The Terrorism (Protection of Premises) Act 2025, also known as Martyn’s Law received Royal Assent on 3 April 2025. The inquiry following the Manchester Arena bombing in 2017, called for the Government to legislate to ensure stronger and more consistent measures were put in place to protect the public against potential terrorist attacks.

Statutory guidance has now been published and below we look at what affected organisations need to consider.

Scope: Who does Martyn's Law apply to?

The Act places legal responsibility on venues, events and public spaces where 200 people or more are present, to prepare for potential terrorist attacks and have measures in place to help keep people safe should an attack occur. These are referred to as 'standard tier'. There is an enhanced requirement for larger premises and events with 800 people or more, to take steps to reduce their risk of terrorism, known as 'enhanced tier' premises.

Those responsible for shops, restaurants, entertainment and leisure venues, libraries and museums, hotels, hospitals and educational institutions all come under the requirements of the Act. Those responsible for retail premises can find further guidance in our guide for retailers. 

See our separate guides for public authorities, retailers and schools and academy trusts for more detail specific to your area.

Statutory guidance requirements

There is no legal requirement to comply with the legislation until it comes into force, which is not anticipated for another 12 months. However, those who fall within the scope of the Act will want to consider the requirements and start to prepare. The Government issued Statutory Guidance in April 2026 which sets out several obligations.

1. Identify the responsible person: The 'responsible person' is the person or organisation with control of the premises - often an operator or leaseholder, not necessarily the owner. Legal responsibility cannot be delegated, though tasks can be.
2. Implement four public protection procedures: The four required procedure types are: evacuation, invacuation, lockdown, and communication. These are intended to reduce the risk of physical harm if an attack occurs on the premises or in its immediate vicinity. It is not sufficient to have procedures written down if they cannot be implemented rapidly and effectively due to lack of staff awareness or ability.
3. Notify the Security Industry Authority (SIA): Responsible persons must notify the SIA when they become responsible and when they cease to be responsible, within timeframes to be set by regulations.
4. Co-ordinate with others: Responsible persons must co-ordinate with other responsible persons so far as reasonably practicable, where there is more than one responsible person or where qualifying premises form part of other qualifying premises.

For enhanced tier premises and events there are the following additional requirements:

1. Implement public protection measures: Measures fall into four categories: monitoring, movement, physical safety and security, and security of information, and may be implemented through people, policies and processes, and/or physical mitigations. They must be assessed and kept under review.
2. Designate a senior individual: Where the responsible person is an organisation or company, a senior individual must be designated to ensure compliance; they must be sufficiently senior and can be personally prosecuted for certain offences if non-compliance occurs with their consent, connivance, or neglect.
3. Produce and submit a compliance document to the SIA: The document must record: a statement of procedures in place; a statement of measures in place or to be put in place; and assessments of how procedures and measures reduce the risk of physical harm and reduce vulnerabilities. It must be submitted to the SIA as soon as reasonably practicable after first preparation and within 30 days of any revision.

How to prepare for Martyn's Law

In order to be properly prepared for when the Act comes into force, it is worth reviewing the statutory guidance in detail and considering the following steps:

• Determine scope and tier: conduct a scoping exercise to assess whether each site or event falls within the Act and at which tier. Establish and evidence a reasonable method for calculating maximum expected attendance and keep under review.
• Clarify responsibility and contractual arrangements: identify who holds control of the premises as this determines legal responsibility. Where premises are hired out, the responsible person should specify requirements to hirers in contracts and demonstrate they took reasonable steps to ensure compliance.
• Develop and operationalise the four procedures: it is recommended that these are documented to help communicate the procedures and demonstrate compliance.
• Implement protective measure and compliance documentation (enhanced tier only): ensure that appropriate public protection measures are in place across the four categories mentioned above. Keep records of training and instruction and review, test and practise measures and procedures regularly.

We have specialist lawyers at Browne Jacobson who can assist your organisation in preparation for the Act coming into effect.