The publication of the Home Office’s Terrorism (Protection of Premises) Act 2025 Statutory Guidance on 15th April 2026 marks the formal shift in how terrorism protection is regulated for many venues and events in the UK. The individuals and organisations that have worked tirelessly over many years have made this happen, and it now rests with venues, events and supporting organisations to deliver it in practice and to build on good practice where it already exists. This blog is aimed at readers who have already digested the key tenets of the legislation, such as how venues and events are categorised. For introductory guidance, see the factsheets, which act as a foundation read.
For large venues, major events and complex organisations that fall into the enhanced tier, this is not simply an extension of existing good practice. It represents a fundamental change in governance, accountability and operational expectations that will involve proportionate and sensible measures to improve the security and incident response in organisations.
Upper tier status brings with it a level of scrutiny, legal exposure and operational complexity that many organisations have not previously encountered in the context of counter‑terrorism. While much public commentary has focused on awareness training and baseline preparedness, the reality for venues and events with expected occupancies above 800 is far more demanding. The guidance makes clear that senior leadership, not just operational teams, will be central to compliance.
This article explores what the guidance really means for enhanced tier organisations and why early, structured action is essential.
A New Governance Reality for Senior Leaders
One of the least appreciated aspects of Martyn’s Law is the personal exposure faced by senior individuals within enhanced tier organisations. The guidance is explicit that where an organisational offence is committed with the consent, connivance or neglect of a senior individual, criminal liability may attach to that individual personally. This is no longer a theoretical risk. Custodial sentences of up to two years are available to the courts for serious breaches, alongside substantial financial penalties for the organisation itself.
Crucially, statutory responsibility cannot be delegated. Boards may assign operational delivery to safety, security or events teams, but accountability remains firmly at senior level. For many organisations this represents a cultural shock. Security has often sat below the executive radar, viewed as a technical or operational concern rather than a matter of corporate governance. Under Martyn’s Law, that position is no longer tenable.
There is also a financial dimension that senior leaders cannot ignore. Fines of up to £18m, or five percent of global turnover, are accompanied by daily penalties for continued non‑compliance and the possibility of restriction notices that could prevent a venue opening or an event proceeding. Reputational damage following enforcement action may, in some sectors, be even more significant than the fine itself.
Procedures and Measures: A Dual Obligation
Enhanced tier organisations must implement both public protection procedures and public protection measures. The distinction between the two is critical. Procedures deal with what happens when an attack or suspected attack occurs. Measures are about reducing vulnerability in the first place.
The procedural side requires credible, rehearsed arrangements for evacuation, invacuation, lockdown and communication. These are not abstract or new concepts, and much already exists to assist with the management of publicly accessible locations, including Action Counters Terrorism (ACT) training, NACTSO action cards and resources, and NPSA guidance and training on evacuation, lockdown, messaging and dispersal. The arrangements must work in real time, with real staff, during high‑stress situations where information is partial and decisions must be made quickly. The guidance is clear that having a written procedure is not enough if staff are not trained and able to implement it effectively.
Measures, by contrast, commonly require physical, technical and organisational controls. This can include CCTV with active monitoring, access control, searching and screening regimes, hostile vehicle mitigation, protective glazing and information security controls designed to prevent hostile reconnaissance. For many enhanced tier organisations, the measures element represents the most challenging aspect of compliance, both financially and conceptually.
The law expects a combination of both. Relying solely on reactive procedures without taking proportionate steps to reduce vulnerability is unlikely to satisfy the regulator. Equally, installing physical security without robust procedures and trained staff will fall short.
The Challenge of Assessing Vulnerability
At the heart of enhanced tier compliance sits the vulnerability assessment. The guidance requires responsible persons to assess how vulnerable a premises or event is to a range of attack methodologies, including marauding attacks, vehicle‑based attacks, explosives, fire and hazardous substances. There is no prescribed methodology and no access to threat intelligence that would allow certain risks to be discounted.
This places organisations in a difficult position. They are required to consider severe but low‑probability attacks while also ensuring that their response remains proportionate and defensible. Over‑estimating risk can lead to disproportionate and costly controls that damage the viability or character of a venue. Under‑estimating it leaves an organisation exposed both operationally and legally.
The assessment must also extend beyond the footprint of the building or event itself. The concept of “immediate vicinity” introduces further complexity, particularly where crowds gather in public spaces that the responsible person does not control. The guidance offers no fixed distance, leaving organisations to make context‑specific judgements that must later withstand regulatory scrutiny.
What emerges from the guidance is that the vulnerability assessment is not a one‑off document. It is a living expression of how an organisation understands its risk, justifies its decisions and balances safety, cost and practicality.
Documentation as a Compliance Risk in Its Own Right
Enhanced tier compliance is heavily evidence‑based. Organisations must be able to demonstrate what procedures and measures are in place, how they reduce risk, why particular decisions were taken and how staff are trained and tested. This information must be submitted to the Security Industry Authority and updated promptly when material changes occur.
Many venues and events already have elements of this information, but it is often fragmented across safety files, event management plans, fire risk assessments, contractor documentation and informal operational knowledge. Martyn’s Law effectively requires this to be drawn together into a coherent, defensible compliance position.
Poor documentation creates a real risk. An organisation may believe it is doing the right things, but if it cannot evidence them clearly and coherently, compliance may not be accepted. At the same time, documentation itself becomes sensitive. Detailed descriptions of security arrangements, layouts and vulnerabilities must be protected from unauthorised access to avoid creating new risks.
The Ambiguity of “Reasonably Practicable”
Perhaps the most challenging concept within the guidance is the test of what is “reasonably practicable”. A term commonly used in the application of health and safety legislation, it requires organisations to balance the level of risk against the cost, time and trouble of mitigating it. The burden sits with the responsible person to demonstrate why certain measures have not been implemented.
In practice, this will depend heavily on context. The same control may be reasonably practicable for one organisation and not for another, depending on the risk profile, physical environment and available alternatives. What is clear is that simple assertions of affordability will not be sufficient. Decisions must be reasoned, documented and aligned with what a reasonable organisation in the same position would do.
Phased implementation, interim measures and alternative controls will all play an important role, but only where they are clearly justified and actively managed.
People, Training and Competence
The guidance avoids prescribing specific training standards, but it leaves little doubt that untrained or poorly trained staff undermine compliance. Procedures and measures are only meaningful if people know how to operate them under pressure.
This is particularly acute for supervisors, managers and those expected to make real‑time decisions during fast‑moving incidents. There is currently no nationally mandated training framework for these roles, leaving organisations to define competence for themselves. That flexibility brings risk as well as opportunity.
For organisations that rely heavily on casual, seasonal or volunteer staff, maintaining competence will be an ongoing challenge. Training cannot be treated as a one‑off exercise. Turnover, fatigue and complacency will all be factors that the regulator expects organisations to have considered.
Investment, Planning and Long‑Term Commitment
For many enhanced tier venues and events, Martyn’s Law will require investment over time, and this may call for a significant budget. Hostile vehicle mitigation, active CCTV monitoring, access control and screening infrastructure are not minor enhancements. They demand capital funding, design input, ongoing maintenance and qualified personnel.
The guidance implicitly recognises that not everything can be delivered immediately. What it expects instead is credible planning, clear prioritisation and interim risk management. Organisations that defer action without a structured roadmap are likely to struggle to justify their position.
Information Security and the Visibility Dilemma
A final tension runs throughout the guidance: the need to demonstrate compliance while avoiding the disclosure of information that could be exploited by hostile actors. Public confidence must be balanced against operational secrecy. Plans, drawings, CCTV locations and procedural detail all have value to an adversary if poorly controlled.
Enhanced tier organisations should assume that how they manage sensitive information, including who has access to it and how it is stored, will increasingly form part of regulatory scrutiny.
A Strategic Moment for Enhanced Tier Organisations – what next
Martyn’s Law is not simply another layer of regulation. For enhanced tier venues and events, it is a signal that terrorism protection has become a core element of organisational leadership, governance and assurance.
Those who approach it narrowly, as a compliance exercise to be delegated and minimised, are likely to expose themselves to significant risk. Those who treat it strategically, embedding proportionate security into how their venues, events and organisations are designed and operated, will be far better placed to meet both the letter and the spirit of the law. Indeed, we are working with a number of organisations who do not fall under the legislative requirement but who recognise that implementing measures, guidance and tools proportionately will enhance their staff and customer safety, operations and reputation.
At Controlled Events, we are already supporting organisations to translate this guidance into practical, defensible and proportionate arrangements. The organisations that act early, invest wisely and involve leadership from the outset will set the benchmark for what good looks like under the enhanced tier.
Over the last fifteen years, Controlled Events has been working with a wide variety of organisations to improve their security, resilience and readiness, and has extensive experience with key organisations that can provide a wide range of expertise and advice. This ranges from AssessThreat tools to understand your risks, S.T.O.R.M.4Events vulnerability assessments and security plans, advanced radio and audio system tools to manage communications from Crowdguard and 2CL, and CCTV and analytics with Attend2IT, 2CL and Dynamic Crowd Measurement, to industry-leading training and exercises already customised to the key risks and scenarios. As a Skills for Justice learning centre, we are also supporting Taylor Bridges in delivery of the NACTSO-endorsed Counter Terrorism course. That depth of experience and breadth of key disciplines equips us well to support any organisation reading this statutory guidance and needing help to implement it.



