced CCTV monitoring of entrances, bag screening or metal detectors at entry, stricter access control, perimeter security improvements, or other protective technologies “so far as is reasonably practicable”.
Critically, enhanced-tier venues must also document their security preparedness: they will need to produce a written security plan or risk assessment report outlining the procedures and measures in place (or planned) to meet the Act’s requirements. This documented plan – essentially a terrorism security risk assessment and action plan – must be provided to the SIA regulator. It should include an evaluation of how the chosen measures will mitigate risks and reduce vulnerabilities at that site.
Furthermore, any organisation (other than a sole trader) that operates an enhanced-tier venue will be required to appoint a senior manager responsible for Martyn’s Law compliance. This designated person (for example, a Security Manager or a member of senior leadership) will ensure the business is fulfilling its duties under the Act.
In summary, the enhanced tier introduces a higher standard of proactive risk management: not only must venues have plans for responding to attacks, they also must take preventative security steps where reasonable and maintain accountability through documentation and leadership oversight.
All regulated premises will ultimately be accountable to the new regulator (the SIA) once the law is in force. The SIA will maintain a registry of in-scope venues (hence the notification requirement) and will have powers to monitor and enforce compliance. For serious or persistent failures, enforcement actions can include formal compliance notices, fines (monetary penalties), and even “restriction notices” that could impose limitations on how a venue operates. Certain offences under the Act may carry criminal liability as well.
However, the SIA’s stated approach is to support and guide businesses first and foremost, helping them reach compliance rather than punishing minor missteps. This regulatory stance mirrors other safety regimes – the goal is to work with venue operators to improve security standards in a constructive way, with penalties reserved for those who neglect their duties or wilfully refuse to comply.
Official guidance and best practices for compliance

Although the legal requirements won’t take effect until the implementation period ends, venues should use this lead time wisely to enhance their security preparedness. The government has made clear that detailed guidance will be rolled out during the next 24 months to help those affected understand exactly what to do.
Statutory guidance from the Home Office and SIA will clarify how to determine if your venue is in scope and, if so, what actions are expected at each tier. This means businesses will not be left to figure it all out alone – authoritative instructions and templates are on the way.
Importantly, you do not necessarily need to hire expensive consultants or invest in costly devices to get ready for Martyn’s Law. The law was designed so that most compliance steps (especially for the standard tier) can be carried out by the venue’s own management using free or low-cost resources. In fact, neither the Home Office nor NaCTSO (the National Counter Terrorism Security Office) endorses any specific third-party compliance products – instead, they advise relying on the upcoming official guidance to self-assess and implement needed measures.
What can venues do now? A number of best practices and resources are already available to bolster your security readiness ahead of the law’s commencement:
Leverage ProtectUK training and tools
The government’s platform ProtectUK provides a wealth of free counter-terrorism guidance, training courses, and advice for businesses.
Action Counters Terrorism (ACT) Awareness e-learning is one highly recommended resource – a free online training that gives staff basic awareness of terrorist threats and how to respond.
Similarly, the See, Check, and Notify (SCaN) programme offers training to help staff identify suspicious activity and understand how to report concerns.
These tools are officially sanctioned and easily accessible, making them an excellent starting point for venues to educate their workforce and develop a vigilant security culture.
Embracing such training now will put your team a step ahead when Martyn’s Law compliance becomes mandatory. As official guidance notes, developing “a good security culture” – where employees are alert, informed, and ready to act – is one of the most effective ways to enhance safety without significant cost.

Begin assessing your risk and procedures
Even before the formal guidance is issued, venues can take common-sense steps to prepare.
Evaluate your venue’s capacity and typical crowd size (this determines your tier) and identify who in your organisation would be the “responsible person” to lead security planning.
Conduct a preliminary risk assessment focusing on terrorism scenarios – consider how a threat might materialise at your site (e.g. an unattended bag, a hostile vehicle, etc.) and what vulnerabilities exist.
Review your current emergency plans: do you have procedures for evacuation or lockdown in a non-fire scenario? If you already conduct fire drills, think about expanding those protocols to cover other threats. Many venues are finding that Martyn’s Law planning aligns with existing safety practices – for instance, the concept of “reasonably practicable” measures is the same principle used in fire safety and health & safety regulations. This means you should integrate counter-terror planning into your overall risk management system, proportional to the risks you face.
Starting a dossier of potential security improvements (even simple things like training front-of-house staff to notice suspicious behaviour, or updating PA systems for emergency announcements) will be valuable when it comes time to formalise your Martyn’s Law compliance documentation.
Stay informed on official updates
Keep an eye on announcements from the Home Office, Security Industry Authority (SIA), and ProtectUK as the implementation phase progresses. These organisations will release further guidance, templates, and possibly sector-specific advice. For example, long-standing resources such as crowded places guidance and counter-terrorism protective security advice are now being refined into the new statutory framework.
Industry bodies in sectors like hospitality, retail, and sport are also likely to offer tailored materials and seminars to support their members through the changes.
At the same time, RiskSTOP is here to help businesses navigate the evolving landscape – offering practical insights, breaking down regulatory changes, and making risk management more accessible to everyone.
Engaging with these resources early will make the eventual compliance process far smoother.

Throughout this preparatory period, the emphasis is on being proactive and building confidence in your security measures. Many organisations have never had to formally address terrorism risk before, so it can seem daunting.
However, Martyn’s Law essentially requires sensible planning and awareness – not specialist expertise in counter-terrorism. By focusing on practical steps (training your staff, drafting emergency procedures, improving basic security hardware like locks or alarms if needed, etc.), you can significantly enhance your venue’s safety posture.
The official mantra is “proportionate security” – doing what is reasonable for your venue’s size and type. A small community theatre will not be expected to install airport-style scanners, but it should at least have a plan for ushering people to safety and locking doors in a crisis. A major stadium, on the other hand, will be expected to utilise more robust measures in line with its risk profile. Use the available guidance to gauge what’s appropriate for you.
Risk management implications
From a risk management perspective, Martyn’s Law represents a formalisation of security planning for extreme events. It makes terrorism risk a board-level issue that must be managed alongside other safety and business risks. For many venues, this will mean updating risk registers, policies, and training programmes to explicitly cover hostile threats.
The good news is that the approach mirrors established risk management practices – identifying hazards, assessing likelihood and impact, and implementing controls to mitigate harm “so far as reasonably practicable.” In effect, the Act compels businesses to treat terrorism preparedness with the same diligence as fire safety or occupational health and safety. This integrated approach ensures that protective security isn’t an afterthought but a core part of your operational resilience.
Businesses should view compliance not just as a tick-box legal exercise, but as an opportunity to genuinely improve safety and continuity. The potential stakes – preventing loss of life and severe disruption – are high. By developing solid response plans and risk-reduction measures, organisations can reduce the chance of catastrophic incidents and also improve their ability to respond effectively if the worst happens. This ties directly into business continuity planning: a site that can deal with a security threat quickly is likely to recover faster and protect its reputation.

Reputation management is a key consideration here – venues that visibly prioritise guest safety build trust, whereas a failure to plan for obvious threats could be seen as negligence. Indeed, part of the impetus for Martyn’s Law was to ensure no organisation is caught unprepared in a way that endangers the public. Ignoring these responsibilities could not only invite legal penalties but also cause immense reputational damage if an incident occurred that better preparation could have mitigated. Conversely, those who embrace the law’s requirements demonstrate corporate responsibility and duty of care, which can enhance their standing with customers, employees, and partners.
In practical terms, risk managers should start incorporating Martyn’s Law compliance into their 2025–2027 planning. This might involve cross-functional meetings (security, operations, HR, facilities) to assign tasks like developing the terrorism response plan, scheduling staff training sessions, and budgeting for any security upgrades deemed necessary.
It’s wise to also keep documentation of all these efforts – not only will that be required for enhanced tier venues (for submission to the regulator), but even standard tier venues should maintain records of training and procedures as evidence of compliance. Treat this as you would a regulatory compliance project (similar to complying with fire regulations or data protection laws), with clear owners and deadlines, but grounded in a very real safety outcome.
Many insurance providers and risk consultants are highlighting Martyn’s Law in their 2025 risk outlooks, since it will influence insurance requirements and liability considerations. Engaging with your insurers or risk advisors on this topic could provide additional insights; some insurers may offer risk assessments or training resources to support clients in meeting the new standards.
Finally, remember that security risk management is an ongoing process. Threats evolve, and so should your preparedness. Martyn’s Law will require venues to periodically review and update their procedures – it’s not a one-time checkbox. Risk managers should establish a cycle (e.g. annual or biannual reviews, or after major events) to revisit their terror threat assessment and ensure their protective measures remain effective and up to date. By embedding this continuous improvement mindset, compliance with Martyn’s Law can actually make your organisation more agile and resilient against a range of emergencies.
Next steps and support for businesses

With Martyn’s Law now passed and on the road to implementation, businesses should take advantage of the support and resources available to navigate these new obligations. The government and law enforcement agencies are actively working to guide industry through the transition:
Official advice channels
The Security Industry Authority (SIA), as the designated regulator, will be a primary source of help. The SIA is tasked with developing guidance and will have a dedicated function to “support, advise and guide those responsible for premises and events” in complying with the Act. We can expect the SIA to publish easy-to-follow instructions, FAQs, and possibly run outreach programmes or workshops as the enforcement date nears.
ProtectUK (the national counter-terrorism security hub) will continue to publish practical guidance, training, and news updates – their website already has a Martyn’s Law information hub and will be updated regularly.
Gov.uk will host all official factsheets, statutory guidance documents, and relevant legislation – checking the Home Office’s Martyn’s Law page periodically is advisable.
Many local authorities and police Counter Terrorism Security Advisors (CTSAs) are also preparing to assist venues in their regions, especially for smaller organisations that might need more hand-holding. Don’t hesitate to reach out to your local CTSA or police liaison for advice; they can often provide site security surveys or suggest improvements tailored to your venue.
Industry associations and peer networks
If you operate in a specific sector (e.g. retail, live music, sports, hospitality), tap into your industry bodies and forums. Associations are likely offering seminars or guidance notes on Martyn’s Law compliance specific to your context (for example, guidance for hotels versus schools may differ in focus).
Sharing knowledge with peers – what measures are others putting in place? – can generate helpful ideas and benchmark your efforts.
Building a network of security contacts (even informally, like neighbouring venue managers discussing plans) will make the journey less daunting. Remember, developing robust security is a collective effort, and many principles (like vigilance and emergency response) benefit from community-wide participation.
Supporting better risk management
At RiskSTOP, we believe that risk management should be for everyone – clear, accessible, and rooted in practical advice. While Martyn’s Law introduces new legal responsibilities, it’s also a reminder of the importance of proactive planning and a strong safety culture.
We understand that keeping up with evolving legislation can feel daunting, especially when it’s unfamiliar territory. That’s why we’re committed to breaking things down, sharing timely updates, and helping businesses of all sizes feel more confident in managing risk, whether that’s through everyday safety improvements or longer-term planning.
As you prepare for what’s ahead, we encourage you to sign up for the RiskSTOP newsletter. We’ll share useful insights on developments like Martyn’s Law, along with expert advice and resources to help you stay informed, compliant, and resilient, whatever your business size or sector.
Knowledge, awareness, and preparation remain your best tools in today’s risk landscape – and we’re here to make them easier to access.