New legislation to protect certain larger premises and events from terrorist attacks

This article contains public sector information licensed under the Open Government Licence v3.0.

Summary

The Terrorism (Protection of Premises) Act 2025, also known as “Martyn’s Law”, gained Royal Assent on 3 April 2025. This is intended to protect certain larger premises and events in the UK from terrorist attacks. It will impact on premises with a capacity of 200 or more people and there will be additional measures for premises or events with a capacity of 800 or more people. This could affect a variety of larger premises including shopping centres, hotels, schools and stadiums or arenas. The penalties for non-compliance are potentially very severe. While the legislation will not come into force for at least two years, it is expected that those responsible for relevant premises and events will use that time to understand their new obligations, in order to plan and prepare accordingly.

Why has this legislation been enacted?

Counter Terrorism Policing assesses that since March 2017 there have been 15 domestic terror attacks in the UK (not including Northern Ireland-related terrorism), and security services and law enforcement have together disrupted 43 late-stage plots. The Manchester Arena Inquiry and the London Bridge Inquest called for new legislation to protect the public. The Act forms part of the government’s counter-terrorism strategy known as CONTEST and the current terrorist threat level is Substantial meaning that an attack is likely.

The government is aware that without legal compulsion, counter-terrorism protective security and preparedness often fall behind other legally required activities such as health and safety. The Act introduces that legal compulsion for certain larger premises and events.

The Act is also known as “Martyn’s Law”, named after Martyn Hett, who was tragically killed in the Manchester Arena attack.

What is the purpose of the Act?

The Act is intended to improve protective security and organisational preparedness for particular premises and events by requiring, for the first time, that those responsible for those premises and events consider the terrorist risk and how they would respond to an attack. Also certain larger premises and events must adopt additional measures to reduce the vulnerability of the premises and events to terrorist attacks. 

There is currently no consistency of approach to the consideration of the risk posed by terrorist attacks and the Act seeks to address this inconsistency through the requirements that it imposes, clarifying who is responsible at qualifying premises and events, with the intention of raising security standards.

The Act establishes a tiered approach linked to the activity that occurs at the premises or the relevant event and to the number of people who it is reasonable to expect may be present at the same time at the premises or event. So there will be a “standard tier” (“standard duty premises”) and an “enhanced tier” (“enhanced duty premises”). 

The Act’s requirements are subject to the concept of “reasonably practicable”. This will allow those responsible to take into account the nature of their activities, operating environment and available resources, in order to ensure a proportionate and premises specific approach to compliance.

Which premises and events will be in scope of the legislation?

To fall within the scope of the Act, premises (known as “standard duty premises”) must satisfy all of the following four criteria: 

1. There is at least one building (or the premises are in a building); 
2. The premises are wholly or mainly used for one or more of the uses specified in the Act (Schedule 1), which includes restaurants, shops, entertainment and leisure activities, sports grounds, museums, hotels, places of worship, conference centres, hospitals, transportation stations, schools and colleges and other facilities or services provided to visiting members of the public. 
3. It is reasonable to expect that at least 200 individuals may be present at least occasionally; and 
4. The premises are not excluded under the Act (Schedule 2) such as certain parks and gardens

The premises will be known as “enhanced duty premises” if 800 or more individuals may be expected at the premises (unless the Act specifies otherwise), with additional duties for those responsible. 

To fall within the scope of the Act, an event must satisfy all of the following criteria: 

1. It will take place at a building, other land or a building and other land (including part of a building or a group of buildings); 
2. The relevant premises are accessible to members of the public for the purpose of the event; 
3. It is reasonable to expect that there will be at least 800 individuals present for the event at once, at some point during it;  
4. There will be measures to check entry conditions are met, such as a ticket checks; and 
5. The event is not excluded as mentioned above in relation to premises. 

Who is the responsible person?

For qualifying premises, the responsible person is the person who has control of the premises in connection with their relevant use, for example, as a sports ground or hotel. Where there is more than one use, it will be the person in control of the premises in connection with whichever use is the principal use at the premises.

For a qualifying event, the responsible person is the person who has control of the premises at which the event will be held for the purposes of the event. The circumstances will determine the identity of the responsible person. For example, if a concert is to be held in a park and the company putting on the event takes control of an area of the park for the purposes of that concert, the company putting on the event will be the responsible person. However, if a stately home puts on a concert in its grounds and maintains control of the site for the purposes of that concert, the stately home will be the responsible person. This would be the case even if the stately home contracted organisations to organise certain aspects of the event such as door security or ticketing.

Requirements for “standard duty premises”

This applies generally to those premises where it is reasonable to expect that from 200 up to and including 799 individuals (including staff) may be present at the same time at least occasionally.

The responsible person will be required to do the following: 

• Notify the Security Industry Authority (SIA) of their premises; and 
• Have in place, so far as reasonably practicable, appropriate public protection procedures. Such public protection procedures are to be followed by people working at the premises in the event of a terrorist attack and may be expected to reduce the risk of physical harm being caused to people, relating to evacuation, invacuation (moving people to a safe place), locking down the premises and communicating with people on the premises.  

There is no requirement for “standard duty premises” to put in place physical measures. The requirements are focused on simple, low-cost activities, with costs relating primarily to time spent. 

Requirements for “enhanced duty premises” and qualifying events

Enhanced duty premises and qualifying events are premises or events where it is reasonable to expect that 800 or more individuals (including staff numbers) may be present on the premises at least occasionally or attend the event at the same time. There are additional requirements for such premises or events (beyond those for standard duty premises). The responsible person will also be required to do the following: 

• Have in place, so far as reasonably practicable, appropriate public protection measures that could be expected to reduce both (i) the vulnerability of the premises or event to an act of terrorism, and (ii) the risk of physical harm being caused to individuals if an attack was to occur there or nearby. For example, enhanced duty premises will be required, so far as is reasonably practicable, to implement measures relating to the monitoring of the relevant premises and their immediate vicinity;  
• Document the public protection procedures and measures in place, or proposed to be put in place, and provide this document to the SIA. This document should include an assessment of how the public protection procedures and measures reduce vulnerability and/or the risk of harm; and 
• Where the responsible person is not an individual, they must designate a senior individual with responsibility for ensuring that the responsible person complies with these requirements.  

Enforcement of legislation

The Act establishes a regulator to oversee compliance, through a new function of the Security Industry Authority (SIA). The core principle of the regulator’s activity will be to support, advise and guide businesses to implement the Act’s requirements. It will only use its powers and sanctions to address serious and persistent cases of non-compliance. This will include the power to fine (up to £18 million or 5% of worldwide revenue, whichever is the higher) those who fail to fulfil the requirements and shut down premises and events in the enhanced tier in the most serious cases of non-compliance. There are also criminal offences.

It is intended that there will be an implementation period of at least 24 months before the Act comes into force. This will allow the SIA’s new function to be established and to ensure that there is sufficient time for those responsible for relevant premises and events to understand their new obligations, enabling them to plan and prepare accordingly.

Conclusion

Those responsible for affected premises and events should be using the next 24 months or so before the Act is intended to come into force to understand what their obligations will be under the Act and what measures they need to take.

For further information on the Act, please refer to the factsheets and legislation documentation at Terrorism (Protection of Premises) Bill 2024: factsheets - GOV.UK.