Martyn’s Law: Unpacking the UK’s Pivotal Shift in Public Venue Security

It was a devastating evening, wasn’t it? The Manchester Arena bombing in 2017, a horrific act that ripped through the lives of so many, particularly the young. That tragedy, which claimed 22 lives, including Martyn Hett’s, served as a stark, heart-wrenching catalyst. And so, in April 2025, after years of campaigning by Figen Murray, Martyn’s mother, the UK government finally enacted the Terrorism (Protection of Premises) Act 2025, now widely known as Martyn’s Law. This isn’t just another piece of legislation, it’s a profound commitment, a legal mandate for those responsible for public venues and events to actively safeguard against terrorist attacks. It’s about bringing security from the shadows into the operational forefront.

For too long, security measures, particularly against terrorism, have often felt like an optional extra, something nice to have perhaps, but not always a fundamental requirement. Martyn’s Law flips that narrative entirely. It establishes a tiered framework, quite clever really, categorizing venues based on their capacity and the number of individuals you’d reasonably expect to be present at any given moment. This graduated approach acknowledges that a small coffee shop isn’t the same as Wembley Stadium, but both have a role to play in public safety.

Focus360 Energy: property compliance services – pre-planning to post-construction. Learn more.

Navigating the Tiered Regulatory Framework

The Act, in its essence, delineates two primary categories of duty-holders, each with specific, escalating obligations. Understanding where your premises or event falls within this framework is your absolute first step, a critical self-assessment really.

Standard Duty Premises: The Foundational Layer

This category encompasses venues where it’s reasonable to expect between 200 and 799 individuals at any given time. Think about it: this isn’t just about massive concert halls. It includes your local multiplex cinema, that bustling retail store in the city centre, perhaps a popular chain restaurant on a Saturday night, a medium-sized theatre, or even significant places of worship and community halls during large gatherings. Even some larger office buildings with substantial public access, like those housing government services or public-facing businesses, might find themselves here.

For operators of such venues, the requirements, while foundational, are certainly not trivial. They demand a significant shift in thinking and operational discipline.

• Notification of Duty-Holder Status: Your first official act under Martyn’s Law will be to notify the Security Industry Authority (SIA) that your premises falls within this category. This isn’t merely a formality, it’s about getting onto their radar. You’ll likely interact with an online portal, providing details about your venue’s capacity, primary use, and contact information for the responsible person. Missing this notification, well, that’s just asking for trouble right off the bat.

• Implementing Public Protection Procedures: This is the real meat of the standard duty. It’s about having clear, actionable plans that staff can understand and execute under pressure. You can’t just have something scribbled on a napkin; these need to be robust, documented, and practiced.

  • Evacuation and Invacuation Plans: We’re all familiar with evacuation drills for fire, aren’t we? This is similar but with a distinct security lens. Evacuation means getting people out safely and quickly, establishing clear egress routes, designated assembly points, and ensuring accessibility for all, including those with disabilities. But then there’s ‘invacuation’ – a term less commonly understood but equally vital. This means sheltering in place, securing doors, moving away from windows, and creating safe havens inside the building. When would you invacuate? If the threat is outside but close, or if moving people outside would expose them to greater danger. Knowing when to run, when to hide, and when to tell others to fight is paramount.

  • Securing Premises: This goes beyond simply locking up at the end of the day. It’s about understanding your venue’s vulnerabilities. Are all fire exits lockable from the outside but easily opened from the inside during an emergency? Are there unmonitored back entrances? Do staff know to challenge suspicious individuals or unattended bags? It’s about creating physical barriers and also fostering a vigilant mindset amongst your team.

  • Emergency Communication Protocols: Imagine a crisis unfolding. How do you inform everyone quickly and clearly? This could involve integrated PA systems, digital signage displaying emergency messages, text alerts, or even internal radio systems for staff coordination. Crucially, the communication needs to be unambiguous and actionable, guiding people to safety without causing panic. You want to avoid that cacophony of confused shouting.

  • Staff Training: This is a big one, really. Procedures are useless if your staff aren’t trained. Everyone, from the front-of-house team to cleaning staff and even volunteers, needs to understand their role in an emergency. This isn’t just for designated security personnel. It’s about raising awareness, teaching them to identify suspicious behaviour (the ‘recognise, reject, report’ principle), and knowing the initial steps to take in a crisis before emergency services arrive. Regular refreshers, perhaps a short e-learning module or an annual briefing, will be key to keeping this knowledge fresh.

• No Physical Infrastructure Upgrades Mandated (at this level): This point often causes a bit of confusion. It doesn’t mean you shouldn’t consider physical improvements. It simply means the Act, for Standard Duty premises, doesn’t mandate the installation of things like bollards, blast-resistant glass, or extensive CCTV networks. The focus here is primarily on robust, well-practiced procedures and staff preparedness. That said, if your risk assessment points to a clear physical vulnerability, it would be prudent to address it, wouldn’t it?

Enhanced Duty Premises and Qualifying Events: The Higher Stakes

This is where the requirements really ramp up, reflecting the increased risk profile of larger gatherings. This category applies to venues and events expecting 800 or more attendees. We’re talking major concert arenas, vast exhibition centres like ExCeL London, international sporting stadiums, large-scale music festivals spread across acres, significant transport hubs with high footfall, or even major tourist attractions during peak season. The potential for mass casualties, were an attack to occur, is significantly higher, and the legislation reflects that gravitas.

Operators in this category must, of course, adhere to all the standard duty requirements. Think of it as building upon a solid foundation. But then come the additional, more stringent measures designed to proactively reduce vulnerability to terrorist acts.

• Monitoring the Premises or Event and its Immediate Vicinity: This moves beyond just internal awareness. It’s about having eyes everywhere. We’re talking sophisticated CCTV systems, perhaps even with AI-driven analytics that can flag suspicious patterns or unattended items. This also means trained security patrols, both overt and covert, extending beyond the immediate perimeter. For large outdoor events, you might even consider drone surveillance or elevated observation points. And it certainly involves active intelligence gathering and seamless communication with local law enforcement to stay abreast of potential threats.

• Controlling the Movement of Individuals Into, Out of, and Within the Premises or Event: This is about actively managing the flow of people to deter or detect threats. Imagine controlled access points with turnstiles, bag searches, perhaps even metal detectors depending on the threat level. It’s about effective queue management to prevent bottlenecks that could become targets. It means clearly defined entry and exit points, ensuring staff can guide people efficiently, and preventing unauthorised access to restricted areas. For events, this might involve careful consideration of the ‘last mile’ – the area just outside the venue where people congregate before entering.

• Ensuring the Physical Safety and Security of the Premises or Event: This is about hardening the target, literally. Think hostile vehicle mitigation measures like bollards, planters, or retractable barriers at entry points. It could involve blast mitigation measures for windows in particularly vulnerable areas, securing service entrances, and conducting thorough checks of all deliveries. For new builds or major refurbishments, it implies ‘security by design,’ integrating protective measures from the earliest planning stages. It’s about creating layers of defence that make an attack harder to execute and less impactful if it occurs. You wouldn’t want to design a beautiful glass façade that’s a security weakness, would you?

• Securing Sensitive Information Related to the Premises or Event: This might seem less obvious, but it’s crucial. Terrorist groups often conduct extensive reconnaissance. Your detailed floor plans, staff rotas, shift patterns, vulnerability assessments, CCTV camera locations, or even details of your security budget could be invaluable intelligence for an adversary. This means robust cybersecurity for digital documents, secure storage for physical plans, and strict ‘need-to-know’ protocols for sharing sensitive operational information. It’s about protecting the blueprints of your defence.

• Documenting Compliance and Sharing Security Information: This isn’t optional; it’s a fundamental accountability measure. Operators must meticulously document their risk assessments, security plans, training records, incident logs, and evidence of regular reviews. Certain key security information will need to be shared with the SIA – this isn’t just for their records, but also to facilitate their enforcement role and potentially to help them build a broader picture of national resilience. Regular internal audits and perhaps external assessments will likely become common practice to ensure ongoing compliance.

Enforcement and the Weight of Sanctions

The Security Industry Authority (SIA) stands as the primary enforcement body for Martyn’s Law, and they aren’t pulling any punches. Their powers are substantial, reflecting the seriousness with which this legislation is being taken. This isn’t about gentle nudges; it’s about compelling compliance.

• Issuing Compliance and Restriction Notices: If the SIA identifies non-compliance, they won’t hesitate to issue notices. A ‘compliance notice’ might detail specific deficiencies and a timeframe within which they must be rectified. Fail to meet that, and you could face a ‘restriction notice,’ which could legally limit or even temporarily halt operations at your venue or event until the issues are addressed. Imagine having to cancel a major event because your security plan wasn’t up to scratch. The financial and reputational fallout would be enormous.

• Monetary Penalties: This is where the teeth of the law truly show. For Enhanced Duty premises or events, the penalties for significant non-compliance can be astronomical, reaching up to £18 million or 5% of your worldwide revenue, whichever is greater. Let that sink in for a moment. For a multi-national entertainment conglomerate, 5% of global revenue could represent hundreds of millions. These aren’t small fines that can be absorbed as a cost of doing business. They are designed to be a powerful deterrent, a stark reminder of the critical importance of adhering to these measures. Factors influencing the penalty amount would likely include the severity of the breach, the degree of negligence, whether it’s a repeated offence, and the potential harm posed.

• Criminal Sanctions: And it doesn’t stop at fines. For serious or repeated non-compliance, particularly where negligence leads to harm, criminal sanctions can be brought against individuals – directors, senior management, or even the appointed security lead. This could mean imprisonment. It elevates security from an operational concern to a personal liability for those at the top. It underscores the profound duty of care involved.

These penalties, you see, aren’t just arbitrary figures. They underscore the critical importance the government places on proactive adherence to the Act. They are a clear signal that public safety against terrorism is no longer a matter of best practice, but a legally enforceable obligation with severe consequences for failure. The reputational damage alone from a major fine or criminal prosecution could shatter a brand built over decades.

Proactive Steps for Venue Operators: A Roadmap to Resilience

Given the stringent nature of Martyn’s Law, venue operators simply can’t afford to be reactive. Proactive assessment and implementation are not just advisable, they’re imperative. This isn’t a one-and-done exercise; it’s a continuous journey of improvement and adaptation.

1. Conduct Comprehensive Risk Assessments

This is your foundational diagnostic. You need to identify specific vulnerabilities relevant to your premises or event. This means moving beyond generic checklists. What are the unique characteristics of your venue? Its entry points, surrounding areas, peak times, and the demographic of your patrons? You’re essentially mapping out the potential threats (vehicle-borne attacks, marauding gun attacks, IEDs, knife attacks, etc.) against your specific vulnerabilities. And consider the ‘consequence analysis’: what would be the impact if a particular threat materialised at a specific vulnerable point? A dynamic risk assessment process, updated regularly and not just a static document, will be invaluable here.

2. Implement Appropriate Security Measures

Based on your risk assessment, you then decide on and deploy the necessary physical and procedural safeguards. This means moving beyond the basics:

• Controlled Access Points: Are your entry points efficient but also secure? This might involve modern turnstile systems, rigorous bag checks, potentially walk-through metal detectors, or even advanced biometric authentication for staff and VIPs. The goal is to detect threats before they enter the core of your venue, striking a balance between security and customer experience.

• Surveillance Systems: High-resolution CCTV is a given, but think about integrating it with a central security control room, leveraging real-time analytics to spot anomalies. Can your cameras cover all critical areas without blind spots? Is there effective monitoring, and are operators trained to respond to suspicious activity, not just record it for later review?

• Trained Personnel: This goes far beyond just your uniformed security guards. It includes front-of-house staff, ticketing teams, cleaners, catering staff, and volunteers. Every single person who interacts with the public or has eyes on the premises is a potential security asset. They need training in behavioural detection – understanding what ‘suspicious’ looks like without profiling – and knowing how to communicate effectively with security teams. Programs like Project Griffin, run by the police, can be incredibly valuable here, offering free counter-terrorism awareness training. It’s about building a collective consciousness of security.

3. Establish Clear Governance and Accountability Structures

Who is ultimately responsible? You can’t have security by committee. The Act practically demands a designated security lead, someone at a senior level with the authority and resources to drive security initiatives. Clear lines of responsibility need to be drawn, from the board down to the frontline staff. Regular reporting to the executive board on security posture, compliance status, and any identified vulnerabilities will become standard practice. This isn’t just about avoiding penalties; it’s about demonstrating a genuine commitment to patron safety at the highest levels of your organisation. It’s about making security a fixed agenda item, not an afterthought.

4. Coordinate with External Authorities and Neighbouring Entities

Security in isolation is rarely effective. You need to build strong, collaborative relationships:

• Local Authorities and Police: Forge robust links with local police forces, especially their counter-terrorism units. Participate in information-sharing forums. Conduct joint exercises and tabletop drills to test your emergency plans in a realistic scenario. The police can often provide invaluable intelligence briefings on current threats relevant to your area or sector. They aren’t just there for enforcement; they are a critical resource for prevention.

• Emergency Services: Ensure your plans are fully aligned with fire and ambulance services. Do they know your venue’s layout? Have you shared your access points and internal maps with them? Smooth coordination during an emergency will save lives. You won’t want confusion when seconds count.

• Neighbouring Entities: This is often overlooked, but imagine an incident in a venue next door. How does it impact you? Do you have shared evacuation points, or shared vulnerable perimeters? Coordinate with your neighbours – other businesses, public spaces, even residential buildings – to understand shared risks and develop coordinated responses. A collective approach to urban safety is always more effective.

Beyond Compliance: Cultivating a Culture of Vigilance

Martyn’s Law, while a legal imperative, offers a profound opportunity to embed a true culture of security within your organisation. It’s not simply about ticking boxes; it’s about fostering a mindset where safety and vigilance are intrinsic to operations. For example, I remember speaking with a venue manager who transformed their approach. Instead of just having security guards at entrances, they trained every single employee to be an ‘ambassador of security.’ From the bar staff noticing an odd package, to the cleaner seeing a misplaced bag, everyone became part of the detection network. This isn’t difficult; it just requires a bit of thoughtful training, you know?

Consider the role of technology. While not explicitly mandated for all categories, advancements in AI-driven surveillance, predictive analytics for crowd movement, and integrated sensor networks can significantly enhance your protective capabilities. Budgetary considerations are, of course, a reality. But viewing security investment as an integral part of business continuity and brand protection, rather than a mere expense, changes the conversation entirely. After all, what’s the cost of not being prepared? Your insurance premiums might even be affected by your demonstrable compliance.

Conclusion: A New Era of Public Safety

The Terrorism (Protection of Premises) Act 2025 truly represents a significant, and frankly, overdue, shift in the UK’s approach to public venue security. By imposing clear, enforceable duties on venue operators, the Act aims to materially enhance public safety and preparedness against potential terrorist attacks. It elevates security from a discretionary spend to a mandatory operational pillar.

For venue operators, the message is unambiguous: understanding and complying with these new obligations isn’t just about avoiding hefty fines or legal repercussions. It’s about upholding a moral imperative to protect your patrons, your staff, and your community. It’s about preventing another devastating tragedy like the one that gave rise to this law. Take immediate steps to assess your obligations, develop robust plans, and ensure your teams are prepared. The safety of countless individuals truly depends on it. Don’t wait until it’s too late, because as we all know, hindsight, well, it’s a terrible thing when lives are at stake.