Martyn’s Law in Practice
Strategic Insight on Operationalising Current Guidance
By Anthony Gledhill | 20th April 2026
Purpose
This article has been written to bridge the gap between theoretical guidance and real world delivery, particularly for organisations without in-house security expertise at leadership level. The focus is on how the requirements translate in practice, how they will be tested, and what organisations need to do to make them work under pressure.
The final thought piece on advisors at the end of the article is crucial for private sector organisational leadership.
Introduction
If a serious incident happened at one of your sites tomorrow, would your people act immediately, or hesitate while waiting for direction?
That question sits at the centre of the Terrorism (Protection of Premises) Act 2025, commonly known as Martyn’s Law.
The legislation introduces a legal duty for organisations to prepare for terrorist attacks. It assigns accountability, establishes regulatory oversight through the Security Industry Authority, and expects organisations to implement measures that are reasonably practicable and capable of working under pressure (Home Office, 2026a; Security Industry Authority, 2026).
At first glance, the legislation can appear to be another compliance requirement. Policies are written. Procedures are documented. Training is delivered. Boxes are ticked.
That interpretation misses the point.
Martyn’s Law is not simply asking whether organisations have procedures. It asks whether those procedures would actually work during a fast moving hostile incident when information is limited, leadership may be absent, and people are under pressure (Home Office, 2026a).
That changes everything.
After an incident, investigators will not focus solely on what existed on paper. Attention immediately shifts to people:
- What did staff understand?
- Who made decisions?
- How quickly did people act?
- Did the system function under pressure or collapse in confusion?
This is where many organisations become exposed. Strong documentation does not automatically produce effective action.
Protective security in the private sector is operational. It depends on leadership, clarity, communication, decision making, and people understanding what to do before emergency services arrive (National Protective Security Authority, 2023a; ProtectUK, 2021).
That is the real test behind the legislation.
How the Guidance Fits Together
The April 2026 guidance documents establish the framework organisations are expected to follow.
The Statutory Guidance defines the requirement for public protection procedures such as evacuation, invacuation, lockdown, and communication (Home Office, 2026a).
Supplementary Documents A and B explain how premises and events fall within scope, primarily through attendance thresholds and use of premises (Home Office, 2026b; Home Office, 2026c).
Supplementary Document C focuses on awareness, competence, and staff training (Home Office, 2026d).
The SIA Section 12 Guidance explains how compliance will be assessed and enforced (Security Industry Authority, 2026).
Together, the framework moves through four stages:
- Legal duty
- Scope
- Capability
- Oversight
The guidance explains what organisations must have in place. It does not explain how people will perform during a live incident.
That gap is critical.
This is where wider experience and guidance from ProtectUK and the National Protective Security Authority become important. Those documents focus more heavily on operational delivery, leadership, rehearsed response, communication, and practical implementation (National Protective Security Authority, 2023a; National Protective Security Authority, 2023b; ProtectUK, 2021).
The distinction matters.
The legislation defines minimum expectation.
Operational guidance shows what effective capability actually looks like.
Organisations with experienced security professionals will already recognise this difference. Compliance alone rarely survives unless operational capability sits underneath it.
The legislation creates the legal framework. The organisation remains responsible for making it work.
What an Attack Actually Looks Like
Hostile incidents unfold very differently from how many organisations imagine them.
The guidance requires procedures for evacuation, lockdown, communication, and coordinated response. Staff must understand their roles and be capable of carrying them out effectively (Home Office, 2026a; Home Office, 2026d).
The wording sounds straightforward.
Reality rarely is.
At the Manchester Arena bombing, the attacker moved through the environment without challenge at key moments. The Inquiry highlighted communication failures, uncertainty, delayed decision making, and missed opportunities to intervene (Manchester Arena Inquiry, 2021).
- When the device detonated, confusion spread immediately.
- Staff were unsure what had happened.
- Leadership was not immediately visible.
- People searched for direction.
The procedures described within the guidance suddenly became time critical.
At the London Bridge and Borough Market attacks, the incident evolved rapidly across multiple locations. There was no single defined scene. Decisions had to be made with incomplete information as the attack moved between public spaces and venues (Home Office, 2018).
That reality exposes one of the central operational challenges within Martyn’s Law. Threats do not respect boundaries, floor plans, or organisational charts. Incidents evolve faster than policy documents.
Across both attacks, the same themes emerged:
- Events developed rapidly
- Information was incomplete
- People defaulted to instinct
- Leadership became unclear
- Communication fragmented
- Decision making slowed
For example:
A staff member hears a loud bang but hesitates because they are unsure whether to evacuate or lock down.
A supervisor attempts to take control but others are unclear whether authority sits with them.
Communication systems exist but nobody initiates them during the first critical moments of the emergency services response gap.
These are not failures of paperwork. They are failures of operational delivery under pressure. This is the reality organisations must prepare for.
The question is simple.
Would your current system function in that environment or only in controlled conditions?
Leadership, Roles, and Decision Making
The legislation defines two key accountability roles:
- The Responsible Person
- The Senior Individual for Enhanced Tier premises and events (Home Office, 2026a; Security Industry Authority, 2026)
For Enhanced Tier organisations, the Senior Individual becomes the central point of legal accountability. Responsibility for compliance cannot be delegated away.
Operational tasks may be assigned to managers, consultants, or contractors. Legal accountability remains with the organisation and its leadership. This becomes highly significant after an incident.
Investigators will examine not only what decisions were made, but who made them, how they were justified, and whether leadership structures functioned effectively under pressure. The guidance requires staff to understand their roles and responsibilities.
It says far less about how operational leadership should function during a live hostile incident (Home Office, 2026d). That creates a major area of interpretation. Many organisations quietly assume leadership will naturally emerge when needed.
Real incidents repeatedly show otherwise. During incidents:
- Chaos begins
- Multiple individuals attempt to lead
- Authority becomes unclear
- Staff wait for direction
- Decisions are delayed
- Communication fragments
People suffer in the gap between responsibility and action. A major concern for any organisation is mitigating the emergency services response gap: the exact moments described above.
The legislation does not explicitly require organisations to appoint operational roles such as Incident Lead, Crisis Manager, or Emergency Services Liaison. Equally, it does not prevent organisations from defining such roles where operationally appropriate (Home Office, 2026a).
That does not remove the requirement for someone to take control. If senior leadership is absent during the first critical moments:
- Who makes decisions?
- Who initiates lockdown?
- Who communicates with emergency services?
- Who coordinates movement of people?
- And plenty more requirements
If those answers are unclear before an incident, they will be exposed immediately during one.
Most organisations already possess capable operational leaders somewhere within the business. The challenge is identifying them, defining responsibilities clearly, and connecting those functions to protective security planning before they are needed.
Scope, Exposure, and Operational Reality
The legislation uses attendance thresholds and use of premises to determine scope and tier classification (Home Office, 2026b; Home Office, 2026c).
That creates a regulatory framework. It does not automatically define operational exposure. Real world risk rarely aligns neatly with static capacity figures.
At Manchester Arena, the attack occurred within a transitional space where people were arriving, waiting, and moving between environments (Manchester Arena Inquiry, 2021).
At London Bridge, exposure shifted rapidly across multiple locations (Home Office, 2018).
In both cases, vulnerability was shaped by movement, timing, crowd flow, and behaviour rather than formal occupancy limits. This distinction matters. Compliance thresholds define inclusion within the legislation.
They do not define where people become vulnerable.
In practice, exposure often concentrates within:
- Entry and exit points
- Queues and screening areas
- Shared access routes
- Transitional spaces
- Peak ingress and dispersal periods
For example:
A venue may fall below attendance thresholds internally while generating large unmanaged queues externally. A shared entrance may sit outside direct control but still create operational exposure. Temporary crowd concentration may create significant vulnerability not reflected within static classification figures.
The legislation expects organisations to apply judgement and implement reasonably practicable measures appropriate to the environment (Home Office, 2026a).
This is where interpretation becomes critical.
Organisations must assess how their environment actually functions during busy periods, changing conditions, and abnormal activity rather than relying solely on fixed compliance thresholds.
The key question is not simply – Does the site fall within scope?
The real question is – Where are people most vulnerable and does the plan reflect operational reality?
Training and Human Behaviour
The legislation does not simply require training attendance. It requires staff capability (Home Office, 2026d; Security Industry Authority, 2026).
That distinction is extremely important. A procedure only exists in practical terms if people can deliver it under pressure; otherwise it’s just theory.
This moves organisations away from awareness alone and toward operational readiness. Human behaviour during incidents follows predictable patterns.
- People freeze and hesitate
- They seek reassurance
- They look for leadership
- Communication deteriorates
- Decision making slows
All of this happens during the emergency services response gap when seconds matter most. Many organisations will misinterpret the legislation at this point. Awareness briefings, online modules, and annual presentations are often treated as sufficient – they rarely are and will fall down in court or under scrutiny.
For example:
Staff may confirm they completed training but cannot explain what they would actually do during an unfolding incident.
Individuals understand procedures in theory but freeze when confronted with ambiguity.
Teams know the process but cannot coordinate action without visible leadership.
The legislation requires capability, not familiarity (Home Office, 2026d).
That changes how organisations should think about training.
More effective approaches already exist.
Short operational exercises, role based rehearsals, routine reinforcement, and realistic scenario discussions can all be delivered within normal operations at low or neutral cost (National Protective Security Authority, 2023b; ProtectUK, 2021).
Capability develops through repetition within the environment where decisions will actually be made.
The key question is simple.
Are your people trained to understand the process or trained to act when it matters?
Regulation and Enforcement
The Security Industry Authority will not assess compliance purely through documentation.
Inspectors will assess whether procedures can actually function under operational conditions (Security Industry Authority, 2026). (Note: There is a question on capability and experience with regard to SIA inspectors, but that is for another day.)
That distinction is fundamental. Three areas will come under scrutiny:
- What exists
- What people understand
- What people can deliver under pressure
The first two are relatively easy to demonstrate. The third exposes organisations very quickly.
For example:
A member of staff is asked:
“What would you do right now if an incident occurred at the entrance?”
A short scenario is introduced:
“You hear a loud bang near the queue line. What happens next?”
A team is asked:
“Who takes control during the first two minutes?”
Simple questions often reveal significant weaknesses:
- Unclear leadership
- Hesitation
- Poor communication
- Assumption based planning
- Lack of confidence
- Unrehearsed response
At this point, paperwork carries limited value, if any; it’s all about practical action by staff. Capability becomes visible immediately.
Enhanced Tier organisations should also understand the seriousness of enforcement exposure.
Failure to comply with enforcement notices within Enhanced Tier environments may become a criminal offence carrying potential imprisonment (Security Industry Authority, 2026).
That changes the liability landscape significantly for senior leadership. The legislation introduces far more than administrative oversight.
It creates personal accountability linked directly to operational performance.
Reasonably Practicable and the Grey Areas
The phrase reasonably practicable sits at the centre of the legislation (Home Office, 2026a). It also creates one of the largest areas of organisational exposure. The concept appears straightforward.
In reality, it becomes highly contested after incidents.
Organisations must justify:
- What risks were identified
- What options were considered
- Why certain measures were selected
- Why alternatives were rejected
Those decisions will later be reconstructed by investigators, regulators, legal teams, and expert witnesses.
This is where assumptions become dangerous.
For example:
An organisation assumes existing arrangements are sufficient because no incident has previously occurred. Additional measures are dismissed based on cost without properly exploring lower cost alternatives. Training is treated as a one off awareness exercise rather than capability development.
Internally, those decisions may appear reasonable. After an incident, they may be interpreted very differently.
Investigators may ask:
- Was the assessment structured or assumption based?
- Were lower cost alternatives explored properly?
- Did leadership fully understand how the environment functioned operationally?
- Did the organisation test whether systems actually worked?
This is where many organisations become vulnerable.
What appeared proportionate internally may later be interpreted as weak assessment, limited operational understanding, or over reliance on assumption.
The legislation gives organisations flexibility. It also transfers responsibility for interpretation directly onto leadership. That responsibility becomes highly visible after failure.
Post Incident Reality
After a serious incident, several processes begin simultaneously:
- Police investigate operational actions and timelines.
- The Security Industry Authority examines compliance against legislative requirements.
- Public inquiries may examine leadership decisions and organisational failures.
- Legal teams assess liability.
- Expert witnesses reconstruct decision making.
At this stage, documentation alone carries very limited protection. Attention shifts rapidly toward operational reality.
Investigators will ask:
- What procedures existed?
- Why were those measures selected?
- How was capability assessed?
- Who held operational authority?
- How were staff prepared?
- How was effectiveness validated?
- Could the organisation prove the system actually worked?
These questions directly align with the statutory guidance, supplementary documents, and SIA enforcement expectations (Home Office, 2026a; Home Office, 2026d; Security Industry Authority, 2026).
Operational failures become highly visible very quickly.
A loud bang occurs and staff hesitate. Leadership becomes unclear. Communication stalls. Access points remain unmanaged. Staff confirm they received training but cannot explain what action they would take.
At that point, the issue is no longer policy. The issue becomes delivery failure under pressure. This is where Martyn’s Law changes organisational exposure.
The legislation creates a legal framework where assumptions, preparedness, leadership decisions, and operational capability can all be examined formally under scrutiny.
This is the real legal hook behind the legislation. The system is no longer judged purely on whether something existed. It is judged on whether it worked.
Past Performance and Organisational Risk
There is also a broader issue organisations should recognise openly.
Historically, some advisory approaches (process driven and theory based) within UK counter terrorism environments have focused heavily on compliance processes, documentation, and visible assurance activity rather than operational delivery capability. This type of approach commonly comes from advisors with no actual experience of either working in the private sector or delivering protective security in the real world for a private sector organisation.
That risk may continue as enforcement develops. This creates a challenge for organisations. Administrative compliance alone does not automatically create operational resilience.
Guidance explains expectation. It does not remove organisational responsibility for making systems work in practice.
Leadership teams should ensure decisions are based on operational reality, credible assessment, and workable delivery rather than relying solely on template driven compliance approaches.
Conclusion
Martyn’s Law does not create a paperwork test. It creates a performance test.
The legislation establishes a legal duty around procedures, preparedness, leadership, and accountability. The real challenge begins when organisations attempt to make those systems function under pressure.
Real incidents repeatedly expose the same weaknesses:
- Unclear leadership
- Hesitation
- Poor communication
- Assumption based planning
- Capability gaps between policy and delivery
The organisations that perform effectively are rarely those with the largest volume of documentation.
They are the organisations where leadership is clear, roles are understood, systems are rehearsed, and people can act confidently before emergency services arrive.
This is not fundamentally new.
Protective security, crisis management, business continuity, and operational resilience have relied on these principles for decades (National Protective Security Authority, 2023a; ProtectUK, 2021).
What Martyn’s Law changes is accountability.
The legislation creates a framework where decisions, assumptions, preparedness, and operational capability can all be examined against a defined legal standard.
That changes how organisations will be judged.
Not simply on whether measures existed.
But whether those measures were sufficient and capable of working when people needed them most.
The organisations best positioned under Martyn’s Law will not be those focused purely on compliance.
They will be the organisations that understand one critical point:
Hostile incidents do not test paperwork.
They test people, leadership, communication, and operational capability under pressure.
Final Thought & Key Advice for Leadership Teams
In operational reality, organisations do not respond to legal labels. They respond to unfolding hostile incidents with limited information, uncertainty, and pressure.
Whether an event is ultimately categorised as terrorism, criminal violence, or another form of hostile activity is often determined long after the incident itself. In the moment, there is only recognition, decision making, and response.
That creates a wider operational reality for organisations. The same procedures, leadership structures, communication systems, and decision making processes required under Martyn’s Law are equally relevant across a broad range of hostile or rapidly developing incidents.
The focus should never sit purely on categorising the threat. The focus should sit on recognising danger early and ensuring people can act effectively under pressure regardless of how the incident is ultimately defined.
Because during the first critical moments, there is no distinction.
Consultancy & Advisors
Private sector leadership should ask direct questions before appointing any counter terrorism consultancy, all based around what private sector operational experience sits behind the advice.
Leadership should ask:
• What private sector environments have you actually delivered protective security or counter terrorism systems within?
• Have you operated in commercially driven environments where decisions affect operations, reputation, liability, and business continuity?
• Have you delivered and managed security systems within a private sector organisation where the system was tested and proven?
• Can you demonstrate experience beyond guidance interpretation and compliance administration?
• How will your recommendations function operationally under pressure, not just during inspections or audits?
• How do you assess whether staff could actually perform during an incident rather than simply confirm training attendance?
• How do you test leadership, communication, and decision making?
• How do you apply the principle of reasonably practicable within operational reality, not theoretical discussion?
• If an incident happened tomorrow, how would your advice stand up under investigation, public inquiry, regulatory scrutiny, or in court?
Anyone can repeat guidance.
About the Author:
Anthony Gledhill
Over 20 years in private sector security, from frontline media operations through to designing and delivering capability development within government VIP protection units, and leading security systems across defence, construction, and oil & gas in benign, active insurgent, terrorist, and hybrid threat environments. Trained thousands of private sector security staff for armed and unarmed operations.
References
Home Office (2026a) Terrorism (Protection of Premises) Act 2025: Statutory Guidance. London: Home Office.
Home Office (2026b) Terrorism (Protection of Premises) Act 2025: Supplementary Document A. London: Home Office.
Home Office (2026c) Terrorism (Protection of Premises) Act 2025: Supplementary Document B. London: Home Office.
Home Office (2026d) Terrorism (Protection of Premises) Act 2025: Supplementary Document C. London: Home Office.
Security Industry Authority (2026) Martyn’s Law: Section 12 Draft Guidance. London: Security Industry Authority.
National Protective Security Authority (2023a) Effective Command and Control. London: National Protective Security Authority.
National Protective Security Authority (2023b) Crisis Management Guidance. London: National Protective Security Authority.
ProtectUK (2021) Working with Emergency Services. London: National Counter Terrorism Security Office (NaCTSO).
Manchester Arena Inquiry (2021) The Manchester Arena Inquiry: Volume 1 – Security for the Arena. London: HM Government.
Home Office (2018) Lessons Learned Review of the Terrorist Attacks in London Bridge and Borough Market. London: Home Office.