
What Is Martyn's Law? UK Security Requirements 2026

Over 14,000 UK venues will face mandatory counter-terrorism security measures when Martyn's Law comes into force in 2026, fundamentally changing how businesses manage public safety. Named after Martyn Hett, one of 22 people killed in the Manchester Arena attack in 2017, this legislation introduces the first statutory duty for premises operators to protect the public from terrorist threats.
Key Takeaways
- Martyn's Law (officially the Terrorism (Protection of Premises) Bill) will require qualifying venues with capacity over 100 people to implement counter-terrorism security measures from 2026 onwards.
- The legislation establishes a two-tier system: Standard Tier venues (100-799 capacity) must complete basic security training and planning, whilst Enhanced Tier venues (800+ capacity) face comprehensive risk assessments and security implementation requirements.
- Non-compliance with Martyn's Law can result in penalties up to £18 million or 5% of global revenue for Enhanced Tier venues, with criminal sanctions for directors who fail to meet their obligations.
- According to Home Office impact assessments, approximately 11,000 premises will fall under Standard Tier requirements and 3,000 under Enhanced Tier obligations across the United Kingdom.
- Priority First's integrated security and building management services position businesses to achieve full Martyn's Law compliance through expert risk assessments, security system implementation, and 24/7 operational monitoring.
Understanding Martyn's Law: Origins and Purpose
The Manchester Arena bombing on 22 May 2017 exposed critical gaps in public venue security protocols. Figen Murray, Martyn Hett's mother, campaigned tirelessly for legislative change, arguing that simple security measures could have prevented or mitigated the attack's devastating impact.
"We need to ensure that what happened to my son and 21 others never happens again," Figen Murray stated during her five-year campaign. Her advocacy led to cross-party parliamentary support for what became known as Martyn's Law.
The legislation addresses a stark reality: according to MI5 Director General Ken McCallum, the UK faces its most complex and evolving terrorist threat environment in decades. Between 2017 and 2026, UK security services disrupted 43 late-stage terrorist plots, demonstrating the persistent nature of the threat facing public venues.
Research by the Centre for the Protection of National Infrastructure (CPNI) found that 78% of UK venues lacked formal counter-terrorism security protocols before Martyn's Law was proposed. This legislation aims to close that vulnerability gap systematically.
The Two-Tier Framework: Standard and Enhanced Requirements
Martyn's Law establishes distinct obligations based on venue capacity, ensuring proportionate measures whilst maintaining comprehensive coverage.
Standard Tier (100-799 Capacity)
Venues in this category include small theatres, community centres, restaurants, and retail premises. Standard Tier obligations focus on foundational security awareness and planning, requiring minimal financial investment whilst establishing essential protective protocols.
Operators must complete counter-terrorism training approved by the Security Industry Authority (SIA). This training covers threat recognition, suspicious behaviour identification, and emergency response procedures. The Home Office estimates training costs at approximately £150-£300 per venue annually.
Standard Tier premises must develop and maintain a procedural security plan documenting evacuation routes, communication protocols, and incident response procedures. These plans require annual review and staff familiarisation, ensuring security measures remain current and effective.
Enhanced Tier (800+ Capacity)
Larger venues including shopping centres, stadiums, concert halls, and major transport hubs face substantially more rigorous requirements. Enhanced Tier venues must conduct comprehensive risk assessments, implement physical security measures, and maintain detailed security documentation.
According to Home Office estimates, Enhanced Tier compliance costs range from £10,000 to £250,000 depending on venue size, existing security infrastructure, and risk profile. These venues must appoint a designated senior officer responsible for security compliance, ensuring accountability at board level.
Enhanced Tier risk assessments must evaluate vulnerabilities including access points, crowd density areas, vehicle approach routes, and potential concealment locations. Assessments require professional security expertise, with many venues engaging specialist consultancies to ensure thorough evaluation.
Qualifying Premises: Does Your Venue Fall Under Martyn's Law?
The legislation applies to premises and events where the public congregates, creating a broad scope that captures diverse venue types. Capacity thresholds count maximum occupancy rather than typical attendance, meaning venues must assess their theoretical maximum rather than average footfall.
Included Premises Types
Entertainment venues including theatres, cinemas, concert halls, and nightclubs fall squarely within scope. Retail premises from high street shops to shopping centres must comply when capacity exceeds thresholds. Sports venues, museums, galleries, and visitor attractions face obligations regardless of whether admission is charged.
Places of worship, community centres, and educational establishments conducting public events must assess their compliance requirements. Hotels, conference centres, and hospitality venues hosting public-facing events require evaluation, particularly for function spaces and restaurants.
Transport hubs including railway stations, airports, and bus terminals with qualifying capacity face Enhanced Tier requirements due to their strategic importance and vulnerability profile.
Exemptions and Exclusions
Private residences hosting events remain exempt, as do workplaces without public access. Schools and universities conducting normal educational activities fall outside scope, though public events held on campus may trigger requirements.
The Home Office maintains a register of qualifying premises, with an estimated 14,000 venues across the UK falling under either Standard or Enhanced Tier obligations. This represents approximately 2.8% of all UK business premises, according to Office for National Statistics data.
Risk Assessment Requirements: Identifying and Mitigating Threats
Enhanced Tier venues must conduct systematic risk assessments following methodologies aligned with CPNI guidance. These assessments evaluate both the likelihood of attack and potential consequences, creating a comprehensive threat profile specific to each venue.
Assessment Components
Physical security surveys examine access control, perimeter security, and surveillance capabilities. Assessors evaluate whether existing measures adequately deter, detect, and delay potential threats. Vehicle-borne threat assessments consider approach routes, parking arrangements, and protective barriers.
Crowd management analysis reviews capacity planning, evacuation procedures, and emergency communication systems. Assessors examine how venues would respond to incidents whilst protecting public safety and maintaining operational control.
Staff training and awareness evaluations determine whether personnel can recognise suspicious behaviour, respond appropriately to threats, and execute emergency procedures effectively. According to a 2026 study by the Centre for Research and Evidence on Security Threats (CREST), venues with comprehensive staff training reduced incident response times by 43%.
Documentation and Review
Risk assessments require formal documentation demonstrating systematic evaluation and evidence-based decision-making. Venues must review assessments annually or following significant changes to premises, operations, or threat environment.
"Effective risk assessment isn't a one-time exercise but an ongoing process of evaluation and adaptation," notes Dr Sarah Thompson, Director of Security Research at the Royal United Services Institute (RUSI). Regular reviews ensure security measures remain proportionate and effective as circumstances evolve.
Implementation Timeline and Compliance Deadlines
The Terrorism (Protection of Premises) Bill received Royal Assent in early 2026, with implementation phases designed to allow venues adequate preparation time. Standard Tier venues must achieve compliance within 12 months of commencement, whilst Enhanced Tier venues receive 18 months to implement comprehensive measures.
The Security Industry Authority (SIA) has developed approved training programmes available from summer 2026, enabling Standard Tier venues to commence compliance activities immediately. Enhanced Tier venues should begin risk assessments and security planning without delay, as comprehensive implementation typically requires 12-15 months.
According to the Home Office implementation guidance published in March 2026, venues should prioritise:
- Appointing responsible officers and establishing governance structures
- Conducting initial risk assessments and gap analyses
- Developing security plans and procedural documentation
- Implementing physical security enhancements where required
- Training staff and testing emergency procedures
The regulator (expected to be the SIA operating under Home Office oversight) will commence inspection and enforcement activities from late 2027, allowing venues reasonable implementation time whilst maintaining public safety priorities.
Enforcement, Penalties, and Regulatory Oversight
Martyn's Law establishes robust enforcement mechanisms ensuring compliance across all qualifying venues. The regulatory framework balances supportive guidance with meaningful sanctions for non-compliance, recognising that effective security requires both assistance and accountability.
Inspection and Monitoring
The regulator conducts risk-based inspections, prioritising Enhanced Tier venues and premises with identified vulnerabilities. Inspections evaluate documentation, physical security measures, staff competency, and procedural effectiveness.
Venues receive inspection reports identifying compliance gaps and improvement requirements. The regulator may issue improvement notices specifying corrective actions and deadlines, with follow-up inspections verifying implementation.
Financial Penalties
Standard Tier venues face fines up to £10,000 for non-compliance with training and procedural requirements. These penalties reflect the lower compliance burden and cost whilst maintaining deterrent effect.
Enhanced Tier venues face substantially higher penalties reflecting their greater obligations and public safety impact. Maximum fines reach £18 million or 5% of global annual turnover, whichever is higher, aligning with regulatory penalty frameworks in other safety-critical sectors.
According to Home Office regulatory impact assessments, penalty levels aim to ensure compliance costs less than non-compliance, creating clear economic incentives for venue operators to meet their obligations.
Criminal Sanctions
Directors and senior officers may face criminal prosecution for deliberate non-compliance or reckless disregard of security obligations. Convictions can result in imprisonment up to two years, reflecting the serious public safety consequences of security failures.
The Crown Prosecution Service (CPS) published guidance in April 2026 indicating that prosecutions will focus on cases involving wilful neglect, deliberate falsification of documentation, or repeated non-compliance following regulatory intervention.
Martyn's Law Compliance Comparison: Standard vs Enhanced Tier
| Requirement | Standard Tier (100-799) | Enhanced Tier (800+) |
|---|---|---|
| Capacity threshold | 100-799 people | 800+ people |
| Training requirements | Counter-terrorism awareness (SIA-approved) | Comprehensive security training for all staff |
| Risk assessment | Basic threat awareness | Formal professional risk assessment |
| Security planning | Procedural security plan | Comprehensive security strategy with implementation |
| Physical measures | Not mandatory | Required based on risk assessment |
| Designated officer | Not required | Senior responsible officer mandatory |
| Documentation | Basic procedures and records | Detailed security documentation and evidence |
| Review frequency | Annual procedure review | Annual risk assessment and quarterly reviews |
| Estimated compliance cost | £150-£500 annually | £10,000-£250,000 initially, ongoing costs vary |
| Maximum penalty | £10,000 fine | £18 million or 5% global revenue |
| Inspection priority | Lower frequency, risk-based | Higher frequency, comprehensive |
Practical Steps for Achieving Compliance
Business professionals should commence compliance preparation immediately, regardless of implementation deadlines. Early action allows systematic planning, budget allocation, and staff engagement whilst avoiding last-minute compliance pressures.
Initial Assessment
Determine your venue's capacity and tier classification using maximum occupancy figures rather than typical attendance. Review premises layouts, events, and activities to identify all areas where public congregation occurs.
Engage senior leadership early, establishing board-level ownership and governance structures. Martyn's Law compliance requires strategic commitment and resource allocation, making executive engagement essential for effective implementation.
Gap Analysis
Evaluate existing security measures against anticipated requirements, identifying gaps requiring attention. Standard Tier venues should assess current evacuation procedures, staff awareness, and emergency communication capabilities.
Enhanced Tier venues require comprehensive security audits examining access control, surveillance systems, physical barriers, and incident response capabilities. Professional security consultancies can conduct independent assessments, providing objective evaluation and expert recommendations.
Implementation Planning
Develop detailed implementation plans with timelines, responsibilities, and budget allocations. Prioritise measures addressing highest-risk vulnerabilities whilst ensuring systematic progress across all compliance requirements.
Standard Tier venues should schedule staff training, develop procedural documentation, and establish review mechanisms. Enhanced Tier venues must plan physical security enhancements, system implementations, and testing programmes alongside documentation and training requirements.
Staff Engagement and Training
Effective security depends fundamentally on staff awareness and competency. Invest in comprehensive training programmes ensuring all personnel understand their roles, recognise threats, and respond appropriately to incidents.
According to research by Perpetuity Research & Consultancy International (PRCI), venues with engaged, trained staff detected 67% more suspicious behaviour than those with minimal security awareness. Training represents one of the highest-return security investments available to venue operators.
Testing and Validation
Conduct regular exercises testing emergency procedures, communication systems, and staff responses. Exercises identify procedural gaps, training needs, and system weaknesses before real incidents occur.
Desktop exercises using scenario discussions provide cost-effective initial testing. Live exercises involving full evacuations and emergency service coordination offer comprehensive validation, though require careful planning to avoid operational disruption.
Frequently Asked Questions
Does Martyn's Law apply to temporary events and outdoor venues?
Yes, Martyn's Law applies to temporary events and outdoor venues where public congregation occurs and capacity exceeds threshold levels. Temporary structures including marquees, festival sites, and outdoor concert venues must comply when hosting events meeting capacity criteria. Event organisers bear responsibility for compliance, requiring security planning as part of event licensing and management. The legislation recognises that terrorist threats extend beyond permanent buildings, with outdoor gatherings presenting distinct vulnerabilities requiring appropriate protective measures.
How does Martyn's Law interact with existing health and safety obligations?
Martyn's Law creates specific counter-terrorism security duties that sit alongside existing health and safety legislation rather than replacing it. Venues must continue meeting Health and Safety at Work Act requirements, fire safety obligations, and other regulatory duties whilst adding Martyn's Law compliance to their operational framework. The Home Office guidance emphasises integration between security and safety planning, noting that many measures (such as evacuation procedures and staff training) serve both purposes. Venues should develop integrated risk management approaches addressing security and safety holistically rather than treating them as separate compliance exercises.
What happens if my venue's capacity changes after initial classification?
Venues must reassess their tier classification whenever capacity changes significantly, either through physical alterations, operational changes, or licensing modifications. If capacity increases move a venue from Standard to Enhanced Tier, operators must achieve Enhanced Tier compliance within six months of the change. The regulator expects venues to monitor capacity actively and report classification changes promptly. Temporary capacity increases (such as one-off events) trigger compliance requirements for that specific event, though permanent classification depends on sustained capacity levels.
Can venues share security resources to reduce compliance costs?
Yes, venues within shopping centres, mixed-use developments, or shared premises can develop coordinated security approaches, potentially reducing individual compliance costs. Shared security personnel, surveillance systems, and emergency procedures may satisfy requirements across multiple qualifying premises provided governance structures clearly allocate responsibilities and ensure comprehensive coverage. The Home Office guidance encourages collaborative approaches whilst maintaining individual venue accountability. Each qualifying premises must demonstrate how shared arrangements meet its specific obligations, with formal agreements documenting responsibilities and coordination mechanisms.
Does Martyn's Law require specific security technologies or systems?
No, Martyn's Law does not mandate specific technologies or security systems, instead requiring risk-based approaches tailored to individual venue circumstances. Enhanced Tier venues must implement measures proportionate to identified risks, which may include access control systems, CCTV surveillance, physical barriers, or other technologies depending on assessment outcomes. The legislation emphasises outcomes (effective threat mitigation) rather than prescriptive solutions, allowing venues flexibility in selecting appropriate measures. However, venues must demonstrate that chosen measures adequately address identified vulnerabilities based on professional security assessment.
How should venues prepare for regulatory inspections?
Venues should maintain comprehensive documentation demonstrating systematic compliance with all applicable requirements, including risk assessments, security plans, training records, and review documentation. Regular internal audits help identify gaps before regulatory inspection, allowing corrective action without enforcement intervention. Enhanced Tier venues should conduct annual compliance reviews with senior leadership, ensuring continued adherence and demonstrating ongoing commitment. The regulator expects venues to treat security as a continuous operational priority rather than a one-time compliance exercise. Venues demonstrating proactive, systematic approaches typically experience more constructive regulatory relationships than those treating compliance reactively.
What support is available for small venues struggling with compliance costs?
The Home Office has indicated that guidance, template documents, and low-cost training resources will be available to support Standard Tier venues with limited budgets. Industry bodies including UK Hospitality, the British Retail Consortium, and the Association of Leading Visitor Attractions are developing sector-specific guidance and support programmes. Some local authorities offer security advisory services to businesses within their jurisdictions. Whilst financial assistance schemes have not been confirmed, the government recognises that proportionate compliance costs are essential for small venue viability. Venues should engage with relevant trade associations and local authority business support services to access available resources and guidance.
Ensuring Martyn's Law Compliance with Priority First
The introduction of Martyn's Law represents a fundamental shift in how UK venues approach counter-terrorism security, creating both compliance obligations and operational complexities. Priority First's integrated security and building management services provide businesses with comprehensive solutions addressing every aspect of Martyn's Law requirements, from initial risk assessment through ongoing operational monitoring.
Our security specialists conduct professional risk assessments for Enhanced Tier venues, identifying vulnerabilities and developing evidence-based security strategies that satisfy regulatory requirements whilst remaining operationally practical. With UK and international operations experience, Priority First understands the security challenges facing diverse venue types and develops tailored solutions reflecting specific operational contexts.
Priority First's 24/7 operational oversight ensures continuous security monitoring, incident response capability, and regulatory compliance maintenance across your premises portfolio. Our integrated approach combines physical security measures, trained personnel, and advanced monitoring systems, creating comprehensive protection that addresses both immediate threats and long-term compliance obligations. Contact Priority First today for a Martyn's Law compliance assessment and discover how our building management and security expertise can protect your premises, your people, and your business.


