Martyn’s Law: An update following final statutory guidance

Picture of Nathan Peacey

By Nathan Peacey, Tamzin Robson, Elin Bebbington

23 Apr 2026 | 5 minute read

On 15 April 2026, the UK Home Office published its statutory guidance relating to the Terrorism (Protection of Premises) Act 2025, commonly referred to as 'Martyn's Law' (the "Act") in recognition of Martyn Hett - one of the 22 victims of the Manchester Arena attack in 2017. The guidance follows extensive consultation with stakeholders and reflects feedback received throughout that process, which closed in June 2025.

The Act represents a significant step in strengthening public protection measures at large events and premises open to the public. Whilst the Act has received Royal Assent and has been through the consultation process, the UK Government intends for there to be an implementation period of at least 24 months, from 3 April 2025. Therefore, active regulation is expected in Spring 2027. Our earlier commentary on Martyn’s Law is available here.

The finalised guidance does not change or alter the venues impacted. The thresholds for Standard Tier and Enhanced Tier (an important distinction for determining the level of responsibility attributed to the venue and its staff) remain:

  • Standard Tier: those with a capacity between 200 and 799; and
  • Enhanced Tier: those with a capacity of 800 or more.

Capacity is assessed by reference to whether there is a reasonable expectation that the relevant number of individuals may be present on the premises at the same time, having regard to the nature and use of the premises. The figure must include staff / workers working at the premises / event. A supplementary document to the guidance explains how the capacity could be calculated for example, by reference to safe occupancy for fire safety purposes, historic attendance data, or any other justified means of calculation.

It is also important to note that Martyn's Law operates alongside, and does not supersede other legislation. All other legislation must continue to be complied with.

What businesses need to prepare for

The baseline duties and requirements that apply to all qualifying premises and events (i.e. both those in the Standard and Enhanced Tiers), include:

1. Implementation of public protection procedures – to reduce the risk of physical harm caused to individuals if an act of terrorism were to occur and should include evacuation, invacuation, lockdown and communication plans/actions.

2. A requirement to co-ordinate - with the responsible persons at other premises/events.

3. An obligation to notify the Security Industry Authority (SIA) – as the regulator under the Act, when they become responsible for a qualifying premises / event and when they cease to be responsible.

Requirements for Enhanced Tier premises / events include the duties listed at 1-3 above, and:

4. Additional considerations for public protection procedures – given the larger or more complex nature of the premises / event. Procedures must be appropriate to the scale and nature of the premises / event and must be kept under review. Organisations may wish to consider increased monitoring and/or monitored CCTV system, for greater situational awareness, and build in set review processes.

5. Public protection measures – being actions, planned in advance, to be implemented to keep individuals safe in the event of a suspected or actual terrorist attack. These measures relate to monitoring, movement, physical safety and security, and security of information. Organisations may also wish to consider measures to reduce the vulnerability of the premises / event as part of this obligation. The UK Government has also provided a non-exhaustive example list of public protection measures in the latest guidance.

6. Documenting compliance – recording a statement setting out the public protection procedures in place, a statement setting out the public protections measures in place, and an assessment as to how the public protection procedures / measures are expected to reduce the risk of physical harm if a terrorist attack were to occur.

7. A requirement to co-ordinate and co-operate - with the responsible persons at other premises/events and with the Act.

8. Designate a senior individual – where the responsible person for the Enhanced Tier premises / event is an organisation.

SIA Enforcement

Once the prvisions are in force, the SIA will have powers to authorise individuals to inspect premises and events, to obtain information and determine whether the responsible persons are complying with the requirements and legal duties under the Act. The SIA's authority includes, but is not limited to, powers to:

  • access premises and events to conduct inspections - typically on 72 hours notice;
  • gather information - typically by issuing a notice requiring information relating to security to be shared;
  • issue compliance notices - requiring the recipient to comply with specified requirements within a set period;
  • issuing restriction notices – to the responsible person of Enhanced Tier premises / events requiring compliance with specified prohibitions or restrictions within a set period;
  • issue penalty notices – by way of a financial penalty for filing to meet the requirements under the Act;
  • issue a non-compliance penalty – for failure to comply with a previously issued notice, requiring attendance at an interview and which can carry a maximum penalty of £10,000 (for Standard Tier) and, the greater of, £18m or 5% of global revenue (for Enhanced Tier);
  • issue daily penalties – where a penalty notice is given for contravention of a compliance notice or a restriction notice, the penalty notice may also require the person to pay daily penalties, for each day on which the contravention continues after the deadline for payment of the non-compliance penalty; and
  • refer serious cases of non-compliance for prosecution as a criminal offence.

The SIA have released their draft enforcement guidance and it is currently open for consultation.  

Key takeaways

While Martyn’s Law is not yet in force, the statutory guidance makes clear that organisations should begin preparing now. Practical early steps comprise of assessing venue capacity to determine whether standard or enhanced tier duties are likely to apply; identifying the responsible person(s); and undertaking targeted risk assessments to understand site‑specific security and terrorism risks.

Organisations should also review and, where necessary, strengthen their security and emergency response arrangements. This includes developing proportionate security protocols, training staff, ensuring effective evacuation and crowd‑management measures are in place, and establishing clear communication processes so that concerns can be promptly reported and addressed. First aid provision should also be revisited to ensure regulatory compliance and resilience in the event of a serious incident.

Finally, preparation should not be treated as a one‑off exercise. Security measures and emergency plans will need to be kept under regular review to reflect evolving threats, operational changes and further regulatory developments.

Contact a member of our specialist Regulatory team to further discuss Martyn’s Law, its impact, and how we can support your organisation.

Get in touch

Related

View all