What Martyn’s Law means for you

After receiving Royal Assent in April 2025, Martyn’s Law is now entering its implementation phase, with the Security Industry Authority preparing to regulate thousands of UK venues and events. A new tiered framework will require operators to adopt proportionate security measures, backed by expanded SIA teams, digital systems, and forthcoming Home Office guidance.

At the beginning of April 2025, after six years of campaigns and almost eight years after the Manchester Arena attack, Martyn’s Law received Royal Assent.

Martyn’s Law is named after Martyn Hett, who was killed in the Manchester Arena attack in May 2017.

Officially titled the Terrorism (Protection of Premises) Bill, the law will make it a legal requirement for public places to strengthen their security measures. It will improve protective security and organisational preparedness across the UK by requiring that those responsible for certain premises and events consider how they would respond to a terrorist attack.

It will take a tiered approach. Venues with a capacity of 200 to 800 people will be required to put in place measures aimed at reducing harm to the public in the event of an attack. This could include training staff to lock doors, close shutters, and identify safe routes to shelter.

Larger venues, with a capacity of over 800 people, will fall under an enhanced tier. These venues will be required to implement more robust security measures, such as employing security staff and installing CCTV systems.

Premises within scope
Premises fall within the scope of the Act if they meet four key criteria. First, there must be at least one building on the premises, or the premises must be located within a building. Second, the premises must be wholly or mainly used for one or more of the purposes listed in Schedule 1 of the Act, such as a restaurant or a shop. Third, it must be reasonable to expect that at least 200 individuals may be present on the premises at least occasionally. Finally, the premises must not be excluded under Schedule 2 of the Act. If it is reasonable to expect that 800 or more individuals may be present at the premises at the same time, the premises will be considered enhanced duty premises, unless the Act specifies otherwise.

Events within scope
An event falls within the scope of the Act if several conditions are met. The event must take place at premises covered by section 3(1)(a) of the Act, which may include open land without buildings, provided the premises are not designated as enhanced duty premises or part of such premises. The premises must be accessible to members of the public for the purpose of attending the event. It must also be reasonable to expect that at least 800 individuals will be present at one time during the event. In addition, there must be measures in place to check that entry conditions are met, such as ticket checks. The event must also not fall under any exclusions listed in Schedule 2 of the Act.

Who is considered the responsible person for qualifying premises?
For premises that fall within the scope of the Act, the responsible person is the individual who has control over the premises in relation to its relevant use as defined in Schedule 1 – for example, operating a venue as a sports ground or a hotel. If the premises are used for more than one Schedule 1 purpose, such as a church that also operates a crèche, the responsible person will be the one in control of the premises in connection with whichever use is considered the primary or principal activity.

Who is considered the responsible person for qualifying events?
For qualifying events, the responsible person is the individual or organisation that has control of the premises where the event is being held, specifically for the purposes of the event. Determining who this is will depend on the specific circumstances of the event.
For instance, if a company organises a concert in a public park and takes control of a designated area for the duration of the event, then that company would be considered the responsible person. On the other hand, if a stately home hosts a concert on its own grounds and retains overall control of the site for the event, the stately home itself would be the responsible person, even if it contracts out certain aspects of the event, such as ticketing or security.

What are the requirements for standard duty premises?
Standard duty premises are typically locations where it is reasonable to expect between 200 and 799 people, including staff, to be present at the same time on at least an occasional basis. For such premises, the responsible person must meet two key requirements: they must notify the Security Industry Authority (SIA) of their premises, and they must have appropriate public protection procedures in place, so far as is reasonably practicable. The obligations for standard duty premises are designed to be simple and low-cost, with the main requirement being time and planning rather than physical security installations. There is no requirement under this duty to implement structural or physical security measures. These procedures are intended to guide staff in the event of a terrorist incident occurring at or near the premises. They should focus on reducing the risk of physical harm and may include steps for evacuating the building, moving people to a safer area within the premises (invacuation), locking down parts of the premises, and communicating effectively with those on site during an emergency.

What are the requirements for enhanced duty premises and qualifying events?
Enhanced duty premises and qualifying events are those where it is reasonable to expect that 800 or more individuals, including staff, may be present at the same time or attend the event at least occasionally. In addition to the requirements for standard duty premises, the responsible person for enhanced duty premises and qualifying events must meet the following additional obligations. Firstly, they must have, so far as reasonably practicable, appropriate public protection measures in place. These measures should aim to reduce both the vulnerability of the premises or event to terrorism and the risk of physical harm to individuals in the event of an attack, either at the premises or in the surrounding area. For example, enhanced duty premises should implement measures, to the extent practicable, for monitoring the premises and their immediate vicinity. Secondly, the responsible person must document the public protection procedures and measures that are in place or planned, and submit this document to the Security Industry Authority (SIA). This document should include an assessment of how the procedures and measures will help reduce vulnerability and/or the risk of harm. Finally, if the responsible person is an organisation rather than an individual, they must designate a senior person to ensure that the responsible person complies with these requirements.

The SIA
While, we are still waiting for a few more details, in November, Michelle Russell, chief executive of the SIA published an updated on the SIA’s work on Martyn’s Law. Once Martyn’s Law received Royal Assent, and the Security Industry Authority (SIA) was confirmed as the new regulator, work began immediately to prepare for go-live. Go-live will occur when Parliament, through statutory instruments, commences Martyn’s Law and the SIA’s role as regulator. While the timing of commencement is a decision for Parliament, preparations are being made for Spring 2027. Russell explained the SIA’s role as regulator, which she said is to regulate against Martyn’s Law, and the legal requirements and framework Parliament has set out in the Terrorism (Protection of Premises) Act 2025. These requirements are set to be clarified by the Home Office’s statutory section 27 guidance about the requirements.

The SIA has the responsibility of determining whether a premises or event is in compliance with those requirements as well as the responsibility to provide advice and guidance to them. Since April 2025, the SIA has been attending events and conferences across the UK. Once the guidance is published by the Home Office, the SIA will say more. Meanwhile, though, the Agency has been working at pace, building capability and capacity and exploring and testing with depth the things that need to be done in advance of go-live.
The SIA has been agreeing new, separate grant funding to be provided direct by the Home Office to the SIA to fund the SIA’s new Martyn’s Law work. This means the work will not be funded by SIA licence holders’ fees.
A new director will start in January and a blueprint design has been created for new functions and teams.

There will be over 100 new operational posts created in the SIA’s Martyn’s Law team, working on guidance and other educational and outreach work; the formal notifications that premises and events in scope of Martyn’s Law will make; desk-based casework on compliance issues, as well as scrutiny and assessment of compliance documents and plans submitted by enhanced tier premises; and inspections and formal investigations into concerns about non-compliance and follow up enforcement work.
Inspectors and inspection teams will be based regionally and locally across the UK. Other office-based roles will be mostly in a new SIA location in Manchester.

The SIA is currently working on draft section 12 guidance about how the Agency proposes to exercise its functions particularly the investigatory powers. A consultation will be launched on this, once Home Office guidance is published in 2026.
Joint engagements and events are being held with the Home Office to raise awareness of the new law and the SIA’s role. A new risk framework is being developed to ensure the SIA has clear priorities and to apply a consistent approach to decisions.
The SIA teams are actively progressing work on a new regulatory model, business plan, and internal processes and procedures. A critical focus is the development, implementation, and testing of the digital and caseworking systems required to support future casework. This programme involves extensive planning and design, alongside a robust procurement exercise that will take time to complete.

Russell said that the SIA’s role as regulator will be primarily advisory from the start to give venues and events in scope the opportunity to get compliance right first. The SIA expects to find and highlight positive good practice and identify and advise those who are not doing enough.

Martyn’s Law, formally the Terrorism (Protection of Premises) Act 2025, establishes a tiered legal framework requiring venues and events to adopt proportionate security measures based on capacity. Standard duty premises must notify the Security Industry Authority (SIA) and maintain basic protective procedures, while enhanced duty premises and qualifying events must implement more robust measures, document their plans, and submit them to the regulator. The SIA has begun building capacity for its new role, with full commencement expected in Spring 2027. While enforcement will evolve over time, the law represents a structured response to the Manchester Arena attack, embedding preparedness and public protection into the operation of UK venues and events.