What the guidance and good practice says

The publication of the Home Office’s Terrorism Protection of Premises Act 2025 Statutory Guidance on 15 April 2026 marks the formal shift in how terrorism protection is regulated for many venues and events in the UK.

For large venues, major events and complex organisations that fall into the enhanced tier, this is not simply an extension of existing good practice. It represents a fundamental change in governance, accountability and operational expectations.

A new governance reality for senior leaders

One of the least appreciated aspects of Martyn’s Law is the personal exposure faced by senior individuals within enhanced tier organisations. Where an organisational offence is committed with the consent, connivance or neglect of a senior individual, criminal liability may attach to that individual personally.

Crucially, statutory responsibility cannot be delegated. Boards may assign operational delivery to safety, security or events teams, but accountability remains firmly at senior level.

Procedures and measures: a dual obligation

Enhanced tier organisations must implement both public protection procedures and public protection measures. Procedures deal with what happens when an attack or suspected attack occurs. Measures are about reducing vulnerability in the first place.

The procedural side requires credible, rehearsed arrangements for evacuation, invacuation, lockdown and communication. Measures may include CCTV, access control, searching and screening, hostile vehicle mitigation, protective glazing and information security controls.

What good looks like

Good practice starts with senior leadership understanding that Martyn’s Law is not just an operational security task. It is a governance, assurance and evidence issue.

What good looks like is a clear, documented and proportionate approach that connects risk assessment, operational procedures, protective measures, staff training, exercising and senior oversight.

• A clear vulnerability assessment that reflects the venue or event context.
• Documented procedures for evacuation, invacuation, lockdown and communication.
• Proportionate protective measures that reduce vulnerability.
• Clear ownership at senior level.
• Training that helps staff act under pressure.
• Exercises that test whether procedures work in practice.
• Evidence that explains why decisions were made.
• Secure handling of sensitive security information.

Common mistakes we see

Treating compliance as an operational task only

Security teams may lead delivery, but senior leadership remains accountable. Martyn’s Law requires board level awareness, ownership and assurance.

Relying on written procedures that have not been tested

A written plan is not enough if staff do not understand it or cannot implement it under pressure. Procedures need training, rehearsal and review.

Underestimating vulnerability assessment

The assessment is not a one off document. It should explain how the organisation understands risk, makes proportionate decisions and justifies its position.

Fragmented documentation

Many organisations already hold useful information across safety files, event plans, contractor documents and informal knowledge. The risk is that it is not joined together into a defensible compliance position.

Ignoring information security

Compliance evidence may contain sensitive information. Plans, drawings, vulnerabilities, CCTV locations and procedures need to be protected from unauthorised access.

Practical checklist

• Confirm whether the venue or event falls into the enhanced tier.
• Identify the responsible person and senior accountable individuals.
• Review existing safety, security and event documentation.
• Complete or update the vulnerability assessment.
• Document public protection procedures.
• Review proportionate public protection measures.
• Train staff and supervisors on their roles.
• Run exercises to test procedures in realistic conditions.
• Record decisions, rationale and evidence clearly.
• Protect sensitive security information.
• Create a roadmap for phased improvements.
• Review and update arrangements when material changes occur.

FAQs

What is the main change for enhanced tier organisations?

The main change is that terrorism protection becomes a formal governance and compliance issue. Organisations need to show how they assess vulnerability, implement procedures and measures, train staff and evidence their decisions.

Can senior leaders delegate responsibility?

Operational tasks can be delegated, but statutory accountability remains at senior level. Boards and senior individuals need to understand the risks, decisions and evidence behind the organisation’s approach.

Are written procedures enough?

No. Written procedures need to work in practice. Staff must be trained and able to implement arrangements such as evacuation, invacuation, lockdown and communication under pressure.

What does reasonably practicable mean?

It means balancing risk against the cost, time and difficulty of reducing it. Organisations need to show that decisions are reasoned, proportionate and documented.

What is the biggest risk for venues and events?

One major risk is believing that existing good practice is enough without being able to evidence it clearly. Poor documentation can create compliance risk even where useful activity is already happening.

Does Martyn’s Law require immediate major investment?

Not everything may be achievable immediately. However, organisations should have credible planning, prioritisation, interim measures and a clear roadmap for improvement.

Why does information security matter?

Compliance documents may include sensitive details about layouts, procedures, vulnerabilities and security arrangements. That information needs to be controlled carefully.

How can Controlled Events help?

Controlled Events supports organisations with practical, proportionate and defensible arrangements, including vulnerability assessment, planning, training, exercises, communications and operational readiness.