The Terrorism (Protection of Premises) Act 2025

The Terrorism (Protection of Premises) Act 2025 (the Act), also known as Martyn’s Law was introduced in response to the Manchester Arena Attack in 2017 which claimed 22 victims. It aims to strengthen security at public spaces and events. The Act received Royal Assent on 3 April 2025 and is expected to come into force in 2027. Draft Guidance was published on 15 April 2026 and is open for consultation until 12 June 2026.

The Act essentially applies to premises that are open to the public, irrespective of whether paid entry is required or not, subject to certain exceptions. For leisure and other public building operators, the key practical issue will be to establish (i) whether premises are in scope, (ii) whether the premises fall into the standard or enhanced tier based on the “reasonable expectation” of numbers present at the same time (including staff), and (iii) what procedures and measures are “reasonably practicable” in light of the operator’s specific risk profile and operating model.

Which premises are affected?

Qualifying Premises

A Qualifying Premises is a small premises with a capacity of 200-799 individuals. These will fall into what is termed the “standard tier”.

The requirements of standard tier premises focus on simple, low-cost measures to ensure staff are better prepared to respond effectively in the event of a terrorist attack, but they are still likely to have practical implications for leisure and public building operators (for example, management time spent assessing capacity, updating incident plans, delivering staff briefings/training and running periodic exercises). Operators should also anticipate some ongoing administration (for example, keeping procedures under review as layouts, uses and peak trading periods change).

Enhanced Duty Premises

An enhanced duty premises is a larger premises where it is anticipated that over 800 individuals could be present. These enhanced tier premises will have additional compliance requirements to the standard tier, and are more likely to involve capital and operational expenditure (for example, upgrades to CCTV or other monitoring, improved access control and searching arrangements, physical security enhancements and additional security staffing during peak periods or events).

Qualifying Event

A Qualifying event does not need a to be held at a physical building, it is any land where:

• members of the public have access for the purpose of attending an event;
• 800 or more individuals are expected to be present;
• for the purpose of attending the event, individuals:
  • have paid to attend,
  • have tickets or passes allowing access, or
  • are members or guests of a club or association.

Who is responsible?

For Qualifying Premises:

• the person who has control of the premises in connection with the relevant use e.g. the use of a venue as a sports ground or hotel.

For Qualifying Events:

• the circumstances of the event will need to be considered. For example:
  • if a company is putting on a concert held in a park and the company takes control of the area, then the company will be the responsible person
  • if a stately home puts on a concert in its grounds and keeps control of the site for the purpose of that concert, the stately home would be the responsible person

The need for an appointed representative

For an enhanced duty premises, if the responsible person is not an individual (e.g. a company, trust, governing body etc.) then they must appoint a senior individual. This senior individual must be responsible for managing the affairs of the relevant body as a whole, such as a director or partner and cannot be a lower-level employee.

The role of this senior individual is to ensure the organisation complies with the relevant requirements of the Act, however the individual is not fully responsible for carrying out actions to fulfil the necessary requirements so is not liable for an organisation’s failure to meet all requirements.

However, in relation to offences under the Act senior officials (including the appointed representative) may be liable if it is proven that the offence was committed with their consent, as a result of their negligence, or complicity in the offence.

Basic Obligations

Standard Tier

The core requirements of Qualifying Premises are:

• the responsible person will have to notify the Security Industry Authority (SIA) of
  • the premises; and
  • their role as the responsible person; and
• implement, as reasonably practicable, appropriate public procedures that could be reasonably expected to reduce the risk of physical harm.

These procedures should include provisions for:

• evacuating individuals from the premises or event;
• moving individuals to a safer place within the premises where there is less risk of physical harm;
• controlling entry and exit of premises or event; and
• communicating effectively with those on site.

Enhanced Tier and Qualifying Events

There are additional requirements for enhanced duty premises and qualifying events including:

• implementing, as soon as reasonably practicable, public protection measures that could reduce the vulnerability of the premises and the risk of physical harm to individuals;
• documenting the implemented and/or proposed public protection procedures to the SIA. This must include an assessment of how the procedures reduce vulnerability and/or the risk of harm; and
• as stated above, where the responsible person is not an individual, the responsible person must designate a senior individual.

These additional procedures should include provisions for:

• monitoring systems such as CCTV;
• physical security measures; and
• movement control such as bag searches and ticket checks.

Practical implications for operators (including budgeting, contracts and service charge)

Although the Home Office has emphasised that standard tier requirements are designed to be low-cost and that organisations do not need to spend money on consultants to be compliant, most operators should expect some compliance cost. In practice, these are likely to fall into three broad categories:

• People and process: time spent identifying the “responsible person”, estimating capacity, putting written procedures in place (evacuation, invacuation, lockdown, communication), staff training and refreshers, as well as periodic testing and exercises.
• Security operations: additional guarding, stewarding, searching, queue management and incident response arrangements, particularly for enhanced tier premises and qualifying events, and at peak times.
• Capital and technology: upgrades to CCTV and other monitoring, lighting, barriers and shutters, access control, communications systems, and, where relevant, reconfiguration of entrances and exits.

For owners and operators of multi-let leisure and retail assets (including mixed-use schemes), a key practical question will be whether (and to what extent) compliance costs can be recovered through service charge. This will be highly lease-specific. By way of example, recovery may be easier where the service charge provisions allow recovery of costs incurred in complying with statutory requirements, or in providing security services for the estate. Conversely, recovery may be more difficult where leases contain narrow lists of recoverable services, exclude “improvements” (as opposed to repair or maintenance) or impose caps or exclusions on security costs.

Early engagement will be essential: building a compliance plan and budget, mapping likely one-off versus ongoing costs, and, if service charge recovery is intended, ensuring the approach is aligned with existing service charge accounting practices and communicated transparently to occupiers. Operators should also consider whether contracts with managing agents and security providers need to be updated.  For example, to reflect new procedures, reporting, training requirements and audit rights.

What about shopping centres?

Shopping centres will potentially be “premises open to the public” and, depending on the reasonable expectation of how many individuals may be present at the same time (including staff), they may fall within the standard tier (200–799) or enhanced tier (800+). Many larger centres may therefore be in scope. The practical challenge is that responsibility and control may be shared across landlords, centre managers and individual occupiers. The statutory guidance anticipates the need to coordinate where there are multiple responsible persons, such as where a landlord or centre manager responsible for common parts and an anchor tenant responsible for its own unit. For shopping centres, this makes it important to define roles clearly, align procedures (particularly evacuation and lockdown communications) and ensure estate-wide security measures and tenant procedures work together.

Whether a particular centre or parts of it are in scope will depend on the statutory tests. As commencement approaches, landlords and operators may want to stress-test their position as part of wider building safety and risk management governance.

Who is excluded?

• Smaller premises or events with a capacity of 199 or less.
• Private offices with no public access.
• Government premises.
• Public open-air spaces such as parks, gardens, open-access sports grounds.
• Premises or events in relation to which individuals have not paid or obtained tickets to enter.
• Certain events held at premises that otherwise fall within the scope of the Act.

Penalties

If you fail to comply, the SIA can issue a range of civil sanctions including compliance notes, monetary penalties and restriction notices. Criminal offences may include giving false or misleading information to the SIA, which can result in a criminal conviction.

What steps should you be taking now?

As the Act is not yet in force, organisations should begin preparing by strengthening their approach to security and risk management if you fall within the standard or enhanced tiers.

Key considerations include:

• What is the nature of the premises or event?
• How are the premises used, or what is the purpose of the event?
• Are there areas of the premises, or event, that are excluded from the assessment?
• How many staff will be present, as well as the public?
• What is the most appropriate method to establish a figure which accurately reflects the numbers of individuals who will be present?
• What measures do you need to put in place?

Early preparation will help ensure compliance and improve readiness when the Act comes into force.