
| 3 April 2025
Martyn’s Law – formally The Terrorism (Protection of Premises) Bill – is a law that aims to better protect the public from terror attacks by requiring public venues to improve preparedness and have systems in place to help keep people safe.
It is known as Martyn’s Law in tribute of Martyn Hett who was killed alongside 21 others in the 2017 Manchester Arena attack, and Martyn’s mother has campaigned for these changes in the years since.
The law covers both venues that are mainly used for gatherings of people, and venues that are used for events (such as those for festivals, where the main use is not as a venue).
What does Enhanced Tier mean?
Enhanced Tier premises – also known as enhanced duty premises – are any locations with a capacity of 800 or more. This could be a permanent venue, or an event venue, such as an outdoor area used for a festival.
Not all venues of this size are in scope of the bill, with some, such as educational premises, excluded from the regulations. Learn more about which venues are in scope and which aren’t >
What will Enhanced Tier premises have to do?
The main change for premises is that they will need to have a named responsible person, who must notify the Security Industry Authority (SIA) of their details and details about the premises. The SIA are the regulator for compliance with Martyn’s Law.
Security procedures
The responsible person is required to ensure that appropriate security procedures are in place for the venue in order to reduce harm to the public in the event of an attack.
This involves four key areas:
- Evacuation – the process of getting people safely out of the premises.
- Invacuating – the process of bringing people safely into, or to safe parts within, the premises.
- Lockdown – the process of securing the premises to ensure that the entry of any attacker is restricted or prevented e.g. locking doors, closing shutters or using barriers.
- Communication – the process of alerting people on the premises to move them away from any danger.
Public protection measures
In addition, they must also consider public protection measures, designed to mitigate risk of harm or risk of a security threat taking place, and to provide greater public protection against acts of terrorism. The four types of measures are:
- Measures in relation to monitoring the premises or event, and their immediate vicinity.
- Measures in relation to controlling the movement of individuals into, out of and within the premises or event.
- Measures in relation to the physical safety and security of the premises or event.
- Measures in relation to the security of information which may assist in the planning, preparation or execution of acts of terrorism.
Each venue and responsible person will need to consider what they need to put in place in order to have compliant public protection measures.
These measures could be implemented through people, process or physical measures. This would include, for example, CCTV operation, security checks and equipment, safeguarding policies and procedures and any other number of measures.
Documenting compliance
Responsible persons are required to record and provide information to the SIA in relation to their procedures and measures. The documentation should cover:
- The public protection procedures they have in place (or will put in place) to remedy or mitigate risk.
- The public protection measures in place (or will put in place) to mitigate vulnerabilities or risks.
- Reasoning on how procedures and measures will reduce vulnerabilities and risk in the event of a terrorist attack.
- Venues are responsible for keeping this documentation up to date, and submitting any revised versions to the SIA within 30 days. This documentation will be used by the SIA to assess compliance.
Responsible person and designated senior individuals
The main change for premises is that they will need to have a named responsible person, who must notify the Security Industry Authority (SIA) of their details and details about the premises. The SIA are the regulator for compliance with Martyn’s Law. They must also notify the SIA when they are no longer the responsible person for a venue. The responsible person is required to ensure that appropriate security measures are in place for the venue in order to reduce harm to the public in the event of an attack.
Where the responsible person is not an individual, the venue must also appoint a designated senior individual (DSI). The DSI must be responsible for managing the affairs of the responsible person as a whole (such as a senior manager, head, or director) – their function is to ensure that the responsible person complies with the regulations and that senior management are a part of the decision making.
What will Enhanced Tier premises need to consider when setting procedures?
Martyn’s Law compliance is principles based. Each venue, and their responsible person, will need to set new procedures after considering their venue, the areas outside of the venue, routes of access, and other policies and procedures such as health and safety. Venue capacity, type of venue, and other individual factors will also inform what security measures can and should be put in place to reduce risk of harm.
In addition the law specifies that these procedures are put in place as far as is reasonably practicable. In this regard it follows other responsibilities, such as fire and safety, or data protection. This means that the responsible person will need to consider all the factors above and what resources are available to them, in order to put in place security measures.
What may be reasonably practicable for a venue of up to 2,000 capacity, with multiple entry and exit routes and members of staff, would not, for example, be reasonably practicable for a smaller venue of 800 capacity with mainly volunteer staff.
Will staff need new mandatory training?
Every premises will need to have a named responsible person for the standard duty premises. This person will need to notify the SIA, the regulator for compliance, when they become responsible. This person (or employees of an organisation who is named a responsible person) will have mandatory training needs.
Training for other staff or volunteers will need to be considered in order to ensure procedures can be carried out effectively. The procedures will need to be communicated to all those needed to deliver the response to a potential security incident.
This may require premises to update or provide new training in light of the changes in the law, or any updated security procedures, policies or measures, to ensure staff are capable of carrying out their job roles effectively.