How to comply with Martyn's Law: a practical 8-step guide for UK venue operators
Step-by-step guide to Martyn's Law compliance. Tier classification, Responsible Person, the four procedures, training, evidence, and SIA notification. Updated June 2026.
The 8-step path to Martyn's Law compliance
Most venue operators reading the Act for the first time come away with the same reaction. The law is clear in principle and vague in practice. What does compliance actually look like? What do you actually do tomorrow morning?
This is the path we walk venues through. Eight steps, in order. Each one builds on the last. You do not need to do them all at once. You do need to start.
Step 1: Confirm your tier
Capacity is everything. Standard Tier applies from 200 to 799. Enhanced Tier applies from 800 and above. Capacity is the maximum your venue can hold at any one time, including staff. Not your average occupancy. The physical limit.
For venues that operate multiple spaces (a hotel with a ballroom plus restaurant plus conference rooms), the capacity is the combined maximum across the qualifying space. If you run separate licensed venues at the same site, get advice on whether they are treated as one premises or several.
Once you know your tier, the obligations narrow. Use our tier calculator if you want a 60-second answer.
Step 2: Appoint your Responsible Person
This is the single biggest deferral mistake we see. Operators read about the duty, agree it is important, and then nobody owns it. Six months pass. No procedures get written.
The Responsible Person is the named individual the SIA holds accountable. For Standard Tier, this is typically the General Manager or Operations Director. For Enhanced Tier, you also need a Designated Senior Individual, who has to be a director or senior manager personally on the hook.
Name the person this week. Put it in writing. Tell them what the role involves before you put their name to it.
Step 3: Document your four procedures
Standard Tier compliance is built on four public protection procedures: Evacuate, Invacuate, Lockdown, Communicate.
Evacuate is the obvious one. Move people out. Routes, mustering points, headcount, communication with emergency services. You probably already have a fire evacuation plan. Use it as the spine and add the terrorism-specific elements.
Invacuate is the one most operators forget. Sometimes the safer move is to move people into the venue, not out of it. If the threat is outside (vehicle attack, marauding attacker on the street), you want people inside, away from windows, in pre-identified secure spaces.
Lockdown is about securing the venue. Doors, windows, access points. The Hatton Garden raid in 2015 was a case study in how slow lockdown response gives attackers free run of a building.
Communicate ties the other three together. Staff to staff. Staff to guests. Staff to emergency services. Define who calls whom and when. Build it into the procedure document.
Step 4: Train every member of staff
This is where most procedures fail in practice. Written procedure plus untrained staff equals chaos when something happens. The SIA will ask whether you have trained people. If the answer is no, the documented procedure is a piece of paper, not a control measure.
The free ACT Awareness e-learning module from Counter Terrorism Policing takes 45 minutes and gives every member of staff a baseline. Put it in your onboarding. Refresh annually. Document the completion dates.
For Enhanced Tier venues, you will want more than ACT Awareness for your senior security team. Look at the Counter Terrorism Awareness Network (CTAN) sessions and consider the SCaN (See, Check, and Notify) training programme.
Step 5: Run a terrorism risk assessment (Enhanced Tier)
Enhanced Tier requires a documented terrorism risk assessment. This is not a generic risk register. It is a specific assessment of the terrorism threats relevant to your venue, the vulnerabilities those threats expose, and the proportionate measures you have in place.
The structure most consultants will walk you through:
- Identify the threats relevant to your venue type, location, and event profile
- Identify the vulnerabilities those threats could exploit
- Identify the likely impact if a threat materialises
- Identify the measures already in place
- Identify the gap between current measures and reasonably practicable measures
- Document the plan to close that gap
The risk assessment is a living document. Review it annually. Update it whenever your venue, your event programme, or the threat picture changes.
Step 6: Add active monitoring
For Enhanced Tier, the Act expects monitoring of the venue and its immediate vicinity. Reactive CCTV does not count. The SIA will look for active monitoring that can detect and escalate threats in real time.
You have three options. Hire more security staff to watch screens. Outsource to a 24-hour monitored receiving centre. Add AI behaviour detection on top of your existing cameras. The first two scale poorly and cost more over time. The third is what most venues are choosing in 2026.
AI behaviour detection is the active measure that maps cleanly to what the Act asks for. It watches every frame on every camera continuously. It only escalates to a human when something needs human attention. The audit trail produces the evidence the SIA will ask for.
Step 7: Notify the SIA
The SIA is the regulator. In-scope venues need to register and notify. Notification establishes the Responsible Person and Designated Senior Individual on record, and puts the venue in the regulator's sights.
The exact notification process is being finalised in the lead-up to enforcement. Watch the SIA website for confirmed timelines. Do not be the venue that registers in the final month before April 2027.
Step 8: Build the evidence trail
Procedures without evidence are unprovable. The SIA will ask for documentation. Maintain a timestamped log of:
- All staff training (who, what, when)
- Procedure reviews and updates
- Risk assessment refreshes
- Drills and tabletop exercises
- Incidents, alerts, and operator responses
- Reports of suspicious activity
The log can be a spreadsheet. It can be a purpose-built compliance platform. It cannot be nothing. When an inspector asks "show me your evidence trail", the only acceptable answer is to hand them one.
The order matters
You can do steps 3 to 8 in parallel once steps 1 and 2 are done. But if you skip step 2 (the Responsible Person), nothing else has an owner. The procedure gets written, the training gets booked, the assessment gets done, but it all sits on different desks and never lands as a coherent programme.
Pick the person this week.
Where Archangel fits
The honest answer is steps 6 and 8. Active monitoring and the evidence trail. We sit on your existing cameras as an AI behaviour detection overlay. Every detection is logged, categorised, and timestamped. When the SIA asks for evidence of active measures, the log is the answer.
We do not write your procedures or run your training. You will need other partners for those, or you can do them in-house. We do the monitoring layer and the evidence layer. The two pieces most venues realise they need too late.
If you want to see what it looks like running on your specific venue, book a discovery call. Two months free. No hardware. No commitment beyond the conversation.