Prevent and Protect: What Martyn’s Law Means for Hospitality

May 11, 2026 Bars, Hospitality, Hotels, Professional Comment, Pubs, Restaurants

We’re halfway through the implementation period for Martyn’s Law, which means certain premises and events now have one year to ensure they meet the requirements for preventing a terrorist attack and protecting the public. Pauline Munro, a partner at Gateley Legal, explains what the new law requires and how businesses can prepare ahead of next year’s deadline.

Martyn Hett was singing and laughing in the foyer of Manchester Arena during an Ariana Grande concert in May 2017 when Salman Abedi detonated a shrapnel-filled bomb.

The subsequent inquiry revealed numerous failings on the part of both Manchester Arena and the emergency services, including a failure to act on reports of a suspicious person by a member of the public, and an insufficient officer presence at the event.

These shortcomings cost the lives of 22 people, including Martyn, and injured hundreds of others.

Be prepared

Officially known as The Terrorism (Protection of Premises) Act 2025 (‘the 2025 Act’), Martyn’s Law creates a legal duty for certain premises and events to assess the risks of terrorism and implement proportionate security measures.

Not all premises and events will be in scope of Martyn’s Law, with sections 2 and 3 of the 2025 Act containing the criteria that must be met for it to apply.

Premises must:
• include at least one building, or be a premises within a building;
• be wholly or mainly used for one or more of the uses specified under Schedule 1 of the 2025 Act. These include shops, restaurants, conference centres and venues for hire;
• Reasonably expect more than 200 individuals to be present at least occasionally, and;
• Not be listed as exempt under Schedule 2 of the 2025 Act.

The requirements for events are slightly different, and include events that:
• Are hosted at an area such as a park or a recreation ground;
• Have measures to check entry conditions, such as ticket checks, and;
• Can reasonably expect at least 800 individuals to be present for the event at the same time at some point.

A tiered approach

Under section 4 of Martyn’s Law, all premises and events within scope must have a ‘responsible person’ who has “control of the premises in connection with their relevant Schedule 1 use” or who has “control of the premises at which the event is to be held in connection with their use for the event”.

In the standard tier, which covers premises that can never reasonably expect more than 800 people to be present at the same time at some point, the responsible person must notify the Security Industry Authority (SIA) of the premises, have reasonably practicable public protection procedures in place, and reduce the risk of harm being caused to individuals.

In the enhanced tier, a responsible person must meet all standard tier requirements, as well as implement measures to monitor the premises and immediate vicinity and provide documentation of public protection procedures to the SIA.

Whilst a responsible person can be a business, all enhanced tier businesses will need to designate a senior individual to ensure compliance.

Any events within Martyn’s Law’s scope fall under the enhanced tier, as do premises that can reasonably expect 800 or more individuals at the same time.

To enforce the requirements, Martyn’s Law creates a new function for the SIA, the UK’s private security regulator. Under the 2025 Act, the SIA will be responsible for enforcing the new regulatory framework, with powers to enter premises and take enforcement action against serious or persistent non-compliance.
Such action may include compliance notices, monetary penalties, and restriction notices. For enhanced tier premises and events, monetary penalties could reach a maximum of 5 per cent of worldwide revenue.

Protecting the public

The UK Government has now published guidance on interpreting and preparing for the requirements under Martyn’s Law, and businesses in scope should be reviewing this carefully with legal specialists to ensure compliance.

There are also small steps that businesses in both tiers can take to ensure that they are ready for the law’s implementation, such as ensuring estimates on event or building capacity are accurate, training staff on Martyn’s Law and any relevant procedures, evaluating current emergency procedures, and assessing whether additional security measures, such as bag searches, are necessary.

Whilst Martyn’s Law doesn’t require wholesale change or investment in high-tech security, it does place an obligation on businesses to assess the risks of harm to the public and ensure all staff are trained to follow the necessary procedures for keeping people safe.

With only a year left until the law is enforced, businesses within scope should be reviewing both the law and the government guidance carefully. This will not only ensure compliance but also help businesses play their part in preventing a tragedy like the Manchester Arena bombing from ever happening again.