In April of this year, the Terrorism (Protection of Premises) Act 2025 received royal assent, meaning that those responsible for public venues and events are now required to identify and mitigate the risk of terrorism and adequately protect the public.
Following my previous article regarding Martyn's law – named for Martyn Hett, a victim of the 2017 Manchester Arena bomb – there have been several changes to the legislation.
Specifically, these include new capacity criteria for standard-tier sites, the appointment of the Security Industry Authority (SIA) as regulator, and the removal of defined boundaries for events.
As it will take at least 24 months for the regulator to be in a position to start enforcement, there is currently no legal requirement to comply until the Act officially comes into force.
However, the next two years provide a good opportunity for businesses to start understanding what the legislation requires of them, and for property management companies to start engaging with tenants who may be subject to the Act.
One of the key elements of the Act is the definition of the 'responsible person', i.e. who will be responsible for ensuring compliance with the Act. For qualifying premises, the responsible person is whoever has control of the premises in connection with its Schedule 1 use, which will usually be the premises operator.
For example, if a person or business leases a building for retail use and has control of the building for that use, they will be the responsible person or business.
To simplify this, if we look at a traditional shopping centre, the responsible person for the centre would be – at present – the property management company responsible for managing the centre on behalf of the owner.
If units within the centre are rented to an occupier, the occupier would be the responsible person for their own area, i.e. premises within premises.
Over the next 24 months, the Home Office will publish statutory guidance to support responsible persons; Home Office fact sheets are also available, giving more detail and clarity regarding responsible persons.
Tighter requirements apply where capacities are larger
For a premises to fall under scope of the legislation, it must satisfy four criteria:
- there must be a building
- the premises must be wholly or mainly used for one or more uses which the Act specifies; the full list of categories is set out in Schedule 1 to the Act
- the premises are not any of the following excluded premises:
  - parliaments and devolved administrations
  - parks, gardens, recreation grounds, sports grounds and other open-air premises are generally excluded where there is generally open access
  - transport premises that are already subject to relevant existing legislative requirements, e.g. airports, national rail and underground premises, international rail premises and port facilities
- the premises will either be standard-tier sites, with 200–799 people present, or enhanced tier, with 800 or more. Premises with a capacity of fewer than 200 will have no duty to comply with the Act.
Operators of standard-tier premises must:
- notify the regulator when they become responsible for a property, and when they are no longer responsible
- ensure appropriate public protection procedures are in place for entry, evacuation, securing premises to prevent or restrict access by an attacker, and alerting people to any danger.
Enhanced-tier operators must meet the same public protection requirements and likewise notify the regulator when they assume or give up responsibility for the premises. They should also designate a senior individual to ensure that the requirements of the Act are met, and ensure:
- measures are in place to monitor the premises or event and their immediate vicinity, such as CCTV and other monitoring systems
- measures are in place to control the movement of individuals into, out of and within the premises or event
- measures relating to the physical safety and security of the premises or event are in place, for example hostile vehicle mitigation
- information security measures are in place, such as restricting sensitive information from being freely distributed, ensuring that any information that can be used in the planning, preparation or execution of acts of terrorism is held securely and access is restricted to relevant individuals.
Act covers range of venues and events
The categories of use set out in Schedule 1 to the Act are:
- shops
- food and drink providers
- entertainment and leisure activities
- sports grounds
- libraries, museums and galleries
- halls
- visitor attractions
- hotels
- places of worship
- healthcare facilities
- bus and railway stations
- aerodromes
- childcare facilities
- primary and secondary schools
- further education colleges
- universities
- public authority buildings.
It is important to note that any protective measures considered or implemented must be reasonably practicable in the relevant premises – what is implemented at one premises may not be appropriate to another, however similar they are.
Events are also subject to the Act – for an event to fall within its scope, it must satisfy the following four criteria:
- the event takes place at a premises that falls under section 3(1)(a) of the Act
- the event hosts at least 800 attendees at the same time, including staff members
- the event has specific entry conditions – such as a ticket or a pass – and someone must be present to check that these have been met
- the event is accessible to members of the public.
Regulator given authority to inspect and sanction
The SIA has been appointed regulator to ensure compliance with the Act, and will support qualifying events and premises as well as conducting inspections.
Under the legislation, the SIA will be able to access a premises or event to ensure compliance and view documentation, though it must provide 72 hours' notice to inspect and observe activities.
If access is required with fewer than 72 hours' notice, giving notice would defeat the object of entry, or if a request has been refused by the venue or event, the inspector may apply for a warrant.
In the event that premises or events are unable to meet the Act's requirements, the SIA will be able to impose the following sanctions:
- compliance notices requiring failings to be addressed in a specified time frame
- restriction notices issued to enhanced-tier premises or events if there is a significant risk to public safety
- penalty notices: standard-tier premises face a maximum fine of £10,000, while those in the enhanced tier are subject to a maximum of £18m or 5% of worldwide revenue
- daily penalties include a maximum of £500 for standard-tier premises and £50,000 for enhanced-tier.
Ensuring safety need not be cause for concern
One of the main reasons for the legislation is the need for a consistent approach to protection and resilience across sectors, to ensure the safety of members of the public; but it is important to understand the requirements and not panic.
The list of requirements can appear to be overwhelming with a lot of responsibility placed on responsible persons to ensure compliance, but a lot of the basic requirements are already being met.
It is important that responsible persons take a structured approach to understand what they currently have in place and highlight areas of improvement against the requirements of the Act as part of an integrated risk management approach to security and resilience.
There has been a marked increase in the number of consultants and specialist resilience companies offering training, assessments and audits to ensure compliance with the Act.
However, advisory body ProtectUK clearly states that money does not need to be spent on consultants to meet the legislative requirements. The National Counter Terrorism Security Office and the Home Office do not endorse any third-party products or providers either.