Martyn’s Law – an important licensing update
The Home Office has published statutory guidance to enable venues and events to prepare for the Terrorism (Protection of Premises) Act 2025. Caroline Loudon and Piers Warne examine what we now know, and what needs further clarification.
The implementation of the Terrorism (Protection of Premises) Act 2025 has been a long time coming. Next year marks the 10th anniversary of the terrorist attack at Manchester Arena that prompted the legislation known as Martyn’s Law, named in tribute to Martyn Hett who was one of the victims of the attack that night in May 2017.
More than a year after the Act received royal assent, the Home Office has now published statutory guidance (known as Section 27 Guidance), which provides more detail on key points such as which premises are ‘in scope’, what ‘reasonably practicable’ means in this space and what a ‘duty holder’ must do in practical terms to comply. Registration for in-scope premises is likely to happen sometime around April 2027.
With 10 months or so until the law comes into full force, now is a good time to ask: what do we know, and what do we still need to know?
What we know:
In-scope premises
We have previously written on the ‘tiered regime’ under Martyn’s Law, however the guidance clarifies the creation of a two-tier registration scheme for qualifying premises/events. These will include hospitality, retail, leisure, education, healthcare and public service venues. The two tiers are based on use of the venues and capacity. For example:
‘Standard tier’ premises are publicly accessible, used for qualifying purposes and can reasonably be expected to have 200-799 individuals present at any one time; and
‘Enhanced tier’ premises and/or events can reasonably expect 800 or more individuals to be present at any one time, with controlled access arrangements.
Duties under the Act
The Section 27 Guidance sets out what the requirements are where a premises falls within either the standard or enhanced tier. Emphasis is on preparedness and taking public protection measures, with ‘so far as reasonably practicable’ as the central legal test.
Standard tier focuses on low-burden, practical preparedness. It includes completing basic terrorism risk assessments, establishing simple and effective invacuation and evacuation procedures, maintaining communication and ensuring staff receive appropriate training.
Enhanced tier demands more robust public protection procedures to reduce the vulnerability of the premises and the risk of physical harm during a terrorist incident, including drafting a terrorism risk assessment, implementing access controls, documenting plans, CCTV, bag checks and/or vehicle controls.
What is ‘reasonably practicable’ will depend on consideration of the likely effectiveness of any risk reduction, balanced against the burden of its implementation in terms of cost and feasibility. While the guidance doesn’t provide a list of detailed expected measures, or responses to specific types of terrorist attack (given the wideness of possibility of those attacks), examples are provided within the document itself with emphasis on operational assessment and fully documented assessment and record-keeping.
What we need clarified:
Responsible persons
A fundamental question for the hospitality sector will be: who is the ‘responsible person’? The responsible person is required to implement the measures set out in the legislation and will be held liable in the event of issues. The Act states that the responsible person is the individual, company or organisation that has ‘operational control’ of a qualifying premises or event.
However, the Section 27 Guidance states that the responsible person is a ‘matter of law’, rather than a matter of choice. An example given in the guidance suggests that this would be the holder of a premises licence. However, not all premises licence holders have operational control of premises – for example, where a premises is tenanted but a landlord holds the premises licence – and therefore this would contradict the fundamental principle of the responsible person’s role. This is likely to cause significant problems if the issue is not clarified (ideally by removing any reference to premises licences).
The regulator
The Security Industry Authority (SIA) has been confirmed as the statutory regulator, and updated guidance sets out the SIA’s role in terms of receiving notifications, reviewing enhanced tier documentation and, of course, issuing compliance and enforcement notices and/or financial penalties. Consultation on the guidance closed last month.
We are now waiting to see what the process for registration with the SIA will ultimately look like. We understand it will be through a portal and there will be a requirement to lodge certain documents when registering. Regulations are due late summer 2026 and the SIA guidance will hopefully clarify, in good time, exactly what will be needed when registering.
Enforcement
The SIA have robust enforcement powers not only to impose fines, but also to close premises and prosecute responsible persons. The messaging from the SIA has focused on ‘walking operators toward compliance’, but what this means in reality needs to be clarified. Given the vast powers available, clear and transparent enforcement protocols need to be implemented and stuck to.
Written by Caroline Loudon and Piers Warne, TLT LLP.