Martyn’s Law moves from principle to practice: clarity on compliance

The wait is over. After six years of campaigning by Figen Murray and others, and just over a year after the law was given Royal assent, statutory guidance for the Terrorism (Protection of Premises) Act 2025 has been published this week, marking a defining moment for venue operators, event organisers and public authorities across the UK.

While the legislation itself established the framework, the guidance and supporting documents now translate Martyn’s Law into something more tangible – they explain what compliance will actually look like in practice.

The 129-page Statutory Guidance document, along with the non-statutory notes (methods for assessing the reasonable expectation of individuals present at premises and events, illustrative examples of scope, and further resources and learning), contain a lot of information to absorb and understand. Here we unpick what has become clearer with the new guidance, and outline the steps that you can take to prepare for compliance now that the guidance is in place.

What stays the same

The purpose of the guidance is to bring clarity to what compliance will look like in practice. The core framework of the legislation has not changed. The Act retains the core structure that those already familiar with Martyn’s Law already understand. The legislation defines two levels of duty: Standard Tier  for premises with a capacity of 200 – 799 people and Enhanced Tier for premises and events with 800+ attendees. The requirement is for reasonably practicable procedures and measures, and the Security Industry Authority (SIA) will have responsibility for monitoring compliance.

Clarity on who is in scope: moving from assumption to evidence

One of the most important clarifications contained in the guidance is the move away from simplistic capacity-based thinking toward a defensible, evidence-led assessment of whether premises or events fall within scope.

Duty-holders are now expected to determine how many people may reasonably be expected to be present under normal circumstances, and to take an evidence-based approach to establishing this figure using real operational data. Accepted methodologies for this include:

• Fire safety occupancy figures
• Historic attendance and footfall data
• Ticketing and booking records
• Physical layouts (fixed seating, standing capacity)
• Broader operational patterns and trends

It is clear that compliance requires an evidence-based approach to justifying assumptions. It also introduces a key safeguard: isolated or unpredictable spikes in attendance do not automatically bring premises into scope – so the church fair example that has been raised by those opposed to the legislation has now been put to bed.

What reasonably practicable’ now means in practice

The guidance provides much-needed context for the concept of ‘reasonably practicable’, anchoring it in proportionality, risk awareness and operational reality.

Rather than prescribing fixed solutions, the guidance requires that duty-holders:

• Understand their specific threat and vulnerability profile
• Select measures appropriate to their environment and resources
• Balance risk reduction against feasibility and impact

This enables flexibility while also demanding accountability, with organisations and individuals required to demonstrate why decisions were made, not just what was implemented.

A clearer structure for compliance duties

The guidance simplifies how duties should be understood and applied in practice, this is broken down into duties mandated by each tier, thus:

Standard tier premises:

• Notify the regulator (the SIA)
• Implement appropriate public protection procedures

Enhanced tier premises and qualifying events:

• Meet all standard tier requirements
• Implement additional public protection measures
• Maintain documented evidence of compliance

The emphasis is firmly on outcomes, such as effective procedures, appropriate measures, and clear accountability, rather than defining rigid frameworks.

Procedures first: the foundation of compliance

Across all in-scope premises and events, the guidance reinforces that procedural readiness is central, above and beyond physical security measures. But what does this mean in practice?

Duty-holders are expected to establish and maintain practical, usable plans that cover evacuation, invacuation (moving people to a safer internal location), lockdown and communication with staff, visitors and emergency services. These procedures must be realistic, tailored to the environment, understood by staff, and suitable for implementation under pressure

The message is clear: compliance is about making sure measures are in place that define what people will actually do in the event of an incident.

The critical importance of the ‘immediate vicinity’

A major area of clarification in the Statutory Guidance is how duty-holders should interpret the term ‘immediate vicinity’. This is critical clarification when considering operational protocols and protective security measures for Zone Ex areas, crowd flows and ingress/egress procedures.

The guidance confirms that the term ‘immediate vicinity’ does not define a specific fixed distance. Instead, organisations must assess where people gather before entry, movement routes during ingress and egress, and adjacent public spaces connected to the premises or event.

This significantly expands the practical scope of planning. For many locations it means that risk does not start at the door, requiring a risk-based approach to considering operational procedures as well as physical security covering the wider crowd environment, not just the building or event footprint.

Enhanced tier measures: defining proportionate security

For enhanced tier duty-holders, the guidance provides a structured way to think about physical and operational measures, grouped into four categories:

• Monitoring (e.g. CCTV, situational awareness)
• Movement control (e.g. entry management, searching, screening)
• Physical safety and security (e.g. barriers, hostile vehicle mitigation, glazing)
• Information security (e.g. protecting sensitive operational details)

Importantly, the guidance emphasises that measures should work together as a system and must align with procedures, with any gaps identified, documented and addressed over time.

This allows organisations to adopt a layered, proportionate approach, rather than defaulting to high-cost or highly visible interventions.

Training and awareness

While not framed as a standalone legal requirement, the guidance makes clear that staff awareness and competence are fundamental to effective delivery of the aims of Martyn’s Law.

The Statutory Guidance mandates that personnel must understand the procedures in place, be capable of implementing them and be provided with appropriate briefings or training. The expectation is not formal certification for its own sake, but operational readiness.

Coordination in complex environments

The Statutory Guidance recognises that many real-world settings involve multiple responsible persons. It highlights the importance of aligning procedures across stakeholders to avoid conflicting responses in the event of an incident, with coordination for shared spaces such as entrances, exits and the public realm. This is a critical practical point because poor coordination could undermine otherwise compliant arrangements.

Next steps: how to prepare now

With Statutory Guidance now in place, organisations can now begin to prepare for compliance, guided by a clear framework of what’s expected for each tier.

With our understanding of risk assessment methodologies, track record in training, and experience of protective security in complex environments, we are able to support clients in preparing for compliance. Here are some key steps that organisations can take now:

1. Determine scope properly – use a documented ‘reasonable expectation’ methodology supported by evidence.
2. Identify the responsible person – clarify accountability, particularly in shared or complex environments.
3. Develop or refine procedures – focus on evacuation, invacuation, lockdown and communication.
4. Assess the wider environment – include queues, approaches and surrounding public areas.
5. Review existing measures (enhanced tier) – benchmark against the four categories and identify gaps.
6. Build your compliance record -start documenting decisions, assumptions and actions now.
7. Invest in awareness and training – use established national resources to build staff capability. Much of this can be done at no or low cost using @Protect UK and @National Protective Security Authority resources. Further guidance is available in the government’s Further Resources and Training document.

The real shift: from documentation to decision-making

The most significant change required by Martyn’s Law is cultural. Compliance is no longer about having a policy on file; it is about whether those responsible in your organisation understand your environment, have made informed, evidence-based decisions, and can act effectively under pressure.

Those who start early, build evidence-based approaches and focus on practical implementation will not only meet the requirements of Martyn’s Law, they will be better prepared to protect the people who use their spaces every day.