On 15 April 2026, the Home Office published statutory guidance under Martyn's Law. The guidance opens by honouring Martyn Hett, one of the 22 people killed in the Manchester Arena attack of 2017, and his mother, Figen Murray OBE, who drove the campaign that bears his name.
The legislation that followed - the Terrorism (Protection of Premises) Act 2025 - carries an emotional weight most regulatory frameworks lack. But the guidance does more than commemorate: it reshapes how organisations need to think about protecting people. As the guidance states starkly, "a terrorist attack might occur anywhere."
Although the Act has received Royal Assent, the main duties under it are not yet in effect. An implementation period of "at least 24 months" (see here) means the obligations are unlikely to bite before April 2027. In due course, the Home Office will give further detail on timing, but businesses would be wise not to wait for it. The guidance is available now, and so is the threat. As Sky News reported last month, for example, the UK terror threat was "absolutely" under review following the war in Iran.
The result? Affected organisations should start reading and planning accordingly.
Six features in this guidance stand out:
Decoupling preparedness from probability
Most risk regulation rests on a probability-times-impact matrix. The Act dispenses with the first variable: probability.
As the guidance states, "the requirements in the Act are not related to considering the likelihood of an attack at specific premises or events." Instead, for example, responsible persons for enhanced-tier premises and qualifying events (see below) must consider what procedures are "appropriate and reasonably practicable to achieve the objective of reducing the risk of physical harm" if an attack were to occur.
Put simply, the Act sidesteps the question 'how likely is it really?' and replaces it with 'but what would you do if it happened?'.
Proportionality
The guidance uses the concept of "reasonably practicable" as a built-in calibration mechanism. It defines this as meaning "proportionate", requiring the responsible person to "weigh what can be done to achieve the objectives of procedures and/or measures, balanced against the cost, time and difficulty of implementation".
This is then applied in context: what is reasonably practicable for a large cinema chain is different from what is reasonably practicable for a village hall run by volunteers.
Two tiers, two expectations
A reminder: the Act, and the guidance under it, draw a clear line between two principal categories:
- standard-tier premises (200–799 individuals) must put in place public protection procedures (evacuation, invacuation, lockdown, communication), but they face no statutory requirement to document them or install physical measures.
- enhanced-tier premises (800 or more) must do all of that and implement public protection measures covering monitoring, movement, physical security and information security. They must also document their compliance, submit that document to the Security Industry Authority, designate a senior individual, and keep their measures under review.
Standard-tier, in short, means think and plan. Enhanced-tier means build and prove.
For further details on this and qualifying events, check out our more detailed article here.
Responsibility stays at the top
The guidance repeatedly emphasises that "the responsible person cannot delegate their legal responsibility to a contracted service provider, for example, but may delegate tasks". Senior individuals "can delegate actions to others, such as a security manager." However, they retain overall responsibility for compliance.
This prevents the classic 'compliance laundering' problem where organisations hire consultants, file paperwork, and then mentally check out. The Act effectively makes ignorance a liability.
Emphasis on people-based measures
The Act's requirements are not just about physical countermeasures. The emphasis also falls on people-based measures: training, awareness, communication and having a plan. An employee who knows the lockdown procedure is, in the eyes of this legislation, a security asset.
The Act inverts the popular image of counter-terrorism as just barriers, scanners and armed guards. The most effective security in many cases, the guidance suggests, is cultural rather than physical: staff who notice something suspicious and know who to tell can matter more than blast-resistant glazing.
Compliance documents for enhanced-tier premises
For enhanced-tier premises, the compliance document is not a checklist. It must set out what procedures and measures are in place and assess how they are expected to reduce harm. Where measures differ materially from what would usually be considered appropriate, the responsible person must explain why.
The guidance effectively asks the regulated entity to construct a narrative: here is what we have done, here is why we believe it works, and here is why we did not do what you might expect.
Critical thinking, rather than box-ticking, is thus embedded in the legal obligation itself.
The hope with this Act?
That tragedies like the Manchester Arena attack are prevented. As Figen Murray said in 2024:
"no parent should have to experience the pain and loss I've felt."
If you want to discuss how Martyn's Law affects your organisation, please contact us. And check out our article on what organisations should be thinking about now, including looking at your contracts with key stakeholders.
