Martyn's Law · Terrorism (Protection of Premises) Act 2025

MARTYN'S LAW,
MADE CLEAR.

A new legal duty is coming for UK venues: be prepared for a terrorist attack, and be able to protect the people on your premises. This page explains who is covered, what each tier must do, and how to prepare. In plain English.

200+
People present: in scope
800+
People present: enhanced tier
2027
Expected to come into force
SIA
The regulator
Background

THE STORY BEHIND
THE ACT.

Martyn's Law is named after Martyn Hett, one of the 22 people who lost their lives in the Manchester Arena attack in 2017. The law exists because of his mother, Figen Murray, who responded to unimaginable loss by campaigning, with great dignity and determination, so that other families would not have to experience the same. The Terrorism (Protection of Premises) Act 2025 received Royal Assent on 3 April 2025. It is, above all, her achievement.

The principle of the Act is simple. Fire safety has been a legal duty for decades, and preparedness for an attack now works the same way. If your premises can hold 200 or more people, you will need to think through how you would protect them, write it down, and be able to act on it.

The law is not yet in force. The Government has committed to an implementation period of at least 24 months from April 2025, and published its statutory guidance on 15 April 2026. Enforcement is expected to begin in 2027. That makes now the right time to prepare: the requirements are known, the regulator is being established, and there is still time to get ready without rushing.

3 April 2025
Royal Assent. The Act becomes law with an implementation period of at least 24 months.
15 April 2026
Home Office publishes statutory guidance explaining scope and requirements.
2026
SIA regulatory function being established. Draft SIA guidance out for consultation.
Expected 2027
The Act comes into force. Duties and penalties become enforceable.
Scope

DOES IT APPLY TO YOU?

The Act covers premises used for purposes listed in Schedule 1 of the legislation, where it is reasonable to expect 200 or more people (including staff) may be present at the same time. That includes:

RetailHospitalityEntertainment & leisureStadiums & arenasPlaces of worshipEducationHealthcareTransport hubsCommunity & event spacesPublic events with 800+ attendees

Quick self-check

Three questions for a first indication of where you stand.

1. Is your venue used for one of the purposes above (or similar public use)?

2. Could 200 or more people (including staff) reasonably be present at the same time?

3. Could that number reach 800 or more?

This is a guide, not legal advice. Scope depends on the detail of Schedule 1 and Schedule 2 of the Act. The Home Office's statutory guidance and supplementary documents on GOV.UK are the authoritative source, and they include methods for assessing how many people you should reasonably expect.

Requirements

TWO TIERS,
TWO SETS OF DUTIES.

Which tier you fall into depends on how many people it is reasonable to expect at the same time. The duties are cumulative: enhanced tier premises must do everything the standard tier does, plus more.

Standard tier
200 to 799 people
Simple, low-cost preparedness. The main cost is time.
  • Notify the Security Industry Authority (SIA) that you are responsible for the premises
  • Put in place public protection procedures, so far as reasonably practicable: how staff would evacuate people, move them to safety inside (invacuation), lock down the premises, and communicate with everyone on site during an attack
Non-compliance penalties: up to £10,000, with daily penalties of up to £500 for continuing breaches.
Enhanced tier
800+ people
Everything in the standard tier, plus active measures to reduce vulnerability.
  • All standard tier duties: SIA notification and public protection procedures
  • Public protection measures that reduce the venue's vulnerability to attack and the risk of harm, including monitoring the premises and their immediate vicinity
  • Document your procedures and measures, with an assessment of how they reduce risk, and provide that document to the SIA
  • Designate a senior individual responsible for compliance (where the responsible person is an organisation)
Non-compliance penalties: up to £18 million or 5% of worldwide revenue, with daily penalties of up to £50,000. Restriction notices can temporarily close a venue.

Public events with 800 or more attendees that check tickets or entry conditions fall under enhanced tier duties even on land without buildings. Sources: Home Office Martyn's Law factsheet (updated April 2026), Terrorism (Protection of Premises) Act 2025 statutory guidance (15 April 2026), ProtectUK.

The honest bit

WHAT MARTYN'S LAW
DOES NOT REQUIRE.

Plenty of companies are selling compliance fear right now. We would rather tell you the truth, because it's the same standard of honesty we apply to how we handle your data.

No specific technology

The Act does not mandate CCTV, facial recognition, scanners, or any other product. It requires procedures and, for larger venues, proportionate measures. What is appropriate depends on your venue and your risks.

No consultants

The Home Office states that premises and events do not need to spend money on consultants to comply. The statutory guidance is written for you to make your own assessment.

No endorsed products

Neither the Home Office nor the SIA endorses any third-party product for Martyn's Law compliance. That includes ours. Anyone claiming their product is “Martyn's Law certified” is misleading you.

“Premises and events do not need to spend money on consultants to be compliant with the legislative requirements. Please be aware neither the Home Office nor the Security Industry Authority (SIA) endorse any third-party products offered by the private sector in respect of compliance with this legislation.”

Home Office, Martyn's Law factsheet, updated April 2026
Where facial recognition genuinely fits

ONE STRONG ANSWER TO THE
MONITORING QUESTION.

For enhanced tier venues, the Act expects measures that monitor the premises and their immediate vicinity, and reduce vulnerability to an attack. Cameras that only record are passive: they tell you what happened after the event. Facial recognition makes the same cameras active, and that is where it earns its place in a Martyn's Law security plan.

01

Monitor

FaiceAlert works with your existing cameras to check faces at entrances against your own private watchlist, in real time. If a person of concern walks in, your team knows in seconds, not after reviewing footage.

02

Document

Enhanced tier venues must document their measures and how they reduce risk, and submit this to the SIA. A monitored entrance with a defined alert and response protocol is a concrete, explainable measure to include in that assessment.

03

Respond

Alerts route to the people you choose: SMS, email, headsets, or your control room. Your documented response protocol turns an alert into action, which is exactly the preparedness the Act is designed to create.

Done responsibly, or not at all. Facial recognition processes biometric data, so deploying it requires a Data Protection Impact Assessment, a lawful basis, human review of every match, and clear signage. We guide every client through the DPIA, and our platform is built around data minimisation: people who are not on your watchlist are deleted immediately. Read how we handle all of this in our Trust Centre.

Visit the Trust Centre
Common questions

MARTYN'S LAW FAQ.

The Act received Royal Assent on 3 April 2025 with an implementation period of at least 24 months, and is expected to come into force in 2027. There is no legal duty to comply until then, but the Home Office encourages venues in scope to start preparing now. The statutory guidance was published on 15 April 2026.

It applies if your premises are used for a purpose listed in Schedule 1 of the Act (such as retail, hospitality, entertainment, worship, education, healthcare or transport) and it is reasonable to expect that 200 or more people, including staff, may be present at the same time. Premises excluded under Schedule 2 are out of scope. Public events with 800 or more attendees and an entry condition, such as tickets, are also covered.

Standard tier (200 to 799 people) requires notifying the SIA and having public protection procedures covering evacuation, invacuation, lockdown and communication. Enhanced tier (800 or more people) additionally requires measures that reduce the venue's vulnerability, such as monitoring the premises and vicinity, documenting those measures for the SIA, and designating a senior individual responsible for compliance.

The SIA can issue compliance notices and monetary penalties: up to £10,000 for standard tier premises and up to £18 million or 5% of worldwide revenue for enhanced tier premises or events, plus daily penalties for continuing non-compliance. Restriction notices can temporarily close enhanced tier premises. Some failures, such as ignoring notices or providing false information, are criminal offences.

No. The Act does not mandate any specific technology, and neither the Home Office nor the SIA endorses any product for compliance. Enhanced tier venues must have proportionate measures to monitor their premises and reduce vulnerability, and each venue decides how to achieve that. Facial recognition is one option that makes existing cameras capable of identifying known threats in real time.

For enhanced tier venues, FaiceAlert turns existing cameras into an active monitoring measure: real-time alerts when a person on your watchlist enters, with a documented response protocol you can include in your SIA submission. We support clients through the Data Protection Impact Assessment and deploy with privacy safeguards built in. We are happy to say plainly that no product is required for compliance; our case is that it is one of the strongest measures available for the monitoring duty.

Further reading

PREPARING FOR MARTYN'S LAW?