What does Martyn's Law mean for your organisation–and what should you be doing now?

With the Terrorism (Protection of Premises) Act 2025 now on the statute books, a 24-month implementation period has begun. While the Security Industry Authority (SIA) will not start formal enforcement or issuing penalties until Spring 2027, venues and event organisers are expected to use this period to assess risks, put protective measures in place, and be able to demonstrate, with evidence, that preparedness.

How ready are you? Take our self-assessment quiz to gauge your current position, then read on to learn what action is required.

Martyn's Law: A Response to Evolving Security Risks

When a terrorist attack strikes, the consequences can be far-reaching and extend beyond the immediate tragedy. These moments often become painful but critical wake-up calls—exposing weaknesses in preparedness, decision-making, and incident response that only surface under extreme pressure.

The 2017 Manchester Arena attack brought this reality into sharp focus when nearly 3,000 nuts and bolts packed into the explosive device detonated. 22 people died, including young concertgoers, and 1,017 people were injured, many suffering life-changing harm. Survivors continue to live with psychological trauma.

The wider economic and social impacts were also significant. Physical damage to the arena and Manchester Victoria Station, combined with disruption to local businesses and tourism, resulted in an estimated £116 million in economic losses.

In response, Figen Murray—mother of victim Martyn Hett—campaigned for stronger protective measures at public venues. The public inquiry that followed the attack reinforced her message: it exposed serious gaps in how venues prepare for and respond to terrorist threats. Emergency exits were unclear, communication systems failed under pressure, and security procedures existed on paper but had never been tested in practice. Murray's advocacy, combined with the inquiry's findings, led directly to Martyn's Law.

While intelligence and prevention of terrorism have improved, the security risk remains real. Since 2017, UK security services have disrupted 43 late-stage terrorist plots while managing approximately 800 live investigations at any given time.

State-led prevention and police protection alone cannot guarantee safety. Venue-level preparedness has become an essential component of public protection—and this is why Martyn's Law is crucial.

Martyn's Law: A Tiered Approach to Protection

Modern terrorism increasingly targets "soft targets"—public venues, concerts, and crowded spaces where large numbers gather—using low-tech methods (vehicles, knives, improvised explosives) that can evade sophisticated intelligence networks. This shift makes venue-level preparedness essential. And this is why–with Martyn's Law–venues as well as large-scale event organisers must identify risks and put measures in place to protect the public.

However, a one-size-fits-all approach would be neither practical nor proportionate. Enhanced security measures—including comprehensive risk assessments, security equipment, incident management systems, and extensive documentation—require time and investment that smaller venues cannot reasonably bear.

Martyn's Law therefore introduces a risk-based, tiered framework* that scales requirements according to venue capacity:

Tier
Capacity
Complexity
Requirements

Under 200 people

Basic

Not legally required, but preparation recommended

...

Standard

200-799 people

Moderate

  • Put in place public protection procedures, including evacuation, invacuation, lockdown, and communication.
  • Prepare and train staff.
  • Notify SIA

Enhanced

800+ people

High

  • All standard tier duties and
  • Implement, as far as reasonably practicable, public protection measures to reduce vulnerability and risk.
  • Appoint a Designated Senior Individual (DSI)
  • Document procedures and measures: submit documentation to the SIA.

Qualifying Public Events
(festivals, concerts, sporting events)

800+ capacity + entry conditions (tickets, wristbands, accreditation)

High

  • Same as Enhanced Tier requirements
  • Except the Event organiser is Responsible Person

Note: Healthcare and religious venues are special categories with nuanced rules. For education, early years, primary, secondary and further education settings are treated as Standard Tier, even if they have 800+ people present. Only higher education may fall into Enhanced tier based on capacity.

Timeline: From Preparedness to Compliance

With Martyn's Law now on the statute books, venues and event organisers should be assessing risks and preparing for compliance. A quick glance at the timeline demonstrates the urgency of establishing emergency preparedness and implementing critical event management processes and documentation for any audits that may be needed.

A timeline showing the Martin's Law timeline and rollout in the UK

Organisations need to act swiftly to:

  • perform/update risk assessments
  • upgrade equipment as needed: where proportionate and reasonably practicable
  • create/update emergency response plans
  • conduct staff training
  • establish auditing/reporting systems

There is no time to waste. Organisations should undertake compliance efforts now to avoid penalties and, more importantly, to ensure preparedness to protect the public and defend lives.

Spring 2027: Enforcement & Penalties

The Security Industry Authority (SIA) has broad enforcement powers to ensure compliance:

Financial Penalties/Impacts:

  • Fines up to £18 million or 5% of worldwide revenue (whichever is greater) for serious breaches by large organisations. Lower, proportionate fines for smaller venues and less serious violations
  • Reputational impact: insurance implications

Operational Restrictions:

  • The SIA can issue restriction notices preventing venue use or event operation until compliance is achieved.

Criminal Sanctions:

  • Providing false or misleading information to the SIA: Criminal offense
  • Operating in breach of a restriction notice: Criminal prosecution
  • Senior officers, including the designated senior individual, may be liable where an offence is committed with their consent, connivance, or due to neglect.

The severity of penalties reflects the seriousness of the duty—public safety is at stake. However, the SIA has indicated it will take a proportionate, risk-based approach to enforcement, with guidance and support offered before punitive measures.

From Preparedness to Compliance

Martyn's Law marks a fundamental shift: it's no longer enough to simply be prepared—you must be able to prove you're prepared.

The operational reality

When an incident occurs, your staff need to make split-second decisions: Do we evacuate everyone outside, or is that more dangerous? Should we invacuate to secure internal areas? Do we lockdown and restrict movement? How do we communicate with hundreds of people while coordinating with emergency services?

These procedures must work under pressure—not just exist on paper.

The compliance challenge

In practice, SIA inspections are likely to focus on whether organisations can show evidence that procedures are understood, tested, and effective. You may be asked, "Can you show me evidence that your procedures work and that your staff know how to execute them?"

This is where many venues struggle. Emergency plans exist in binders. Staff have been trained—but when? On what? Drills happen, but there's no systematic record of what was tested or how procedures improved. When it's time to demonstrate compliance, piecing together an audit trail becomes a scramble.

Two approaches to managing compliance

Manual systems can work for Standard Tier venues: spreadsheets tracking training, paper logs documenting drills, shared drives storing plans. This requires discipline and consistent record-keeping, but it's achievable for smaller operations.

Critical Event Management (CEM) platforms become essential for Enhanced Tier venues managing complex requirements across multiple locations, scenarios, and rotating staff.

What CEM solutions provide

For operational response

  • Instant mobile access to evacuation routes, lockdown protocols, and invacuation plans during an incident
  • Real-time coordination between security teams, floor managers, and incident commanders
  • Mass notification systems to trigger evacuation, lockdown, or shelter-in-place alerts instantly
  • Role-based playbooks so each team member sees the guidance they need

For compliance documentation

  • Automated audit trails timestamping every action during drills and incidents
  • Drill management with automatic reports showing participation, response times, and gaps
  • Continuous improvement tracking how lessons learned feed into updated procedures

The dual benefit

CEM platforms aren't just compliance paperwork—they improve emergency response when it matters most. When your team can access the right plan instantly and coordinate in real-time, you're genuinely improving your ability to protect people.

A solution such as RAYVN's critical event management platform is purpose-built for this dual requirement: operational tools that work in critical moments, while automatically generating inspection-ready compliance documentation. Organizations can use RAYVN to manage everything from routine drills to real incidents, building compliance that actually improves safety.

What are your next steps?

No matter how large or small your venue, it makes sense to perform a risk assessment, create an emergency response plan, run drills/exercises and identify how you will handle any incidents and reporting that may arise should a critical event strike.

For Standard and Enhanced tiers especially, now is the time to act:

  • Assess your current state: Identify which tier applies to your organisation.
  • Conduct a gap analysis: Determine what procedures, training, and systems you need.
  • Begin implementation: Don't wait until 2027; start building compliance now.
  • Test and refine: Run drills and exercises to ensure your procedures work under pressure.
  • Assess & adapt: Update the plan as needed for the future.

Whatever the size of your venue, this is an opportunity to make emergency preparedness part of your daily operations for enhanced security and protection.

Additional resources

* Please note requirements are summarised for guidance only; organisations should consult official SIA guidance for definitive legal obligations. 

Caleb Robertson, RAYVN

Ready to see how RAYVN can streamline your preparedness and compliance?

Contact Caleb Robertson to discuss your venue's specific requirements.

Se webinaret

Vil du se integrasjonen i praksis? Vi arrangerte nylig et webinar sammen med Documaster-teamet, hvor vi demonstrerte dataflyten direkte og svarte på spørsmål om håndtering av øvelser kontra reelle hendelser.

Til webinaret

Talk to a RAYVN Expert

Don't just test a tool—optimize your strategy. Sit down with a RAYVN expert to verify our features meet your compliance needs and see how easy it is to manage complex incidents in real-time.

Get Started
Image

Latest news

A woman manages a digital archive on a laptop

Bridging Crisis Management and Archiving: The RAYVN + Documaster Integration

Why teams freeze in a crisis. Gorilla

Why Good Teams Freeze in a Crisis

The human brain and tech

Beyond Human Limits: Non-Technical Skills and the Future of Incident Management