Home Office Statutory Guidance

What Upper-Tier Venues and Events Need to Understand Now for Martyn’s Law

Martyn’s Law is not simply another compliance exercise. For enhanced tier venues and events, it changes how leadership, accountability, security and operational resilience must be managed at the highest level.

In 60 seconds

The Home Office’s Terrorism (Protection of Premises) Act 2025 Statutory Guidance fundamentally changes how large venues and major events approach counter terrorism preparedness. For enhanced tier organisations, compliance now extends far beyond awareness training and basic planning. Senior leaders must understand governance exposure, vulnerability assessments, public protection measures, documentation requirements and the long term operational investment needed to meet regulatory expectations under Martyn’s Law.

Who this is for

Event Directors, Venue Operators, Festival Organisers, Security Managers, Resilience Leads, Board Members, Local Authorities, Operations Teams and senior decision makers responsible for enhanced tier venues or events with expected occupancies above 800.

What the guidance and good practice says

A Fundamental Shift in Responsibility

The publication of the Home Office’s Terrorism (Protection of Premises) Act 2025 Statutory Guidance on 15 April 2026 marks a formal shift in how terrorism protection is regulated across UK venues and events.

For enhanced tier organisations, this is not simply an extension of existing good practice. It represents a significant change in governance, accountability and operational expectations that requires proportionate and practical measures to improve both security and incident response.

The guidance makes clear that senior leadership, not only operational teams, will be central to compliance.

A New Governance Reality for Senior Leaders

One of the least appreciated aspects of Martyn’s Law is the personal exposure faced by senior individuals within enhanced tier organisations.

The guidance is explicit that where an organisational offence is committed with the consent, connivance or neglect of a senior individual, criminal liability may attach personally. Custodial sentences of up to two years are available to the courts for serious breaches, alongside substantial financial penalties for organisations.

Crucially, statutory responsibility cannot be delegated. Boards may assign operational delivery to security, safety or events teams, but accountability remains firmly at senior leadership level.

Fines of up to £18m, or five percent of global turnover, may also apply alongside daily penalties for continued non compliance and restriction notices that could prevent venues opening or events proceeding.

Procedures and Measures: A Dual Obligation

Enhanced tier organisations must implement both public protection procedures and public protection measures.

Procedures relate to how organisations respond during an attack or suspected attack. This includes evacuation, invacuation, lockdown and communication arrangements that must work effectively under real world pressure.

Measures focus on reducing vulnerability before an incident occurs. This may include:

  • Active CCTV monitoring
  • Access control systems
  • Searching and screening regimes
  • Hostile vehicle mitigation
  • Protective glazing
  • Information security controls

The guidance is clear that organisations cannot rely solely on reactive procedures without proportionate vulnerability reduction measures.

The Challenge of Assessing Vulnerability

At the heart of enhanced tier compliance sits the vulnerability assessment.

Responsible persons are expected to assess vulnerabilities relating to marauding attacks, vehicle based attacks, explosives, fire and hazardous substances. The challenge is that there is no prescribed methodology and no access to threat intelligence that would automatically discount certain risks.

The assessment must also consider the “immediate vicinity” surrounding a venue or event, particularly where crowds gather in areas outside direct organisational control.

What emerges from the guidance is that vulnerability assessment is not a static document. It is a living expression of how an organisation understands risk, justifies decisions and balances safety, practicality and cost.

Documentation and Evidence

Enhanced tier compliance is heavily evidence based.

Organisations must demonstrate:

  • What procedures and measures are in place
  • How those arrangements reduce risk
  • Why decisions were taken
  • How staff are trained and tested

Many organisations already hold parts of this information across event plans, fire risk assessments and contractor documentation. Martyn’s Law effectively requires this to be brought together into a coherent and defensible compliance position.

The Meaning of “Reasonably Practicable”

The concept of what is “reasonably practicable” remains one of the most challenging areas within the guidance.

Organisations must balance the level of risk against the time, trouble and cost involved in implementing controls. Decisions must be documented clearly and justified in the context of what a reasonable organisation in the same position would do.

Phased implementation, interim controls and alternative measures may all play a role where they are proportionate and actively managed.

People, Training and Competence

The guidance avoids prescribing specific training standards, but makes clear that poorly trained staff undermine compliance.

This is particularly important for supervisors, managers and decision makers expected to operate during fast moving incidents.

For organisations that rely on casual, seasonal or volunteer staff, maintaining competence over time will remain a major operational challenge.

Investment and Long Term Planning

For many enhanced tier organisations, compliance will require ongoing investment.

Hostile vehicle mitigation, screening infrastructure, active CCTV monitoring and advanced communication systems require funding, planning, maintenance and trained personnel.

The guidance recognises that implementation may take time, but expects organisations to demonstrate structured planning, prioritisation and interim risk management rather than delaying action indefinitely.

Information Security and Operational Sensitivity

Enhanced tier organisations must also balance transparency with operational secrecy.

Security plans, CCTV locations, layouts and procedural details all hold potential value to hostile actors if poorly managed. Organisations should expect information security and access control arrangements themselves to become part of future regulatory scrutiny.

What good looks like

  • Senior leadership actively involved in security governance and decision making
  • Clearly documented and regularly reviewed vulnerability assessments
  • Procedures that are rehearsed, realistic and understood by staff
  • Proportionate physical and technical security measures aligned to risk
  • Integrated documentation bringing together security, safety and operational planning
  • Structured training programmes with evidence of competence and exercises
  • Phased implementation plans with justified interim controls
  • Secure handling of sensitive operational and security information
  • Clear accountability structures across venues, contractors and event partners
  • Board level visibility of terrorism protection and resilience planning

Common mistakes we see

Treating Martyn’s Law as a purely operational issue

Many organisations still view counter terrorism preparedness as something that sits entirely within security or operational teams. The guidance makes clear that accountability sits at senior leadership level.

Over relying on documentation without practical testing

Written procedures alone are insufficient if staff cannot implement them effectively during high pressure incidents.

Focusing only on reactive procedures

Some organisations concentrate heavily on evacuation or lockdown planning while overlooking proportionate vulnerability reduction measures.

Fragmented compliance evidence

Critical information is often spread across multiple departments, contractors and legacy systems, making it difficult to evidence compliance coherently.

Underestimating the complexity of vulnerability assessments

Assessments must consider multiple attack methodologies, surrounding public spaces and proportionality of controls.

Assuming affordability alone justifies inaction

Simple cost based objections are unlikely to satisfy regulators without evidence based reasoning and consideration of alternatives.

Neglecting information security

Detailed security plans and operational information can themselves create risk if poorly controlled or widely accessible.

Practical checklist

  • Identify whether your venue or event falls within the enhanced tier threshold
  • Establish board level ownership of Martyn’s Law compliance
  • Review existing counter terrorism procedures and measures
  • Conduct or update vulnerability assessments covering multiple attack methodologies
  • Assess immediate vicinity risks and public gathering areas
  • Document the rationale behind implemented and non implemented controls
  • Review training competence across staff, contractors and volunteers
  • Test evacuation, invacuation and lockdown procedures regularly
  • Audit information security arrangements relating to sensitive plans and documentation
  • Create a phased implementation roadmap where full compliance cannot yet be achieved
  • Review CCTV, communications and access control capability
  • Ensure compliance evidence can be clearly presented to regulators

FAQs

Does Martyn’s Law only apply to major venues?

No. Different requirements apply depending on occupancy thresholds and whether organisations fall into the standard or enhanced tier.

Can responsibility be delegated to security teams?

Operational delivery can be delegated, but accountability remains with senior leadership and responsible persons.

Will organisations be expected to implement every possible security measure?

No. The legislation is based on proportionality and what is reasonably practicable within the context of the organisation and risk profile.

What happens if organisations cannot implement everything immediately?

The guidance recognises phased implementation and interim controls, provided there is credible planning and active risk management.

How important is documentation?

Extremely important. Compliance is heavily evidence based and organisations must be able to justify decisions, procedures and measures clearly.

Will regulators review information security arrangements?

Increasingly, yes. Sensitive security information itself must be appropriately protected from unauthorised access.

Controlled Events has spent more than fifteen years supporting organisations to improve their security, resilience and operational readiness.

We work with a wide network of specialist partners and tools including vulnerability assessments, NACTSO endorsed training, security planning, communications systems, CCTV and analytics, operational exercises and resilience support tailored to complex venues and major events.

If your organisation is reviewing its responsibilities under Martyn’s Law, we can help translate statutory guidance into practical, proportionate and defensible arrangements.
