The Terrorism (Protection of Premises) Act 2025, commonly known as Martyn’s Law, is now in effect. Following a long period of campaigning and advocacy, it achieved Royal Assent in April 2025, and it is now in its 24-month implementation phase. Businesses must be compliant by May 2027, or will likely face severe penalties for non-compliance.
The upcoming insurance renewal season between March and July represents a natural inflection point. It is when many businesses assess security measures, update their risk documentation, and evidence controls – all of which will be central to demonstrating compliance under Martyn’s Law. Therefore, addressing any gaps now is essential to ensure that businesses have enough time to strengthen preparedness before the law becomes enforceable.
Why was Martyn’s Law brought in?
The Manchester Arena bombing in 2017 resulted in the death of 22 people, and injured many more. But the attack could have been prevented: the public enquiry into the attack later identified myriad structural and operational failings.
The key observation was inadequate risk assessment and a lack of response plans specifically relating to terrorist attacks. An absence of pre-incident training for staff, and the existence of a “grey space” between the responsibilities of different stakeholders created the opportunity for the assailant to execute his attack.
Martyn’s Law was introduced to address these failings and prevent similar attacks from taking place in the future. To achieve this, the law places greater responsibility on public-facing venues to implement security measures, staff training, and risk assessments to improve preparedness.
What requirements does the law introduce?
Martyn’s Law applies to an extensive list of specified premises, including retail, leisure, hospitality, healthcare, sport, and events spaces. In practice, the list isn’t exhaustive – any premises that are accessible to the public may fall within scope of the law.
The law assigns duties based on the number of people likely to be present, but the test is not straightforward. It relies on a realistic assessment of typical footfall, rather than a venue’s theoretical maximum capacity. In practice, this means organisations must consider how many people are actually on site during normal operations. For high‑traffic locations such as high streets or retail parks, this can amount to many thousands, despite relatively small individual premises.
Martyn’s Law categorises premises according to two tiers:
Tier | Qualifying premises | Duties | Penalties |
Standard Tier | Premises where 200–799 individuals may reasonably be expected to be present at the same time. | • Develop basic public protection procedures, including evacuation, lockdown and invacuation. • Assign roles and responsibilities for emergency response. (Derived from procedural requirements for staff‑led actions.) • Provide staff training to recognise and respond to suspicious behaviour. | Not yet formally defined in published guidance. Martyn’s Law provides the Security Industry Authority (SIA) with enforcement powers (including issuing penalties and restriction notices), but no specific monetary level for Standard Tier fines has been published. |
Enhanced Tier | Premises or events where 800+ individuals may reasonably be expected to be present. | Standard Tier duties plus: • Conduct site‑specific terrorism threat assessments. (Explicit in Enhanced Tier requirements for reviewing vulnerability.) • Implement physical security measures and movement controls to reduce vulnerability. • Appoint a Responsible Person and Designated Senior Individual, each with accountability for compliance and required to undertake mandatory training. | Up to £18 million or 5% of worldwide revenue – whichever is higher. |
The aim of Martyn’s Law was to pass on this burden at no cost to affected business. In practice, however, complying with the law will come at a cost, especially in the Enhanced Tier. Many businesses are likely to qualify for this tier, whether they realise it or not. The average cost of adopting the measures could be around £7,000.
The penalties for non-compliance can be severe. Serious breaches may carry financial and reputational consequences, and may see businesses restricted or shut down. The named person(s) could face criminal charges.
Preparing now for May 2027
With the legislation now in its implementation phase, businesses should use this period to review their exposure and strengthen controls ahead of full enforcement in May 2027.
For many organisations, the upcoming renewal season is a natural point to do this – it is when risk appetite, security measures, documentation, and operational resilience are already under review. Aligning compliance planning with renewal means you can ensure your programme reflects both current and future obligations under Martyn’s Law.
Key questions to ask include:
Which tier will likely apply to your premises?
Have you conducted a security assessment, and do you have an emergency response plan, including lockdown, evacuation, and communication protocols?
What security do you currently have in place and how is access controlled?
What staff training is currently available, and do you run practice drills?
How are you evidencing the above?
In either tier, there is a requirement to provide pre-incident training and conduct threat assessments. For many organisations these may be out of date or inadequate. Maintaining the quality of training is also likely to be a significant challenge – particularly for premises with a reliance on temporary staff with high turnover – making early preparation essential.
The role of insurance – coverage gaps and crisis response
Traditional terrorism insurance was designed to fill exclusions in property or general liability policies, often to satisfy a lender requirement, but it was not built around today’s threat profile.
Modern attacks – including lone-wolf violence, civil commotion, random armed assaults, and fixated-threat incidents – increasingly target people, not property. As a result, many businesses now face material gaps in their cover.
Specialist products, including Active Assailant Insurance and Special Crime Insurance, address this shift by focusing on people-related harm. Thanks to their broader triggers, they typically offer more holistic protection, and support businesses in meeting the preparedness and training expectations introduced under Martyn’s Law.
In addition, these policies provide access to specialist crisis responders, who can:
Audit security measures and assess compliance
Create sustainable threat-mitigation frameworks
Coordinate with law enforcement services post-incident
Handle media enquiries
Support victims, family, and staff
Engaging crisis responders through an insurance product is often more cost-effective than retaining services directly, with premiums typically including a credit towards pre-incident training and support. Organisations already buying these products should make full use of the embedded services.
Talk to us
Martyn’s Law is a major piece of legislation that should challenge the way that businesses prepare for risk and insure themselves against loss. The time to prepare is now.
We work with our clients to help them meet their duties under Martyn’s Law. Our specialists can review your controls, identify coverage gaps, and facilitate access to crisis response and pre‑incident training – so that you are ready to respond when it matters.
For more information, reach out to a member of our team.
