Ben HarrisWith the forthcoming implementation of the Terrorism (Protection of Premises) Act 2025, better known as Martyn’s Law, UK organisations with public-facing premises are entering a new era of security responsibility. Named in memory of Martyn Hett, who tragically lost his life in the 2017 Manchester Arena bombing, the law aims to ensure that workplaces and venues are prepared to prevent, prepare for, and respond to acts of terrorism.
This legislation marks a decisive shift in how employers must think about security, risk, and duty of care. While compliance will soon be a legal necessity, the broader imperative is to embed a culture of vigilance and resilience across every public-facing organisation – from corporate offices and healthcare facilities to retail spaces, educational institutions, and cultural venues.
Martyn’s Law introduces a tiered framework for compliance, based on a premises’ size, capacity, and risk profile. The Standard Tier applies to smaller sites (typically with a capacity of 100 or more). These workplaces must introduce basic security awareness training, clear evacuation and lockdown procedures, and incident response plans.
For example, a public-facing council office, GP surgery, or university reception area may fall under this category. The Enhanced Tier applies to larger or higher-risk sites (with a capacity of 800 or more). These organisations will need to conduct detailed risk assessments, develop security management plans, and coordinate closely with local emergency services.
Measures may include controlled access points, surveillance systems, or hostile vehicle mitigation in external areas. While the Home Office and Security Industry Authority (SIA) are expected to issue detailed guidance and enforcement frameworks, the underlying principle is proportionality: security measures must be appropriate to the venue’s size, layout, and operations – not excessive or intrusive.
Martyn’s Law sets a new minimum legal standard, but true resilience goes far beyond compliance. Checking a box on a training register will not, by itself, protect lives or reputations. For workplaces that welcome members of the public, the distinction is clear: compliance protects you legally; preparedness protects people. Consider an office building with frequent public visitors. Compliance might mean ensuring staff know evacuation routes and where the assembly points are.
Preparedness means testing those routes under realistic conditions, ensuring security and reception teams can identify and report suspicious behaviour, and having communication protocols to guide staff and visitors during a live incident. Preparedness also means recognising that terrorist threats are not limited to bombs or vehicles. Lone-actor attacks, insider threats, or cyber-physical disruptions can all have devastating impacts. A well-prepared organisation builds layers of protection – physical, procedural, and cultural – that enable it to anticipate, deter, and respond effectively.
From my time in the military and later in private security, one lesson stands out: procedures don’t save lives – people do. A plan is only as effective as the people who understand and apply it under pressure. In the context of Martyn’s Law, this means training must be practical, scenario-based, and repeatable. Staff should be confident in recognising suspicious or unusual behaviour, responding calmly and decisively to alarms or instructions, moving visitors quickly and safely to secure areas or evacuation points, and communicating clearly with colleagues and first responders.
Workplaces that engage local police in joint exercises or table-top drills often find their preparedness improves dramatically. These partnerships build familiarity, confidence, and speed of response – all crucial in an emergency. Equally, debriefing after exercises is as important as the drills themselves. Identifying what worked, what didn’t, and how to improve ensures continuous readiness.
Security cannot be the sole responsibility of facilities or front-of-house teams. It must be seen as a shared organisational value, driven by leadership and reinforced at every level. Senior leaders should champion preparedness as part of their health, safety, and wellbeing agenda, allocate resources for training, communication, and infrastructure improvements, and encourage an environment where staff feel empowered to raise concerns without hesitation. Regular training refreshers and short awareness sessions are invaluable.
Many organisations are integrating security awareness into induction programs and quarterly briefings – treating it as an ongoing professional competence, not a one-off event. Embedding preparedness also extends to contractors and visitors. Everyone on-site should understand how to respond to a security alert. Simple visual aids – posters, QR codes linking to safety videos, or digital signage – can reinforce critical messages without causing alarm.
The UK’s threat level, assessed by MI5, currently sits at “substantial”, meaning an attack is likely. Yet it’s important to balance vigilance with a sense of normality. A secure workplace should still feel open, inclusive, and welcoming. Practical measures might include access control for visitor areas and deliveries, clear emergency signage and evacuation maps, CCTV coverage of entry points and communal spaces, design features (landscaping, bollards, or planters) that subtly protect perimeters, and regular maintenance and testing of alarms, PA systems, and emergency lighting. For offices with public receptions or lobbies, the goal is discreet deterrence, security that is visible enough to reassure but not so overt that it intimidates. In education or healthcare settings, trauma-informed design and staff communication training can help maintain trust while ensuring safety.
While the law allows for a 24-month implementation period (up to April 2027), waiting until deadlines approach would be a mistake. The cost and complexity of retrofitting security systems or retraining large teams can be far greater than phasing in improvements early. Organisations should begin by conducting a Martyn’s Law readiness review: identify which tier applies to your premises, map your existing security measures and training, assess gaps in emergency planning, communication, and leadership readiness, and develop an action plan that prioritises quick wins and long-term investments. Proactive planning now will reduce future costs, minimise operational disruption, and – most importantly demonstrate a clear commitment to protecting people.
Martyn’s Law represents far more than another regulatory burden. It is a national call to responsibility, to ensure that workplaces open to the public are not soft targets, but resilient spaces where people can feel safe and supported. For leaders, the challenge is to go beyond compliance and foster a culture of everyday preparedness. By embedding security into the fabric of operations today, organisations will not only meet the legal standards of tomorrow, but they will set a benchmark for safety, confidence, and care across the modern workplace.
Ben Harris is partner at Avella Security and former Special Forces & Royal Marine Commando
