The clock is ticking. The Terrorism (Protection of Premises) Act received Royal Assent on 3 April 2025. After a minimum 24‑month implementation period, the law, better known as Martyn’s law, becomes mandatory from Spring 2027. The UK’s terror threat level remains “substantial”, meaning an attack is likely.
Named in memory of Martyn Hett, one of 22 victims of the 2017 Manchester Arena attack, the Act places a legal duty on tens of thousands of public venues and events across England, Wales, Scotland and Northern Ireland. The Security Industry Authority (SIA) has been confirmed as the regulator, with preparations well underway for the Spring 2027 go‑live date.
This article explains what is martyn’s law, who is affected, the two‑tier system of security obligations, the timeline for action, the penalties for non‑compliance, and the practical steps Martyn’s Law guidance provides for those who fall within scope. It also answers commercial questions about event security management, crowd management security, and event access control.
Table of Contents
Quick Facts: Martyn’s Law at a Glance
| Aspect | Detail |
| Royal Assent | 3 April 2025 |
| Implementation period | Minimum 24 months |
| Expected commencement | Spring 2027 |
| Regulator | Security Industry Authority (SIA) |
| Standard tier | 200–799 people |
| Enhanced tier | 800+ people |
| Estimated premises affected | ~155,000 standard tier, ~25,000 enhanced tier |
| Max fine | £18 million or 5% of global turnover |
| Regulator’s approach | Supportive, proportionate, risk‑based |
Key Dates: When Martyn’s Law Takes Effect
3 April 2025: Royal Assent granted. Martyn’s law is now on the statute book, but the new duties are not yet enforceable.
10 April 2026: Section 27 of the Act (which provides the power to issue statutory guidance) is commenced.
15 April 2026: The Home Office publishes final Martyn’s law guidance under section 27, laying it before Parliament. The SIA simultaneously launches a public consultation on its draft section 12 statutory guidance, which sets out how the regulator will exercise its powers. The consultation closes on 12 June 2026.
Spring 2027 (expected): Martyn’s Law is expected to commence. Legal duties become enforceable, and the SIA’s regulatory function becomes operational.
The Home Office has confirmed a minimum 24‑month implementation period. The Martyn’s Law guidance was deliberately published in advance of commencement to allow organisations to familiarise themselves with the requirements and begin planning proportionately.
What this means for you: There is no legal obligation to comply until Spring 2027. However, the guidance is available now. The Government strongly advises against using third‑party providers who claim they can make premises compliant. At this stage, no third‑party product is endorsed by the Home Office or the SIA. Waiting until the last minute is not a strategy.
Who Is Affected? Scope of the Act
Martyn’s Law applies to qualifying premises and qualifying events.
Qualifying premises include any building or site wholly or mainly used for specific purposes: shops, bars, pubs, restaurants, hotels, healthcare, education, childcare, entertainment venues (nightclubs, theatres, cinemas), halls, leisure centres, sports grounds, libraries, museums, galleries, transport stations, visitor attractions, and places of worship. The hospitality sector alone includes a wide range of premises, from pubs and nightclubs to hotels and event spaces, all of which will need to assess their standing.
Qualifying events are publicly accessible events where 800 or more individuals may be present at the same time, with measures in place to check tickets or control entry.
Staff count towards capacity. The Act requires those responsible to use a “pragmatic assessment” of capacity, for example, fire safety occupancy limits, peak trading data, or the venue’s physical format.
If your premises host more than 200 persons (including staff) on occasion, even perhaps only at Christmas, the threshold is likely met and will require action.
The UK Hospitality guidance is clear that while many premises may not reach the 200 threshold on a typical day, they need to consider occasional peaks. Exclusions are listed in Schedule 2 of the Act and include certain open‑air premises (parks, gardens, sports grounds that are not designated) and premises already covered by transport security legislation.
The Two‑Tier System: Know Your Duty
Standard Tier (200–799 people)
Requirements:
- Notify the SIA that you are the responsible person.
- Have in place, so far as reasonably practicable, appropriate public protection procedures covering evacuation, lockdown, and communication.
- Ensure staff are familiar with these procedures and can implement them rapidly.
What this looks like in practice: Activities could be as simple as identifying safe escape routes, locking doors or closing shutters, and ensuring staff know how to quickly communicate with customers in an emergency.
Key points:
- No mandatory physical security measures (metal detectors, bollards, bag searches).
- No statutory requirement to document procedures (though the Government and SIA recommend keeping records as good practice).
- “Reasonably practicable” is a concept familiar from health and safety and fire safety law. It requires the responsible person to weigh what can be done to achieve the objectives of procedures against the cost, time and difficulty of implementation.
- The UK Government estimates that, for a typical venue in this tier, compliance will cost around £330 per year.
Enhanced Tier (800+ people)
Requirements:
- All standard tier requirements apply.
- Implement appropriate physical measures to reduce vulnerability to terrorist attacks, so far as reasonably practicable, for example, bag search policies, CCTV coverage, entry screening, vehicle checks, or other monitoring.
- Appoint a designated senior individual with responsibility for compliance.
- Document the public protection procedures and measures in place (or proposed), and provide this document to the SIA.
- Conduct risk assessments.
- Keep measures under review.
Examples of appropriate physical measures: Bag search policies, CCTV or other monitoring, vehicle checks where appropriate, access control systems, lockdown capabilities, and effective lighting.
Key points:
- Directors of enhanced-tier premises face significantly greater risk of prosecution for serious breaches.
- Enhanced tier premises must document their security plan and submit it to the SIA.
- A designated senior individual must have responsibility for compliance.
The distinction between tiers is clear: the standard tier means think and plan; the enhanced tier means build and prove.
Public Protection Procedures: Evacuation, Invacuation, Lockdown, Communication
The Act focuses on outcomes, not prescriptive processes. Organisations can tailor their plans to their specific premises.
The four core procedures are:
- Evacuation: Moving people out of the building to a place of safety.
- Invacuation: Moving people to a safe internal area, such as a staff room or restaurant, away from danger.
- Lockdown: Securing the premises against attackers, including locking doors, closing shutters, and securing entry points.
- Communication: Ensuring staff can quickly warn customers and call for help during an incident, using PA systems, radios, or digital alerts.
For many businesses, existing health and safety and fire safety arrangements can align with the Act’s requirements. The Home Office has emphasised that no organisation needs to buy specialist third‑party products or consultancy services to comply.
For enhanced tier premises, CCTV plays multiple roles: deterrence (visible surveillance makes the premises a less attractive target), detection (identifying unusual behaviour or unauthorised access), response and investigation (supporting rapid situational awareness), and documentation of compliance.
Physical Security Measures for Enhanced Tier Venues
Enhanced-tier premises and qualifying events must take reasonably practicable steps to reduce their vulnerability to terrorist attacks.
Examples of effective physical measures include:
- CCTV coverage: Strategic placement at entry/exit points, crowd pinch‑points, and high‑traffic corridors.
- Bag search policies: Random or targeted screening at entry points.
- Access control: ID‑based systems, fob entry, static guarding at key points, or security checkpoints to restrict access to authorised personnel.
- Vehicle checks and mitigation: Physical barriers, bollards, or vehicle checks where appropriate.
- Instant lockdown capability: Electronic locks that can be triggered from central control points or via mobile access.
- Effective lighting: Bright, consistent lighting eliminates blind spots and supports surveillance.
- Emergency alerts and sound systems: PA systems, alarms, or digital signage to guide people quickly and calmly during an emergency.
Many of these measures require professional event security services from an SIA‑approved contractor. That’s where licensed SIA guards, crowd management security, and event access control specialists come in.
Whether you need bag screening at a concert, entry monitoring at a conference, or CCTV and vehicle checks at a sports stadium, working with an SIA‑approved contractor ensures your security measures are lawful, proportionate and effective. The SIA’s role as regulator for Martyn’s Law complements its existing role licensing security operatives, so SIA‑approved contractors are already aligned with the professional standards the Act expects.
Licensing Implications of Martyn’s Law
The Act makes amendments to the Licensing Act 2003 and the Licensing (Scotland) Act 2005. New licence applicants will be required to provide a detailed security plan to the local licensing authority. A less‑detailed public version must also be provided, withholding sensitive security information that could be used to assist terrorist activity.
Local authorities are already beginning to discuss how Martyn’s Law will integrate with their licensing policy statements. Existing licensees should expect additional scrutiny during future licence reviews or variations.
Enforcement and Penalties
The Security Industry Authority (SIA) is the regulator for Martyn’s Law. The regulator has confirmed that its approach will be supportive, proportionate and risk‑based, driven by public protection objectives.
The SIA’s regulatory powers include:
- Power to obtain information and conduct inspections (with or without notice).
- Power to assess compliance documents submitted by enhanced-tier premises.
- Power to issue compliance notices requiring corrective measures.
- Power to restrict or halt a venue’s operations.
- Power to levy civil penalties and, in serious cases, refer for criminal prosecution.
The regulator has already designed a new organisational structure with over 100 operational posts dedicated to Martyn’s Law, covering guidance, notifications, compliance casework, inspections, and enforcement. Inspectors will be regionally based, with most office roles located in a new SIA hub in Manchester.
Penalties for non‑compliance:
- Fixed penalties: Up to £10,000 for standard tier breaches.
- Fines: Up to £18 million, or 5% of worldwide revenue (whichever is greater) for serious enhanced tier breaches.
- Daily penalties: Up to £50,000 for continuing non‑compliance.
- Restriction or closure notices: The SIA can limit or halt a venue’s operations until compliance is achieved.
- Criminal proceedings: Possible for persistent non‑compliance, particularly affecting directors of enhanced tier premises.
The SIA will initially adopt an advisory‑first approach, giving venues and events the chance to get compliance right before enforcement begins. The regulator will highlight good practice, advise on shortcomings, and conduct “deep dives” into compliance issues where necessary.
How to Prepare: Practical Steps for Venues (Checklist)
Step 1 – Determine if you are in scope: Assess whether your premises or events may host 200+ or 800+ people. Use fire risk assessment, maximum capacity, peak trading data, or venue format as a pragmatic guide.
Step 2 – Identify your responsible person: The person who controls the premises (owner, occupier, tenant, or facility manager) holds legal responsibility and cannot delegate it. However, they may delegate tasks to others.
Step 3 – Review existing emergency procedures: Fire drills, evacuation plans and security protocols can often be adapted. Many venues already meet many of the requirements due to existing health and safety legislation.
Step 4 – Assess security gaps for the enhanced tier: Consider whether you need CCTV, bag search policies, access control, or vehicle checks. For venues in Scotland, working with a security company in Glasgow that understands local licensing and policing arrangements can streamline compliance.
Step 5 – Designate a senior individual (enhanced tier only): Directors or partners with high‑level responsibility must be identified. They will face a greater risk of prosecution if a breach occurs.
Step 6: Begin staff awareness and training. Free resources, including the ProtectUK website, provide counter‑terrorism awareness content that can be integrated into existing staff training programmes.
Step 7 – Document everything (enhanced tier – mandatory): The SIA will require a compliance document once the notification system is built.
Step 8 – Engage with the SIA consultation: The consultation on draft section 12 statutory guidance is open until 12 June 2026. Organisations can comment on the clarity and practicality of the proposed regulatory approach, a direct opportunity to influence how the Act will work in practice.
FAQs – Martyn’s Law
1. How soon must my venue be compliant by?
Martyn’s Law is expected to commence in Spring 2027. However, the guidance is available now. Start planning immediately, don’t wait.
2. How do I calculate my venue capacity?
Use a pragmatic assessment: fire safety occupancy limits, peak trading data, or site capacity. Staff count towards the total. If you host 200+ on occasion (e.g., Christmas), the threshold is met.
3. Are there grants to help with compliance costs?
No specific grants have been announced. However, for standard-tier premises, compliance costs should be low; the UK Government estimates that they are around £330 per year for a typical venue.
4. Does Martyn’s Law apply in Scotland and Northern Ireland?
Yes, the Act applies UK‑wide, including Scotland, Northern Ireland and Wales. Licensing amendments have been made to the Licensing (Scotland) Act 2005.
5. Do temporary or pop‑up events fall under the Act?
Yes, if an event is publicly accessible and 800+ people may be present, with measures to check entry conditions (e.g., tickets), it qualifies. Organisers must comply with enhanced tier requirements.
6. What security measures should I prioritise for an 800+ venue?
CCTV coverage, bag search policies, ticket checks, access control and vehicle screening are typical baseline measures. For large venues like the SEC Centre, the Hydro, or major conference centres, you also need dedicated crowd management security to prevent ingress bottlenecks.
7. Can I outsource my security obligations to a contractor?
No, the responsible person (venue owner or operator) retains legal responsibility. You can delegate tasks, but not accountability.
8. What happens if I don’t comply?
Fines up to £18 million, daily penalties, restriction notices, and, in serious cases, criminal prosecution for directors of enhanced tier premises.
9. How does the SIA plan to enforce Martyn’s Law?
The SIA will take a supportive, proportionate and risk‑based approach. Enforcement will be advisory‑first initially, giving venues the chance to comply before formal enforcement action begins.
10. What should we do about the SIA consultation?
The consultation on the SIA’s draft regulatory guidance closes on 12 June 2026. Businesses and organisations affected by the Act are strongly encouraged to respond, commenting on whether the guidance is clear, workable and proportionate. This is a direct opportunity to shape how the law will be enforced in practice.
Act Now, Not in April 2027
Martyn’s Law represents the most significant change to UK public safety legislation in a generation. It will affect over an estimated 155,000 standard-tier premises and 25,000 enhanced-tier premises across the country. The Martyn’s law guidance is available. The SIA consultation is open until 12 June 2026. The clock runs until Spring 2027.
The guidance is deliberately published well in advance of commencement, giving organisations time to prepare without the pressure of immediate enforcement. The Government has been clear: no third‑party products are endorsed, and standard tier compliance is designed to be low‑cost and accessible.
Don’t wait for the commencement date. Review your premises, understand your tier, and begin integrating protective security into your operations. Whether you need event security management, event access control, CCTV solutions, or a full crowd management security strategy for a large venue, now is the time to act.
Business Security You Can Rely On
Trusted by leading businesses nationwide for reliable, 24/7 protection.
or call 0330 912 2033
