What Does Martyn’s Law Require?

What does Martyn’s Law require? Understand the duties, scope and practical steps venues and organisations need to take for compliance.

If you run a venue, manage public-facing operations or carry responsibility for security, asking what does Martyn’s Law require is not a legal curiosity. It is an operational question. The answer affects how you assess risk, train people, plan responses and show that counter terrorism preparedness is more than a document on a server.

Martyn’s Law is designed to improve protective security and organisational readiness across publicly accessible locations. Its purpose is straightforward – reduce the risk of harm from terrorist attacks by making sure those responsible for certain premises and events take proportionate steps to prepare. That word, proportionate, matters. The law is not intended to turn every site into a fortress. It is intended to stop obvious vulnerabilities, weak planning and poor preparedness from being left unchecked.

What does Martyn’s Law require in practice?

At its core, Martyn’s Law requires those responsible for qualifying premises and events to consider the terrorist threat and take practical steps that match their exposure. For some organisations, that will mean basic procedures, awareness and simple protective measures. For others, particularly larger venues or complex operations, it will mean a more formal assessment, documented planning and stronger arrangements to reduce vulnerability and improve response.

The likely structure is tiered. In practical terms, that means smaller premises in scope are expected to meet a standard set of preparedness duties, while larger premises and major events face broader requirements. The exact legal thresholds and definitions matter, but the operational principle is consistent – the greater the public exposure and potential consequence, the stronger the duty to prepare.

This is where some organisations get it wrong. They look for a single checklist and assume compliance ends there. It does not. Martyn’s Law is about capability. If your team cannot recognise suspicious behaviour, cannot act decisively under pressure or cannot communicate during an incident, paperwork alone will not protect people.

Which organisations are likely to be affected?

Martyn’s Law is aimed at publicly accessible locations and events where members of the public may be present. That creates obvious relevance for retail, hospitality, entertainment, leisure and event environments, but the impact does not stop there. Transport-related spaces, large visitor attractions, community venues and mixed-use sites may also fall within scope depending on how they operate and how the public accesses them.

For security managers and operations leaders, the important point is this: do not assess your exposure by sector label alone. Assess it by function, footfall, accessibility, crowd behaviour, symbolic value and the practical realities of the site. A seemingly ordinary venue can still present an attractive target if access is open, detection is weak and disruption would generate high impact.

The standard tier – basic but not optional

For smaller premises that meet the legal threshold, the requirement is expected to centre on straightforward preparedness measures. That usually means having clear procedures for what staff should do if an attack happens or if suspicious activity is identified. It also means ensuring those procedures are known, not buried.

In operational terms, organisations in this category should expect to brief staff on core actions such as lockdown, evacuation, invacuation, communication and immediate reporting. The duty is unlikely to demand expensive infrastructure at this level, but it does require management attention. If the plan exists only in a policy folder and frontline staff have never practised it, that is a weakness, not compliance.

There is a trade-off here. Simplicity helps execution under stress, but over-simplified plans can ignore how people actually move through a site, how contractors behave, or how a busy Saturday trading period differs from a quiet weekday morning. Even a basic tier duty needs to be grounded in real operations.

The enhanced tier – more formal responsibility

Larger premises and larger events should expect a more demanding obligation. This is likely to include a terrorism risk assessment, consideration of proportionate security measures and a documented plan for reducing vulnerability and responding to incidents. There may also be requirements around cooperation, information retention and demonstrating that the responsible person has taken the duty seriously.

This is where capability gaps become visible. Many organisations have health and safety systems, crisis management plans and business continuity arrangements, but counter terrorism readiness often sits awkwardly between them. It is treated as a specialist add-on rather than a core operational discipline. Martyn’s Law changes that expectation.

A credible enhanced-tier response usually requires several things to work together. Physical security measures need to align with site use. Staff awareness needs to be reinforced through training. Incident management structures need to support fast decision-making. External relationships with police, local authorities, event partners or landlords may need to be clearer than they are now.

What does Martyn’s Law require from the responsible person?

One of the most important features of the law is accountability. There will be a responsible person or organisation with legal duties attached to the premises or event. That means someone cannot simply assume security is being handled elsewhere. If responsibilities are split between landlord, operator, tenant, event organiser and outsourced providers, those boundaries need to be understood and managed.

This can be one of the hardest parts in practice. Complex sites rarely have neat ownership lines. A shopping destination, for example, may include shared public spaces, anchor tenants, delivery areas and third-party operators. An event may involve promoters, venue management, stewarding, production contractors and temporary infrastructure providers. Martyn’s Law is likely to expose weak coordination quickly.

The responsible person will need confidence that plans are realistic, staff are briefed, vulnerabilities have been considered and security measures are proportionate to the threat and operating model. That does not mean eliminating every risk. It means making defensible, informed decisions and being able to show why those decisions were made.

Training, awareness and behavioural readiness

A common mistake is to treat compliance as a site survey and a document. Terrorist attacks unfold fast. Frontline performance matters. Staff need enough awareness to identify suspicious behaviour, understand hostile reconnaissance indicators, report concerns correctly and act with purpose if an incident develops.

This is where training becomes more than a compliance tick. Good training improves decision-making under pressure. It gives supervisors and frontline teams common language, defined actions and confidence. It also helps organisations test whether their procedures are usable in real conditions rather than ideal ones.

Not every employee needs the same depth of input. A senior risk lead, a venue duty manager and a part-time customer-facing worker have different roles. The right model is role-based and proportionate. Broad awareness for all, deeper operational competence for those making decisions, and scenario-driven testing for the people expected to lead.

Proportionate security measures – what that really means

The phrase proportionate measures sounds sensible, but it can be interpreted too loosely. It does not mean minimal effort. It means measures that are suitable for the threat, the site, the public profile, the likely attack methods and the consequences of failure.

For one organisation, proportionate may mean refining search policies, tightening access control to back-of-house spaces and improving suspicious activity reporting. For another, it may mean hostile vehicle mitigation, revised queue management, stronger CCTV coverage, clearer command arrangements and regular exercising. Cost matters, but cost alone is not a defence for avoidable weakness.

Modern threats also expose old security thinking. Static controls without trained people behind them are fragile. Equally, highly trained people without clear procedures or suitable physical measures are being asked to compensate for preventable design flaws. The best outcomes come when planning, people and protective measures support each other.

How to prepare before enforcement pressure arrives

Organisations waiting for absolute legal certainty before acting are wasting useful time. The practical groundwork is already clear. Start by confirming whether your premises or events are likely to fall within scope. Then review existing plans through a counter terrorism lens rather than assuming your broader emergency planning is enough.

From there, test five areas honestly: governance, risk assessment, protective measures, staff competence and incident response. If one of those areas is weak, it will usually affect the others. A poor risk assessment leads to badly chosen measures. Weak training leads to poor incident execution. Unclear governance leads to delays and assumptions.

This is also the stage where external challenge adds value. Internal teams often know their site well, but familiarity can hide vulnerabilities. An experienced protective security review can identify unrealistic assumptions, weak coordination and training gaps before they become regulatory or operational failures. That is where a specialist partner such as Mildot Group can help turn legal intent into practical capability.

Martyn’s Law should be treated as a prompt to build competence, not just compliance. Organisations that do this well will not only be better placed for the law. They will be better prepared to protect people, sustain operations and make sound decisions when pressure is highest.

The useful question is no longer whether the duty is coming. It is whether your people, plans and site arrangements would stand up if tested tomorrow.

Final points:

  1. The UK private sector are 25 years behind the curve on designing and delivering protective security for 21st century threats.  Those threats used to be what we heard on the news or read in newspapers about what was happening on the international stage. Events in 2001 onwards change the landscape and its been evolving ever since. 
  2. Official UK Government guidance on the new law and compliance systems was released in April 2026.  The law does not come into effect until 2027.  However, aspects of the law and compliance systems may change by the time the law comes into effect sometime in 2027, or even later. 
  3. UK Organisations irrespective of the law, should prioritise understanding what private sector counter terrorism is and how its delivered, before even considering what could be in the law during 2027.  

Useful Links:

.

Mildot Group®

Our Mission

Deliver real world security and counter terrorism consultancy built for 21st century threats.

Convert complexity into clarity so organisations act faster, smarter, and with confidence.

Provide high-quality security capability that’s within reach for everyone.

Who We Are

Mildot Group (established 2014) is a close network of experienced security professionals, selected for competence, integrity, and delivery under pressure.

With British military foundations and global private sector expertise, we help organisations strengthen security capability, from frontline operations through to senior decision-making.

What We Do

We deliver security risk management consultancy and learning that turns theory into action. From threat, vulnerability and risk assessments through to security strategies, technical systems and behavioural risk solutions, we build tailored protective security and counter-terrorism capability that works under pressure.

Our eLearning is independently reviewed and CPD Standards Office accredited.

 

International Security Experience You Can Trust

The company owner, supported by a hand‑picked network of professionals, brings unrivalled experience from ground level to senior leadership. Their private sector careers span government contracts, security and counter‑terrorism operations, specialist firearms training, and high‑level defence procurement and security advisory roles.

They have trained thousands of security personnel, managed and built large‑scale teams for Oil & Gas operations, and enhanced VIP protection programmes for government clients and delivered long‑term defence capability programmes. Extensive experience at senior levels within the private sector to design, implement and manage security risk management systems that mitigate terrorism, insurgency, and hybrid threats.

Trusted at the Highest Levels

Our services have been rigorously vetted by UK Government agencies. As former Registered Firearms Dealers with Section 5 authorities, our capability, capacity, and proven expertise have been verified to high standards, ensuring absolute confidence in our delivery.

ICO registered number ZA289831 

Privacy Policy

Terms & Conditions Policy

Terms of Use Policy

Privacy Preference Center

Privacy Preferences

Mildot Group hold data sent by users for recruitment purposes only and is not passed onto any third parties. If opportunities become available the data is used to send relevant information to potential personnel. Removal of this data can be made at anytime by requesting removal to info@mildot.co.uk

Social Media

Analytical information to help improve marketing and customer experience.