On 3 April, the Terrorism (Protection of Premises) Act 2025 received Royal Assent. The Act, also known as “Martyn’s Law” in tribute to Martyn Hett, one of the 22 people killed in the 2017 Manchester Arena attack, is intended to improve protective security and organisational preparedness for terrorist attacks at public venues across the UK.

The Act comes at a time when the Government considers the threat level from terrorism in the UK to be “substantial” as well as “less predictable and harder to detect and investigate.”

Pursuant to the Act, those responsible for certain premises and events will now be legally obliged to consider the risk and take reasonably practicable measures to mitigate the impact of a terrorist attack.

Background

The Act’s provisions were developed following engagement with the Martyn’s Law campaign team, expert security partners, businesses, and local authorities, as well as via learnings from the Manchester Arena Inquiry (a statutory public inquiry to investigate the deaths of the victims of the 2017 Manchester Arena attack) and the London Bridge Inquest (an inquest into the 2017 terror attack at London Bridge and Borough Market), which both recommended introducing legislation to protect the public and clarify venue owners’ duties regarding protective security.

The Act also forms part of the Government’s broader counter-terrorism strategy (CONTEST) 2023. At a time when the nature and threat of a terrorist attack is complex and unpredictable, the Government is aiming to enhance the UK’s readiness and protection by ensuring a wide a range of premises and events are legally obliged to be better equipped and ready to respond to a terrorist attack.

Key Provisions

Those responsible for certain premises or events will now be required to implement reasonably practicable public protection procedures and/or measures, depending on the capacity of the premises or event.

Tiered Approach

The Act establishes a tiered approach, linked to the number of individuals reasonably expected to be present on the premises at the same time. Smaller premises (200-799 individuals) fall within the standard tier and will be required to put in place simple procedures to reduce the risk of physical harm to individuals who may be present. Larger premises and events (800 individuals plus) fall within the enhanced tier, with additional procedural requirements in recognition of the potentially higher impact of a successful terrorist attack.

Types of Premises & Events

Premises include a building, part of a building, a group of buildings, or a building and other land - for example, a hotel plus its grounds where the same are used for dining or events.

Premises must be wholly or mainly used for one or more specified use(s), including shops, bars, pubs, restaurants, hotels, healthcare, education and childcare facilities, entertainment venues such as nightclubs, theatres and cinemas, halls, leisure, sports grounds, libraries, museums, galleries, transport stations, visitor attractions, and places of worship.

Events reasonably expected to have 800-plus individuals in attendance at the same time are also captured and subject to enhanced tier requirements so long as the event is publicly accessible and meets the “express permission” criteria (employees or individuals checking conditions of entry to the event are satisfied by attendees).

Standard v Enhanced Tier Requirements

Persons responsible for standard tier premises (or “standard duty premises”) will be required to implement appropriate and reasonably practicable public protection procedures for staff to follow in the event of a terrorist attack at the premises or in the immediate vicinity, including procedures to (i) provide information to individuals on the premises and (ii) evacuate, invacuate, or lockdown the premises. For these smaller venues there is no expectation to incur costly or implement physical measures.

Enhanced tier premises (or “enhanced duty premises”) will also be required to comply with the requirements above, but appropriate and reasonably practicable public protection procedures must also be documented and provided to the regulator (see below), including procedures that may be expected to reduce the vulnerability of the premises or event to an act of terrorism. This might include the monitoring of premises and their immediate vicinity, controlling the movement of individuals into, out of, and within the premises or event, and physical safety and security. It also includes measures relating to the security of information which may reveal vulnerabilities and assist in the planning, preparation, or execution of acts of terrorism, particularly what is appropriate to share, where, and with whom.

The requirement for procedures to be “reasonably practicable” allows those responsible persons to factor in the nature of the qualifying premises or event, encouraging a tailored approach whilst complying with the Act’s requirements.

Who Is the ‘Responsible Person’?

The responsible person must ensure the legislative requirements are met.

For a qualifying premises, the responsible person is the person who has control of the premises in connection with its use. Where premises are let, this would typically be the tenant. However, if qualifying premises form part of other qualifying premises, for example a department store within a shopping centre, then both the tenant and the property owner would each be responsible persons. In this case, the property owner and tenant would be required, so far as is reasonably practicable, to coordinate to enhance individual and cumulative compliance.

For a qualifying event, the responsible person is the person who has control of the premises at which the event is taking place in connection with its use for that event. For example, if a hotel hosted a public event in its grounds and maintained control of the premises for the purposes of that event, the hotel is the responsible person irrespective of the involvement of any contracting organisations. Responsibility cannot be delegated to contracted services.

For enhanced tier premises or an event, the responsible person is required to appoint a designated senior individual (DSI), i.e., someone with high-level management responsibility such as a director or partner, with responsibility for meeting the relevant requirements.

The responsible person will also be required to notify the regulator when they become and cease to be responsible for the premises (regulations will set out further details of timings and exactly what information must be provided).

Where the responsible person is the tenant, the requirement to comply with the Act is caught by the tenant obligation in most market standard leases where a tenant is typically required to comply with all laws relating to the premises and the occupation and use of the same by the tenant. Where the responsible person is the landlord, for example with a shopping centre, then a landlord may be obliged to meet its obligations via the provision of services.

Co-Operation

There is a requirement for persons with control over enhanced tier premises or events but not being the responsible person (for example, the freeholder where premises are let) to co-operate so far as reasonably practicable with the responsible person to facilitate the responsible person’s compliance with the Act.

The Government gives examples in its additional guidance where a freeholder as landlord would be obliged to consider the above to a reasonably practicable level. One example is when receiving requests from the responsible person to carry out alterations pursuant to the terms of its lease to meet their legal obligations. Where tenant alterations require landlord’s consent not to be unreasonably withheld or delayed, this would simply be part of the landlord’s decision-making process. Another example is where the responsible person has identified certain mitigations required to meet their legal obligations but the lease may state that landlord’s permission is required and the landlord should contribute a certain percentage of costs to ensure premises remain fit for purpose. The freeholder as landlord would be obliged to consider such requests from the tenant to a reasonably practicable level.

Enforcement & Sanctions

To support the Act’s enforcement, the regulator function will be delivered as a new function of the Security Industry Authority (SIA).

The SIA will have inspection and information-gathering powers and will be able to issue a range of civil sanctions, including compliance notices and restriction notices for non-compliance resulting in the temporary closure of enhanced tier premises or prohibiting an event from taking place.

The SIA can issue monetary penalties up to a maximum of £10,000 for standard tier premises and £18 million or 5% of worldwide revenue for enhanced tier premises or events. Daily penalties (up to £500 per day for standard tier premises and £50,000 per day for enhanced tier premises or events) may also be imposed where non-compliance continues.

It will be a criminal offence to fail to comply with an information, compliance, or restriction notice, provide false or misleading information, or obstruct the SIA. Further, the offender might be liable to imprisonment and/or a fine.

For enhanced tier premises, senior officers (including the DSI) may be liable to prosecution if the responsible person commits an offence, and it is proven that the offence was committed with their consent or connivance.

Next Steps

The Act received Royal Assent on 3 April; however, its provisions have not yet come into effect and will only require compliance once activated through regulations. Implementation is expected to take approximately two years, allowing time for the SIA to establish itself, for the Home Office and the SIA to develop guidance, and for those responsible for qualifying premises and events to familiarise themselves with their new obligations.
 
Conclusion

The Act delivers on the Government’s manifesto commitment to “bring in Martyn’s Law to strengthen the security of public events and venues,” ensuring they are better prepared and ready to respond to terrorist attacks.

Whilst many owners and occupiers of premises may have already proactively considered the risk that acts of terrorism pose and have plans and procedures in place, this Act mandates for the first time who exactly is responsible for considering the risk and taking appropriately proportionate protection measures, applying a consistent level of security standards across qualifying events and premises. Both owners and occupiers should monitor the Government’s progress on guidance and regulations related to the Act, using the implementation timeframe as an opportunity to plan and prepare for compliance with the upcoming legislative changes.