Background to the Guidance
On 15 April 2026, the Home Office published Statutory Guidance (the Guidance) to support the understanding and implementation of the Terrorism (Protection of Premises) Act 2025 (the Act). The Act, which is commonly referred to as “Martyn’s Law” in recognition of Martyn Hett, one of the victims of the Manchester Arena attack in May 2017, aims to improve the preparedness and security of publicly accessible premises and events across the UK.
The Act’s objective is to ensure that organisations take preventative and preparatory steps to protect human life should a terrorist attack occur. It proceeds on the assumption that an attack could take place anywhere and in many forms and, accordingly, the Guidance places emphasis on reducing harm and vulnerability, rather than on predicting or preventing the occurrence of an attack itself.
At a time of global uncertainty and geo-political tensions, the Guidance is both timely and necessary. “Terror”-related incidents in the UK have recently increased substantially, particularly activity related to overseas conflicts such as those between Russia and Ukraine, and Israel and Palestine. It is therefore vital that businesses, whether persons who run and own premises captured by the Act or people in the relevant industries responsible for organising events at relevant premises, are aware of the Guidance and the requirements it encourages or, in some circumstances, imposes.
Key Takeaways from the Guidance
The Guidance establishes a baseline statutory duty for publicly accessible premises and events to comply with. The focus is on harm reduction rather than on mitigating the likelihood of an attack, and it is intended to complement, not replace, existing policies governing health and safety, licensing and safeguarding.
Qualifying Premises and Events
The Act applies only to:
- Buildings or buildings with land used mainly for specified public activities;
- Qualifying events with controlled entry and large attendance.
It excludes certain locations, such as open-access parks and some transport premises.
Events are assessed separately from premises, unless the premises are already subject to enhanced-tier obligations.
The Guidance also outlines a tiered approach under the Act, dividing premises and events into two categories based on capacity:
- Standard Tier: 200–799 persons
- Enhanced Tier: 800 or more persons
Certain premises remain within the standard tier regardless of size, including places of worship, childcare settings and most educational establishments. Tier allocation is based on the reasonable expectation of the number of people present at the same time, including staff.
Enhanced-tier premises and events must implement physical and operational measures in addition to procedures. These measures must address:
- Monitoring and vigilance
- Control of movement and access
- Physical security of the site
- Protection of sensitive information
All measures must be tailored, proportionate, regularly reviewed and supported by clear and recorded decision-making.
Responsible Person and Governance
Legal responsibility rests with the person or entity in control of the premises or event and cannot be delegated, although operational tasks may be. Enhanced-tier premises and events must designate a senior individual with overarching responsibility. In addition, landowners and others with influence over the premises may be required to cooperate, even where they are not the responsible person.
Core Duties
While the Guidance recognises the importance of premises and event-specific planning, all in-scope premises and events must establish procedures for:
- Evacuation
- Invacuation
- Lockdown
- Communication
These procedures must be documented, workable, and known to staff, with a focus on rapid decision-making, clarity and adaptability. They must also consider the immediate vicinity, such as queues and shared spaces.
The “Reasonably Practicable” Standard
The Guidance stresses that there is “no requirement for those responsible for premises or events to undertake (or to expect their staff to undertake) actions that are not reasonably practicable because those actions would compromise their own safety.”
What is “reasonably practicable” requires a proportionate balance between achieving protective objectives and the cost, time and difficulty of implementation. Responsible persons must consistently apply this standard when determining appropriate procedures and measures.
Training, Enforcement and Consequences
The Guidance confirms that there is no requirement to use paid training providers, but staff must be made aware of procedures and their roles. The Security Industry Authority (SIA) is the regulator and has inspection and enforcement powers. Significant financial penalties and potential criminal liability may apply for serious non-compliance, with personal liability for senior managers where failures arise from consent or neglect.
Key Considerations for Businesses
Understanding Exposure and Assigning Responsibility
Businesses must assess whether the Act applies by determining whether premises or events are publicly accessible and meet the 200+ capacity threshold, including situations involving temporary responsibility for events. Enhanced-tier obligations bring greater formality, documentation and governance requirements. Ultimately, responsibility rests with the person or organisation in control, not necessarily the owner, and cannot be delegated, thus requiring clear allocation and senior accountability.
Planning Practical Responses and Documenting Proportionate Decisions
Businesses should develop practical procedures for evacuation, invacuation, lockdown, and communication that reflect realistic operational scenarios. Decision-makers should be clearly identified, and procedures should be tested to ensure they function effectively under pressure. In parallel, businesses should document why specific measures were adopted, demonstrating how they reduce risk proportionately and can be implemented swiftly in the event of an incident.
Embedding Preparedness into Everyday Operations
Preparedness should be embedded into day-to-day operations, rather than treated as a standalone exercise. Businesses should integrate counter-terrorism planning into existing health and safety policies and operational processes. Regular briefings and practical reminders help ensure that, in a real incident, staff responses are instinctive, coordinated and proportionate to the level of threat, rather than improvised, uncoordinated and disproportionate.
This article was written by Liam Lane and Constance Strasser.