
The Terrorism (Protection of Premises) Act 2025

Martyn's Law

By Patrick Rogers | April 15, 2025

Guidance on the new Terrorism (Protection of Premises) Act 2025 and what this means for organisations.

On Thursday 3 April, the Terrorism (Protection of Premises) Act 2025, also commonly known as Martyn’s Law or Protect Duty, was given Royal Assent. This brings to an end a long campaign and consultation period, which saw considerable speculation about, and several variations of, the proposed specifications of the bill and the timelines involved. Now that these specifications and timelines are formally known, we summarise them below and explore the implications for organisations with qualifying operations in the U.K.

Headlines

  • The regulations will be applicable in some way to a large proportion of organisations operating in the U.K., particularly those that are public and consumer-facing (estimated to impact over 250,000 premises), but also any organisation that hosts large events.
  • It will not be implemented for at least 24 months (April 2027 at the earliest).
  • There are two tiers of requirements: standard duty, for premises with 200-799 people potentially present at any given time, and enhanced duty, for premises or events with 800+ people potentially present at any given time.
  • Standard duty requirements will necessitate a set of procedures (no or low CAPEX and OPEX), while enhanced duty requirements will require the same procedures with additional measures (potential for additional CAPEX and OPEX).
  • There could be financial penalties of up to £18 million or 5% of worldwide revenue for non-compliance.
  • The existing Security Industry Authority (SIA) will assume regulatory responsibility.

Who does it apply to?

The legislation will be applicable across England, Wales, Scotland, and Northern Ireland, affecting a significant proportion of public-facing operations and activities in the U.K. We have summarised the qualifying specifications below.

Premises

Any operation with premises that meet the following four criteria is subject to the Act:

  1. There is at least one building (or the premises are in a building);
  2. The premises are wholly or mainly used for one or more of the uses specified in Schedule 1 of the Act;
  3. It is reasonable to expect that at least 200 individuals may be present at least occasionally; and
  4. The premises are not excluded under Schedule 2 to the Act.

If these qualifying operations and premises are expected to accommodate 800 or more individuals, they will be classified as enhanced duty premises (see below ‘The requirements for enhanced duty premises’), unless specified otherwise by the Act.

Events

An event that satisfies the following criteria falls within the scope of the Act:

  1. It will take place at premises within section 3(1)(a) of the Act, including land without buildings, that are not enhanced duty premises;
  2. The relevant premises are accessible to members of the public for the purpose of the event;
  3. It is reasonable to expect that there will be at least 800 individuals present for the event at once at some point during it;
  4. There will be measures to check entry conditions are met, such as ticket checks; and
  5. The event is not excluded under Schedule 2 to the Act.

Schedule 1 should be reviewed in detail, but to summarise, the following premises qualify:

  • Shops (i.e. retail of goods or services);
  • Food and drink (i.e. cafés and restaurants);
  • Entertainment, leisure or recreation activity;
  • Sports grounds (see exclusions);
  • Libraries, museums and galleries (including archives and open-air events);
  • Halls (i.e. spaces for events, activities, exhibits or conferences);
  • Visitor attractions (i.e. for cultural, historic, touristic or educational value);
  • Hotels (including hostels and holiday parks);
  • Places of worship*;
  • Healthcare; covering use as a hospital or for the provision of health care of all forms – physical and mental health, and including ancillary care;
  • Bus stations, railway stations and tramway stations (see exclusions);
  • Aerodromes (see exclusions);
  • Childcare, primary and secondary care and further education*
  • Higher education
  • Public authorities

Those that are excluded are captured in Schedule 2 of the legislation, covering:

  • Legislatures and devolved administrations (i.e. U.K. Parliament and Devolved government parliamentary assets)
  • Parks and gardens (with the exception of sports grounds and when hosting qualifying events)
  • Aerodrome, railway and port premises that fall under existing security legislation, such as the Aviation Security Act 1982 or Railways Act 1993.

Excluded events:

  • Events to be held on excluded premises in Schedule 2.
  • Events held in places wholly or mainly used for worship, childcare, primary, secondary and further education.

What are the requirements?

Responsible persons

Each qualifying premises and event requires one or more responsible persons. Such a person may be an individual but, it is anticipated, will typically be an organisation. For qualifying premises, the responsible person is the person who has control of the premises in connection with their Schedule 1 use. For qualifying events, the responsible person is the person who has control of the premises for the purposes of the event.

Where the responsible person for an enhanced duty premises or a qualifying event is not an individual, they must designate a ‘senior individual’. This must be someone who has responsibility for managing the affairs of the relevant body as a whole, such as those in senior roles, like a director or partner.

The responsible person must ensure that the requirements of the Act are met. In a scenario where there are two responsible persons for a single qualifying premises or a qualifying event, they should coordinate, as far as is reasonably practicable, to comply. They both remain individually responsible for their compliance. This is pertinent as it addresses the documented security failures during the Manchester Arena bombing in 2017, from which the Act originates.

What this means in practice

  • Organisations with qualifying premises or events will need to formally allocate responsibility for compliance with the legislation to a department or individual, and nominate a senior individual, as appropriate.
  • Responsible persons will need to identify their qualifying premises and events, as well as where they may have joint responsibility for a public space, often referred to as ‘grey spaces’.
  • The responsible person will usually be the premises operator. For example, if a person leases a building for retail use as a shop and is in control of the building for that use, they will be the responsible person. For events, it is those who have control of the area where the event is being held. Moving forward, this should be included in contracts for premises leases and events to clearly define this responsibility as per the terms of the Act.

The requirements for standard duty premises

The responsible person will be required to:

  • Notify the Security Industry Authority (SIA) when they become responsible for the premises.
  • Implement reasonable public protection procedures, centred around the mandatory implementation of evacuation, invacuation, lockdown, and communication protocols in case of an attack in the immediate vicinity.

These public protection procedures are expected to reduce the risk of physical harm to individuals on your premises, so far as reasonably practicable (akin to fire and health and safety regulations).

The intention of these measures is that they are simple, low-cost activities with costs relating primarily to time spent.

What this means in practice

  • Guidance is still to be provided regarding the notification process to the SIA, which will not be required until the Act is regulated from April 2027, at the earliest. Therefore, no action can be taken on this yet.
  • Some of the previously tabled requirements regarding mandatory staff training and communications have been omitted from the final version of the Act, simplifying future compliance with the regulation to some degree. However, professionally we do advocate for some level of awareness training or communications to be routinely conducted. This is important in order for staff to accurately understand the risks and familiarise themselves with the below procedures and wider security infrastructure in place.
  • The four types of procedures that must be put in place, as appropriate and so far as is reasonably practicable, are:
    • Evacuation: The process of getting people safely out of the premises or event.
    • Invacuation: The process of bringing people safely into, or to safer parts of, the premises or event.
    • Lockdown: The process of securing the premises or event to prevent individuals from entering or leaving, e.g., to restrict or prevent entry by an attacker by locking doors, closing shutters, or using available barriers.
    • Communication: The process of alerting people on the premises or at the event to the danger, e.g., providing instructions to remain in place or move away from any danger.
  • Guidance is also expected to be provided by the SIA for the technical requirements of these procedures, e.g., format, minimum details, etc. It is advisable to stay abreast of these types of procedures (see ‘What useful resources are available?’) and, where practical, to start implementing these practices in your qualifying operations before the compliance deadline, to build familiarity.

The requirements for enhanced duty premises and qualifying events

Responsible persons for enhanced duty premises and qualifying events must apply, in addition to the requirements of the Standard Duty, appropriate public protection measures, so far as reasonably practicable, that could be expected to reduce both the vulnerability of the premises and the risk of physical harm being caused to individuals if an attack were to occur there or nearby.

The measures in place will vary between different types of qualifying premises and events.

The four types of measures in the legislation are:

  1. Measures in relation to monitoring the premises or event, and their immediate vicinity, such as awareness materials, CCTV, or other monitoring systems.
  2. Measures in relation to controlling the movement of individuals into, out of, and within the premises or event, such as controlled access, barriers, searching, and screening.
  3. Measures in relation to the physical safety and security of the premises or event, such as hostile vehicle mitigation, safety glass, or standoff areas.
  4. Measures in relation to the security of information, such as securing sensitive information, like floor plans, and restricting access to relevant individuals.

The responsible person for enhanced duty premises or a qualifying event must record the following information in a tailored document:

  • The public protection procedures and measures that are in place, and/or which will be put in place.
  • Reasoning as to how those public protection procedures and measures reduce the vulnerabilities and risk of harm, were a terrorist attack to occur. The document must be kept up to date.

It should contain the necessary detail to enable the SIA to make an initial evaluation of compliance and be provided to the SIA as soon as reasonably practicable after it is prepared for the first time and within 30 days of any revision.

What this means in practice

  • There is a notably higher administrative burden, with potential for increased security capital and operating expenditure, for enhanced premises to be compliant with the legislation.
  • Most established and well-run qualifying operations will already meet many of the requirements in the ‘measures’, reducing the potential for additional expenditure on security in the immediate and long term. However, this will depend on each premises or event, and it would be prudent to assume some level of increased security expenditure until further guidance is provided by the SIA and a formal evaluation has been undertaken.
  • Many organisations without mature and dedicated security functions will need to upskill their responsible persons to enable them to be appropriately familiar with security risk management best practices and their application in the context of the requirements of this legislation. Further supporting guidance from the SIA is expected in this regard. The existing Protect UK website hosts a significant amount of technical materials and training already, and a Competent Person Scheme is in development by the National Counter Terrorism Security Office (NaCTSO).

How will it be enforced?

The regulator

A new regulatory function has been established within the Security Industry Authority (SIA), which has recently been absorbed into the Home Office. The SIA’s remit will cover preparing guidance and advice regarding the requirements, exercising investigatory powers for compliance with the requirements and carrying out enforcement actions. It will not be fully established for at least 24 months (April 2027).

Penalties

Where there are instances of serious or persistent non-compliance, the SIA will be able to take enforcement action including compliance notices, monetary penalties and restriction notices. The legislation also includes some criminal offences.

As with much other legislation, there is a compounding scale of enforcement severity, as outlined below (least severe to most).

  • Compliance notices: Notice requiring the person to whom it is given to comply with a specified relevant requirement within a specified period.
  • Restriction notices: These can be issued in relation to enhanced duty premises and qualifying events where the SIA has reasonable grounds to believe both (i) that the responsible person has failed to ensure that appropriate public protection measures and/or procedures are in place and (ii) that the restrictions are necessary to reduce the risk of harm arising from acts of terrorism.
  • Penalty notices: The SIA will be able to issue non-compliance penalties up to a maximum of £10,000 for standard duty premises and £18 million or 5% of worldwide revenue for enhanced duty premises or qualifying events. Where a non-compliance penalty is issued for failing to comply with a compliance or restriction notice, the SIA will also be able to issue daily penalties (up to £500 per day for standard duty premises and £50,000 per day for enhanced duty premises or qualifying events) where non-compliance continues after the date the penalty is payable.
  • Criminal offences: In extremis where an information notice has been issued, or where a compliance or restriction notice is issued in relation to enhanced duty premises or a qualifying event, it will be an offence to fail to comply with the notice. However, it is anticipated that penalty notices will be the primary method of enforcement for non-compliance with these notices.

What this means in practice

  • As previously referenced, organisations have 24 months (April 2027 at the earliest) to comply with the legislation. This timeframe will help impacted organisations to familiarise themselves with the requirements, assess what qualifies across their operations, and implement relevant procedures and measures. Further supporting guidance and tools are to be provided by the Home Office within this period.
  • The SIA will need to scale up to become a competent regulator. The start of this process has been the recent absorption of the SIA into the Home Office’s ‘Homeland Security’ function. However, the specifics of how it will discharge its functions under the Act remain opaque, and further guidance will be provided.

What useful resources are available?

A factsheets website has been created for the legislation. It is a useful reference for a simplified outline of the legislation, often with clear examples of its application in different scenarios, and is a good place to start for any questions or clarifications you may have.


During the 24-month implementation period, additional guidance will be provided by the SIA, via the Protect UK website. This is expected to include tools and templates to support compliance with the requirements, as well as broader guidance on the expectations of the SIA in regard to the scope and quality of the procedures and measures required, and where information can be found to meet these expectations. The current content on the Protect UK website is already an excellent repository for security risk management materials.


WTW’s specialist security and crisis management advisory practice, Alert:24, will be providing regular updates on the legislation as it progresses through to implementation in 2027.


What can organisations do about it now?

In line with the increasing trend of adopting formal corporate security functions in large businesses, the legislation mandates organisations, regardless of size, to formalise security structures and take the management of security risks more seriously. With a 24-month implementation period, there is time for organisations to digest the legislation and prepare for its implementation. Additional guidance from the Home Office and SIA will be provided over the next two years to help affected organisations prepare for the enforcement of the regulations. However, there are several steps that can be taken now:

  1. Responsible persons: As early as possible, determine which function or individual within your organisation will take responsibility for compliance with the legislation. Once you understand whether you have premises that meet the enhanced criteria, identify the required senior individual.

  2. Understand qualification: Evaluate your operations in the U.K., including events, to determine which premises may, or clearly do, fall under the Standard or Enhanced Tiers. If uncertain about what will qualify, use the Home Office’s guidance for calculating the number of individuals expected to be present and study Schedule 1 of the legislation. Note that some operations, such as those for worship and education (excluding higher education), have exemptions, and others, generally pertaining to transport infrastructure, may be excluded from the regulation, as per Schedule 2.

  3. Awareness: Start raising awareness within your organisation about the forthcoming legislation, particularly with premises that will qualify for either tier. Outline what will be required of them (as known now) and point them to useful resources.

  4. Monitor guidance: The Home Office and SIA still need to clarify many aspects of how the SIA will execute its duties as a regulator. The SIA will also provide further guidance and tools to support compliance with the regulations. Since no timeline is provided for when this information will be made publicly available, responsible persons will need to monitor communications for relevant updates as they are provided.

  5. Quantify: Those with qualifying premises in the Enhanced Tier can begin to review their premises against the legislative requirements and current guidance (noting that further guidance will be provided) to get an indication of the additional operational and capital expenditure, including administrative burden, required to be compliant.

  6. Get ahead: The core ethos of the legislation is to raise the baseline of protective security and organisational preparedness across the U.K. to better protect the public from severe security risks. Aside from the impending regulatory requirements, in the current ambient security risk environment there is already a moral corporate responsibility, especially at qualifying premises, to protect customers and patrons as far as is reasonably practicable. Therefore, organisations of all sizes can immediately enhance their protective security and organisational preparedness, taking proactive steps to be compliant with the regulation when it is enforced in 2027. Organisations can use resources such as the Protect UK website to start this process immediately.

Reach out to your local WTW representative if you have any questions regarding the Protection of Premises / Martyn’s Law legislation or how WTW can support you.

Author


Head of Risk Advisory, Alert:24