Understanding Martyn’s Law: What It Means for UK Businesses
At a glance:
Martyn’s Law introduces new legal duties for UK venues and businesses to assess and mitigate terrorism risks. Over the next two years, operators of publicly accessible sites must prepare to meet proportionate security and preparedness standards, from training and procedures to written plans and physical measures. For organisations in commercial real estate and security, it marks a shift from voluntary resilience to statutory responsibility, embedding safety, compliance, and trust at the heart of business operations.
Introduction
The 2017 Manchester Arena attack killed 22 people. It changed a lot. One of those changes is now law.
The Terrorism (Protection of Premises) Act 2025, known as Martyn’s Law, received Royal Assent in April 2025. It creates a statutory duty for those responsible for certain premises and events to assess and mitigate the risk of terrorism. Security preparedness is no longer a matter of good practice. It is a legal obligation.
Named after Martyn Hett, one of the 22 victims, the law aims to ensure that evacuation procedures, communications plans, and access controls are embedded across qualifying venues — not just considered.
For businesses in commercial real estate, retail, events, and hospitality, the question is no longer whether to prepare. It is how.
Who does it apply to?
The law applies to qualifying premises and qualifying events that are accessible to the public and meet the following thresholds.
Standard Tier (200–799 people)
Premises where 200 to 799 people are reasonably expected to be present. Standard tier duty-holders must implement basic protective security and response procedures, and notify the SIA that they are in scope of the Act.
Enhanced Tier (800 or more people)
Premises or events where 800 or more people may be present. Enhanced tier organisations face more substantial duties:
- A formal risk assessment is required.
- A written security plan (compliance document) must be prepared and submitted to the SIA as soon as reasonably practicable. Any revised version must be submitted within 30 days.
- Where the responsible person is an organisation rather than an individual, a named senior individual must be designated as responsible for ensuring compliance. Failure to do so is a breach of the Act.
- Physical protective measures must be implemented where appropriate.
- There is no legal requirement for standard tier premises to document their procedures, though it is strongly recommended and will make any SIA inspection significantly easier to navigate. For enhanced tier, documentation and SIA submission is a hard legal requirement.
Personal liability for senior individuals
The designated senior individual is not personally liable for civil penalty notices. However, if an organisation commits a criminal offence under the Act, senior personnel, including the designated senior individual, can be personally prosecuted. This applies where the offence was committed with their consent, connivance, or through their neglect. The designation carries real personal weight. It is not a compliance formality.
Notification obligations
Both standard and enhanced tier responsible persons must notify the Security Industry Authority (SIA) once they are in scope. This is an ongoing obligation. Responsible persons must update the SIA if any details change, and notify the SIA when they cease to be responsible for a premises or event. Failure to notify, or to keep notification information accurate, is a breach of the Act.
Multi-tenant and shared buildings
The law includes specific provisions for shared environments. Where qualifying premises are part of a larger qualifying premises, for example, a retail unit within a shopping centre, there is a duty to coordinate with the responsible person for the wider site. Persons who have an element of control over enhanced tier premises, such as a freeholder, must also co-operate with the responsible person, even if they are not themselves the responsible person.
The Regulator: The SIA
The Security Industry Authority (SIA) is the named regulator under the Act. Its role covers the full compliance lifecycle: receiving notifications and compliance documents, assessing compliance through desk-based reviews and on-site inspections, and taking enforcement action where necessary.
The SIA takes a risk-based, intelligence-led approach. It may select premises for inspection on a scheduled basis, through risk prioritisation, or based on specific intelligence about potential non-compliance.
Where non-compliance is identified, the SIA can issue compliance notices, restriction notices, and financial penalty notices. The maximum penalties are significant:
- Standard tier: up to £10,000.
- Enhanced tier: the higher of £18 million or 5% of qualifying worldwide revenue.
- Daily penalties can also be applied for ongoing failures to comply with a compliance or restriction notice: up to £500 per day for standard tier, and up to £50,000 per day for enhanced tier.
Note on the SIA’s operational guidance
The SIA is currently consulting on its draft Section 12 operational guidance, which sets out how it proposes to exercise its regulatory functions under the Act, including its approach to inspections, information-gathering, and enforcement. The consultation closes 12 June 2026. The penalty figures above are drawn from the Act itself and are not subject to the consultation.
Industries most likely to be affected
Martyn’s Law is deliberately broad. The Government’s aim is to raise the national baseline for preparedness across every environment in which people gather, not just major venues. Six sectors face particularly significant implications.
Commercial Real Estate and Workplaces
Large office buildings, mixed-use developments, and business campuses may fall into either tier depending on occupancy and public access. For landlords and property managers, the legislation introduces shared responsibilities across tenants and building operators. The coordination duty is not optional.
Retail and Shopping Centres
Shopping centres, supermarkets, and retail parks regularly host high footfall across shared spaces. Martyn’s Law will formalise responsibilities around evacuation routes, tenant coordination, and staff readiness. Retailers of all sizes who operate within larger managed environments need to understand both their own duties and those of the wider site.
Entertainment, Sports and Leisure
Arenas, stadiums, cinemas, theatres, and concert venues will almost always fall within the Enhanced Tier. Crowd control, ingress and egress planning, and real-time communications become regulated expectations, not operational choices.
Education and Public Institutions
Schools, universities, museums, libraries, and local authority buildings have duties proportionate to their setting. Most educational institutions remain in the Standard Tier but are still required to demonstrate practical preparedness and well-drilled procedures. Some larger higher education sites may fall into the Enhanced Tier.
Transport Hubs and Infrastructure
Rail stations, airports, bus terminals, and ferry ports face dynamic public flows and complex multi-operator environments. Martyn’s Law encourages consistency across agencies, operators, and contractors, and promotes joined-up response planning. The cooperation duty is directly relevant to any setting with multiple responsible parties.
Hospitality and Night-Time Economy
Hotels, restaurants, bars, nightclubs, and conference venues must ensure that public-facing staff are trained, and that emergency procedures are documented and actionable. Capacity will be the determining factor for tier placement, and many hospitality businesses will find they are in scope.
How many UK locations will be affected?
The scale of Martyn’s Law is significant. While the Government has not published a definitive figure, and the SIA is still establishing its regulatory framework, industry analysis points to a substantial nationwide impact.
Current estimates suggest that:
- Around 178,000 premises across the UK may fall within the scope of the legislation.
- Some assessments place the figure higher, suggesting up to 280,000 publicly accessible venues could be affected.
These ranges reflect the broad definitions within the Act and the diversity of sites that can reasonably expect 200 or more people at any one time. They include retail spaces, entertainment venues, hospitality environments, transport hubs, public buildings, education institutions, and commercial real estate.
A precise figure is difficult to establish for three reasons:
- Fluctuating occupancy: Many premises experience variable footfall, which may push them above or below tier thresholds at different times.
- No central register: Duty holders will only be formally recorded once they notify the SIA, meaning the complete scope will become clear gradually.
- Shared and mixed-use buildings: Multi-tenant properties or spaces with changing uses add complexity to determining applicability.
The estimates illustrate the scale of change ahead. Martyn’s Law will affect a significant proportion of the UK’s public-facing environments. For organisations with diverse estates or high visitor volumes, early preparation is not optional.
Implementation timeline
The Act received Royal Assent in April 2025. The Government has indicated that a transition period of around 24 months is intended before full enforcement begins, though a formal commencement date has not yet been announced. That window exists for a reason. Use it.
Organisations that act early will be better placed to demonstrate compliance readiness when the SIA begins its regulatory activity. Those that wait face compressed timescales, higher costs, and greater exposure to enforcement.
Update: Current status and what’s changed
Since this article was first published, there have been important clarifications around the timing, guidance, and regulation of Martyn’s Law.
Although the Act received Royal Assent in April 2025, the legislation is not yet in force. The Government has confirmed a minimum 24-month implementation period, meaning legal duties are not expected to become enforceable until 2027 at the earliest. This period is designed to give organisations sufficient time to prepare, and to allow supporting frameworks to be established.
The Home Office statutory guidance has now been published (April 2026), setting out how duty holders are expected to meet their obligations in practice, including what reasonably practicable measures look like across different sectors and environments.
In parallel, the SIA is actively preparing for its new role as regulator. This includes establishing a dedicated Martyn’s Law regulatory function, recruiting specialist staff, and developing inspection, enforcement, and case management processes. Until the legislation is commenced, the SIA’s focus remains advisory and preparatory rather than enforcement-led.
The SIA is also consulting separately on its Section 12 operational guidance, which covers how it will exercise its investigatory and enforcement functions. That consultation closes 12 June 2026.
Sector-specific clarifications have also begun to emerge, particularly for education settings, indicating that duties will be applied proportionately depending on use, occupancy, and risk profile.
While compliance is not yet mandatory, organisations should not delay preparation. The current period is a critical window to assess exposure, strengthen procedures, train staff, and build the systems that will demonstrate compliance clearly once enforcement begins.
What it means for businesses over the next few years
Short term (0–2 years): Preparation
- Audit premises and events to establish which tier applies.
- Submit your notification to the SIA.
- For enhanced tier organisations: designate a named senior individual for compliance, begin your risk assessment, and prepare and submit your compliance document to the SIA.
- Review and update emergency, evacuation, and communications procedures.
- Budget for any training or physical upgrades required.
Medium term (2–5 years): Compliance
- Implement the formal duties under the Act.
- Embed security plans into day-to-day operations.
- Align Martyn’s Law requirements with fire safety, health and safety, and business continuity frameworks.
Long term (5+ years): Continuous improvement
- Regularly review and test security measures.
- Keep pace with evolving threat guidance and any updates to SIA operational guidance.
- Integrate Martyn’s Law compliance into wider ESG and corporate governance frameworks.
Implications for Commercial Real Estate and Security Teams
For property owners, landlords, and building operators, Martyn’s Law represents a structural shift. Security preparedness will become a visible standard of professionalism, shaping tenant relations, insurance exposure, and organisational reputation.
For security teams, the law reinforces what well-run operations already know: connected systems, auditable records, and documented procedures are not nice-to-haves. They are the evidence of compliance.
Platforms that automate procedures, standardise emergency operating procedures and SOPs, and generate auditable logs will play a direct role in supporting organisations to demonstrate compliance, operationally and to the SIA.
Challenges to consider
- Resource and cost pressures, particularly for smaller standard tier venues adapting to new legal duties for the first time.
- Accountability in shared or multi-tenant buildings, where coordination duties require clear agreement between multiple parties.
- Evolving SIA guidance, with the operational framework still being finalised through the current consultation process.
None of these challenges change the direction of travel. The law is in place. Early preparation reduces risk on every dimension: operational, financial, and reputational.
Discover how Zinc can help prepare security teams for these changes: Martyn’s Law readiness: an operating model for Security & Operations leaders
If you manage Commercial Real Estate, read our guide here: How the CRE Sector Can Meet Martyn’s Law with Confidence
Looking ahead
Preparedness is no longer an operational choice. It is a legal and moral obligation.
Organisations that treat this period as a genuine preparation window, rather than waiting for enforcement to begin, will be in a stronger position on every front. Safer environments. Greater public confidence. Demonstrable compliance when the SIA comes knocking.
Martyn’s Law asks a direct question of every qualifying premises: are you ready? The window to answer that honestly, and act on it, is now.
Get in touch to understand how Zinc can help your business prepare for Martyn’s Law and stay compliant, from standardising procedures and improving readiness to providing the auditability and oversight required under the new legislation.
+44 (0)20 3989 4859 
info@zinc.systems 