On 3 April 2025, the UK government passed the Terrorism (Protection of Premises) Act, more widely known as Martyn’s Law — a major milestone in the country’s efforts to improve public safety and preparedness in the face of evolving terror threats.
For businesses, event organisers, local authorities, and venue operators, this legislation introduces clear and legally binding duties.
In this article, we’ll explain what Martyn’s Law means for you, how it applies, and what practical steps your business should take to comply.
What Is Martyn’s Law?
Also referred to as the ‘Terrorism (Protection of Premises) Act 2025’, or simply ‘Protect Duty’, Martyn’s Law is a recently passed bill that expands the Protect and Prepare aspects of the UK’s existing counterterrorism initiative.
The aim of Martyn’s Law is simple but powerful:
To ensure that all large publicly accessible locations take proportionate and practical steps to improve preparedness against terrorist threats.
This includes:
- Reducing the vulnerability of venues to attack
- Fostering a national culture of vigilance and accountability
- Ensuring consistent public protection across the UK
Martyn’s Law is named in honour of Martyn Hett, one of the 22 people killed in the 2017 Manchester Arena bombing. The law is the result of tireless campaigning by his mother, Figen Murray, who has championed the need for better protections at public venues.
How Was Martyn’s Law Developed?
The UK government developed Martyn’s Law in consultation with security and counterterrorism experts, local authorities, safety campaigners, victim advocacy groups, and businesses.
Although it was designed to substantially increase public protection while limiting the practical burden on venues of meeting the bill’s requirements, the gravity of the bill’s focus, as well as the complexities of its scope, are a cause for concern for many businesses across the UK.
When Does Martyn’s Law Come Into Effect?
We first brought Martyn’s Law to your attention in our 2024 article, when the act was still in development.
Martyn’s Law received Royal Assent on 3 April 2025, and is now officially becoming part of UK legislation. However, the government has announced an implementation period of at least 24 months, giving duty holders time to:
- Understand their new obligations
- Establish internal processes
- Plan for compliance
This means the Act will be fully enforceable no earlier than April 2027.
Does Martyn’s Law Apply to Your Business?
If your premises or events are publicly accessible and fall within certain thresholds, yes — Martyn’s Law will likely apply to you.
The Act applies to:
- Public venues like stadiums, arenas, shopping centres, theatres, and nightclubs
- Hospitality and retail spaces such as restaurants, hotels, and high street shops
- Local authority-managed areas such as parks, libraries, and museums
- Higher education institutions, including colleges and universities
Premises Are in Scope If They:
- Include at least one building (or are located in a building)
- Are used wholly or mainly for public activities listed in Schedule 1 of the Act (e.g. restaurants, shops, concert halls, hotels, sports venues)
- May reasonably expect 200 or more individuals on-site at the same time
- Are not excluded by Schedule 2
Important! – The threshold is based on capacity “from time to time,” not daily averages. So, if your venue hits 200+ or 800+ attendees at peak times — even seasonally — it’s likely in scope.
Events Are in Scope If They:
- Take place in publicly accessible spaces (even open-air land)
- Expect 800+ attendees at the same time
- Have entry checks (e.g. ticketing, access controls)
- Are not excluded under the legislation
Are Any Premises or Events Excluded?
Yes. Schedule 2 of the Act outlines several exclusions:
- Primary/secondary schools and childcare settings
- Certain transport locations
- Parliamentary and devolved legislature buildings
- Open-access areas such as some parks
However, higher education institutions are included due to their open-access nature and public-facing events.
Places of worship fall under the Standard Tier (more on this next) only — even if over 800 individuals may attend — reflecting their unique community role.
Tiered Approach: Standard vs Enhanced
Martyn’s Law introduces a two-tier system based on the number of people who could reasonably be expected at a location or event.
Standard Duty Premises
Applies to venues where 200–799 individuals (including staff) may be present at one time.
Enhanced Duty Premises
Applies to venues or events where 800 or more individuals may be present.
Important: A business or venue can shift between tiers temporarily — for example, a normally small venue hosting a major event may fall under the Enhanced Tier during that time.
What Are Your ‘Protect Duty’ Obligations?
Obligations may differ based on the specifics of your business/venue, but, regardless of tier, all organisations in scope will be required to:
Conduct a Terrorism Risk Assessment
A critical first step for all businesses is to undertake a terrorism-focused risk assessment. This assessment must go beyond traditional crime or safety concerns and consider a wide range of potential terrorist threats and methods — including evolving attack methodologies such as marauding attacks, vehicle-as-weapon assaults, or the use of improvised explosives.
The goal is to identify vulnerabilities specific to your premises and assess what measures may reasonably be required to mitigate those risks.
Develop Effective Preparedness Measures
Businesses must also develop clear, actionable emergency plans. These should include evacuation strategies, lockdown procedures, and internal communication protocols to manage and minimise harm in the event of an attack.
Preparedness is not a one-off task — these plans must be rehearsed, refined, and embedded into everyday operations. The ability of staff to respond swiftly and calmly can significantly reduce casualties and disruption in a crisis scenario.
Maintain Documentation and Ensure Accountability
Every business in scope will be required to document their protective security approach. This includes clearly outlining the measures in place, the reasoning behind those choices, and how those measures are expected to reduce harm or vulnerability. This documentation should form a defensible record that can be presented during inspections by the regulator.
For Enhanced tier venues and events, a further requirement is the appointment of a Senior Responsible Person (SRP).
This individual must be someone at the top of the organisation — such as a director or partner — or an outsourced expert. SRPs will carry legal responsibility for ensuring compliance. Neglecting these duties could result in personal liability, including potential prosecution.
The SRP is expected to:
- Oversee risk assessments and preparedness measures
- Ensure training is delivered and refreshed
- Maintain compliance documentation
- Liaise with regulators during inspections
Staff Training and Awareness
One of the most effective protective strategies is ensuring that staff understand the threat and know how to respond. All businesses must provide training to staff in proportion to their role and the risk profile of the premises.
This may include recognising suspicious behaviour, initiating emergency protocols, and providing support during evacuations. While the Act does not mandate specific training courses, it does require businesses to ensure that any person with a duty under the legislation is appropriately instructed or trained to carry out that role effectively.
Plan for Risk Mitigation
Beyond procedural preparedness, venues — particularly those in the Enhanced tier — must consider tangible mitigation measures to deter or delay attacks. These might include physical barriers, CCTV systems, adjusted layouts to reduce choke points, or coordination with emergency services.
The law acknowledges that what is “reasonably practicable” will vary by site, but those in scope must be able to demonstrate that appropriate steps have been taken.
Enforcement, Inspections and Penalties
The new regulator — the Security Industry Authority (SIA) — has been given inspection powers to assess compliance. With modest notice, the SIA can request documents, inspect physical measures, and interview staff.
Businesses found in breach of their Protect Duty obligations can face significant financial penalties, which are expected to mirror those used for data protection violations under GDPR.
In addition to financial risks, failure to comply could result in reputational damage, operational disruption, or even criminal liability for senior personnel. As such, it is essential for businesses not only to implement appropriate protective strategies but to ensure these are well-documented, regularly reviewed, and defensible if challenged.
Martyn’s Law – Actionable Steps for Businesses to Get Started
You’d be forgiven for feeling a little overwhelmed by the responsibilities set out in Martyn’s Law, but it’s essential that you take time now to understand what’s required – so you can start your compliance journey.
If you’re struggling with where to begin, consider the following step-by-step guidance:
- Understand Your Classification
The first step is to determine whether your site falls under the Standard or Enhanced tier. This will depend on your venue’s capacity, footfall, and how it’s used. Your classification directly impacts the level of measures you’ll need to implement.
- Conduct a Risk Assessment
A terrorism-specific risk assessment is essential. You can either carry this out internally if you have the right expertise, or seek support from professional advisors like Cardinus. The goal is to identify vulnerabilities unique to your premises and the type of events or activities you host.
- Create a Tailored Security Plan
Once risks are understood, you’ll need to put proportionate and effective security measures in place. This includes not just physical security but also clear, rehearsed emergency procedures. Your plan should be practical, documented, and actionable in real-time situations.
Cardinus provides a range of security risk management services to protect organisations and their employees.
- Clarify Roles and Responsibilities
If required, designate a Senior Responsible Person to oversee your Protect Duty compliance. Beyond that, make sure roles are clearly defined so everyone knows what they’re accountable for in both day-to-day operations and emergency scenarios.
- Train Your Team
Security is everyone’s responsibility. Deliver training that raises awareness of threats, reinforces your security protocols, and ensures staff know how to respond in an emergency. Don’t forget to schedule regular refreshers to keep knowledge up to date.
- Keep Records and Stay Inspection-Ready
Regulators will expect you to show how you’re complying with the Protect Duty. Keep detailed, current records that reflect your assessments, planning, training, and any actions taken. Good recordkeeping is key to demonstrating accountability and readiness.
What Happens If I Don’t Comply?
While the emphasis of the Protect Duty is on guidance, education, and support, organisations that ignore or repeatedly fail to meet their obligations may face serious consequences. The Security Industry Authority (SIA) has been given enforcement powers to ensure compliance — and these extend beyond simple warnings.
Here’s what you need to know about the potential civil and criminal sanctions under the legislation:
Compliance Notices
If you’re not meeting your duties, the SIA can issue a compliance notice requiring you to take specific corrective actions within a set timeframe. This might include reviewing risk assessments, updating security plans, or providing additional staff training.
Restriction Notices
Used only in exceptional circumstances, restriction notices apply to enhanced duty premises and qualifying events. The SIA can issue these if they believe:
- You’ve failed to implement appropriate public protection measures or procedures, and
- Immediate restrictions are needed to reduce the risk of terrorism.
A restriction notice could:
- Prohibit an event from going ahead,
- Impose conditions (like reducing the number of attendees), or
- Limit how premises are used — until adequate security measures are in place.
Penalty Notices
Financial penalties can be substantial:
- Up to £10,000 for standard duty premises,
- Up to £18 million or 5% of global turnover for enhanced duty premises or qualifying events (whichever is higher).
Failing to attend a required interview can also result in a penalty of up to £5,000.
If you fail to comply with a previously issued compliance or restriction notice, daily penalties may also apply:
- Up to £500 per day for standard duty premises,
- Up to £50,000 per day for enhanced sites or qualifying events.
The SIA will consider factors such as the severity of non-compliance, steps taken to mitigate risks, and the organisation’s ability to pay when determining the size of the penalty.
Criminal Sanctions
In the most serious cases, particularly where there’s persistent or wilful disregard of the law, criminal charges may be brought. These could result in:
- Court proceedings,
- Criminal records,
- Potential custodial sentences for individuals deemed personally responsible.
Appoint Cardinus as Your Senior Responsible Person
We understand that navigating Martyn’s Law can be complex and time-consuming — especially for busy organisations juggling multiple risks.
That’s where we come in.
Cardinus can act as your Senior Responsible Person, taking full ownership of your organisation’s responsibility to meet the obligations of Martyn’s Law. Our expert team will:
- Manage compliance
- Oversee security planning
- Maintain documentation
- Liaise with the SIA on your behalf
Contact us today – Let us help you protect your people, your premises, and your reputation.