Compliance & Risk Management
Featured News
Martyn’s Law: What UK Businesses Need to Know About Protect Duty Compliance
The law is no longer theoretical
Martyn’s Law is no longer something to keep on a future watchlist. The ProtectUK overview of Martyn’s Law confirms that the Terrorism (Protection of Premises) Act 2025 received Royal Assent in April 2025 and is intended to improve organisational preparedness and protective security across the UK. That matters because the conversation has now shifted from “is this happening?” to “what does it mean for our premises, our people and our procedures?”
Not every site is caught, but many more are affected than people expect
The first step is working out whether the premises are actually in scope. The GOV.UK factsheet on scope for premises explains that qualifying premises must meet specific criteria, including having at least one building, being used mainly for one or more listed purposes, expecting 200 or more individuals to be present from time to time, and not falling within an excluded category. It also lists a wide range of uses that may fall within scope, from retail and hospitality through to education, healthcare, places of worship and public authority buildings.
That breadth is exactly why so many organisations are now looking at this seriously. A venue operator may already suspect they are in scope, but mixed-use buildings, public-facing office spaces, education sites, visitor destinations and commercial properties with event use can all raise more complex questions about occupancy, control and responsibility.
Standard tier still creates real obligations
One of the more unhelpful assumptions around Martyn’s Law is that only very large venues need to act. The ProtectUK standard tier guidance makes clear that standard-tier premises will still need to notify the Security Industry Authority that they are the responsible person and ensure appropriate public protection procedures are in place, so far as is reasonably practicable. Those procedures centre on evacuation, invacuation, lockdown and communication.
That is an important point for businesses that are public-facing but not operating at arena or stadium scale. Standard tier is not a “do nothing” category. It is the level at which organisations are expected to think through how people would actually be protected and informed if an attack took place at the premises or nearby.
Enhanced tier is a bigger governance challenge
For larger premises and qualifying events, the duties become more involved. The ProtectUK enhanced tier guidance says enhanced-tier responsible persons must have appropriate public protection procedures and appropriate public protection measures in place, document them, provide that document to the regulator and, where the responsible person is an organisation, designate a senior individual to ensure compliance. It also groups measures into four areas: monitoring, movement, physical safety and security, and information security.
That shift is significant. It means enhanced-tier compliance is not just about reacting well in an emergency. It is also about documented planning, evidence of review and senior-level accountability. For commercial property teams, larger occupiers and event operators, that will often require a more formal internal process than many sites currently have.
“Reasonably practicable” is not a loophole
A lot of businesses will be tempted to focus on that phrase and ask how little can be done while still saying they have considered the law. That would be the wrong reading. The Home Office statutory guidance explains that the requirements are subject to what is reasonably practicable in the context of the particular premises or event, and it also makes clear that the Act sits alongside other duties rather than replacing them, including obligations relating to health and safety, fire safety, licensing and equality.
In practical terms, that means the strongest approach is a proportionate one. The answer is not to rush into expensive controls without understanding the exposure, but it is equally not sensible to treat the Act as a light administrative exercise. A defensible position comes from assessing the real environment, making reasoned decisions and being able to show why those decisions were taken.
Responsibility needs to be clear early
On some sites, the responsible person will be obvious. On others, especially those involving landlords, managing agents, operators, occupiers or event delivery partners, it may not be. The GOV.UK responsible person factsheet explains who is responsible under the Act and makes clear that, while the responsible person can be an individual, it will often be a company or organisation.
This is one of the most important practical steps to deal with early. If responsibility is vague, compliance work tends to stall. Procedures remain in draft, decisions are delayed and nobody is fully accountable for whether the site is genuinely preparing in the right way.
The preparation window should be used properly
Businesses do not need to be compliant overnight, but that does not mean they should wait. The SIA guidance on Martyn’s Law and its future regulatory role says the law is expected to come into force in spring 2027 and that those responsible do not need to notify the SIA until the legislation takes effect. It also warns that the SIA, Home Office and ProtectUK do not endorse third-party providers claiming they can guarantee compliance.
That makes this a planning period, not a holding period. Sensible organisations should already be reviewing whether their sites are in scope, clarifying who owns the duty, examining current emergency procedures and identifying where training, documentation or physical measures may need to improve before the law is live.
Training will matter more than many sites expect
For a lot of premises, the immediate compliance gap will not be a complete absence of hardware. It will be staff preparedness. The ACT Awareness e-learning on ProtectUK is designed for people working in public-facing environments and covers suspicious activity, suspicious items, marauding attacks and vulnerabilities in the operating environment.
That is a useful reminder that protective security is not just about physical controls. It is also about whether people on site understand what to notice, what to communicate and how to respond when pressure hits. Procedures only become real when staff know how they work.
What businesses should do now
For most organisations, the most useful next steps are straightforward.
Review whether the site or event is in scope.
Confirm who the responsible person is.
Check whether current evacuation, lockdown, invacuation and communication procedures are actually workable.
Assess whether the physical environment creates vulnerabilities around access, movement, visibility or public protection.
Create a proper record of decisions and reviews.
Make sure the right people are trained before compliance becomes mandatory.
Final thought
Martyn’s Law should not be treated as a niche security issue for a handful of major venues. It is a wider compliance and governance issue for many public-facing organisations. The real question is not whether every premises needs the same answer. It is whether the right people are reviewing the site properly, documenting proportionate actions and preparing early enough for those actions to be meaningful.
