What Martyn's Law actually is.
Martyn's Law is the working name for the Terrorism (Protection of Premises) Act 2025. The Act received Royal Assent on 3 April 2025 and is expected to enter enforcement in April 2027 after a 24-month implementation window.
It is named after Martyn Hett, one of 22 people killed in the foyer of Manchester Arena on 22 May 2017 when a bomber detonated a device as crowds were leaving an Ariana Grande concert. Martyn was 29. After the attack his mother, Figen Murray, began campaigning for legislation that would require public venues to take meaningful steps to protect the people inside them. That campaign ran for the best part of a decade. The Act is the outcome.
Before the Act, there was no consistent legal requirement in the UK for venues to plan for terrorism. Some venues did it well. Many did nothing at all. The same hotel chain might have detailed counter-terrorism procedures at one property and nothing whatsoever at another. The Act sets a clear, enforceable baseline.
The duty is not to prevent every possible attack. That is not achievable. The duty is to take reasonably practicable steps to reduce vulnerability and limit harm if something does happen. That is the legal test the Security Industry Authority (SIA) will assess against from April 2027.
Who is in scope.
The Act applies to qualifying premises and qualifying events in the United Kingdom. A premises qualifies if it has a capacity of 200 or more people at any one time, including staff.
That covers a wide range of venue types:
Capacity means the physical limit of the space. If your venue can hold 200 people, you are in scope regardless of what your average occupancy looks like. You do not get to argue that you usually only have 150 people in there.
Standard Tier vs Enhanced Tier.
The Act operates on a two-tier system designed to keep obligations proportionate to risk. The bigger the venue, the more demanding the duty.
Standard Tier (capacity 200 to 799)
- Notify the SIA
- Documented procedures (four emergencies)
- Staff trained on those procedures
- Information sharing with staff
- Annual review
No requirement to: buy new equipment or alter premises.

Enhanced Tier (capacity 800 and above)
- All Standard Tier obligations
- Designated Senior Individual
- Formal terrorism risk assessment
- Documented security plan to the SIA
- Proportionate physical measures
- Active monitoring of vicinity
Personal accountability: a director or senior manager is on the hook.
A note on "proportionate". The Act repeatedly uses the word proportionate. It does not expect a village hall to install airport-style security. What counts as proportionate depends on venue size, location, event type, and existing measures. The test is whether you have done what a reasonable operator in your position would have done.
The Responsible Person.
Every in-scope venue must appoint a named Responsible Person. That person notifies the SIA, is accountable for compliance, and is the regulator's point of contact.
Where the Responsible Person is not an individual (because the venue is owned by a company, trust, or partnership), the venue must also appoint a Designated Senior Individual. This is a director or senior manager personally accountable for the duty. It cannot be outsourced. It cannot be delegated to a contractor.
In practical terms, this means the person who signs off on compliance is the person whose name goes on the SIA notice. If the duty is not met, the financial penalty and the regulatory exposure follow that person and the operating entity.
Who typically holds the role
- Hotel General Manager or Director of Operations
- Venue Operations Director or Head of Security
- Director of Estates (for university and education venues)
- Head of Premises or Site Director (for places of worship and community venues)
- Head of Security or Chief Operating Officer (for large stadium and arena operators)
The four procedures every venue must run.
Standard Tier focuses on public protection procedures your staff can follow under pressure. The four are not negotiable.
1. Evacuate: Move people out of the venue, away from the threat. Clear routes. Mustered staff. Headcount at the assembly point.
2. Invacuate: Move people into a safer internal location when outside is the more dangerous place. The reverse of evacuation.
3. Lockdown: Secure the venue. Doors, windows, access points. Stop the threat moving with you. Buys time for the response.
4. Communicate: Tell staff, guests, and emergency services what is happening. Clear, calm, coordinated. The procedure that turns the other three into a plan.
The timeline. Why "we'll get to it" is wrong.
- 3 April 2025, Royal Assent: The Terrorism (Protection of Premises) Act 2025 became law.
- April 2025 – April 2027, Implementation window: A 24-month preparation period. Government guidance is explicit: use this time as active preparation, not as a reason to wait.
- April 2027 (expected), Enforcement begins: The SIA becomes the regulator. Compliance notices, restriction notices, and financial penalties become live.
- Annually after enforcement, Review cycle: Procedures must be reviewed and updated. Risk assessments must be refreshed. Documentation must stay current.
Most venues underestimate how long preparation takes. Writing procedures takes weeks. Training every member of staff takes months. Installing and tuning active monitoring takes one to four weeks depending on the venue. Starting in late 2026 is not starting early. It is starting late.
The eight-step compliance path.
This is the practical sequence we recommend to UK venue operators starting from scratch. Work through it in order. Each step builds on the last.
1. Confirm your tier. Use the Martyn's Law Tier Calculator at archangelprotect.ai/tools/tier-calculator. Enter your venue capacity. If you are 200 to 799 you are Standard Tier. If you are 800 or above you are Enhanced Tier.
2. Appoint your Responsible Person. Name a Responsible Person accountable for compliance. For Enhanced Tier, also appoint a Designated Senior Individual at director or senior manager level who is personally on the hook.
3. Document your four procedures. Write down your Evacuate, Invacuate, Lockdown, and Communicate procedures. Train staff on each. Document who has been trained and when.
4. Run a terrorism risk assessment (Enhanced Tier). Identify the threats relevant to your venue, the vulnerabilities those threats expose, and the proportionate measures you will put in place. Document the assessment and review it annually.
5. Add active monitoring. Active monitoring of your premises and immediate vicinity is a key Enhanced Tier obligation. AI behaviour detection on existing cameras delivers this without new hardware.
6. Notify the SIA. Register your venue with the SIA as the Responsible Person before enforcement begins in April 2027.
7. Build the evidence trail. Maintain a timestamped log of safety events, alerts, and operator responses. This is the evidence an inspector will ask for.
8. Review annually. Set an annual review cycle. Update procedures, retrain staff, refresh the risk assessment, and verify your active monitoring is still operating as designed.
What happens if you do not comply.
Enhanced Tier penalties
Up to 18 million pounds, or 5% of worldwide revenue, whichever is the greater. The SIA also has power to issue restriction notices preventing operation until compliance is achieved.
Standard Tier penalties
Lower financial limits, but the SIA still has the power to issue compliance notices and restriction notices. Non-compliance also creates exposure under existing duty of care, licensing reviews, and insurance renewals.
Where AI behaviour detection fits.
The Act does not specify any particular technology. It requires proportionate measures. For Enhanced Tier venues in particular, active monitoring of the premises and its immediate vicinity is in scope.
Reactive CCTV (cameras that record but are only reviewed after an incident) is not active monitoring. Live human-watched CCTV is active but scales poorly. Most venues cannot afford to have someone watching every screen every minute. AI behaviour detection is the practical bridge. It watches every frame on every camera continuously and only escalates to a human when something needs human attention.
- Continuous monitoring: Every camera. Every shift. No fatigue, no blind spots, no gaps.
- Documented incident logs: Every detection timestamped and categorised. The audit trail the SIA will ask for.
- Threat detection: Aggression, unattended items, perimeter and access anomalies flagged in real time.
- No new hardware: Sits on existing IP cameras. Live in under 48 hours. No rip-and-replace.