For three years, Martyn’s Law existed somewhere between campaign and legislation. It was widely discussed and rarely understood.

That changed on 3rd April 2025, when the Terrorism (Protection of Premises) Act received Royal Assent and became law. It changed again in April 2026, when the Home Office published the statutory guidance that tells those responsible for public premises exactly what’s expected of them.

The clock is running. Enforcement is anticipated by early 2027, which sounds like plenty of time until you consider that physical infrastructure, staff training, documentation and governance doesn’t appear overnight. For anyone responsible for a publicly accessible venue, event or space, this is the moment to stop filing this under ‘monitor; and start taking action.

This is an honest attempt to digest what the guidance actually says, and what it means for the people and organisations who now need to act on it.

Where did Marytn's Law originate?
Martyn’s Law is named for Martyn Hett, one of the 22 people killed at the terrorist attack that took place at the Manchester Arena in May 2017. His mother, Figen Murray, campaigned for years to turn that tragedy into lasting change. The result is one of the most significant pieces of counter-terrorism legislation in twenty years.

The Act doesn’t exist to generate paperwork or burden venue managers, it exists because the inquiry into Manchester Arena found that better preparation could have reduced harm, and because the same is likely true of the many of the public spaces people use every day without thinking about it.

Does it apply to you?
The Act applies to publicly accessible premises and qualifying events, split into two tiers based on capacity. The Standard Tier covers venues where between 200 and 799 people might be reasonably expected to be present at the same time, including staff. The Enhanced Tier applies to 800 or more. Tier allocation is about reasonable expectation of occupancy in normal operation.

Some premises sit within the Standard Tier regardless of size, including places of worship, childcare setting and most educational establishments. Events are assessed separately from the premises they’re held at, unless the venue already falls under the Enhanced Tier obligations.

The net is wider than many people assume. Shopping centres, leisure complexes, transport hubs, libraries, markets, entertainment venues, sports grounds, the list goes on. If the public can walk in and significant numbers routinely do, there's a reasonable chance you're in scope. If you're not sure, the statutory guidance includes clear criteria and working through them with your legal or security adviser is the sensible first step.

What the guidance actually requires
The framing of the guidance is important: the focus is on harm reduction. No one is expected to prevent terrorism. The obligation is to be well prepared to respond to it, minimise casualties, and get people to safety quickly and effectively.

For all in-scope premisses and events the minimum requirement is to have documented, workable procedures for four scenarios: evacuation, invacuation (moving people to a place of safety within the building), lockdown, and communication. Those procedures need to be known to staff and need to account for the immediate vicinity of the premises.

Enhanced tier premises go further. In addition to procedures, they must implement physical and operational measures that address monitoring and vigilance, control of movement and access, the physical; security of the site itself, and the protection of sensitive information. This is where the design of your environment becomes a part of your compliance picture.

All measures, at both tiers, must be proportionate, tailored to the specific premises, regularly reviewed, and supported by documented decision-making. The guidance is explicit that a one-size-fits-all approach won’t satisfy the requirements.

The physical environment and why it matters more than people expect
One of the threats that the guidance expects Enhanced Tier responsible persons to have considered is the vehicle as a weapon.

Vehicle-borne attacks have featured in several of the UK's most devastating terrorist incidents. They require no specialist knowledge to execute, and they're effective precisely because public spaces, by design, tend to be open and accessible. Addressing that vulnerability means thinking seriously about the physical boundary between vehicle routes and pedestrian areas.

Hostile Vehicle Mitigation, or HVM, is the security discipline that addresses this. At its most effective, it's not a set of ugly blocks bolted on after the fact; it's security that's designed into the public realm from the outset. Crash-rated bollards, security planters, counter-terror barriers and integrated street furniture can all serve HVM functions while remaining appropriate to the character of the space they protect. The best examples are invisible as security infrastructure; they read as considered urban design that happens to be doing a vital job.

For many Enhanced Tier venues, a review of pedestrian approach routes, vehicle access points and perimeter design will form a necessary part of compliance planning. For Standard Tier venues, it's worth considering even if not strictly mandated. Proportionality cuts both ways, and a venue that has assessed the risk and put appropriate measures in place is in a far stronger position than one that hasn't.

The "reasonably practicable" principle
The guidance is careful to build in a proportionality standard, and it's worth understanding because it's often misread in both directions, either as a reason to do nothing ("it doesn't have to be perfect") or as an impossibly high bar ("how can we ever do enough?").

What the guidance actually says is to be "reasonably practicable". This involves balancing protective objectives against the cost, time and difficulty of implementation. A small community venue and a major transport hub won't be held to the same standard. What they will both be held to is the standard of having genuinely considered their risks and made proportionate, documented decisions in response.

That documentation matters. The guidance expects responsible persons to be able to show their working – not just what they've done, but why, and how they arrived at that conclusion.

Enforcement and the timeline
The Security Industry Authority is the regulator. It has investigatory powers and the ability to issue compliance notices and financial penalties. For serious breaches, criminal liability is also possible. The SIA has been clear that it intends to enforce (the guidance isn't advisory, it's statutory) and commencement is expected in early 2027.

The implementation period was always described as at least 24 months, intended to give venues time to prepare. That time is now largely spent. Venues and event organisers who haven't yet mapped their obligations are behind where they should be.

What to do now
The guidance is publicly available and worth reading in full if you're in scope. But in practical terms, the immediate priorities are: establish whether your premises or events qualify and at which tier; map your existing procedures and infrastructure against what the guidance requires; and for Enhanced Tier sites, commission a genuine security review of your physical environment – particularly vehicle access points and pedestrian approaches.

Document everything. Not as a paper exercise, but because the "reasonably practicable" standard is demonstrated through evidence of structured thinking and proportionate response.

Review regularly. The guidance expects ongoing assessment, not a single compliance tick.

For Enhanced Tier operators with questions about physical perimeter security and HVM, Townscape Products (a Broxap company) carries a full range of crash-rated barriers, bollards and security-integrated street furniture, with technical guidance on how to approach site assessments. Details are on their website.

Martyn's Law is, in the most direct sense possible, the response to a real failure to prepare. The guidance is thorough, proportionate and useful. Getting across it now, before the enforcement date, is the right thing to do.