Spotlight on the new act at UK venues

Big performance: the new law sets out additional measures for venues with a capacity of 800-plus

Over 129 pages, this outlines what owners of premises – or organisations that hold an event that more than 200 people attend – need to know to comply with the legislation. The law gained royal assent in April 2025, but is only due to come into force next April.

The need for Martyn’s Law is clear. The Manchester Arena terrorist attack on 22 May 2017 claimed the lives of 22 people, including Martyn Hett, after whom the legislation is named. Hundreds more suffered either physical or psychological injuries.

According to the Home Office, since the start of 2020, MI5 and the police have disrupted 19 late-stage attack plots and intervened in many hundreds of developing threats.

In the 12 months since the law was passed, the guidance has been compiled to help businesses and event organisers understand their responsibilities.

Martyn’s Law is built around the simple idea of being prepared
Oliver Rutt, The Keyholding Company

Martyn Hett’s mother Figen Murray, who campaigned for the new law to be introduced, says: “The document enables most people to become Martyn’s Law compliant because you should have the information that you need to finalise preparations at your premises, venues and events.”

Alongside the guidance, the government body overseeing the new regime, the Security Industry Authority (SIA), is running a consultation until 12 June outlining practical measures venues and organisers can take, and double-checking with the industry whether the guidance is clear enough to put into practice.

‘Clear, sensible plans’

Although the new law looks daunting, the advice to operators from many consultants and legal advisers is not to panic. “Martyn’s Law is built around the simple idea of being prepared,” says Oliver Rutt, head of risk consultancy at security services firm The Keyholding Company.

“It’s not asking organisations to install complex security systems. It’s about having clear, sensible plans so people know what to do if something happens. For most organisations, a lot of this is already going to be in place through health and safety, fire safety and existing security processes. Martyn’s Law builds on what you already do. It’s not asking you to start from scratch.”

The legislation has a standard compliance tier for premises with a capacity of between 200 and 799 people, including staff, and an enhanced compliance tier for higher-capacity venues (see below).

For the enhanced tier, organisations must demonstrate what procedures and measures are in place, how they reduce risk, why particular decisions were taken and how staff are trained and tested. This information must be submitted to the SIA and updated promptly when material changes are made to the venue.

Rob Walley, founder and managing director of events consultancy Controlled Events, says: “Many venues and events already have elements of this information, but it is often fragmented across safety files, event management plans, fire risk assessments, contractor documentation and informal operational knowledge.

“Martyn’s Law effectively requires this to be drawn together into a coherent, defensible compliance position.”

Security overhaul: Martyn’s Law was passed in response to the Manchester Arena attack in 2017

He adds: “Poor documentation creates a real risk. An organisation may believe it is doing the right things, but if it cannot provide evidence [of this] clearly and coherently, compliance may not be accepted. At the same time, documentation itself becomes sensitive. Detailed descriptions of security arrangements, layouts and vulnerabilities must be protected from unauthorised access to avoid creating new risks.”

Another key requirement of the new law is for owners of premises to identify a ‘responsible person’ (RP), which the guidance defines as the individual or organisation with control over the premises for its principal use.

Priscilla Addo-Quaye, legal director at law firm Addleshaw Goddard, says operators should review lease, licence and management agreements to determine if they – and/or any relevant third parties – are RPs under the act.

This becomes particularly important in premises with multiple occupants, such as shopping centres or multi-let buildings including flexible offices.

“The guidance highlights the need for co-ordination and co-operation between RPs, such as aligning evacuation and lockdown procedures to ensure effective protection and compliance,” she says. “How co-operation works in practice will depend on the particular circumstances and arrangements, including any contractual terms in place.

“For example, if an RP determines that additional physical security [such as concrete planters to guard against vehicle attacks] is required, but permission is needed from a freeholder under a lease, the freeholder must co-operate so far as is ‘reasonably practicable’.”

The definition of reasonably practicable will require assessment of the objectives of public protection, balanced against the cost, time and difficulty involved, mirroring the approach under the Health and Safety at Work Act 1974.

This establishes minimum legal standards across a broad range of premises
Priscilla Addo-Quaye, Addleshaw Goddard

Walley points out that the test of what is reasonably practicable is one of the most challenging concepts in the new guidance and says the burden sits with the RP to demonstrate why certain measures have not been implemented. “In practice, this will depend heavily on context,” he adds.

“The same control may be reasonably practicable for one organisation and not for another, depending on the risk profile, physical environment and available alternatives.

“What is clear is that simple assertions of affordability will not be sufficient. Decisions must be reasoned, documented and aligned with what a reasonable organisation in the same position would do.”

A Home Office impact assessment published in September 2024 estimated that out of almost a million sites and premises across the UK, 176,891 would be affected by Martyn’s Law, with a cost to organisations, owners and operators of £87.6m to £701.8,
and a central estimate of £267.9m in the first year only.

The Home Office also broke down the internal costs for management and staff time at standard-tier premises as £330 per year and £5,210 per year for enhanced-tier premises.

Proportionate requirements

The new guidance outlines clear legal duties, but also proportionate requirements for operators. These include explaining how to improve organisational preparedness and protective security.

Operators of qualifying premises and events are required to take practical steps to reduce vulnerabilities and protect the public, irrespective of whether a terrorist attack is considered likely at their site.

“The act assumes an attack could occur anywhere, so requirements are not based on risk assessments of likelihood at specific locations,” Addleshaw Goddard’s Addo-Quaye says. “The intention is to place protective security on the same footing as health and safety or fire safety, establishing minimum legal standards across a broad range of premises.”

For companies, the biggest question is working out how to ensure they are compliant before the enforcement regime kicks in next year. While this has led to claims that organisations may need staff to undergo costly training programmes, this may not be the case, especially for lower-tier premises.

In its updated summary of the new law, the Home Office states that neither it nor the SIA would endorse any third-party products offered by the private sector in respect of compliance with the legislation.

The Keyholding Company’s Rutt adds: “The key test with the guidance is what is reasonably practicable. So that means balancing risk against cost, time and effort. Nothing excessive or unrealistic is expected, so you don’t need to panic.

“There’s also a clear threshold for who is in scope. Many smaller premises won’t be affected at all, and those that are affected already know which tier they’re going to fit into. So, in reality, this comes down to asking a small number of practical questions at each site to understand what is already in place and where any gaps might be.”

Rutt adds that those steps, along with understanding how the guidance will be interpreted in each situation, is what will make it usable. The SIA, meanwhile, has taken the proactive step of seeking industry views on further guidance via the new consultation.

Addo-Quaye says: “The main aim of the consultation is to ensure that all premises and events in [the act’s] scope understand the SIA’s intended regulatory approach before the legislation comes into force in spring 2027. For property operators, the draft guidance and consultation serve both as a call to action and as a roadmap for the SIA’s approach to compliance.

“It is a chance for those affected to highlight ambiguities, suggest improvements and help ensure that the SIA’s approach to compliance is workable in real-world scenarios.”