Regulatory and compliance

Martyn's Law introduces new security measures for public premises and events in the UK

Published on 28th April 2025

Two-year implementation period for businesses to prepare, with further guidance from regulator expected

Surveillance camera

The Terrorism (Protection of Premises) Act 2025, also referred to as "Martyn's Law", received Royal Assent on 3 April 2025. It introduces new obligations for those in control of certain premises or events accessible to the public to mitigate the risk of injury in the event of terrorist attacks and, for some, a duty to reduce their vulnerability more broadly to an act of terrorism.

The Act is the government's legislative response to the protect duty public consultation which ran from February to July 2021. The "protect duty" was championed by Figen Murray, whose son Martyn Hett was tragically killed in the 2017 Manchester Arena attack. 

It seeks to enhance security measures at certain premises and events where large numbers of members of the public can be expected to gather, with the aim of mitigating injury in the event of terror attacks and, for what are known as "enhanced duty" premises and events, to reduce their vulnerability to an act of terrorism. It establishes a tiered approach where the steps required to be taken depend on the number of people in attendance and the type of premises or event.

Businesses across the UK have a two-year period to implement these counter-terror duties, which will then take effect on 3 April 2027. During this time, further guidance from the regulator, the Security Industry Authority (SIA), is expected to be published.

Which events and premises are in scope of the Act?

The Act applies to "qualifying premises" and "qualifying events".

Qualifying premises are defined as buildings, or other land, where 200 or more people can reasonably be expected to gather on the premises in connection with one of the purposes specified in Schedule 1 of the Act. 

Schedule 1 of the Act is broad, and covers a wide range of premises which will be caught, including (but not limited to) shops, restaurants, entertainment and leisure centres, libraries, hotels, hospitals, bus and railway stations, and education facilities.

The final drafting of the Act differs to earlier versions in that office spaces are no longer explicitly excluded from its scope. Instead, whether office premises fall within scope of the Act will depend on whether they meet the definition of qualifying premises. This is likely to avoid confusion where a qualifying premises contains space used both for a Schedule 1 purpose and office space, for example a retail store with office rooms at the back.

Schedule 2 sets out premises that are excluded from the Act's provisions, including parliamentary buildings; parks and open air recreation grounds; and transport premises already subject to existing legislative security requirements such as airports, national rail and underground premises, international rail premise, and port facilities.

An event is considered a qualifying event if it is held at premises that consist of a building, other land, or a combination of both, and is not already classed as a qualifying premises. To be caught by the legislation, members of the public must have access to the event and it has to be anticipated that at some point during the event, 800 or more individuals will be present. Other requirements to define an event as a qualifying event is that attendees have paid for access, possess tickets or passes, or are members or guests of a club, association, or similar body.

Events excluded from the requirements are listed in Part 2 of Schedule 2, including those held at places of worship, schools, and certain childcare facilities.

The government's factsheet provides further examples of qualifying events. Corporate events that are held at premises not already considered qualifying premises under the Act, where 800 or more people are expected to attend and where entry will be ticketed (even if ticketing is merely registering for a free event), will fall within scope of the Act's duties.

Security measures for standard duty premises

Standard duty premises are those where 200-799 people can reasonably be expected to be present at the same time in connection with a Schedule 1 use.

The Act imposes specific public protection procedures on the responsible person for standard duty premises. These procedures include evacuating individuals, moving them to safer areas, preventing entry or exit, and providing information during suspected acts of terrorism. The objective is to reduce the risk of physical harm to individuals if an act of terrorism occurs.

Security measures for enhanced duty premises and events

Enhanced duty premises are those where 800 or more people can reasonably be expected to be present from time to time in connection with a Schedule 1 use.

Enhanced duty events are those where 800 or more individuals can reasonably be expected to be present at the same time in connection with the event (events are only ever enhanced duty, there is no provision in the Act for "standard duty" events).

Both enhanced duty premises and events have additional duties to the public protection procedures detailed above. Those include:

  • keeping public protection measures under review, and updating those as necessary;
  • implementing measures to reduce vulnerability to an act of terrorism and the risk of physical harm to individuals if an attack was to occur there or nearby. These measures include monitoring the premises or event, controlling the movement of individuals, ensuring physical safety and security, and safeguarding information related to the premises or event; and
  • documenting compliance, including statements of procedures and assessments of their effectiveness in reducing vulnerability and risk. These must be submitted to the SIA.

Who is responsible for ensuring compliance?

A "responsible person" must ensure that the relevant obligations are met for the premises or event.

For premises, the responsible person will be the person who has control of the premises. This will likely be the premises operator.

For events, the responsible person is the person who has control of the premises where the event is held.

The responsible person must notify the SIA when they become responsible for the event or premises.

If the responsible person for an enhanced duty premises or event is not an individual, they must appoint a designated senior individual, such as a director or partner, to act as the responsible person.

Penalties for non-compliance

The SIA has powers under the Act to issue compliance notices and restriction notices for non-compliance, which could limit a business' ability to operate (for example, if a hotel was restricted from operating as a wedding venue for a specified period).

The SIA can also issue substantial monetary penalties, with fines reaching up to £18 million or 5% of worldwide revenue, whichever is higher, for enhanced duty premises and events.

Daily penalties may also be imposed for continued non-compliance after the specified period for payment of the non-compliance penalty, reaching up to £50,000 per day for enhanced duty premises and events.

Further guidance detailing how the regulator will use these enforcement powers is expected to be published and affected businesses should give consideration to how they interact with the regulator to limit the risk of any enforcement action (in addition to compliance with the new legislation's requirements).

Osborne Clarke comment

The new duties introduced by the Act are extensive, covering premises and events in sectors such as entertainment, hospitality, retail, healthcare, and education, and can be expected to affect a number of businesses.

While we expect many larger venues (such as arenas) or events (such as large music festivals) may already be mature in their approach to security and risk management, there are likely to be requirements on all businesses requiring some change.

In many scenarios, we anticipate there to be contractual chains with businesses operating alongside a responsible person under the Act. This will require planning and thought to ensure there is appropriate cooperation and coordination, similar to the requirements applying to fire safety and occupational health and safety.

The published guidance will be useful to businesses navigating these new measures and should help to provide further clarity on how to ensure compliance. Further guidance to be published by the SIA should provide insight into the regulator's expectations on how businesses can demonstrate compliance with these new duties.

With two years until implementation, now is a good time for businesses to start familiarising themselves with the legislation and preparing policies and procedures in relation to it. Early preparation and proactive measures will be key to ensuring compliance, mitigating risk and ensuring public safety.

Share
Related articles
Robotics at a global regulatory crossroads: compliance challenges for autonomous systems
03/04/2025 4 mins
How is the UK regulatory landscape set to change?
27/03/2025 12 mins
Court of Appeal rules on duty to clarify tender submissions with bidders in UK public procurement
21/02/2025 7 mins
New NPPS sets out 'value for money' message for UK public procurement
14/02/2025 4 mins
Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up