The necessary evolution of UK counter terrorism

March 23, 2026

Brian Ruddock, Director of Security Risk Management at Securitas UK, explains why Martyn’s Law marks a turning point for the UK’s counter terror strategy.

The national counter terrorism framework

For most of my security career, UK protective security has operated within a well‑established national counter terrorism framework: CONTEST has provided strategic coherence since 2003, with the Protect and Prepare pillars intended to drive proactive mitigation rather than reactive response.

However, outside critical national infrastructure and a subset of high‑maturity organisations, the adoption of protective security best practice has remained inconsistent to say the least, too often reliant on organisational commitment and variable capability.

Martyn’s Law, or the ‘Terrorism (Protection of Premises) Act 2025’, changes that dynamic in a way no previous framework has.

Not because the underlying principles are new – they aren’t – but because the legal structure is.

For the first time, the UK has placed mandatory duties on organisations managing in-scope publicly accessible premises, with statutory responsibilities, formal designation of an accountable individual (at the higher tier), regulatory oversight and substantial and significant enforcement powers.

Why Martyn’s Law is not ‘more of the same’

It is the first time protective security has moved from recommended guidance to statutory requirement

Martyn’s Law turns protective security from guidance into obligation.

Until now, the UK has relied on discretionary uptake – and that approach hasn’t delivered consistent standards across Publicly Accessible Locations (PALs).

The government’s own Impact Assessment, the ‘Terrorism (Protection of Premises) Bill 2024: Impact assessment’, makes this explicit: up until now, there have been no mandatory requirements for venues to assess and mitigate terrorism risk, despite PALs remaining one of the highest‑likelihood risks in the National Risk Register, and security performance varies widely as a result.

For those of us working in security, this gap has been evident for years. Martyn’s Law finally closes it.

Not by introducing new ideas, but by making long‑accepted principles a legal requirement.

The regulator changes everything

According to the ‘Terrorism (Protection of Premises) Act 2025: The regulator, sanctions and enforcement factsheet’, the Security Industry Authority (SIA) is now empowered to issue compliance notices, restriction notices and monetary penalties, and to oversee enforcement.

For a sector that has historically operated on mixed standards and optional adherence, this is a watershed moment.

The Home Office has confirmed that the SIA’s new regulatory function begins following a minimum 24‑month implementation period from the Act receiving Royal Assent on 3 April 2025, giving organisations time to assess requirements and build capability before full enforcement begins.

It formalises learnings from the Manchester Arena Inquiry into law

The Manchester Arena Public Inquiry reported “serious shortcomings” in the security arrangements, including failings and missed opportunities by the venue operator, the security contractors and the British Transport Police, exacerbated by the complexities of ‘grey space’ and various shift handovers.

Martyn’s Law, in many ways, is the legal embodiment of the Inquiry’s findings and recommendations: an insistence that basic preparedness, coordinated responsibility and organisational competence are not optional when the public is under your stewardship.

For years we have relied on National Counter Terrorism Security Office (NaCTSO/ProtectUK) guidance, Action Counters Terrorism (ACT) and similar programmes, and the goodwill and Health & Safety practices (e.g. The Purple Guide) of responsible operators.

The intentions were good, the guidance was solid, but the absence of legal security duties meant persistent gaps. This Act finally confronts that gap.

Why the security profession must treat this as a turning point

Martyn’s Law raises the bar for accountability – culture must follow

The Act mandates a “Responsible Person” (which effectively means ‘the body corporate’) for all qualifying premises and a “Senior Individual” for enhanced‑tier sites.

The latter must be someone with organisational authority: think Director, Partner or someone with Senior Management responsibility.

For years, protective security has not been aligned to a competent security function: it has been allocated to facilities, operations, or health and safety, or held by an overstretched Security Manager without strategic reach or a place in the boardroom. That era is surely over.

Boards now have statutory ‘skin in the game’ and security leaders will be responsible for sharper analysis, stronger justification for decisions and clearer assurance on how risks are being managed.

The Royal Assent process and multi‑government backing

The Act received Royal Assent on 3 April 2025, underlining cross‑party consensus and years of political commitment.

Both former Prime Minister Rishi Sunak and current Prime Minister Keir Starmer publicly backed the legislation and engaged directly with campaigners.

As a result, Martyn’s Law is now embedded in statute and will sit permanently within the UK’s organisational risk landscape.

What makes Martyn’s Law different in practice – from the perspective of a Security Director

We finally have legal clarity on who owns what

Security leaders have long struggled with ambiguous divisions of responsibility for premises managers across operators, landlords, contractors and event partners.

The Act now defines qualifying premises, qualifying events, responsible persons and senior individuals in statute. This removes the ambiguity that all too often stalled cross‑functional security decision‑making.

Proportionate, yes. Optional, no

The threshold for qualification is a minimum of 200 premises occupants for organisations to maintain a ‘standard duty’ and 800+ to have additional ‘enhanced duty’ obligations.

Entering the enhanced tier requires risk-assessed security measures which may need additional investment and further reporting requirements to the regulator.

The Regulatory Policy Committee (RPC) confirms a shift in liability

The RPC’s ‘Terrorism (Protection of Premises) Bill – Martyn’s Law’ has recognised that Martyn’s Law represents a “significant shift in liability for terrorism from the State to businesses that manage event venues.”

Security leaders must now speak in the language of:

  • Statutory exposure
  • Regulatory expectations
  • Demonstrable risk management
  • Board‑level assurance

Where do we go from here?

The implementation period, running until at least April 2027, provides an opportunity to raise standards, strengthen accountability and embed terrorism risk into routine decision-making across UK public venues.

Statutory Guidance from the Home Office will clarify how organisations meet the Act’s requirements and demonstrate compliance.

Martyn’s Law does not demand the impossible; it formalises long-standing best practice with clear regulatory backing. That is why it matters.

This article was originally published in the March edition of Security Journal UK.