Martyn's Law: Navigating the Terrorism (Protection of Premises) Act 2025

The Terrorism (Protection of Premises) Act 2025 - or Martyn's Law - represents a significant shift in how the UK approaches protective security in everyday places. It brings terrorism risk into the same management space as fire, first aid, and general health and safety.

For dutyholders, the message is clear - preparedness is no longer optional. By starting early, taking a proportionate approach, and integrating key duties into existing systems, you can ensure compliance with a stronger set of safety standards.

What is Martyn's Law?

The Act is named in memory of Martyn Hett, who was killed in the Manchester Arena attack in 2017. The subsequent public inquiry highlighted gaps in preparedness and protective security at publicly accessible venues - such as schools, places of worship, retail, hospitality, and entertainment spaces.

The core aim of the new law is to ensure that those who control or manage premises where the public gather take reasonable and proportionate steps to reduce the risk of harm from terrorist acts.

Rather than mandating heavy security measures everywhere, the Act is designed to be risk-based and scalable. Smaller, lower-risk venues will have simpler requirements than larger, higher-risk ones.

A note on timing and guidance

The Act includes a two-year transitional period before full enforcement is expected. This is intended to give organisations time to understand the new duties and put proportionate arrangements in place.

April 2026 saw the publication of the Home Office's statutory guidance and the Security Industry Authority's (SIA) draft Section 12 guidance. The interpretation and application of Martyn's Law is now much clearer. The SIA is currently consulting on its regulatory approach, which will be supportive, proportionate, and risk-based, while the Home Office guidance outlines the specific requirements that premises and event organisers must follow to comply with the Act.

The information in this article is based on the situation as of April 2026.

Who does the Act apply to?

The Act applies to responsible persons for qualifying premises and events. In simple terms, this is usually the person or organisation that has control of the premises in connection with its use (for example, the employer, owner, operator, or event organiser).

Qualifying premises

Premises will fall within scope if:

• They are publicly accessible, and
• They meet the relevant capacity thresholds set out in the Act.

Typical examples include:

• Retail premises and shopping centres
• Hospitality venues (restaurants, bars, hotels)
• Leisure and entertainment venues
• Visitor attractions
• Transport hubs
• Educational and healthcare settings

Qualifying events

The Act also applies to certain public events that are:

• Open to the public (or a section of the public), and
• Taking place at a venue or in a space where the organiser has control.

This can include concerts, festivals, sporting events, exhibitions, and similar gatherings.

The two tiers of duty

The Act introduces a tiered system based on the size and nature of the premises or event.

1. Standard Tier (200-799 persons)

For premises and events that meet the lower threshold, the duties focus on:

• Assessing the risk of a terrorist attack
• Implementing simple, practical procedures to reduce that risk
• Ensuring staff know what to do in the event of an incident

These measures are intended to be straightforward and proportionate, such as:

• Lockdown procedures
• Evacuation arrangements
• Communication plans
• Basic staff awareness training

Most standard tier premises won't need to install additional physical security measures.

2. Enhanced Tier (800 or more persons)

Larger or higher-risk sites will have more extensive duties, including:

• A detailed terrorism risk assessment
• A security plan setting out prevention, protection, and response measures
• Appropriate training for staff and contractors
• Ongoing review and testing of arrangements

Enhanced tier dutyholders will need to consider physical security, access control, and liaison with police or local authorities as part of their approach.

Core duties under the Act

While the level of detail varies by tier, the underlying principles are the same.

1. Risk assessment

Dutyholders must assess the risk of terrorist acts occurring at their premises or event and the risk of physical harm to people if an attack were to take place.

This is not about predicting specific plots. It is about understanding:

• The type of venue you operate
• How people enter, move around, and leave
• Where vulnerabilities may exist

2. Proportionate measures

Organisations must put in place reasonably practicable measures to reduce risk. These should be:

• Suitable for the type and size of the premises
• In proportion to the level of threat
• Integrated into existing health and safety and emergency arrangements

3. Staff training and awareness

Staff are often the first to notice unusual behaviour or respond in an emergency. The Act requires:

• Clear instructions for staff on what to do in the event of a terrorist incident
• Training that is appropriate to their role and responsibilities

4. Incident response planning

Dutyholders must have plans for responding to:

• Attacks on or near the premises
• Suspicious activity
• Threats or intelligence relating to the site

Plans should cover communication, evacuation, lockdown, and liaison with emergency services.

Regulation and enforcement

The Security Industry Authority (SIA) has been established as the official regulator to oversee compliance with Martyn's Law. The SIA has powers to:

• Request information
• Issue compliance or restriction notices
• Impose financial penalties for non-compliance

The SIA have said that it will act as a supportive regulator focussed on improving standards rather than punishment, particularly in the early stages of implementation. However, failing to engage with their duties could lead to enforcement action (e.g. notices and fines) and reputational damage.

What businesses should be doing now

Even before formal enforcement begins, you should take steps to prepare. Key actions include:

• Identifying whether your premises or events fall within scope
• Clarifying who the responsible person is within your organisation
• Reviewing existing risk assessments and emergency plans
• Embedding terrorism risk into your wider health and safety management system
• Planning staff training and awareness activity

For many businesses, this will not require starting from scratch. It will involve building on existing fire safety, emergency planning, and security arrangements.

How Opus can help

The Terrorism (Protection of Premises) Act 2025 doesn't require you to become a security expert - but it does require you to be prepared. Opus Safety can support you in meeting your duties under Martyn's Law, providing practical, proportionate solutions aligned with everyday operations.

We focus on the management, people, and process side of compliance - helping you build sensible arrangements that work in the real world. Our support includes:

• E-learning and staff awareness training - Clear, role-appropriate training so your people understand what the Act means and what to do in an incident.
• Terrorism risk assessment support - Helping you assess your premises or events in a structured, proportionate way.
• Response plans and policies - Drafting practical procedures for evacuation, lockdown, communication, and incident management that integrate with your existing health and safety systems.

If you already have fire, emergency, and health and safety arrangements in place, we help you build on them rather than reinvent them.

Get in touch to talk about e-learning, risk assessment support, and response planning for your premises or events. We're waiting to help on 0330 043 4015 or email hello@opus-safety.co.uk.