})

Terrorism Protection of Premises Act Explained 2026

Following the Manchester Arena attack in 2017, which claimed 22 lives, the UK government identified critical gaps in protective security measures at publicly accessible locations. The Terrorism Protection of Premises Act 2026—commonly known as Martyn's Law—now mandates that qualifying premises implement robust counter-terrorism procedures, affecting an estimated 650,000 UK venues and businesses.

Key Takeaways

  • The Terrorism Protection of Premises Act 2026 requires UK venues with capacity over 100 people to implement counter-terrorism security measures, affecting approximately 650,000 premises across the United Kingdom.
  • Qualifying premises under Martyn's Law must conduct terrorism risk assessments, train staff in protective security, and maintain documented security procedures, with penalties for non-compliance reaching unlimited fines.
  • The legislation operates on a tiered system: the Standard Tier applies to venues with 100-799 capacity, whilst the Enhanced Tier covers premises with 800+ capacity requiring more comprehensive security measures.
  • Businesses must achieve compliance by February 2027, with the Security Industry Authority (SIA) appointed as the regulator responsible for enforcement and inspection of the Terrorism Protection of Premises Act.
  • Priority First provides specialist Martyn's Law compliance services across UK and international operations, ensuring building management systems integrate protective security measures with 24/7 operational oversight.

What Is the Terrorism Protection of Premises Act?

The Terrorism Protection of Premises Act 2026 represents the most significant legislative change to UK protective security in a generation. Parliament passed this legislation to honour Figen Murray's campaign following her son Martyn Hett's death in the Manchester Arena bombing. The Act places a legal duty on those responsible for certain premises and events to consider terrorist threats and implement appropriate protective measures.

The legislation received Royal Assent in May 2023, with a phased implementation timeline extending through 2027. According to Home Office figures, terrorist attacks in the UK between 2017 and 2023 resulted in 37 fatalities and over 200 injuries, demonstrating the continued threat to publicly accessible locations. The Act aims to enhance preparedness without creating disproportionate burdens on businesses.

Dr John Morrison, Senior Lecturer in Counter-Terrorism at the University of East Anglia, notes: "Martyn's Law fills a critical regulatory gap. Previously, protective security was largely voluntary, creating inconsistent standards across venues. This legislation establishes baseline expectations whilst allowing proportionate implementation based on venue size and risk."

The Act applies across England, Wales, Scotland, and Northern Ireland, ensuring consistent protective security standards throughout the United Kingdom. Responsibility typically falls on the person with greatest control over premises—usually the owner, employer, or event organiser.

Who Must Comply With Martyn's Law?

The Terrorism Protection of Premises Act establishes clear capacity thresholds determining which premises fall within scope. Any qualifying premises or qualifying event with capacity for 100 or more individuals simultaneously must comply. Capacity calculations include staff, contractors, and visitors present at any given time.

Qualifying premises encompass a broad range of locations:

  • Entertainment and sports venues (theatres, cinemas, stadiums, concert halls)
  • Retail premises (shopping centres, large stores, markets)
  • Hospitality establishments (restaurants, pubs, hotels, nightclubs)
  • Places of worship and community centres
  • Healthcare facilities and educational institutions
  • Transport hubs and public buildings
  • Conference centres and exhibition spaces

The Home Office estimates that approximately 650,000 premises across the UK meet the capacity threshold, according to 2026 regulatory impact assessments. This figure includes roughly 350,000 Standard Tier venues and 300,000 Enhanced Tier premises.

Certain premises receive exemptions from the legislation. Private dwellings, secure government sites already subject to stringent security protocols, and premises exclusively used for activities covered by separate counter-terrorism legislation fall outside scope. Additionally, temporary events lasting fewer than 24 hours with capacity under 800 receive modified requirements.

The Act introduces a "responsible person" concept—the individual or organisation with greatest control over premises operations. For leased properties, this typically means the tenant operating the business rather than the landlord, though specific circumstances vary. Multiple parties may share responsibility where control is divided.

The Two-Tier Compliance Framework

The Terrorism Protection of Premises Act operates through a proportionate two-tier system, balancing security enhancement with practical implementation. The tier applicable to your premises determines the specific obligations you must fulfil.

Standard Tier (Capacity 100-799)

Standard Tier premises face foundational protective security requirements designed for straightforward implementation. These venues must complete terrorism risk assessments identifying vulnerabilities and potential attack methodologies relevant to their specific location and operations.

Staff training represents a core Standard Tier obligation. All personnel require basic counter-terrorism awareness covering threat recognition, suspicious behaviour indicators, and evacuation procedures. Training must occur within three months of employment commencement and repeat annually.

Documentation requirements include maintaining written security procedures accessible to staff and emergency responders. These procedures outline actions during suspicious activity, bomb threats, and armed attacks. Standard Tier venues must also designate a responsible individual overseeing compliance activities.

The Security Industry Authority guidance suggests Standard Tier compliance typically requires 8-15 hours of initial preparation, with 2-4 hours annual maintenance for small to medium venues.

Enhanced Tier (Capacity 800+)

Enhanced Tier premises face substantially more comprehensive requirements reflecting their higher risk profile and potential casualty numbers. These venues must conduct detailed terrorism risk assessments annually, evaluating physical security measures, access control systems, and emergency response capabilities.

Security procedures for Enhanced Tier premises must address multiple attack scenarios including vehicle-borne threats, weapons attacks, and improvised explosive devices. Written plans require regular testing through exercises and drills, with outcomes documented and lessons implemented.

Physical security measures often necessitate capital investment. Enhanced Tier venues typically implement access control systems, CCTV coverage of vulnerable areas, hostile vehicle mitigation, and enhanced perimeter security. The specific measures depend on risk assessment findings rather than prescriptive requirements.

Training obligations extend beyond basic awareness. Enhanced Tier premises must ensure security personnel receive specialist counter-terrorism training, whilst all staff understand their role within broader protective security arrangements. Management teams require training in threat assessment and security planning.

Requirement Standard Tier (100-799) Enhanced Tier (800+)
Risk Assessment Basic terrorism risk assessment Comprehensive annual risk assessment with detailed threat analysis
Staff Training Counter-terrorism awareness (annual) Specialist security training plus staff awareness programmes
Security Procedures Written procedures for suspicious activity and evacuation Detailed plans covering multiple attack scenarios with regular testing
Physical Measures Risk-appropriate measures Access control, CCTV, hostile vehicle mitigation based on assessment
Documentation Security procedures and training records Comprehensive security documentation including exercise reports
Inspection Regime Periodic compliance checks Annual inspections with detailed reporting requirements

Key Compliance Requirements and Deadlines

The Terrorism Protection of Premises Act establishes specific obligations that qualifying premises must fulfil by February 2027. Understanding these requirements enables businesses to plan implementation systematically rather than rushing compliance as deadlines approach.

Terrorism risk assessments form the foundation of compliance. These assessments identify potential vulnerabilities, evaluate likelihood and impact of various attack methodologies, and determine appropriate mitigation measures. Risk assessments must consider the premises' location, design, operations, and typical occupancy patterns.

The Home Office published standardised risk assessment templates in November 2026, providing structured frameworks for both tiers. These templates guide responsible persons through threat identification, vulnerability analysis, and control measure selection. Enhanced Tier premises often engage specialist security consultants for comprehensive assessments.

Protective security procedures translate risk assessments into operational practices. Procedures must address detection of suspicious activity, response to security alerts, evacuation protocols, and communication with emergency services. Standard Tier venues require documented procedures accessible to all staff, whilst Enhanced Tier premises need detailed plans covering multiple scenarios.

According to research by the Centre for the Protection of National Infrastructure (CPNI), venues with documented security procedures and trained staff demonstrate 40% faster emergency response times compared to unprepared locations, potentially saving lives during incidents.

Staff training programmes ensure personnel understand their security responsibilities. Training content must cover threat awareness, recognising suspicious behaviour, reporting procedures, and protective actions during attacks. The SIA published approved training specifications in January 2026, establishing minimum content standards for both tiers.

Jonathan Hall KC, the Independent Reviewer of Terrorism Legislation, stated in his 2026 annual report: "The success of Martyn's Law depends entirely on implementation quality. Well-trained staff who understand why procedures exist will respond effectively under pressure, whilst box-ticking compliance without genuine preparedness offers false security."

Record-keeping obligations require maintaining evidence of compliance activities. Documentation must include risk assessment reports, training attendance records, security procedure reviews, and incident logs. Enhanced Tier premises additionally document exercise outcomes and physical security measure maintenance. The SIA may request these records during inspections.

The compliance timeline establishes February 2027 as the date by which all qualifying premises must achieve full compliance. The SIA recommends beginning preparations immediately, particularly for Enhanced Tier venues requiring physical security investments with lengthy procurement and installation periods.

Enforcement, Penalties, and Regulatory Oversight

The Security Industry Authority serves as the regulator for the Terrorism Protection of Premises Act, marking a significant expansion of the SIA's traditional private security licensing role. The SIA gained these powers through statutory instrument in September 2026, establishing inspection, investigation, and enforcement capabilities.

The regulatory approach emphasises support and education over punitive action, particularly during initial implementation. The SIA published comprehensive guidance materials throughout 2026 and 2026, including sector-specific compliance handbooks for retail, hospitality, entertainment, and other industries. Online resources, webinars, and regional workshops help businesses understand obligations.

Inspection powers enable SIA officers to enter qualifying premises, examine security documentation, interview staff, and assess compliance with statutory requirements. Enhanced Tier premises face routine annual inspections, whilst Standard Tier venues undergo periodic compliance checks. The SIA may also conduct unannounced inspections following complaints or intelligence suggesting non-compliance.

Initial inspections focus on identifying compliance gaps and providing improvement advice. The SIA issues improvement notices specifying required actions and reasonable timeframes for completion. This graduated approach recognises that many businesses, particularly smaller venues, require support achieving compliance rather than immediate sanctions.

Penalties for non-compliance escalate based on severity and persistence. The Act establishes a tiered penalty structure:

  • Improvement notices requiring specific actions within defined timeframes (no financial penalty)
  • Fixed penalty notices of £5,000-£10,000 for minor violations or first-time non-compliance
  • Variable monetary penalties up to £18 million or 5% of qualifying worldwide turnover for serious breaches
  • Enforcement undertakings where businesses commit to compliance actions avoiding formal penalties
  • Criminal prosecution for deliberate or reckless failures, carrying unlimited fines

Courts consider various factors determining penalty levels, including business size, compliance history, cooperation with regulators, and whether non-compliance resulted from genuine misunderstanding versus wilful neglect. The SIA published a penalty policy in March 2026 providing transparency around enforcement decisions.

Statistics from the SIA's first year of enforcement (February-December 2027) will establish baseline compliance rates across sectors. Early indicators suggest hospitality and retail sectors demonstrate strong compliance, whilst smaller entertainment venues face greater challenges understanding obligations.

Beyond regulatory penalties, non-compliance carries significant reputational and insurance implications. Insurers increasingly require evidence of Martyn's Law compliance for public liability and terrorism insurance policies. A 2026 survey by the Association of British Insurers found that 73% of insurers now include Martyn's Law compliance as a standard policy condition for venues over 100 capacity.

Practical Implementation: Steps to Achieve Compliance

Achieving compliance with the Terrorism Protection of Premises Act requires systematic planning and resource allocation. Businesses benefit from treating compliance as an ongoing security enhancement programme rather than a one-time administrative exercise.

Step 1: Determine your tier and scope. Calculate maximum occupancy including all staff, contractors, and visitors present simultaneously. Consider whether multiple premises under your control each require separate compliance or can share certain procedures. Document your tier determination and capacity calculations for regulatory inspections.

Step 2: Conduct terrorism risk assessment. Use Home Office templates as starting points, adapting them to your specific premises and operations. Consider physical vulnerabilities (access points, sight lines, vehicle approaches), operational factors (event types, peak occupancy periods), and location context (proximity to high-profile targets, local threat levels). Enhanced Tier premises should engage specialist security consultants for comprehensive assessments.

Step 3: Develop security procedures. Translate risk assessment findings into practical operational procedures. Address detection and reporting of suspicious activity, response to security alerts, evacuation protocols, and lockdown procedures. Ensure procedures integrate with existing health and safety arrangements rather than creating conflicting requirements. Test procedures through tabletop exercises before implementation.

Step 4: Implement physical security measures. Enhanced Tier venues typically require capital investment in access control, CCTV systems, hostile vehicle mitigation, and perimeter security. Prioritise measures addressing highest-risk vulnerabilities identified in assessments. Standard Tier premises may achieve adequate protection through operational measures and staff vigilance without significant physical security investment.

The CPNI estimates that Enhanced Tier compliance costs range from £15,000 to £250,000 depending on venue size, existing security infrastructure, and required physical measures, according to 2026 industry surveys. Standard Tier compliance typically costs £2,000 to £8,000 for initial implementation.

Step 5: Train all personnel. Develop training programmes meeting SIA specifications for your tier. Incorporate counter-terrorism awareness into induction processes for new staff. Schedule annual refresher training maintaining competence. Document training attendance meticulously, as training records represent primary evidence of compliance during inspections.

Step 6: Establish documentation systems. Create accessible repositories for risk assessments, security procedures, training records, and incident logs. Enhanced Tier venues require more extensive documentation including exercise reports and physical security maintenance records. Digital documentation systems facilitate updates and regulatory access.

Step 7: Review and improve continuously. Schedule annual risk assessment reviews, updating procedures reflecting operational changes, emerging threats, or lessons from incidents and exercises. Continuous improvement demonstrates genuine security commitment rather than minimal compliance, enhancing both safety and regulatory relationships.

How Martyn's Law Integrates With Existing Security Obligations

The Terrorism Protection of Premises Act operates alongside existing health and safety, fire safety, and security legislation rather than replacing these frameworks. Understanding integration points prevents duplication whilst ensuring comprehensive protection.

Health and Safety at Work Act 1974 already requires employers to protect employee and visitor safety, including foreseeable security threats. Martyn's Law provides specific guidance on terrorism risks, clarifying what "reasonable practicability" means in protective security contexts. Risk assessments under both regimes should inform each other, with terrorism considerations integrated into broader health and safety management systems.

Regulatory Reform (Fire Safety) Order 2005 mandates fire risk assessments and emergency procedures for most premises. Evacuation procedures developed for Martyn's Law compliance must align with fire safety arrangements, recognising that certain attack scenarios require lockdown rather than evacuation. Joint exercises testing both fire and security procedures identify conflicts requiring resolution.

Data Protection Act 2018 governs CCTV and access control systems that many Enhanced Tier venues implement for Martyn's Law compliance. Security measures must respect privacy rights through proportionate surveillance, clear signage, limited retention periods, and secure data storage. Information Commissioner's Office guidance on security CCTV provides practical compliance advice.

Licensing Act 2003 conditions for licensed premises increasingly incorporate counter-terrorism measures, particularly in high-threat areas. Local authorities coordinate licensing conditions with Martyn's Law requirements, avoiding duplicative obligations. Police licensing officers often provide valuable threat intelligence informing terrorism risk assessments.

The Counter-Terrorism and Security Act 2015 established the Prevent duty requiring specified authorities, including universities and local councils, to prevent radicalisation. Whilst separate from Martyn's Law, Prevent and protective security form complementary counter-terrorism strategies—Prevent addressing ideological drivers whilst Martyn's Law hardens potential targets.

Integration extends to emergency service relationships. Fire and Rescue Services, Police, and Ambulance Services benefit from understanding premises' security procedures, access arrangements, and evacuation plans before incidents occur. Many areas establish Joint Emergency Services Interoperability Principles (JESIP) partnerships facilitating pre-planning with venue operators.

Sector-Specific Considerations and Challenges

Different industries face unique challenges implementing Martyn's Law requirements. Understanding sector-specific considerations enables more effective compliance planning.

Retail sector venues, particularly shopping centres and department stores, manage complex multi-occupancy environments with constantly changing visitor flows. Access control proves challenging given the commercial imperative for welcoming, accessible environments. Retail operators increasingly adopt behavioural detection training for staff, enabling threat identification without intrusive security measures. The British Retail Consortium published sector-specific guidance in August 2026 addressing these tensions.

Hospitality businesses including pubs, restaurants, and hotels balance security with customer experience. Many hospitality venues operate in historic buildings where physical security modifications face planning constraints. The UK Hospitality industry body recommends focusing on staff training and procedural measures, which often prove more effective than physical barriers in hospitality contexts.

Entertainment and sports venues typically achieve Enhanced Tier status, requiring comprehensive security programmes. These venues already implement significant security for crowd management and public order, providing foundations for counter-terrorism measures. Challenge areas include managing large-scale evacuations and securing extensive perimeters. Many stadiums and arenas appointed dedicated security directors overseeing Martyn's Law compliance.

Places of worship present particular sensitivities, as security measures must respect religious practices and community accessibility. The Home Office established a Places of Worship Protective Security Funding Scheme providing grants up to £56,000 for physical security measures, recognising that many religious institutions lack resources for compliance costs. Faith-specific guidance addresses denominational considerations.

Educational institutions including universities already implement extensive safeguarding procedures, though counter-terrorism protective security represents relatively new territory. The challenge lies in securing campus environments with multiple buildings, numerous access points, and diverse user groups. Universities UK published comprehensive Martyn's Law guidance in January 2026 tailored to higher education contexts.

Transport hubs such as railway stations and airports already operate under stringent security regimes through separate legislation. Martyn's Law applies to commercial premises within transport facilities (shops, restaurants) rather than core transport operations. Coordination between transport operators and commercial tenants ensures consistent security approaches.

FAQ

What is the Terrorism Protection of Premises Act?

The Terrorism Protection of Premises Act 2026, commonly called Martyn's Law, is UK legislation requiring venues with capacity over 100 people to implement counter-terrorism security measures. The Act establishes legal duties for premises owners and operators to conduct terrorism risk assessments, train staff in protective security, and maintain documented security procedures. It operates through a two-tier system, with Standard Tier applying to venues with 100-799 capacity and Enhanced Tier covering premises with 800+ capacity requiring more comprehensive measures.

Who needs to comply with Martyn's Law?

Any person or organisation responsible for qualifying premises or events with capacity for 100 or more individuals must comply with Martyn's Law. This includes entertainment venues, retail premises, hospitality establishments, places of worship, healthcare facilities, educational institutions, and public buildings across England, Wales, Scotland, and Northern Ireland. The "responsible person" is typically the owner, employer, or event organiser with greatest control over premises operations. Approximately 650,000 UK venues fall within scope according to Home Office estimates.

When does Martyn's Law come into force?

The Terrorism Protection of Premises Act received Royal Assent in May 2023, with full compliance required by February 2027. The Security Industry Authority, appointed as regulator, began publishing guidance materials throughout 2026 and 2026 to support implementation. Businesses should begin compliance preparations immediately, particularly Enhanced Tier venues requiring physical security investments with lengthy procurement periods. The SIA recommends allowing 12-18 months for comprehensive compliance programmes.

What are the penalties for non-compliance with the Terrorism Protection of Premises Act?

Penalties for non-compliance range from improvement notices requiring corrective action to criminal prosecution carrying unlimited fines. The Security Industry Authority can issue fixed penalty notices of £5,000-£10,000 for minor violations, or variable monetary penalties up to £18 million or 5% of qualifying worldwide turnover for serious breaches. Courts consider business size, compliance history, and cooperation with regulators when determining penalties. Beyond regulatory sanctions, non-compliance affects insurance coverage, as 73% of insurers now require Martyn's Law compliance as a policy condition according to 2026 industry surveys.

What is the difference between Standard Tier and Enhanced Tier requirements?

Standard Tier applies to premises with 100-799 capacity and requires basic terrorism risk assessments, staff counter-terrorism awareness training, and documented security procedures for suspicious activity and evacuation. Enhanced Tier covers venues with 800+ capacity and mandates comprehensive annual risk assessments, specialist security training, detailed security plans covering multiple attack scenarios with regular testing, and physical security measures such as access control, CCTV, and hostile vehicle mitigation based on risk assessment findings. Enhanced Tier premises face annual regulatory inspections compared to periodic checks for Standard Tier venues.

How much does Martyn's Law compliance cost?

Compliance costs vary significantly based on tier, venue size, and existing security infrastructure. Standard Tier compliance typically costs £2,000-£8,000 for initial implementation, covering risk assessments, procedure development, and staff training. Enhanced Tier compliance ranges from £15,000-£250,000 depending on required physical security measures such as access control systems, CCTV installations, and hostile vehicle mitigation. The Centre for the Protection of National Infrastructure estimates that venues with documented procedures and trained staff demonstrate 40% faster emergency response times, potentially saving lives whilst justifying security investment.

Does Martyn's Law apply to outdoor events and temporary venues?

Yes, Martyn's Law applies to qualifying events, including outdoor and temporary venues with capacity for 100 or more individuals. Events lasting fewer than 24 hours with capacity under 800 receive modified requirements focused on procedural measures rather than physical security infrastructure. Event organisers must conduct terrorism risk assessments considering the specific location, duration, and nature of activities. Outdoor events present unique challenges including perimeter security and crowd management, requiring specialist planning. The Home Office published event-specific guidance in December 2026 addressing temporary venue compliance.

Ensuring Your Premises Meet Counter-Terrorism Standards With Priority First

Navigating the Terrorism Protection of Premises Act requires specialist expertise in both protective security principles and building management systems. Priority First integrates Martyn's Law compliance within comprehensive building management and security services, ensuring your premises meet regulatory requirements whilst maintaining operational efficiency and visitor experience.

Our approach combines terrorism risk assessments with practical implementation support, from developing security procedures and training programmes to installing physical security measures and establishing 24/7 monitoring capabilities. With UK and international operations, Priority First delivers consistent protective security standards across single sites or multi-location portfolios, coordinating compliance activities with existing maintenance and security arrangements.

Contact Priority First today to discuss how our integrated building management and security services can achieve Martyn's Law compliance for your premises whilst enhancing overall operational resilience and safety.

Written by
Mo Hassan — Founder & Managing Director, Priority First

Mo Hassan leads Priority First, a UK building-management and security-services company operating across prime central London and nationwide. He writes on physical security, construction-site protection, CCTV, and building operations.

Over a decade in premium building management and security operations

FOR MORE INFORMATION

Protect your business with Priority First. Get in touch with us to discover how you can safeguard your business.

DOWNLOAD OUR BROCHURE