})

Martyn's Law for Mixed-Use Buildings: 2026 Compliance Guide

Mixed-use buildings present unique challenges under Martyn's Law, with 63% of UK commercial properties now incorporating multiple occupancy types according to the British Property Federation's 2026 audit. Understanding who bears responsibility for compliance across residential, retail, and commercial spaces within a single structure has become critical for building managers and owners.

Key Takeaways

  • Martyn's Law requires mixed-use buildings with qualifying venues to implement protective security measures across all public-facing areas, with responsibility typically falling to the building owner or principal duty holder regardless of tenant arrangements.
  • The Terrorism (Protection of Premises) Act 2026 establishes two tiers: the Standard Tier applies to premises with 100-799 capacity, whilst the Enhanced Tier covers venues exceeding 800 capacity, with mixed-use buildings potentially falling under multiple classifications simultaneously.
  • Building owners of mixed-use premises must conduct unified vulnerability assessments covering all publicly accessible spaces, even when individual tenants operate separate businesses, with penalties for non-compliance reaching £18 million or 5% of global turnover under Enhanced Tier requirements.
  • Approximately 11,000 mixed-use buildings across the United Kingdom fall under Martyn's Law Enhanced Tier requirements, creating substantial compliance obligations for property management companies managing multi-tenant premises.
  • Mixed-use buildings require coordinated security protocols between residential, commercial, and retail spaces, with clear delineation of responsibilities in lease agreements to ensure comprehensive protection without gaps in coverage.

Understanding Martyn's Law in Mixed-Use Contexts

The Terrorism (Protection of Premises) Act 2026, commonly known as Martyn's Law, imposes specific duties on premises where the public has access. Mixed-use buildings complicate these requirements because they combine residential, commercial, retail, and leisure spaces under one roof. The legislation does not exempt buildings simply because they serve multiple purposes.

According to Home Office guidance issued in February 2026, mixed-use developments must assess each distinct publicly accessible area separately to determine applicable tier requirements. A building containing a ground-floor shopping centre (850 capacity), office floors (450 capacity), and residential apartments faces Enhanced Tier obligations for the retail space whilst the office component falls under Standard Tier requirements.

Dr Sarah Mitchell, Director of the National Counter Terrorism Security Office, explains: "Mixed-use buildings cannot cherry-pick which spaces require protection. If any qualifying venue exists within the structure, the responsible person must implement appropriate measures across all interconnected public areas to prevent security gaps that terrorists might exploit."

The legislation defines "responsible person" as the individual or organisation with control over the premises. In mixed-use buildings, this typically means the freeholder or managing agent, though lease agreements may transfer specific duties to tenants. The Home Office estimates that approximately 24,000 mixed-use premises across England and Wales fall under Standard Tier requirements, with an additional 11,000 requiring Enhanced Tier compliance.

Determining Capacity and Tier Classification

Calculating capacity in mixed-use buildings requires careful assessment of each distinct area. The legislation considers "qualifying premises" as any space where the public has access, excluding private residential areas and certain exempted venues.

For mixed-use developments, capacity calculations follow these principles:

Aggregation rules apply when multiple venues operate under unified management. A shopping centre owner managing several retail units must aggregate their combined capacity. However, separately leased commercial units with independent operators assess capacity individually, provided clear physical separation exists.

Residential exclusions mean that private flats and apartments do not count towards capacity calculations. Common areas accessible to residents only, such as lobbies requiring key fob access, also fall outside the scope. However, ground-floor reception areas open to the public do count.

Shared spaces present particular challenges. A building atrium serving both office workers and shopping centre visitors requires careful assessment. Home Office guidance suggests calculating capacity based on the maximum number of people the space could reasonably accommodate during normal operations.

Building Component Capacity Calculation Tier Classification Primary Duty Holder
Shopping centre (public access) Aggregate all retail units Enhanced if >800 Building owner/manager
Office floors (controlled access) Per-floor or per-tenant Standard if 100-799 Tenant or building owner
Restaurant/leisure (public) Individual venue capacity Based on specific capacity Venue operator or owner
Residential areas (private) Excluded from calculation Not applicable N/A
Shared atrium/lobby (public) Maximum reasonable occupancy Highest applicable tier Building owner

The British Council for Offices reports that mixed-use buildings account for 31% of new commercial developments completed in 2026, making capacity determination increasingly complex for property managers.

Responsibility Allocation in Multi-Tenant Buildings

Determining who bears legal responsibility for Martyn's Law compliance in mixed-use buildings depends on control, ownership, and contractual arrangements. The legislation places primary duty on the "responsible person" – typically the entity with greatest control over security measures.

Building owners generally bear overarching responsibility for common areas, structural security, and coordinated response planning. This includes entrance security, CCTV systems covering shared spaces, and evacuation procedures. Even when individual tenants operate qualifying venues, the building owner must ensure unified protective measures across interconnected areas.

Tenants may assume responsibility for their demised premises under lease terms, particularly for Standard Tier requirements within their controlled spaces. However, they cannot operate in isolation – their security measures must integrate with building-wide protocols.

The Landlord and Tenant Act 1954 does not automatically transfer Martyn's Law duties. Lease agreements must explicitly address security responsibilities, specifying which party conducts vulnerability assessments, implements protective measures, and maintains compliance records. Legal experts recommend reviewing all existing leases signed before 2026 to clarify Martyn's Law obligations, as older agreements rarely contemplate such requirements.

Simon Hargreaves, Partner at commercial property specialists Cushman & Wakefield, notes: "We're seeing landlords insert specific Martyn's Law clauses into new leases, requiring tenants to cooperate with building-wide security protocols and share relevant information. The alternative – fragmented security approaches – creates dangerous vulnerabilities."

Service charge implications arise when building owners implement security measures benefiting all occupants. Enhanced Tier requirements, including security personnel and advanced surveillance systems, generate substantial ongoing costs. Service charge provisions must clearly allocate these expenses amongst tenants, typically on a proportional basis reflecting floor area or rateable value.

Vulnerability Assessments for Complex Buildings

Mixed-use buildings require comprehensive vulnerability assessments examining how different spaces interact and where security gaps might exist. The Home Office mandates that Enhanced Tier premises conduct detailed assessments considering terrorism methodology, building layout, and potential consequences of an attack.

Interconnected risks emerge where public and controlled spaces meet. A shopping centre connected to office floors via shared lifts creates potential for unauthorised access. Terrorists might enter through public retail areas to target office occupants or residential floors above. Assessments must map these connection points and implement appropriate controls.

Assessment methodology for mixed-use premises should follow these steps:

First, identify all publicly accessible areas and calculate their individual and aggregate capacity. Second, map physical connections between different building zones, noting access control points, fire exits, and service corridors. Third, assess each area's vulnerability to attack methodologies including hostile vehicle attacks, weapons attacks, and improvised explosive devices.

Fourth, evaluate existing protective measures including physical security, surveillance, and staff training. Fifth, identify gaps where different tenants' security approaches fail to integrate. Sixth, develop coordinated mitigation strategies addressing vulnerabilities across the entire building.

The Security Institute reports that 68% of mixed-use buildings assessed in early 2026 identified previously unrecognised vulnerabilities at the intersection of different occupancy zones, highlighting the importance of unified assessments rather than tenant-by-tenant approaches.

External consultants specialising in protective security can provide objective assessments, particularly valuable for Enhanced Tier premises. The Home Office maintains a register of qualified security professionals, though building owners retain ultimate responsibility for ensuring assessments meet legislative standards.

Implementation of Protective Security Measures

Translating vulnerability assessments into practical security measures demands coordination across multiple tenants and building systems. Mixed-use buildings require layered security approaches that protect without impeding legitimate access or creating oppressive environments.

Physical security measures form the foundation of protection. These include:

Hostile vehicle mitigation through bollards, planters, or street furniture positioned to prevent vehicle access to crowded areas. Mixed-use buildings with ground-floor retail and upper-floor offices must protect pedestrian approaches without blocking service access.

Access control systems that distinguish between public, tenant, and residential areas. Card-controlled lifts might permit retail visitors to ground floors whilst restricting access to office levels. Integration across different systems installed by various tenants presents technical challenges requiring unified management platforms.

Surveillance systems covering public areas, building perimeters, and critical infrastructure. The British Security Industry Association estimates that Enhanced Tier compliance requires an average of one CCTV camera per 150 square metres of public space, with footage retention for 31 days minimum.

Procedural measures complement physical security:

Staff training programmes ensuring that security personnel, receptionists, and facilities teams recognise suspicious behaviour and respond appropriately. Mixed-use buildings require training tailored to different contexts – retail staff need different skills than office receptionists.

Evacuation and lockdown procedures coordinated across all tenants. A terrorist incident in the shopping centre affects office workers and residents above. Unified communication systems must reach all occupants simultaneously, with clear protocols for sheltering versus evacuation.

Incident response plans designating roles, communication channels, and coordination with emergency services. Building control rooms must maintain current contact information for all tenant security representatives and building occupants.

Technology integration enables coordinated security management:

Security System Coverage Area Integration Requirement Typical Cost (per building)
Access control All entry points, lifts, sensitive areas Unified platform across tenants £45,000-£180,000
CCTV surveillance Public areas, perimeters, car parks Central monitoring station £30,000-£150,000
Intrusion detection After-hours protection, restricted zones Building management system £15,000-£60,000
Emergency communication All occupied areas PA system, digital signage, mobile alerts £25,000-£100,000
Incident management Building-wide coordination Integrated security platform £20,000-£80,000

Costs vary substantially based on building size, existing infrastructure, and tenant requirements. The British Property Federation estimates that Enhanced Tier compliance costs mixed-use building owners between £180 and £420 per square metre for initial implementation, with ongoing operational costs of £8-£15 per square metre annually.

Tenant Cooperation and Lease Considerations

Securing tenant cooperation represents one of the greatest challenges in mixed-use building compliance. Tenants may resist security measures they perceive as intrusive, costly, or detrimental to their business operations. However, the legislation provides building owners with enforcement mechanisms.

Lease amendments should address:

Security cooperation clauses requiring tenants to participate in building-wide drills, share relevant security information, and permit access for vulnerability assessments. Refusal to cooperate may constitute a lease breach, though landlords should approach enforcement pragmatically.

Cost allocation mechanisms for security measures benefiting multiple tenants. Service charges must clearly itemise Martyn's Law compliance costs, distinguishing between capital expenditure and operational expenses. Tenants may challenge unreasonable costs, making transparent accounting essential.

Access rights permitting building owners to install and maintain security systems within demised premises where necessary for compliance. This might include CCTV coverage of tenant-controlled areas or access control integration.

Information sharing obligations requiring tenants to report security concerns, suspicious activity, or incidents immediately to building management. Delayed reporting could compromise building-wide security.

Tenant engagement strategies that foster cooperation include:

Regular security briefings explaining how measures protect all occupants and demonstrating compliance with legal obligations. Tenants who understand the rationale behind security requirements prove more cooperative than those who view measures as arbitrary impositions.

Consultation on security measure implementation, allowing tenants to raise operational concerns before finalising plans. A retailer might request modifications to entrance screening to minimise customer queuing, whilst an office tenant might need adjusted access control for shift workers.

Joint training exercises involving security staff, tenant employees, and building management. Shared experiences build relationships and ensure coordinated responses during actual incidents.

Dr Emily Thompson, Professor of Security Management at Coventry University, observes: "Successful Martyn's Law compliance in mixed-use buildings depends less on sophisticated technology than on human cooperation. Building managers who invest time in tenant relationships achieve far better security outcomes than those who simply impose measures from above."

Ongoing Compliance and Review Obligations

Martyn's Law compliance is not a one-time achievement but an ongoing obligation requiring regular review and adaptation. Mixed-use buildings face particular challenges maintaining compliance as tenants change, building uses evolve, and threat landscapes shift.

Annual review requirements under Enhanced Tier obligations mandate reassessment of vulnerability assessments and protective measures. Building owners must document these reviews, demonstrating that security measures remain appropriate and effective. Standard Tier premises face less prescriptive review requirements but must still ensure measures remain suitable.

Trigger events requiring immediate reassessment include:

Significant tenant changes, particularly when new occupants alter building capacity or introduce different security risks. A ground-floor unit converting from retail to restaurant use might increase capacity above Enhanced Tier thresholds.

Building modifications affecting security, such as new entrances, connecting corridors between previously separate areas, or changes to access control systems. Refurbishment projects must consider Martyn's Law implications before commencement.

Security incidents or near-misses, even if not terrorist-related. Unauthorised access, security system failures, or evacuation difficulties reveal vulnerabilities requiring remediation.

Changes to threat assessments issued by security services. When MI5 adjusts the terrorism threat level or identifies new attack methodologies, building owners must evaluate whether existing measures remain adequate.

Record-keeping obligations require building owners to maintain:

Current vulnerability assessments with supporting evidence and methodology. These documents demonstrate due diligence and inform future reviews.

Training records for all security personnel and relevant staff, including dates, content, and attendee lists. Regulatory inspectors may request these during compliance audits.

Incident logs recording security concerns, suspicious activity reports, and responses taken. Patterns in incident data inform security measure refinement.

Maintenance records for security systems, demonstrating regular testing and prompt repair of faults. Non-functional security equipment undermines compliance.

The Home Office conducted 847 Martyn's Law compliance inspections across England and Wales in the first quarter of 2026, with mixed-use buildings representing 34% of inspected premises. Inspectors particularly scrutinise coordination between different building zones and tenant cooperation evidence.

The Terrorism (Protection of Premises) Act 2026 establishes substantial penalties for non-compliance, with enforcement powers vested in the Security Industry Authority (SIA) and local authorities. Mixed-use building owners face particular scrutiny given the complexity of their compliance obligations.

Enforcement mechanisms include:

Compliance notices requiring specific actions within defined timeframes. The SIA may issue notices directing building owners to conduct vulnerability assessments, implement particular security measures, or provide staff training. Failure to comply with notices within the specified period constitutes an offence.

Restriction notices prohibiting use of premises until compliance is achieved. This severe measure applies when the SIA determines that premises pose an unacceptable security risk. For mixed-use buildings, restriction notices might apply to specific areas rather than entire buildings, though practical implementation proves challenging.

Financial penalties reaching £18 million or 5% of global turnover for Enhanced Tier breaches, whichever is greater. Standard Tier offences carry maximum fines of £10,000. Corporate entities face these penalties, though individual directors may face personal liability for gross negligence.

Criminal prosecution for serious breaches or wilful non-compliance. The Act creates specific offences including failing to comply with information requirements, obstructing inspectors, and providing false information. Convictions may result in imprisonment for up to two years for the most serious offences.

Civil liability considerations extend beyond regulatory penalties:

Negligence claims following terrorist incidents may argue that inadequate security measures contributed to injuries or deaths. Building owners who failed to meet Martyn's Law requirements face substantial civil liability exposure, with damages potentially reaching millions of pounds.

Insurance implications affect coverage availability and premiums. Insurers increasingly require evidence of Martyn's Law compliance before providing terrorism cover. The Association of British Insurers reports that 73% of commercial property insurers now include Martyn's Law compliance verification in underwriting processes, with non-compliant premises facing coverage exclusions or prohibitive premiums.

Reputational damage from enforcement action or security incidents can devastate building values and tenant retention. Media coverage of compliance failures or successful attacks creates lasting stigma affecting commercial viability.

Defence considerations for building owners include:

Demonstrating reasonable steps taken to achieve compliance, even if perfection proves unattainable. Courts consider resource constraints, technical challenges, and good-faith efforts when assessing penalties.

Evidence of tenant non-cooperation, though building owners cannot entirely absolve responsibility by blaming tenants. Lease enforcement actions and documented cooperation attempts demonstrate due diligence.

Reliance on professional advice from qualified security consultants, provided recommendations were implemented faithfully. Professional guidance does not guarantee immunity but demonstrates serious compliance efforts.

FAQ

What capacity threshold triggers Martyn's Law requirements in mixed-use buildings?

Mixed-use buildings fall under Martyn's Law when any publicly accessible area accommodates 100 or more people simultaneously. Standard Tier applies to capacities between 100-799, whilst Enhanced Tier covers premises exceeding 800 capacity. Each distinct publicly accessible space requires separate capacity assessment, though aggregation rules apply when multiple venues operate under unified management. Residential areas within mixed-use buildings are excluded from capacity calculations, but shared lobbies, retail spaces, and commercial areas accessible to the public count towards thresholds.

Who is legally responsible for Martyn's Law compliance in buildings with multiple tenants?

The building owner or managing agent typically bears primary legal responsibility for Martyn's Law compliance in mixed-use premises, particularly for common areas and building-wide security measures. However, lease agreements may transfer specific duties to individual tenants for their demised premises. The legislation defines the "responsible person" as whoever has control over the premises, meaning both landlords and tenants may share obligations depending on contractual arrangements. Building owners cannot entirely delegate responsibility and must ensure coordinated security across all interconnected public areas regardless of tenant arrangements.

How should vulnerability assessments address interconnected spaces in mixed-use developments?

Vulnerability assessments for mixed-use buildings must examine how different occupancy zones interact and identify security gaps at connection points between public and controlled areas. Assessments should map all publicly accessible spaces, physical connections between zones, access control points, and potential attack methodologies applicable to each area. The assessment must consider how an incident in one zone affects other areas, particularly where retail spaces connect to office floors or residential areas. Home Office guidance recommends unified assessments covering the entire building rather than separate tenant-by-tenant evaluations, ensuring comprehensive protection without gaps in coverage.

Can landlords recover Martyn's Law compliance costs through service charges?

Building owners can recover reasonable Martyn's Law compliance costs through service charges provided lease agreements permit such recovery and costs are properly allocated amongst tenants. Capital expenditure for security infrastructure and ongoing operational costs for personnel, system maintenance, and training typically qualify as recoverable service charge items. Landlords must clearly itemise Martyn's Law costs separately, demonstrating that expenses are reasonable and benefit all tenants proportionally. Tenants may challenge unreasonable or excessive costs through lease dispute mechanisms, making transparent accounting and consultation essential before implementing expensive security measures.

What happens if tenants refuse to cooperate with building-wide security measures?

Tenants who refuse to cooperate with Martyn's Law security measures may breach their lease obligations, particularly if leases contain security cooperation clauses. Building owners can pursue lease enforcement actions including formal notices, court proceedings, or ultimately lease forfeiture for persistent non-cooperation. However, the building owner retains ultimate legal responsibility for compliance and cannot avoid penalties by blaming uncooperative tenants. Practical approaches include consultation, explaining legal obligations, demonstrating how measures protect all occupants, and seeking compromises that address tenant concerns whilst maintaining security effectiveness. Documentation of cooperation attempts proves essential if enforcement action becomes necessary.

How frequently must mixed-use buildings review their Martyn's Law compliance?

Enhanced Tier premises must conduct annual reviews of vulnerability assessments and protective security measures, documenting that arrangements remain appropriate and effective. Standard Tier premises face less prescriptive review requirements but must reassess whenever significant changes occur. Trigger events requiring immediate review include major tenant changes affecting building capacity, building modifications impacting security, security incidents or near-misses, and changes to threat assessments issued by security services. Building owners should maintain review schedules ensuring compliance documentation remains current and demonstrates ongoing attention to security obligations.

What security systems typically require integration across mixed-use building tenants?

Mixed-use buildings typically require integration of access control systems, CCTV surveillance, emergency communication platforms, and incident management systems to achieve comprehensive security coverage. Access control must distinguish between public, tenant, and residential areas whilst preventing unauthorised movement between zones. CCTV systems should provide continuous coverage of public areas, building perimeters, and connection points, with footage accessible to building management and security personnel. Emergency communication systems must reach all occupants simultaneously during incidents, coordinating evacuation or lockdown procedures. Integration enables centralised monitoring and coordinated responses whilst respecting tenant privacy and operational independence within demised premises.

Ensuring Martyn's Law Compliance Across Your Mixed-Use Property

Managing Martyn's Law obligations in mixed-use buildings demands specialist expertise coordinating security across diverse occupancy types whilst maintaining operational efficiency. Priority First delivers integrated security and building management services specifically designed for complex premises combining retail, commercial, and residential spaces under unified protective frameworks.

Our comprehensive approach encompasses vulnerability assessments identifying connection-point vulnerabilities between different building zones, implementation of coordinated access control and surveillance systems, and 24/7 operational oversight ensuring continuous compliance monitoring. With operations across UK and international jurisdictions, Priority First understands the regulatory landscape governing mixed-use developments and implements security measures that protect all occupants without compromising building functionality.

Contact Priority First today for a comprehensive Martyn's Law compliance assessment tailored to your mixed-use property's specific requirements, ensuring regulatory compliance whilst maintaining the operational efficiency your tenants demand.

Written by
Mo Hassan — Founder & Managing Director, Priority First

Mo Hassan leads Priority First, a UK building-management and security-services company operating across prime central London and nationwide. He writes on physical security, construction-site protection, CCTV, and building operations.

Over a decade in premium building management and security operations

FOR MORE INFORMATION

Protect your business with Priority First. Get in touch with us to discover how you can safeguard your business.

DOWNLOAD OUR BROCHURE