Martyn's Law Compliance Checklist

Getting Started With Compliance

Martyn's Law enforcement begins around April 2027. That gives venue operators roughly two years from Royal Assent to get their house in order. The following checklist breaks compliance into practical steps you can work through systematically. Do not try to do everything at once. Start at the top and work down.

Step 1: Determine Your Tier

Calculate the maximum capacity of your premises. This includes all people who could be present at any one time: customers, guests, staff, contractors, and visitors. If your capacity is between 200 and 799, you fall into the standard tier. If it is 800 or above, you are in the enhanced tier.

If you operate multiple premises, assess each one individually. A hotel chain with 15 properties needs to classify each hotel separately based on its own capacity.

Step 2: Identify the Responsible Person

Every in-scope premises must have a designated responsible person. This is the individual legally accountable for ensuring compliance. In most cases, this will be the person who has overall control of the premises. For a standalone venue, that might be the owner or general manager. For corporate-owned sites, it may be a regional director or the company itself as an entity.

Document who this person is. Make sure they understand the role and the obligations that come with it.

Step 3: Conduct a Risk Assessment

Both tiers need to understand their vulnerabilities, but the enhanced tier has a formal risk assessment requirement. Even if you are in the standard tier, conducting a basic risk assessment is good practice and will inform your procedures.

A risk assessment should cover: the types of terrorist attack your venue could face (vehicle, blade, firearm, explosive, hostile reconnaissance), your current security measures, gaps in those measures, and the steps you can reasonably take to address those gaps.

Step 4: Develop Public Protection Procedures

Standard tier venues must have public protection procedures. These are documented plans covering:

• Evacuation and invacuation procedures (getting people out or keeping them safely inside)
• Lockdown procedures
• Communication protocols during an incident
• How to alert emergency services
• Staff roles and responsibilities during an emergency

These procedures should be written down, accessible to all staff, and practiced regularly. A procedure that exists only in a filing cabinet is not a procedure.

Step 5: Create a Security Plan (Enhanced Tier)

If you are in the enhanced tier, you need a formal security plan on top of your public protection procedures. This plan should detail the specific measures you are implementing to reduce vulnerability to terrorist attack. It should reference your risk assessment and explain why the measures you have chosen are proportionate to the risks you have identified.

Step 6: Train Your Staff

Every member of staff who works at the premises needs to know the basics. They need to understand the procedures, know their role in an emergency, and be able to recognise suspicious behaviour. Training should happen at induction and be refreshed at least annually.

For enhanced tier venues, training should go deeper. Front-of-house staff, security teams, and managers should receive scenario-based training that tests their ability to respond under pressure.

Step 7: Implement Monitoring and Technology

Technology is not mandated by the Act, but it is one of the most effective ways to demonstrate that you are taking proportionate steps. AI behaviour detection on existing CCTV, access control systems, and crowd monitoring tools all contribute to a stronger security posture. For enhanced tier venues, having documented, active monitoring makes a significant difference to your compliance position.

Step 8: Register With the SIA

The Security Industry Authority will be the regulator for Martyn's Law. You will need to notify the SIA that your premises is in scope and provide details of your responsible person. The exact registration process will be confirmed by the SIA during the implementation period.

Step 9: Review and Update Regularly

Compliance is not a one-off task. Your procedures, risk assessments, and security plans should be reviewed at least annually, or whenever there is a significant change to your premises, operations, or the threat environment. Document every review, even if no changes are made.

Step 10: Prepare for Inspection

The SIA will have the power to inspect premises and take enforcement action. Keep your documentation organised, your training records up to date, and your procedures current. If an inspector arrives, you should be able to demonstrate compliance within minutes, not days.