Martyn’s Law: The complete guide for UK venue operators

The story behind the Martyn's Law legislation

On May 22, 2017, a bomb detonated in the foyer of Manchester Arena as thousands of concert-goers were leaving an Ariana Grande show. Twenty-two people were killed.

One of those killed was Martyn Hett, a 29-year-old from Stockport. In the years that followed, Martyn's mother, Figen Murray, began asking a question that no one had a satisfying answer to:

Why were there no legal requirements for public venues to have counter-terrorism preparedness plans in place?

Health and safety law covered everyday hazards. Fire regulations covered evacuation. But the specific threat of terrorism—a threat that UK security services had been tracking with increasing concern for years—sat in an unlegislated gap.

Figen Murray campaigned for years to close it. The result is the Terrorism (Protection of Premises) Act 2025, known as Martyn's Law. It received Royal Assent on April 3, 2025 – the first legislation in UK history to establish a baseline legal standard for counter-terrorism preparedness at public venues.

Why now? An overview of the ongoing threat

It would be convenient to treat the Manchester Arena attack as an anomaly — a terrible moment that has since passed. The data suggests otherwise.

The government has described the UK terrorism threat as "enduring and evolving." Since the start of 2020, MI5 and the police have disrupted 19 late-stage attack plots and intervened in many hundreds of developing threats. (Source: Home Office Martyn's Law Factsheet, updated April 2026)

This guide synthesises the government's statutory guidance, Home Office factsheets, and ProtectUK resources into a practical overview for venue operators. For guidance specific to your organisation's situation, consult the official statutory guidance at gov.uk or a qualified legal professional.

Where does Martyn's Law apply?

Martyn's Law applies across all four nations of the United Kingdom:

• England
• Wales
• Scotland
• Northern Ireland

Counter-terrorism is a reserved matter, and the UK Government worked closely with the Scottish Government, Welsh Government, and Northern Ireland Executive to ensure the Act operates consistently across all jurisdictions.

For international organizations with UK premises, compliance obligations attach to each qualifying UK premises or event, regardless of where the parent organization is headquartered. The legal obligation falls to whoever has control of the qualifying UK premises.

Does my venue fall under Martyn's Law?

This is the question most venue operators and security teams are asking first. It's the right place to start, because the tier your premises falls into determines everything about what you're required to do.

The four qualifying premises criteria

A premises falls within scope of the Act if it meets all four of the following criteria:

1. There is at least one building (or the premises are in a building)
2. The premises are wholly or mainly used for one or more uses listed in
3. It is reasonable to expect 200 or more individuals to be present at the same time, at least occasionally
4. The premises are not excluded under

Two phrases in that list are worth unpacking: "wholly or mainly" and "reasonable to expect."

Neither requires certainty. The government's guidance makes clear that existing methods such as fire safety occupancy calculations, historic attendance data, and event ticketing records are appropriate tools for making this assessment.

Schedule 1: What types of venues are covered?

The Act's Schedule 1 sets out the categories of premises use that bring a venue into scope. Premises must be wholly or mainly used for one or more of the following:

What about offices?

Standard office use is not a Schedule 1 qualifying use. A pure office building is generally not in scope. A mixed-use building with qualifying ground-floor uses may qualify based on its principal use. Residential developments are also excluded.

What about multi-use buildings?

For a premises with more than one Schedule 1 use, the responsible person is the person in control of the principal use. For a building with both retail and hospitality uses, it's whoever controls the dominant activity.

Qualifying events

Events that are separate from the venue's day-to-day operation can also fall under the Act – even if the venue itself is not a qualifying premises. A public event falls in scope if:

• It takes place at a premises (including land without buildings, such as parks)
• It is accessible to the public
• It is not being held at Enhanced Tier premises
• 800 or more people are reasonably expected to be present at some point
• Access control measures are in place (ticket checks, payment gates)

Qualifying events are always Enhanced Tier, regardless of the venue's usual status. And the responsible person for a qualifying event is whoever has control of the premises for the purposes of that event, which may be a third-party promoter, festival organizer, or event company, not the venue owner.

This matters for contracts. If you hire out your venue to third-party event organisers, it is worth reviewing what your agreements say about where compliance obligations sit.

What is excluded?

The following categories are specifically excluded from the Act's scope under Schedule 2:

• Government buildings, the Palace of Westminster, and premises occupied by devolved legislatures
• Airports and national rail stations, which have separate security regulatory frameworks
• Open-air public spaces like parks, unless hosting a qualifying event with 800+ attendees and access control
• Pure office buildings and residential developments

Standard Tier vs. Enhanced Tier

The Act takes a proportionate approach. The tier your premises or event falls into determines how much is required of you, and the difference is significant.

Special cases:

• Places of worship are always Standard Tier regardless of capacity.
• Primary, secondary, and further education premises are capped at Standard Tier regardless of capacity. Events at these premises do not trigger qualifying event status.
• Universities are treated as standard qualifying premises and may be Enhanced Tier if capacity warrants.

Standard Tier requirements: What smaller venues must do

Standard Tier requirements are designed to be achievable without significant capital expenditure. There is no requirement to install physical security infrastructure at Standard Tier. The focus is entirely on procedural readiness, i.e., having plans that your team can actually execute.

That last phrase is the critical one. A printed emergency procedure sitting in a folder no one has read does not satisfy the statutory test. The Act requires that staff are aware of the procedures and have the necessary experience or tools to carry them out rapidly and effectively. The standard is executability, not documentation.

Notifying the SIA

Responsible persons must register with the SIA, identifying themselves and their premises.

The four public protection procedures

Every qualifying premises and event, including venues in both the Standard Tier and Enhanced Tier, must have appropriate procedures in place for each of the following four categories. These procedures should be tailored to your specific premises: its layout, its staff, and the nature of the activity taking place. The government has been clear that one size does not fit all.

Evacuation

Getting people safely out of the premises. Your procedure should cover primary exit routes and, where appropriate, secondary and tertiary alternatives. Staff must know these routes in practice, not just on paper.

An evacuation procedure that tells staff to use the main exits is a starting point, but not a finished plan. The test is whether your team could execute it without hesitation, from any point in the building, the moment an incident is declared.

Invacuation

Moving people to a safer location within the building when exiting isn't the safest option. For most venues, this is the least-developed procedure of the four – and arguably the most operationally demanding.

Invacuation requires staff to know not just that a safe room exists, but which rooms are appropriate, how to reach them from different areas of the building, and how to communicate those routes clearly to visitors who may be frightened and disoriented. For venues with complex layouts, this is not a trivial planning exercise.

Lockdown

Securing the premises to prevent people entering or leaving. A lockdown procedure should identify specifically which doors, shutters, or barriers to secure, and in what sequence. It may need to run simultaneously with or in sequence after invacuation.

For venues with electronic access control systems, a lockdown procedure integrated into a building-wide view of access points is faster and less error-prone than a manual door-by-door approach. Physical infrastructure is not required at Standard Tier, but it's worth understanding what your existing infrastructure can and cannot do in a lockdown scenario.

Communication

Alerting people to danger and providing clear instructions in real time. Specify how staff receive alerts and how they communicate to visitors and occupants. Specific, spatially grounded instructions are easier to follow in a high-stress situation than vague ones.

Enhanced Tier requirements: What larger venues and event operators must do

Enhanced Tier venues carry everything Standard Tier requires, plus four additional categories of physical measures. Standard Tier is about having plans; Enhanced Tier is about actively reducing your venue's vulnerability.

The test throughout is "so far as is reasonably practicable" — proportionate to your venue's nature, operating environment, and resources.

The four public protection procedures

Monitoring

Measures to detect and identify suspicious activities. The Act's examples:

• CCTV
• Security patrols
• Searches of individuals
• Perimeter monitoring

The Enhanced Tier obligation is to assess whether what's in place is appropriate to reduce vulnerability, and to keep that assessment current.

Movement control

Measures to control who enters, exits, and moves within the premises. Examples: access control systems, zoned entry, screening, door and shutter management.

For large buildings with multiple tenants — each with their own access control system — this is frequently a multi-system challenge. None of those systems necessarily offers a unified view. This is one of the more technically demanding aspects of Enhanced Tier compliance for large commercial properties.

Physical safety

Measures to harden the physical environment and mitigate attack impacts. Examples:

• Hostile vehicle mitigation (HVM) barriers
• Safety glazing

The statutory language is "so far as is reasonably practicable.” This is an assessment obligation, proportionate to your venue type. SIA statutory guidance will provide further direction.

Security of information

Enhanced Tier operators must ensure that information about their building's layout, operation, design, and internal workings is not widely available and accessible to those who want to cause harm.

Martyn's Law requires accurate floor plans and building intelligence to plan procedures, execute invacuation, support lockdown, and satisfy the documentation requirement, but those floor plans cannot be publicly accessible.

A shared drive folder accessible to anyone with the link would likely not satisfy this requirement. The standard the Act is reaching for is controlled access: the right people can see the right information; others cannot.

Documentation and SIA submission

Enhanced Tier operators must document all procedures and measures and submit that documentation to the SIA, including an assessment of how they reduce vulnerability and risk of harm. This is not a one-time filing; measures must be "assessed and kept under review." Building renovations, layout changes, and new access control points all trigger a documentation update.

Designating a senior individual

Where the responsible person is an organization, a named senior individual must be formally designated as accountable for compliance. Establish this designation now, during the implementation period.

Who is the responsible person?

Martyn's Law attaches compliance obligations to a specific person — not to a building in the abstract. Understanding who that person is matters from the moment you begin planning your compliance approach.

For qualifying premises:

The responsible person is whoever has control of the premises in connection with its Schedule 1 use. For a restaurant, that's the operator of the restaurant, not the landlord—unless the landlord is also the operator. For a shopping mall, it's the mall operator.

For qualifying events:

The responsible person is whoever has control of the premises for the purposes of the event. If a concert promoter takes control of a park, the promoter is the responsible person for the duration of that event. If a stately home stages its own concert and retains control throughout, the stately home is responsible (even if it has contracted out ticketing or door security to third parties).

A freehold owner who leases their property to an operator generally does not become the responsible person, that obligation typically falls to the operator who runs the qualifying use.

But lease structures vary significantly, and freehold owners should review their contractual arrangements to understand where compliance obligations sit relative to their tenants.

The multi-tenant complexity

Large commercial buildings often have multiple tenants, each with their own security systems, access control, and operational practices. In these environments, responsibility under Martyn's Law can be divided.

The building owner or estate operator may bear responsibility for common areas:

• Lobbies
• Atria
• Shared event spaces
• Publicly accessible ground-floor uses

Each tenant bears responsibility for their own qualifying spaces. Where both a base building and individual tenant spaces are qualifying premises, both parties may need separate compliance plans.

This is particularly relevant for large mixed-use commercial estates – exactly the kind of environment where the practical challenge of Martyn's Law compliance is most operationally complex.

Enforcement and penalties

The Government intends for there to be an implementation period of at least 24 months from April 3, 2025, before the Act comes into force.

The Security Industry Authority's stated approach during this period is to "support, advise and guide"—not to penalize. Understanding the enforcement framework now is a useful context.

Once the Act is in force, the SIA's enforcement toolkit includes:

• Compliance notices — formal requirements to take corrective action within a specified timeframe
• Monetary penalties — financial fines for non-compliance
• Restriction notices — the most severe measure, which can effectively prevent a venue from operating
• Criminal offenses — for the most serious or persistent failures

Penalties levels for Enhanced Tier

Penalties can reach £18 million or 5% of worldwide annual turnover (whichever is higher), plus a daily continuing penalty of up to £50,000 for ongoing non-compliance.

Penalties levels for Standard Tier

These will be confirmed in SIA statutory guidance, which will be published during the implementation period. Check the SIA's Martyn's Law page for the latest.

The scale of Enhanced Tier penalties reflects the potential consequences of a venue with hundreds or thousands of people in attendance being unprepared. But the SIA has been clear that its primary role during the lead-in period is advisory.

Venues acting in good faith during the implementation period such as building their procedures, assessing their measures, and beginning their documentation are exactly what the implementation period is designed to enable.

How to prepare during the implementation period

The implementation period (at least 24 months from April 3, 2025) is not a time to do nothing. It’s the time the government has explicitly built into the Act for venue operators to:

1. Understand their obligations
2. Assess their current state
3. Build toward compliance at a manageable pace

The venues that will find compliance most straightforward are the ones that treat this period as a preparation phase.

Step 1: Determine whether you're in scope and which tier applies

Use the ProtectUK scope infographic to work through the criteria. If your premises is complex, such as a mixed-use, multi-tenant, or with unusual occupancy patterns, get a qualified view.

Don't skip this step. The tier you're in determines everything about what's required of you.

Step 2: Identify your responsible person

For organizations:

• Who will be the designated senior individual for compliance purposes (Enhanced Tier)?
• Is that clear internally?
• Does the person know?

For event operators:

Have you reviewed your venue contracts to establish where compliance obligations sit relative to your clients?

Step 3: Audit your existing procedures against the four categories

Most organizations already have some form of emergency planning:

• Fire evacuation procedures
• Lockdown protocols from previous risk assessments
• Major incident guidance

Map what you already have against the four required procedure types. The gaps are what you're building toward. For many venues, this will feel less like starting from scratch and more like formalising and strengthening what already exists.

Step 4: Walk your building with fresh eyes

This is simple in principle and more revealing in practice than most venues expect.

Walk every public area of your premises and ask: if I needed to move everyone in this space to safety right now, could I tell my staff exactly where to go, which routes to use, and which areas to secure?

Do that exercise for evacuation, then do it for invacuation, and finally for lockdown.

Pay particular attention to areas where your existing plans make assumptions about knowledge your staff may not have: unmarked exits, poorly lit stairwells, service corridors that appear on no visitor-facing map. These are the gaps that matter most when seconds count.

Step 5: Use free government resources

• — free counter-terrorism training for frontline staff.
• — helps staff identify suspicious activity.
• — free tabletop exercise toolkit.
• — practical preparation guidance.
• — addresses common misconceptions.

Step 6: Start building your documentation now (Enhanced Tier)

Don't wait until the SIA's portal is confirmed. Your procedures, measures, and vulnerability assessments can be built and refined now. Having them well-developed before the Act comes into force puts you in a far stronger position than assembling under time pressure.

Frequently asked questions

Is Martyn's Law currently in force?

No. The Act received Royal Assent on April 3, 2025 but is not yet in force. The Government intends for there to be an implementation period of at least 24 months from that date before it comes into force. There is currently no legal obligation to comply. Check ProtectUK for the most current timeline.

What are the main requirements of Martyn's Law?

All qualifying premises and events must notify the SIA and have appropriate public protection procedures for evacuation, invacuation, lockdown, and communication. Enhanced Tier premises additionally require physical protection measures across four categories, formal documentation submitted to the SIA, and a designated senior individual.

Does Martyn's Law apply to schools?

Yes, with carve-outs. Primary, secondary, and further education premises are capped at Standard Tier regardless of capacity. Universities are treated as standard qualifying premises and may be Enhanced Tier if capacity warrants.

Does Martyn's Law apply in Scotland, Wales, and Northern Ireland?

Yes. The Act applies across all four UK nations without devolved carve-outs.

Does my office building fall under Martyn's Law?

Standard office use is not a Schedule 1 qualifying use. Pure office buildings are generally not in scope. Mixed-use buildings with qualifying Schedule 1 uses may qualify based on their principal use.

Do I need to hire a security consultant to comply?

No. The government is clear that venues can comply without specialist third-party services. Free resources are available through ProtectUK. Neither the Home Office nor the SIA endorses any specific commercial products.

Who enforces Martyn's Law?

The Security Industry Authority (SIA) is the designated regulator. During the implementation period its approach is to support, advise, and guide. Once in force, the SIA has powers including compliance notices, monetary penalties, restriction notices, and criminal offences for the most serious failures.

When will the Act come into force?

The Government intends for there to be an implementation period of at least 24 months from April 3, 2025 before the Act comes into force. The specific commencement date will be confirmed during the implementation period. Check ProtectUK and GOV.UK for updates.

How Mappedin thinks about Martyn's Law

We've spent a lot of time thinking about what Martyn's Law means in practice. Not as a compliance checklist, but as a question about whether venues can actually do what the Act asks of them when it matters most.

The gap this law is trying to close is an operational one for most venues.

The difference between having an invacuation procedure and being able to execute it in the first few seconds of a real incident is the difference between a written plan and genuine knowledge of your building. It's the difference between an evacuation route described in a document and one your staff can navigate without hesitation from wherever they happen to be standing the moment an alarm sounds.

That gap between the plan and the execution is where the most serious compliance risk sits. And it is where the most serious life-safety risk sits too.

At Mappedin, we work with venues, corporate campuses, and public safety organizations to build that kind of indoor intelligence. If you're exploring what that means for your venue's Martyn's Law preparedness or your broader security operations, we're happy to help.

The government is right that venues can meet the procedural requirements of this Act without third-party technology. What we offer is a way to close the gap between the plan and the execution: to make the information your team needs accessible, accurate, and there when seconds count.

A note on this guide

This article draws on the:

• Terrorism (Protection of Premises) Act 2025 statutory guidance
• Home Office Martyn's Law Factsheet (updated April 2026)
• ProtectUK resources
• Practitioner perspectives from Mappedin's Security & Public Safety team

It is not legal advice. For guidance specific to your organization, consult the official statutory guidance or a qualified legal professional. We will update this guide when the SIA publishes registration details and when the enforcement commencement date is confirmed.